nanog mailing list archives
ARIN resource certification service update
From: John Curran <jcurran () arin net>
Date: Thu, 6 Jan 2011 16:17:51 +0000
On Jan 5, 2011, at 5:32 PM, Randy Bush wrote:
>> 1) If ARIN doesn't provide the level of authentication you desire, as an ARIN member you should send a note to ppml each day until it's available
>
> this is not address policy. this is ops. surely one does not have to dirty one's self with the ppml list to get an ops fix done in arin. it is not address policy.
>
> i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe). as it has impact on routing, not address policy, across north america and, in fact the globe, one would think it would be announced and discussed a bit more openly and widely.

Randy - Excellent point; my apologies for not realizing this sooner and posting some information directly for consideration by the NANOG community.

Attached is a message from the arin-discuss mailing list which has some more context; please feel free to discuss this on the arin-discuss mailing list or here on NANOG (as appropriate)

Thanks!
/John

Begin forwarded message:

From: John Curran <jcurran () arin net>
Date: January 6, 2011 11:08:39 AM EST
To: "George, Wes E [NTK]" <Wesley.E.George () sprint com>
Cc: "arin-discuss () arin net" <arin-discuss () arin net>
Subject: Re: [arin-discuss] Important Update Regarding Resource Certification

On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:

> There have been some threads about this on NANOG in the last few days. Can we get a bit clearer explanation of what the specific security concerns are and why they are delaying things? It may also make sense for someone from ARIN to post to NANOG with an explanation as well. If there are security concerns, it is something that the community should be aware of in case other RIRs or the SIDR WG need to be considering those issues as well.
>
> Thanks,
> Wes George

George - The security concerns are not specifically related to the RPKI protocol, but inherent implications of any service that might be heavily relied upon for real-time network operations, i.e. I don't think it's a SIDR WG matter, but simply part of the due diligence associated with the service as noted below.

While the RIRs presently provide services which are used to support operations (such as WHOIS and Reverse DNS services), failure of RIR resource certification services could have some very significant consequences, particularly in the case of incorrect data as opposed to simply unavailable data. There are some potential liability implications of operating such a service that ARIN is presently reviewing in depth.

I need to also note that these issues exist even in the case of a perfectly secure and operational service, in that an error by an ISP using ARIN's services (e.g. having entered the wrong AS number into a ROA for a major customer) could result in ARIN needing to readily "prove" the integrity of its resource certification system as well as fidelity of performance against the operator's request.

This has led ARIN to consider some aspects of its resource certification design, specifically to mitigate potential risks in the areas of non-repudiation and multi-party controls. Even so, the ultimate decision in these matters lies with the ARIN Board, as there is always going to be residual risk associated with any operations-related service provided by ARIN (note also that we have also discussed these issues with the other RIRs, but as they don't operate in ARIN's highly-litigious region, it is not necessarily a similar priority for their consideration)

To the extent that ARIN offering resource certification services is important to your plans, it would be good to express such needs on the arin-discuss mailing list. This helps us gauge the demand which obviously is another important factor to be considered in making the final determination on offering these services.

We intend to have more detailed information out later this month once the plans are finalized, but I hope the above information provides some insight into the process at this point. I will post this to the NANOG list for the community's information.

Thanks!
/John

John Curran
President and CEO
ARIN

p.s. I'm presently on a Caribbean cruise ship on a bona fide family vacation, so please recognize that replies may be deferred to off hours so that my laptop isn't thrown overboard... ;-)