[arin-tech-discuss] RPKI How long to set a ROA certificate

Mark Kosters markk at arin.net
Fri Jan 11 16:13:44 EST 2019

Hi David et al.

This is good input. The code was written to match the lifetime of the resource cert. We can certainly lower the default down. Is 3 years the consensus?


From: arin-tech-discuss <arin-tech-discuss-bounces at arin.net> on behalf of David Farmer <farmer at umn.edu>
Date: Friday, January 11, 2019 at 12:10 PM
To: Christopher Morrow <morrowc.lists at gmail.com>
Cc: "arin-tech-discuss at arin.net" <arin-tech-discuss at arin.net>
Subject: Re: [arin-tech-discuss] RPKI How long to set a ROA certificate

On Fri, Jan 11, 2019 at 1:13 AM Christopher Morrow <morrowc.lists at gmail.com> wrote:

On Thu, Jan 10, 2019 at 10:29 PM Delacruz, Anthony B <Anthony.DeLaCruz at centurylink.com> wrote:
The default using ARIN systems looks to be 10 years. That just feels like too long given how other certificates I interact with expire. What is everyone else

That seems very long.
I expect it might make sense to think about how long you expect to need the ROA (for example), and how often your automation will be able to update all objects which need to be updated. One other thing to keep in mind is how long you think a 'lost' object will be usable.

I agree that is long, and probably too long for the default, but it's not insanely long. For much of the Internet, prefixes don't change very much once they are advertised, and typically the prefixes allocated or assigned are the ones advertised. The prefixes intentionally advertised by our network have been stable for several decades; yes, we have added new prefixes, but in the last thirty years only one of our prefixes has had a more specific added to our list of intentionally advertised prefixes once initially advertised. The nature and longevity (more than 150 years) of our institution lends itself to an abnormally high level of stability; nevertheless, for much of the Internet, stability on a scale of several years is the norm.

tending to do? We’re just putting our toe in the water for this so using the hosted to accommodate a few customers as we research and test doing delegated which probably would be 2 or so years out. Would I run into trouble if it’s too long then switch to us running on our servers? I wouldn’t think so just expire it and issue new ones right? Any tips on running hosted for a while with intent to switch to delegated?

seems correct to me, there may be more wonkery required than at first blush seems right, but :)

I think somewhere between 2 to 5 years is reasonable and going to be common, probably starting out closer to 2 years and over time moving closer to 5 years as everyone gains experience. But if you are just dipping your toes in the water 1 or 2 years seems perfectly appropriate.

I'd like to see ARIN change the default to 3 years. 10 years is way too long for the default; 10 years might be a reasonable maximum, though. I'm suggesting 3 years to help encourage people not to use too short a time, but these things also need to be regularly evaluated and updated. 3 years seems a reasonable balance of the issues, at least without additional knowledge of other circumstances involved.

David Farmer               Email: farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952