[arin-ppml] implementing RPKI prefix validation actually increases risk
john at egh.com
Tue Jun 6 17:22:26 EDT 2023
Wouldn't this whole conversation be better directed to the IETF or whoever is or
has designed RPKI? If they decide to issue a new RFC to address this issue or
to clarify use of RPKI to avoid this issue, they should do so. Or some other
routing expert should do so in a new RFC. If the spec changes and the changes
require some change to AS or RPKI administration by ARIN and the other
registries, then it would be appropriate to discuss necessary policy changes
here. Or if ARIN is implementing their RPKI in a way that is not compatible
with the RPKI RFCs, and the issues could be corrected by policy changes, then
this is an appropriate place to discuss them.
BTW: RPKI appears to be a total mess: according to
there are 40 different RFCs relating to RPKI! Yikes!
On 6/6/2023 4:57 PM, William Herrin wrote:
> On Tue, Jun 6, 2023 at 10:38 AM Michel Py
> <michel at arneill-py.sacramento.ca.us> wrote:
>> the point I was trying to make was about why protocols are
>> not being adopted. I have some concern that RPKI may
>> eventually die from a thousand cuts; none of the issues are
>> fatal, but the accumulation of them sure is annoying.
> Hi Michel,
> Unless ARIN did something or failed to do something which contributed
> to the problem you described, it's not obvious that such information
> is useful here. Can you articulate something ARIN could do which would
> improve the basic fact that configuring and maintaining cryptographic
> validation systems is technically challenging?
> There are certainly things ARIN could do to improve RPKI uptake, but
> I'm not aware of any that are responsive to the specific concern you
> Bill Herrin
Evans Griffiths & Hart, Inc.
781-861-0670 ext 539
More information about the ARIN-PPML