[arin-ppml] implementing RPKI prefix validation actually increases risk
michel at arneill-py.sacramento.ca.us
Wed Jun 7 01:13:27 EDT 2023
> Can you articulate something ARIN could do which would improve the basic fact that configuring and maintaining cryptographic validation systems is technically challenging?
Private shame on Cisco to do something better than a half-baked implementation that breaks things?
If ARIN wants RPKI deployed, ARIN needs to understand that RPKI does not have much of a business case that executives can see, and that if it breaks security even slightly it's going to end nowhere.
What do you say to orgs who give a lot of money to Spamhaus and other pricey feeds and suddenly see them ineffective because of a cheesy RPKI implementation? They won't touch it again for years and tell everyone to stay away from it.
From: William Herrin <bill at herrin.us>
Sent: Tuesday, June 6, 2023 1:58 PM
To: Michel Py <michel at arneill-py.sacramento.ca.us>
Cc: PPML <arin-ppml at arin.net>
Subject: Re: [arin-ppml] implementing RPKI prefix validation actually increases risk
On Tue, Jun 6, 2023 at 10:38 AM Michel Py <michel at arneill-py.sacramento.ca.us> wrote:
> the point I was trying to make was about why protocols are not being
> adopted. I have some concern that RPKI may eventually die from a
> thousand cuts; none of the issues are fatal, but the accumulation of
> them sure is annoying.
Unless ARIN did something or failed to do something which contributed to the problem you described, it's not obvious that such information is useful here. Can you articulate something ARIN could do which would improve the basic fact that configuring and maintaining cryptographic validation systems is technically challenging?
There are certainly things ARIN could do to improve RPKI uptake, but I'm not aware of any that are responsive to the specific concern you raised.
bill at herrin.us