On 03/21/2013 04:15 PM, Stephen Kent wrote:
> Chris,
> 
>> On Thu, Mar 21, 2013 at 11:43 AM, Randy Bush <ra...@psg.com> wrote:
>>>>> In our analysis we associate number of CAs in the global RPKI with
>>>>> the number of distinct IP resource holders.
>>>> sure, and as a proxy for that 'AS Operator', it's not a 1:1
>>>> correlation to be sure but it should be reasonably close, no?
>>> do we have anything other than conjecture on which to base estimations
>>> of the numbers of CAs or repositories?
>> no, since there aren't any CAs in existence...
> well, there are over 1,300 so far, but almost all are managed CAs.
>>   we have, or I have, a
>> model that says:
>>    "If you want to publish a ROA, you need to have a CA and you need to
>> run a publication point"
>
> still true, even for managed CAs.
>
>> To me that means at the least every ASN will have a publication point
>> (and thus a ROA and a CA).
>
> it's a ROA, a manifest, a CRL, maybe a GB record, and a CA cert in the
> parent's pub point.

sure, I abbreviated the list.

>>
>>>> I jump to 'CA == REPO == AS-Operator == ASN allocated' because lacking
>>>> any direct data otherwise it seems like a good estimation of numbers.
>>> great example of conjecture.  do you have any fact/measurement-based
>>> idea of how many CAs or repositories there might be five or ten years
>>> from now?  the only data i have is the small number of IRR repositories
>>> and whois servers.  and i suspect/hope that is a poor estimator.
>> I really don't know how to estimate ASIDE from saying: "it seems
>> reasonable that the repo number will track with assigned ASN"
>
> see my earlier comment re this possible equivalency.
>
>> I could be wrong, I could also be corrected if someone else has a
>> compelling story... I don't think it's harmful to say "tracks to ASN
>> numbers" though, if it's too large a number we can be surprised by
>> performance... if it's too small, we can also be surprised :)
>>
>>> but i very strongly doubt that any significant portion of the stub ASs,
>>> 84% of the ASs, will run CAs.
>> they may not.
>> they may use a hosted-model product.
>
> but even in the "hosted model" each of these folks is represented by
> a CA and a pub point. I think the only issue is whether each is a separate
> repository.

correct. one contiguous repo is a great target ... once or twice that'll
work, then the repository operator will split all customers into
separate names at the least that she can steer to infrastructure in case
of a problem.

>
>> I suspect that very soon after 'hosted model' comes into being in the
>> large, the operators of these systems will realize that if someone
>> dislikes one of their customers they can't survive as a business if
>> all other customers also disappear. They will be forced to run the
>> system with unique names/ips for each customer (names at a minimum so
>> they can shift problem children away).
>>
>> So, in the above case... CA == ASN == REPO
>>
>
> I don't understand that last argument. Can you expand on it?

Today, if you look at:
  dig NS ly
  ly.cctld.authdns.ripe.net. is one of the servers listed...

  ripe sets up a separate name/ip for each CC they serve. This gives
them the flexibility to move one victim off to a dedicated server(s) in
the case of really bad problems.

I suspect that the hosted repository model will evolve to this over time.
-chris
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
