nanog mailing list archives
Re: [ncc-services-wg] RPKI Resource Certification: building features
From: Alex Band <alexb () ripe net>
Date: Tue, 5 Oct 2010 10:51:04 +0200
On 4 Oct 2010, at 23:18, Randy Bush wrote:
1) We have not implemented support for this yet. We plan to go live with the fully hosted version first and extend it with support for non-hosted systems around Q2/Q3 2011.this is a significant slip from the 1q11 we were told in prague. care to explain.
Let me run you through the roadmap and the motivation for our choices at RIPE61. In short, everything we do is about providing *value* for our membership and the community. This means that with the resources we have, we have to make a choice between (1) offering a solution with every feature under the sun, but contains little value and usability or (2) we choose to do a phased approach where the entry barrier into the system is low, hassle is taken away from the operator, value and user-friendlyness is high while still being standards compliant and keeping the operator in the driver's seat. Soon we'll get to the full package where all options, like running your own CA, are available. It perhaps just isn't done in the order that a purist would like to see.
Let me illustrate with two examples: I've delivered full day training courses on Routing Registry and DNSSEC. With the RR course, by the time I was done explaining how to use the IRRToolset to aid in making routing decisions based on the IRR, people had given up and decided that doing it manually was easier. Like you said at RIPE60: "people are voting with their feet." In the DNSSEC training, by the time I was done explaining how to do a manual key roll-over, most LIRs decided 'this is not for me, the cure is worse than the disease'.
This is why I want to get back to my original point, Randy. You agreed in your first reply to me that something has to be done to create an easy way to get started with the system. We can provide a full, standards-compliant solution with up/down and every other feature, but how is that going to get all ~350,000 prefixes and ~35,000 ASs into the system with ROAs? Manually? I proposed an IRR+BGP import system as a value-added tool to help a network operator get started making ROAs. That's a pretty good starting point. Where do you suggest we go from here?
Of course I appreciate everyone else's response to this thread as well! :)
Cheers, -Alex
Current thread:
- Re: [ncc-services-wg] RPKI Resource Certification: building features Randy Bush (Oct 03)
- Re: [ncc-services-wg] RPKI Resource Certification: building features Owen DeLong (Oct 03)
- Re: [ncc-services-wg] RPKI Resource Certification: building features Alex Band (Oct 04)
- Re: [ncc-services-wg] RPKI Resource Certification: building features Owen DeLong (Oct 04)
- Message not available
- Re: [ncc-services-wg] RPKI Resource Certification: building features Owen DeLong (Oct 04)
- Re: [ncc-services-wg] RPKI Resource Certification: building features Alex Band (Oct 04)
- Re: [ncc-services-wg] RPKI Resource Certification: building features Owen DeLong (Oct 03)
- Message not available
- Re: [ncc-services-wg] RPKI Resource Certification: building features Randy Bush (Oct 04)
- Re: [ncc-services-wg] RPKI Resource Certification: building features Alex Band (Oct 05)
- Re: [ncc-services-wg] RPKI Resource Certification: building features Randy Bush (Oct 05)
- <Possible follow-ups>
- Re: [ncc-services-wg] RPKI Resource Certification: building features mkarir (Oct 04)