[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation
Jimmy Hess
mysidia at gmail.com
Mon May 6 16:21:44 EDT 2019
On Mon, May 6, 2019 at 2:04 PM Owen DeLong <owen at delong.com> wrote:
> To reduce this to one, you first need to identify an organization that can be
> Trusted with that authority, literally the ability to revoke the valid status of
> every route on the internet (or at least every route that has a corresponding
> ROA in the RPKI system.
> Who do you nominate for that function?
I would suggest making an expiration date 15 years forward as the sole
revocation
mechanism: declining to implement the processing of real-time
revocation down to
RIR CAs by utilizing issuance policies where no CRL, OCSP, or other
distribution
URLs would be specified for certificates listed for production issued
to RIR CA,
or root RPKI CA, or RPKI intermediary certificates.
Or at least have that the URLs given for distribution URLs should be URLs on
hostnames RIRs control, from which any CRLs are listed.
The requirement for revocation of one of the small number of RIR-level
cert or parent
should be so rare, that it can be made a process where operators would need to
manually download the CRL if required (that should be set to never
expire) and apply it to their own routers.
This is a case where you need routers already up and running with announcements
accepted, before the connectivity required to check certificate revocations by
fetching status from OCSP or CRL distribution points should even exist.
--
-JH
More information about the ARIN-PPML
mailing list