<div dir="ltr"><div><br></div><div>Don't usually feel the need to +1, but I doubt anyone can add much more to this than "well said". <br></div><div><br></div><div>Warm regards,</div><div><br></div><div>-M<</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 7, 2023 at 11:09 AM Heather Schiller <<a href="mailto:heather.skanks@gmail.com">heather.skanks@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">ARIN is relatively neutral on such things. They take their mandate from the community. The <i>community</i> wants RPKI deployed. The <i>community</i> pushed and begged for ARIN to participate. ARIN held several consultations and public discussions on whether or not they should participate and then what types of service to offer. That's a fundamental thing folks should understand about ARIN's mission. <div><br><div>There are several technical forums, NANOG, MANRS, SIDR Ops in IETF, that are better fit for implementation discussion and assistance. It is not ARIN's mission to dictate to vendors how something should work -- chat up the helpful folks on the SIDR Ops, that is <i>their</i> mandate. It is occasionally ARIN's mission to raise awareness and educate the public on how something works-- when the community requests it and it aligns with their mission -- see ARIN's years of IPv6 outreach as an example. Even then, ARIN facilitated discussions, pulling AC members and folks from the community to do the presentations. <div><br><div>The use case of having large content providers, banks, communications providers, and other critical infrastructure unavailable to significant portions of the internet because someone leaked a /24 they were hijacking to prevent their citizens accessing a service, is a bit more important to the overall security and stability of the internet than a few devices responding to some leaky vpn traffic. </div><div><br></div><div>What I say to orgs who give a lot of money to Spamhaus... You are doing security wrong. There are enormous business critical institutions and governments that want to see RPKI deployed, to prevent both outages and interception. Those use cases far outweigh "I don't want anything on my network to respond to packets from an arbitrary list" Spamhaus pricey lists are designed to be applied to your email service, not your entire routing infrastructure. Use of RPKI should reduce or eliminate the need for CYMRU's (free!) bogon service and Spamhaus (free!) DROP service. CYMRU's (free!) UTRS list provides a very limited set of prefixes to discard traffic to, to mitigate a DoS attack -- it is not designed to make <i>your</i> network any more secure, but rather protect <i>others</i> from <i>your</i> network. Spamhaus (free!) EDROP service <i>could</i>, rightly, break against RPKI -- I haven't gone to see how many prefixes on the EDROP list have ROA's and there are workarounds. Overall, you really aren't really in a worse security position for deploying RPKI. </div><div><br></div><div>Shout it from the rooftops, deploy RPKI everywhere.</div><div><br></div><div> --Heather</div><div><br></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 7, 2023 at 1:13 AM Michel Py via ARIN-PPML <<a href="mailto:arin-ppml@arin.net" target="_blank">arin-ppml@arin.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">In private...<br>
<br>
> Can you articulate something ARIN could do which would improve the basic fact that configuring and maintaining cryptographic validation systems is technically challenging?<br>
<br>
Private shame on Cisco to do something better than a half-baked implementation that breaks things ?<br>
If ARIN wants RPKI deployed, ARIN needs to understand that RPKI does not have much of a business case that executives can see, and that if it breaks even slightly security it's going to end nowhere.<br>
<br>
What do you say to orgs who give a lot of money to SpamHaus and other pricey feeds and suddenly see them ineffective because of a cheezy RPKI implementation? They won't touch it again for years and tell everyone to stay away from it.<br>
<br>
Michel<br>
<br>
<br>
-----Original Message-----<br>
From: William Herrin <<a href="mailto:bill@herrin.us" target="_blank">bill@herrin.us</a>> <br>
Sent: Tuesday, June 6, 2023 1:58 PM<br>
To: Michel Py <<a href="mailto:michel@arneill-py.sacramento.ca.us" target="_blank">michel@arneill-py.sacramento.ca.us</a>><br>
Cc: PPML <<a href="mailto:arin-ppml@arin.net" target="_blank">arin-ppml@arin.net</a>><br>
Subject: Re: [arin-ppml] implementing RPKI prefix validation actually increases risk<br>
<br>
On Tue, Jun 6, 2023 at 10:38 AM Michel Py <<a href="mailto:michel@arneill-py.sacramento.ca.us" target="_blank">michel@arneill-py.sacramento.ca.us</a>> wrote:<br>
> the point I was trying to make was about why protocols are not being <br>
> adopted. I have some concern that RPKI may eventually die from a <br>
> thousand cuts; none of the issues are fatal, but the accumulation of <br>
> them sure is annoying.<br>
<br>
Hi Michel,<br>
<br>
Unless ARIN did something or failed to do something which contributed to the problem you described, it's not obvious that such information is useful here. Can you articulate something ARIN could do which would improve the basic fact that configuring and maintaining cryptographic validation systems is technically challenging?<br>
<br>
There are certainly things ARIN could do to improve RPKI uptake, but I'm not aware of any that are responsive to the specific concern you raised.<br>
<br>
Regards,<br>
Bill Herrin<br>
<br>
<br>
<br>
--<br>
William Herrin<br>
<a href="mailto:bill@herrin.us" target="_blank">bill@herrin.us</a><br>
<a href="https://bill.herrin.us/" rel="noreferrer" target="_blank">https://bill.herrin.us/</a><br>
_______________________________________________<br>
ARIN-PPML<br>
You are receiving this message because you are subscribed to<br>
the ARIN Public Policy Mailing List (<a href="mailto:ARIN-PPML@arin.net" target="_blank">ARIN-PPML@arin.net</a>).<br>
Unsubscribe or manage your mailing list subscription at:<br>
<a href="https://lists.arin.net/mailman/listinfo/arin-ppml" rel="noreferrer" target="_blank">https://lists.arin.net/mailman/listinfo/arin-ppml</a><br>
Please contact <a href="mailto:info@arin.net" target="_blank">info@arin.net</a> if you experience any issues.<br>
</blockquote></div>
_______________________________________________<br>
ARIN-PPML<br>
You are receiving this message because you are subscribed to<br>
the ARIN Public Policy Mailing List (<a href="mailto:ARIN-PPML@arin.net" target="_blank">ARIN-PPML@arin.net</a>).<br>
Unsubscribe or manage your mailing list subscription at:<br>
<a href="https://lists.arin.net/mailman/listinfo/arin-ppml" rel="noreferrer" target="_blank">https://lists.arin.net/mailman/listinfo/arin-ppml</a><br>
Please contact <a href="mailto:info@arin.net" target="_blank">info@arin.net</a> if you experience any issues.<br>
</blockquote></div>