nanog mailing list archives

ARIN resource certification service update


From: John Curran <jcurran () arin net>
Date: Thu, 6 Jan 2011 16:17:51 +0000

On Jan 5, 2011, at 5:32 PM, Randy Bush wrote:

>> 1) If ARIN doesn't provide the level of authentication you desire, as
>> an ARIN member you should send a note to ppml each day until it's
>> available
>
> this is not address policy.  this is ops.  surely one does not have to
> dirty one's self with the ppml list to get an ops fix done in arin.  it
> is not address policy.
>
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not
> subscribe).  as it has impact on routing, not address policy, across
> north america and, in fact the globe, one would think it would be
> announced and discussed a bit more openly and widely.

Randy - 

   Excellent point; my apologies for not realizing this sooner and
   posting some information directly for consideration by the NANOG 
   community.

   Attached is a message from the arin-discuss mailing list which 
   has some more context; please feel free to discuss this on the 
   arin-discuss mailing list or here on NANOG (as appropriate)

Thanks!
/John

Begin forwarded message:

From: John Curran <jcurran () arin net>
Date: January 6, 2011 11:08:39 AM EST
To: "George, Wes E [NTK]" <Wesley.E.George () sprint com>
Cc: "arin-discuss () arin net" <arin-discuss () arin net>
Subject: Re: [arin-discuss] Important Update Regarding Resource Certification

On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:

> There have been some threads about this on NANOG in the last few days. Can
> we get a bit clearer explanation of what the specific security concerns are
> and why they are delaying things? It may also make sense for someone from
> ARIN to post to NANOG with an explanation as well. If there are security
> concerns, it is something that the community should be aware of in case
> other RIRs or the SIDR WG need to be considering those issues as well.
>
> Thanks,
> Wes George

George - 

  The security concerns are not specifically related to the RPKI
  protocol, but inherent implications of any service that might 
  be heavily relied upon for real-time network operations, i.e.
  I don't think it's a SIDR WG matter, but simply part of the
  due diligence associated with the service as noted below.

  While the RIRs presently provide services which are used to 
  support operations (such as WHOIS and Reverse DNS services),
  failure of RIR resource certification services could have 
  some very significant consequences, particularly in the case
  of incorrect data as opposed to simply unavailable data.  
  There are some potential liability implications of operating 
  such a service that ARIN is presently reviewing in depth.  I 
  need to also note that these issues exist even in the case of 
  a perfectly secure and operational service, in that an error
  by an ISP using ARIN's services (e.g. having entered the wrong 
  AS number into a ROA for a major customer) could result in 
  ARIN needing to readily "prove" the integrity of its resource 
  certification system as well as fidelity of performance against 
  the operator's request.

  This has led ARIN to consider some aspects of its resource 
  certification design, specifically to mitigate potential risks
  in the areas of non-repudiation and multi-party controls. Even
  so, the ultimate decision in these matters lies with the ARIN 
  Board, as there is always going to be residual risk associated
  with any operations-related service provided by ARIN (note also
  that we have also discussed these issues with the other RIRs, 
  but as they don't operate in ARIN's highly-litigious region, it
  is not necessarily a similar priority for their consideration)

  To the extent that ARIN offering resource certification services 
  is important to your plans, it would be good to express such needs
  on the arin-discuss mailing list. This helps us gauge the demand
  which obviously is another important factor to be considered in
  making the final determination on offering these services.

  We intend to have more detailed information out later this month
  once the plans are finalized, but I hope the above information
  provides some insight into the process at this point.  I will 
  post this to the NANOG list for the community's information.

Thanks!
/John

John Curran
President and CEO
ARIN

p.s.  I'm presently on a Caribbean cruise ship on a bona fide 
     family vacation, so please recognize that replies may 
     be deferred to off hours so that my laptop isn't thrown 
     overboard... ;-)

