[arin-ppml] Revisit RPKI TAL Relying Party Agreement?

Job Snijders job at ntt.net
Fri Feb 3 03:49:14 EST 2017


On Thu, Feb 02, 2017 at 05:41:19PM -0800, Owen DeLong wrote:
> > On Feb 1, 2017, at 00:48 , Job Snijders <job at ntt.net> wrote:
> > On Tue, Jan 31, 2017 at 06:41:39PM -0800, Owen DeLong wrote:
> >> RPKI doesn’t secure BGP.
> >> 
> >> All it does is provide a cryptographically signed mechanism by which
> >> you can suggest what ASN should be forged as the origin of a route that
> >> you want to hijack.
> > 
> > That feels like a misconstrued statement.
> > 
> > You highlight a subset of RPKI: a feature that are commonly
> > available today. There is potentially far more that can be done with
> > the RPKI, such as the distribution and validation of router
> > certificates, manifests and other statements related to network
> > management.
> > 
> > The RPKI stands for "Resource Public Key Infrastructure", it is a
> > public key infrastructure framework of which you currently only see
> > one application.
> > 
> > It is important in this discussion to recognise the value and potential
> > of the RPKI.
> 
> Does any RIR or any other place have even a specification for those
> other purposes, let alone actual implementation?

As recent as January 18th, 2017 the IESG approved the "BGPsec Protocol
Specification" to be published as Standards Track RFC. The announcement
can be read here:
https://www.ietf.org/mail-archive/web/ietf-announce/current/msg16252.html

And for those of us who possess technical prowess, perhaps the actual
specification might be of interest:
https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-22

BGPsec relies on the Resource Public Key Infrastructure (RPKI)
certificates that attest to the allocation of AS number and IP address
resources. Any BGPsec speaker who wishes to send, to external (eBGP)
peers, BGP update messages containing the BGPsec_Path needs to possess a
private key associated with an RPKI router certificate that corresponds
to the BGPsec speaker's AS number. Note, however, that a BGPsec speaker
does not need such a certificate in order to validate received update
messages containing the BGPsec_Path attribute. However, the organisation
wishing to validate these updates will need access to the ARIN TAL.

> If not, then I stand by my statement as regards the current state of
> the RPKI.

Please keep in mind that this thread was about removing barriers, to
enable RPKI innovation. 

Kind regards,

Job



More information about the ARIN-PPML mailing list