[ppml] Staff Comments Regarding Policy Proposal 2006-3

Edward Lewis Ed.Lewis at neustar.biz
Thu Oct 5 09:48:53 EDT 2006

At 9:22 -0400 10/5/06, Sandy Murphy wrote:
>The April ARIN meeting saw the first presentation of policy 2006-3 ("Capturing
>Originations in Templates"), which suggested that AS origination authorization
>be collected in a new optional field in address resource templates.  The
>intent was to permit the publication of an authenticated list of authorized
>prefix
>The AC decided that this policy proposal should be revised in order to make
>it more acceptable to the membership.  However, the AC and I found it
>difficult to decide just what revisions were needed.  The decision was to
>broaden
>the proposal to suit the goal of the suggested collection, rather than state
>the collection mechanism itself.  So the proposal in summary would state that
>ARIN will support and facilitate the collection and publication of an
>authenticated list of authorized prefix originations (for prefixes assigned
>to ARIN) and cooperate with other RIRs in any similar efforts.

Having spent some time getting more familiar with the IRPEP, I would 
(now) concur that the proposed policy (change) deal with both 
semantics of collection and publication (or redistribution) of the 
data, if not syntax.

>The April meeting also saw a panel presentation about a resource certificate
>PKI and route origination attestations based on that PKI.

A presentation on this was given (again) at RIPE 53 this week.  Geoff 
Huston began it with an observation that he has covered this topic 
quite often in the past year or so, and he has come to the 
realization that the approach being taken in presentations probably 
ought to be modified.  If I caught this right - he said it was like 
talking about driving a car and he had been boring us with the 
details of the internal combustion engine and not spending time on 
the techniques and tools of driving well.

I say this because maybe the discussion on 2006-3 is suffering from 
the cart and horse misplacement problem.  Perhaps 2006-3 is trying 
to put functionality in place to enable certificates for routing 
before there is broad understanding of the problem.  (Not that the 
experts don't have an understanding, it's the broadness of 

>The goal underlying both the panel topic and the proposal 2006-3 is to
>produce an authenticated list of authorized prefix originations.  (The
>resource certificate PKI could be used in other ways as well, as a means of
>judging the validity of  requests for route origination from new customers,
>as a resource to use when diagnosing routing difficulties, <see slides>)
>Commentary at the mike during the resource PKI and route origination
>attestation panel was predominantly positive.  The comments at the mike
>regarding policy proposal 2006-3 were not as predominately positive  :-).
>However, none of the comments about the policy proposal disagreed with the
>policy proposal's goal.
>Would the membership accept the broadened statement of proposal 2006-3?
>Such a proposal would indicate the membership's support for the goals of the
>resource certificate PKI, and (happily) would also support the goal behind
>policy proposal 2006-3.

I think the policy proposal ought to talk about the data collected, 
how it is redistributed.  I think that the proposal needs to be 
understood in the context of the routing certificate goop.  The 
proposal also needs to be understood in terms of any unintended 
consequences too (as usual), meaning the role the data plays outside 
of the PKI goop.

I don't know if this collection ought to be tied to a/the routing 
registry.  As much as it would be bad to have this data be stored in 
two places (because the two may become inconsistent), I am not sure 
which routing registry ARIN should insert this learned data.  Will 
another routing registry recognize ARIN as the authority to do so?

(I guess I am assuming that there are multiple routing registries 
still in play.)

Maybe the larger issue is that although it is acceptable to me that 
ARIN bind a resource to a registrant, ARIN has traditionally stayed 
out of operations, so creating a binding between any two "Internet 
resources" seems like "something new" or maybe "mission creep."

A question I have is whether this collected information is intended 
to stay in the ARIN database, and/or whether this information ought 
to stay in the ARIN database.

Is it reasonable for an address range to change its originating 
autonomous system number?  If so - the policy should also cover 
modifying the origination information for an already 
allocated/assigned address range.

Edward Lewis                                                +1-571-434-5468

Secrets of Success #107: Why arrive at 7am for the good parking space?
Come in at 11am while the early birds drive out to lunch.
