[arin-tech-discuss] RPKI How long to set a ROA certificate

David Farmer farmer at umn.edu
Fri Jan 11 12:10:22 EST 2019 

On Fri, Jan 11, 2019 at 1:13 AM Christopher Morrow <morrowc.lists at gmail.com>
wrote:

>
> On Thu, Jan 10, 2019 at 10:29 PM Delacruz, Anthony B <
> Anthony.DeLaCruz at centurylink.com> wrote:
>
>> The default using ARIN systems looks to be 10 years. That just feels like
>> too long given how other certificates I interact with expire. What is
>> everyone else
>>
>
> that seems very long.
> I expect it might make sense to think about how long do you expect to need
> the ROA (for example)? and how often will your automation be able to update
> all objects which need to be updated? One other thing to keep in mind is
> how long do you think a 'lost' object to be usable?
>

I agree that is long, and probably too long for the default, but it's not
insanely long, for much of the Internet prefixes don't change very much
once they are advertised and typically the prefixes allocated or assigned
are the ones advertised.  The prefixes intentional advertised by our
network have been stable for several decades, yes we have added new
prefixes, but in the last thirty years, only one of our prefixes has had a
more specific added to our list of intentionally advertised prefixes once
initially advertised. The nature and longevity (more than 150 year) of our
institution lends itself to an abnormally high level of stability,
nevertheless for much of the Internet stability in scale of several years
is the norm.

tending to do? We’re just putting our toe in the water for this so using
>> the hosted to accommodate a few customers as we research and test doing
>> delegated which probably would be 2 or so years out. Would I run into
>> trouble if it’s too long then switch to us running on our servers? I
>> wouldn’t think so just expire it and issue new ones right? Any tips on
>> running hosted for a while with intent to switch to delegated?
>>
>
> seems correct to me, there may be more wonkery required than at first
> blush seems right, but :)
>

I think somewhere between 2 to 5 years is reasonable and going to be
common, probably starting out closer to 2 years and over time moving closer
to 5 years as everyone gains experience. But if you are just dipping your
toes in the water 1 or 2 years seems perfectly appropriate.

I'd like to see ARIN change the default to 3 years, 10 year is way too long
for the default, 10 years might be a reasonable maximum though. I'm
suggesting 3 years to help encourage people to not use too short of time,
but also these things need to be regularly evaluated and update too, 3
years seems a reasonable balance of the issues, at least without additional
knowledge of other circumstances involved.

-- 
===============================================
David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-tech-discuss/attachments/20190111/d1abfd86/attachment.html>

More information about the arin-tech-discuss mailing list