From Wesley.E.George at sprint.com Thu Jan 6 09:32:13 2011
From: Wesley.E.George at sprint.com (George, Wes E [NTK])
Date: Thu, 6 Jan 2011 14:32:13 +0000
Subject: [arin-discuss] [arin-announce] Important Update Regarding Resource Certification
In-Reply-To: <4CF7E8E0.4030303@arin.net>
References: <4CF7E8E0.4030303@arin.net>
Message-ID: <54E900DC635DAB4DB7A6D799B3C4CD8E048EB2@PLSWM12A.ad.sprint.com>

There have been some threads about this on NANOG in the last few days. Can
we get a bit clearer explanation of what the specific security concerns are
and why they are delaying things? It may also make sense for someone from
ARIN to post to NANOG with an explanation as well. If there are security
concerns, it is something that the community should be aware of in case
other RIRs or the SIDR WG need to be considering those issues as well.

Thanks,
Wes George

> -----Original Message-----
> From: arin-announce-bounces at arin.net [mailto:arin-announce-bounces at arin.net]
> On Behalf Of ARIN
> Sent: Thursday, December 02, 2010 1:44 PM
> To: arin-announce at arin.net
> Subject: [arin-announce] Important Update Regarding Resource
> Certification
>
> We previously announced that ARIN intends to provide a production-grade
> Resource Certification service starting 1 January 2011. As a result of
> an extensive review in preparation for offering this service, we have
> determined that additional functionality must be added to the service
> architecture to mitigate specific security concerns. These features will
> delay ARIN's production release until very early in the second quarter
> of 2011. We apologize for the inconvenience that this may cause ARIN
> participants; however, we think you will like the result. In the
> meantime, the ARIN community is encouraged to join ARIN's Resource
> Certification pilot as an interim measure. This pilot has been in place
> since June 2009.
> For more information concerning Resource Certification
> and ARIN's pilot program, visit
> http://www.arin.net/resources/rpki.html.
>
> Regards,
>
> Mark Kosters
> Chief Technical Officer
> American Registry for Internet Numbers (ARIN)
>
> _______________________________________________
> ARIN-Announce
> You are receiving this message because you are subscribed to
> the ARIN Announce Mailing List (ARIN-announce at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-announce
> Please contact info at arin.net if you experience any issues.

From jcurran at arin.net Thu Jan 6 11:08:39 2011
From: jcurran at arin.net (John Curran)
Date: Thu, 6 Jan 2011 16:08:39 +0000
Subject: [arin-discuss] Important Update Regarding Resource Certification
In-Reply-To: <54E900DC635DAB4DB7A6D799B3C4CD8E048EB2@PLSWM12A.ad.sprint.com>
References: <4CF7E8E0.4030303@arin.net>
 <54E900DC635DAB4DB7A6D799B3C4CD8E048EB2@PLSWM12A.ad.sprint.com>
Message-ID: <37E8691A-89FF-4039-A5FA-157CDABD7333@corp.arin.net>

On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:

> There have been some threads about this on NANOG in the last few days. Can
> we get a bit clearer explanation of what the specific security concerns are
> and why they are delaying things? It may also make sense for someone from
> ARIN to post to NANOG with an explanation as well. If there are security
> concerns, it is something that the community should be aware of in case
> other RIRs or the SIDR WG need to be considering those issues as well.
>
> Thanks,
> Wes George

George -

The security concerns are not specifically related to the RPKI
protocol, but inherent implications of any service that might
be heavily relied upon for real-time network operations, i.e.
I don't think it's a SIDR WG matter, but simply part of the
due diligence associated with the service as noted below.

While the RIRs presently provide services which are used to support
operations (such as WHOIS and Reverse DNS services), failure of RIR
resource certification services could have some very significant
consequences, particularly in the case of incorrect data as opposed
to simply unavailable data. There are some potential liability
implications of operating such a service that ARIN is presently
reviewing in depth.

I need to also note that these issues exist even in the case of a
perfectly secure and operational service, in that an error by an ISP
using ARIN's services (e.g. having entered the wrong AS number into a
ROA for a major customer) could result in ARIN needing to readily
"prove" the integrity of its resource certification system as well as
fidelity of performance against the operator's request. This has led
ARIN to consider some aspects of its resource certification design,
specifically to mitigate potential risks in the areas of
non-repudiation and multi-party controls. Even so, the ultimate
decision in these matters lies with the ARIN Board, as there is always
going to be residual risk associated with any operations-related
service provided by ARIN (note also that we have also discussed these
issues with the other RIRs, but as they don't operate in ARIN's
highly litigious region, it is not necessarily a similar priority for
their consideration).

To the extent that ARIN offering resource certification services
is important to your plans, it would be good to express such needs
on the arin-discuss mailing list. This helps us gauge the demand
which obviously is another important factor to be considered in
making the final determination on offering these services.

We intend to have more detailed information out later this month
once the plans are finalized, but I hope the above information
provides some insight into the process at this point.
I will post this to the NANOG list for the community's information.

Thanks!
/John

John Curran
President and CEO
ARIN

p.s. I'm presently on a Caribbean cruise ship on a bona fide family
vacation, so please recognize that replies may be deferred to off
hours so that my laptop isn't thrown overboard... ;-)

From morrowc.lists at gmail.com Thu Jan 6 14:00:11 2011
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 6 Jan 2011 14:00:11 -0500
Subject: [arin-discuss] Important Update Regarding Resource Certification
In-Reply-To: <37E8691A-89FF-4039-A5FA-157CDABD7333@corp.arin.net>
References: <4CF7E8E0.4030303@arin.net>
 <54E900DC635DAB4DB7A6D799B3C4CD8E048EB2@PLSWM12A.ad.sprint.com>
 <37E8691A-89FF-4039-A5FA-157CDABD7333@corp.arin.net>
Message-ID:

On Thu, Jan 6, 2011 at 11:08 AM, John Curran wrote:
> On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:
>
>> There have been some threads about this on NANOG in the last few days. Can
>> we get a bit clearer explanation of what the specific security concerns are
>> and why they are delaying things? It may also make sense for someone from
>> ARIN to post to NANOG with an explanation as well. If there are security
>> concerns, it is something that the community should be aware of in case
>> other RIRs or the SIDR WG need to be considering those issues as well.
>>
>> Thanks,
>> Wes George
>
> George -
>
>   The security concerns are not specifically related to the RPKI
>   protocol, but inherent implications of any service that might
>   be heavily relied upon for real-time network operations, i.e.
>   I don't think it's a SIDR WG matter, but simply part of the
>   due diligence associated with the service as noted below.
>   To the extent that ARIN offering resource certification services
>   is important to your plans, it would be good to express such needs

For the arin-discuss readers not also reading nanog:
(original discussion which spawned discussion of RPKI)
relevant message:
The spawned message thread:

as a vote for 'please make the RPKI a reality' count me as one on the
plus side. I'd like to see a strong/clear/maintained connection
between number resources (ASNs and netblocks), I'd like it if that
were in some way cryptographically strong and if I could have
automated processes easily deal with the data set.

I'd also like it if the system would be able to grow into use with the
coming SIDR-wg bgp protocol changes... which are wrapped tightly
around the RPKI concept.

-Chris

From vixie at isc.org Sat Jan 8 00:15:19 2011
From: vixie at isc.org (Paul Vixie)
Date: Sat, 08 Jan 2011 05:15:19 +0000
Subject: [arin-discuss] stepping down as chairman
Message-ID: <57793.1294463719@nsa.vix.com>

members, it has been a pleasure serving as a trustee for the last six years
and i'm excited to now begin my third term on ARIN's board of trustees.

as you know, i succeeded john curran as board chairman in the summer of 2009
and was reelected to that position in 2010. i've decided not to seek the
chairmanship for 2011, which means that when the board elects officers next
week in the first meeting of the year, there will be a new chairman of ARIN's
board of trustees.
--
Paul Vixie
Chairman and Chief Scientist, ISC
Trustee, ARIN

From tedm at ipinc.net Sun Jan 9 20:02:58 2011
From: tedm at ipinc.net (Ted Mittelstaedt)
Date: Sun, 09 Jan 2011 17:02:58 -0800
Subject: [arin-discuss] stepping down as chairman
In-Reply-To: <57793.1294463719@nsa.vix.com>
References: <57793.1294463719@nsa.vix.com>
Message-ID: <4D2A5AC2.5020109@ipinc.net>

Thank you for your service!

Ted Mittelstaedt
Internet Partners, Inc.
On 1/7/2011 9:15 PM, Paul Vixie wrote:
> members, it has been a pleasure serving as a trustee for the last six years
> and i'm excited to now begin my third term on ARIN's board of trustees.
>
> as you know, i succeeded john curran as board chairman in the summer of 2009
> and was reelected to that position in 2010. i've decided not to seek the
> chairmanship for 2011, which means that when the board elects officers next
> week in the first meeting of the year, there will be a new chairman of ARIN's
> board of trustees.
> --
> Paul Vixie
> Chairman and Chief Scientist, ISC
> Trustee, ARIN
> _______________________________________________
> ARIN-Discuss
> You are receiving this message because you are subscribed to
> the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-discuss
> Please contact info at arin.net if you experience any issues.

From owen at delong.com Sun Jan 30 09:25:59 2011
From: owen at delong.com (Owen DeLong)
Date: Sun, 30 Jan 2011 06:25:59 -0800
Subject: [arin-discuss] Fwd: ARIN Suggestion: Thank you
References: <20110130111340.348D921361B@smtp2.arin.net>
Message-ID:

I have submitted the following suggestion to the ACSP. Combined with
policy proposal 121, this should provide relief to those who were
concerned about the fee discrepancy between IPv4 and IPv6 for very
small ISPs.

I encourage members to make their opinions of this suggestion known on
this list or to the members of the board.

Owen

Begin forwarded message:

> From: Member Services
> Date: January 30, 2011 3:13:40 AM PST
> To: owen at delong.com
> Subject: ARIN Suggestion: Thank you
>
>
> Thank you for confirming your suggestion with ARIN. Please reference
> Suggestion ID number 2011.3 in future correspondence to info at arin.net
> on this topic. We will contact you if we have any additional questions.
>
> Sincerely,
>
> Communications and Member Services
> American Registry for Internet Numbers (ARIN)
> --------------------------------------------------------------------------------
> Suggestion received and confirmed:
>
> I suggest that the board change the IPv6 subscriber member fee table so
> that the cutoff between x-small and small is made such that a small
> provider is in the range /37 to /32 and an x-small provider is /36 or
> less.
>
> There is currently no policy language that would enable the creation of
> a /40 under the subscriber allocation policy and none is under
> consideration. There is consideration for /36s under proposal 121 which
> the AC has moved to draft policy.
>
> By making this change, if policy 121 is adopted, subscribers currently
> in the x-small IPv4 category will have the option of obtaining
> allocations of /36 without an annual fee increase.
>
> Several such providers have indicated on PPML and in other fora that the
> fee increase is serving as a barrier to their adopting IPv6. It is a
> failure of our stewardship responsibilities to ignore this community
> need.
>
>
> --------------------------------------------------------------------------------
> The ARIN Consultation and Suggestion Process (ACSP) is available at:
> http://www.arin.net/participate/acsp/index.html