On Apr 2, 2013, at 9:53 AM, Danny McPherson <da...@tcb.net> wrote:

> Speaking of inconsistencies in the RPKI, what's ARIN and the NRO's status on
> getting to a single trust anchor?

I believe that ICANN and the RIR technical staffs are busy trying to document a proposed structure and operation to bring to the IETF (e.g. how does one provide for transfers between regions without having an impact at 0/0 each time...) However, that's somewhat independent of your question... Do you see inconsistent data right now from following the RIR CA trees? A single trust anchor is going to point to the same data, so if you see any issues, please speak up.

> Yeah, they were nonsensical in the past and present role of ARIN, not in an
> RPKI-enabled world where revocation or transfer or inaccessibility will have
> some impact on the routability of the address block in question.

You keep repeating that assertion, but note that even in today's world we could be ordered to reclaim and reassign a block with similar effect. It may not be "real time" but there are plenty of folks who follow both the daily issued files as well as derivative filter lists. It is also true of various routing registries.

Even after deployment of RPKI, there will be some fairly long period where loss of the covering ROA _alone_ is likely to have little impact since the routing is still there, and we don't seem to have any documentation suggesting to _only_ listen to routes that are known valid. Loss of ROA coverage exposes one to further exploits, but per existing guidance it should not result in connectivity impacts (just as leaving one's seatbelt off doesn't generate an auto accident...)

> Actually, does ARIN have a public statement on this "message" you're talking
> about - i.e., apparently why DNS takedowns are a good idea and effective and
> LEOs should go that route v. contacting ISPs or hosting providers, etc..?
> I'd like to pass that along to our compliance and abuse office for inclusion
> in their LEO package (and selfishly, understand the logic)?

Danny, I never said "DNS takedowns are a good idea"; I said we "educate law enforcement about the difficulty of attempting granular actions on an IP address block basis." To the extent that one accepts that LEA folks are going to sometimes impact the network for their purposes, it is better if they use the most focused tools available. If that turns out to be the DNS system, then I imagine that's where they turn next; the fact that one can impact connectivity via orders against the DNS infrastructure does not automatically mean we shouldn't deploy DNS, only that we should do so with understanding of that potential (and the same could be said for RPKI...)

Thanks!
/John

John Curran
President and CEO
ARIN

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
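An added illustration of the point above about losing a covering ROA (example code written for this page, not from the thread, ARIN or any RPKI validator): RFC 6811 prefix origin validation over a constructed ROA set, showing that withdrawing the only covering ROA moves a route to NotFound rather than Invalid, and that a router policy which drops only Invalid routes keeps forwarding it. The ROA entries, prefixes and ASNs are constructed sample data.

```python
from ipaddress import ip_network

# Constructed sample ROAs (not real registry data): (prefix, maxLength, origin ASN)
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
]


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 origin validation state for one announcement.

    Valid:    some ROA covers the prefix, matches the origin AS and its
              maxLength permits this prefix length.
    Invalid:  at least one ROA covers the prefix but none matches.
    NotFound: no ROA covers the prefix at all (e.g. the covering ROA
              expired, was revoked, or could not be fetched).
    """
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def without_roa(roas, prefix):
    """Simulate loss of every ROA for exactly this prefix (revocation/expiry)."""
    return [r for r in roas if r[0] != prefix]


def accept_route(prefix, origin_asn, roas, drop_notfound=False):
    """Typical deployment policy: reject Invalid only; NotFound is accepted
    unless the operator explicitly opts into a 'valid-only' policy."""
    state = validate_origin(prefix, origin_asn, roas)
    if state == "Invalid":
        return False
    if state == "NotFound":
        return not drop_notfound
    return True
```

Under the default policy a route whose ROA has vanished is still installed; it is only a route that contradicts a surviving ROA (wrong origin or an over-long prefix) that is dropped.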