Paul,

I think my question is very pertinent. Of course the number of signed prefixes 
directly influences the number of validators. Do you think the RIPE NCC 
Validator tool would have been downloaded over 100 times in the last month if 
there were only 5 certified prefixes?

In my opinion, the widespread availability of signed prefixes and mature 
validation methods is key to the global success of resource certification. I 
agree that small differences in the size of the set of signed routes don't 
matter in the (relatively) short term, but the reality is that the difference 
would be *enormous* if we didn't offer a hosted solution.

Practically, in the real world, why would anyone invest time and effort in 
altering their current BGP decision making process to accommodate resource 
certification if the technology is on nobody's radar, it's hard to get your 
feet wet and there are just a handful of certified prefixes out there? Wouldn't 
it be good if network operators think: "Because it helps increase global 
routing security, it's easy to get started and lots of people are already 
involved, perhaps I should have a look at (both sides of) resource 
certification too"?

This is why I believe – and our adoption numbers prove – that the entry barrier 
to the system should be as low as possible, both on the signing side and the 
validation side. Once some of the people that are using the hosted platform now 
decide they would rather run their own non-hosted solution at a later stage, 
that would be even better. That immediately solves the private key situation. 
But there will always be a group happy to rely on the hosted model, and we 
cater to that.

Because of the path we chose there is already a lot of operational experience 
being gained, resulting in a large amount of feedback from a wide range of 
users. This helps us shape the certification system and the validator tool, 
which aids quality and usability. To me, that makes a lot of business sense. 
This is why I think there should be as much certified address space available 
as possible. Otherwise this will stay a niche technology until perhaps a major 
event causes people to wake up (and hopefully take action). Whether certification 
has reached the necessary level of maturity at that point remains to be seen. 
Furthermore, preventing (future) malicious hijacking is not the *only* reason 
the Internet community needs better routing security; the accidental route 
leaking that happens every day is reason enough.

-Alex

On 29 Jan 2011, at 23:00, Paul Vixie wrote:

>> From: Alex Band <al...@ripe.net>
>> Date: Sat, 29 Jan 2011 16:26:55 +0100
>> 
>> ... So the question is, if the RIPE NCC would have required everyone
>> to run their own certification setup using the open source tool-sets
>> Randy mentions, would there be this much certified address space now?
> 
> i don't agree that that question is pertinent.  in deployment scenario
> planning i've come up with three alternatives and this question is not
> relevant to any of them.  perhaps you know a fourth alternative.  here
> are mine.
> 
> 1. people who receive routes will prefer signed vs. unsigned, and other
> people who can sign routes will sign them if it's easy (for example,
> hosted) but not if it's too hard (for example, up/down).
> 
> 2. same as #1 except people who really care about their routes (like
> banks or asp's) will sign them even if it is hard (for example, up/down).
> 
> 3. people who receive routes will ignore any unsigned routes they hear,
> and everyone who can sign routes will sign them no matter how hard it is.
> 
> i do not expect to live long enough to see #3.  the difference between #1
> and #2 depends on the number of validators not the number of signed routes
> (since it's an incentive question).  therefore small differences in the
> size of the set of signed routes do not matter very much in 2011, and
> the risk:benefit profile of hosted vs. up/down still matters far more.
> 
>> Looking at the depletion of IPv4 address space, it's going to be
>> crucially important to have validatable proof who is the legitimate
>> holder of Internet resources. I fear that by not offering a hosted
>> certification solution, real world adoption rates will rival those of
>> IPv6 and DNSSEC. Can the Internet community afford that?
> 
> while i am expecting a rise in address piracy following depletion, i am
> not expecting #3 (see above) and i think most of the piracy will be of
> fallow or idle address space that will therefore have no competing route
> (signed or otherwise).  this will become more pronounced as address
> space holders who care about this and worry about this sign their routes
> -- the pirates will go after easier prey.  so again we see no material
> difference between hosted and up/down on the deployment side or if there
> is a difference it is much smaller than the risk:benefit profile
> difference on the provisioning side.
> 
> in summary, i am excited about RPKI and i've been pushing hard for it in
> both my day job and inside the ARIN BoT, but... let's not overstate the
> case for it or kneejerk our way into provisioning models whose business
> sense has not been closely evaluated.  as john curran said, ARIN will
> look to the community for the guidance he needs on this question.  i
> hope to see many of you at the upcoming ARIN public policy meeting in
> san juan PR where this is sure to be discussed both at the podium and in
> the hallways and bar rooms.
> 
> Paul Vixie
> Chairman and Chief Scientist, ISC
> Member, ARIN BoT
> 
> 
