[ppml] Staff Comments Regarding Policy Proposal 2006-3
Ed.Lewis at neustar.biz
Thu Oct 5 09:48:53 EDT 2006
At 9:22 -0400 10/5/06, Sandy Murphy wrote:
>The April ARIN meeting saw the first presentation of policy 2006-3 ("Capturing
>Originations in Templates"), which suggested that AS origination authorization
>be collected in a new optional field in address resource templates.
>was to permit the publication of an authenticated list of authorized prefix
>The AC decided that this policy proposal should be revised in order to make
>it more acceptable to the membership. However, the AC and I found
>to decide just what revisions were needed. The decision was to broaden
>the proposal to suit the goal of the suggested collection, rather than state
>the collection mechanism itself. So the proposal in summary would state that
>ARIN will support and facilitate the collection and publication of an
>authenticated list of authorized prefix originations (for prefixes assigned
>to ARIN) and cooperate with other RIRs in any similar efforts.

Having spent some time getting more familiar with the IRPEP, I would
(now) concur that the proposed policy (change) deal with both
semantics of collection and publication (or redistribution) of the
data, if not syntax.

>The April meeting also saw a panel presentation about a resource certificate
>PKI and route origination attestations based on that PKI.

A presentation on this was given (again) at RIPE 53 this week. Geoff
Huston began it with an observation that he has covered this topic
quite often in the past year or so, and he has come to the
realization that the approach being taken in presentations probably
ought to be modified. If I caught this right - he said it was like
talking about driving a car and he had been boring us with the
details of the internal combustion engine and not spending time on
the techniques and tools of driving well.

I say this because maybe the discussion on 2006-3 is suffering from
the cart and horse misplacement problem. Perhaps 2006-3 is trying
to put functionality in place to enable certificates for routing
before there is broad understanding of the problem. (Not that the
experts don't have an understanding, it's the broadness of

>The goal underlying both the panel topic and the proposal 2006-3 is to
>produce an authenticated list of authorized prefix originations. (The
>resource certificate PKI could be used in other ways as well, as a means of
>judging the validity of requests for route origination from new customers,
>as a resource to use when diagnosing routing difficulties, <see slides>)
>Commentary at the mike during the resource PKI and route origination
>attestation panel was predominantly positive. The comments at the mike
>regarding policy proposal 2006-3 were not as predominately positive :-).
>However, none of the comments about the policy proposal disagreed with the
>policy proposal's goal.
>Would the membership accept the broadened statement of proposal 2006-3?
>Such a proposal would indicate the membership's support for the goals of the
>resource certificate PKI, and (happily) would also support the goal behind
>policy proposal 2006-3.

I think the policy proposal ought to talk about the data collected,
how it is redistributed. I think that the proposal needs to be
understood in the context of the routing certificate goop. The
proposal also needs to be understood in terms of any unintended
consequences too (as usual), meaning the role the data plays outside
of the PKI goop.

I don't know if this collection ought to be tied to a/the routing
registry. As much as it would be bad to have this data be stored in
two places (because the two may become inconsistent), I am not sure
which routing registry ARIN should insert this learned data into. Will
another routing registry recognize ARIN as the authority to do so?
(I guess I am assuming that there are multiple routing registries
still in play.)

Maybe the larger issue is that although it is acceptable to me that
ARIN bind a resource to a registrant, ARIN has traditionally stayed
out of operations, so creating a binding between any two "Internet
resources" seems like "something new" or maybe "mission creep."

A question I have is whether this collected information is intended
to stay in the ARIN database, and/or whether this information ought
to stay in the ARIN database.

Is it reasonable for an address range to change its originating
autonomous system number? If so - the policy should also cover
modifying the origination information for an already
allocated/assigned address range.

Edward Lewis +1-571-434-5468
Secrets of Success #107: Why arrive at 7am for the good parking space?
Come in at 11am while the early birds drive out to lunch.