[arin-ppml] implementing RPKI prefix validation actually increases risk
John Santos
john at egh.com
Tue Jun 6 17:22:26 EDT 2023
Wouldn't this whole conversation be better directed to the IETF or whoever is or
has designed RPKI? If they decide to issue a new RFC to address this issue or
to clarify use of RPKI to avoid this issue, they should do so. Or some other
routing expert should do so in a new RFC. If the spec changes and the changes
require some change to AS or RPKI administration by ARIN and the other
registries, then it would be appropriate to discuss necessary policy changes
here. Or if ARIN is implementing their RPKI in a way that is not compatible
with the RPKI RFCs, and the issues could be corrected by policy changes, then
this is an appropriate place to discuss them.

BTW: RPKI appears to be a total mess: according to
<https://blog.apnic.net/2021/03/15/which-rpki-related-rfcs-should-you-read/>,
there are 40 different RFCs relating to RPKI! Yikes!

On 6/6/2023 4:57 PM, William Herrin wrote:
> On Tue, Jun 6, 2023 at 10:38 AM Michel Py
> <michel at arneill-py.sacramento.ca.us> wrote:
>> the point I was trying to make was about why protocols are
>> not being adopted. I have some concern that RPKI may
>> eventually die from a thousand cuts; none of the issues are
>> fatal, but the accumulation of them sure is annoying.
>
> Hi Michel,
>
> Unless ARIN did something or failed to do something which contributed
> to the problem you described, it's not obvious that such information
> is useful here. Can you articulate something ARIN could do which would
> improve the basic fact that configuring and maintaining cryptographic
> validation systems is technically challenging?
>
> There are certainly things ARIN could do to improve RPKI uptake, but
> I'm not aware of any that are responsive to the specific concern you
> raised.
>
> Regards,
> Bill Herrin
--
John Santos
Evans Griffiths & Hart, Inc.
781-861-0670 ext 539