
Mailing List Archive: NANOG: users

question about Mark Koster's ARIN presentation

 

 



sandy at tislabs

Jun 18, 2009, 9:05 AM

Post #1 of 10 (1329 views)
question about Mark Koster's ARIN presentation

This message is sent to the whole nanog list, rather than the
nanog-attendees list, as I'm not sure who would be watching that
list when the conference is over.

I stood up to ask a question at the end of Mark Koster's presentation
yesterday, but before I got to the end of the table, he was being applauded
and leaving the stage. I must be too short.

The presentation said that ARIN would be doing a lot of work to
improve the IRR. The last I asked, the ARIN IRR did not support the
RPSS (Routing Policy System Security - RFC2725). RIPE supports this,
I know. Will the ARIN improvements include support for RPSS?

The presentation talked about the RPKI pilot, and Mark said that
ARIN would be using the RIPE code. I believe RIPE has or had a couple
different attempts at this, so I'm not sure what features the code
you use will have. Will you have the ability to hand certs to ISPs
so that they can do their own cert generation for the allocations
they hand to their own customers? I.e., is ARIN going to run a
service just for its members, or will it enable its members to
participate in the RPKI themselves?

--Sandy


m.hallgren at free

Jun 18, 2009, 12:35 PM

Post #2 of 10 (1257 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
> This message is sent to the whole nanog list, rather than the
> nanog-attendees list,

How come there is a nanog-attendees list disjunct from the nanog list.
Wouldn't it be natural to broadcast any kind of content to the
entire community?

Cheers,

mh


> as I'm not sure who would be watching that
> list when the conference is over.
>
> I stood up to ask a question at the end of Mark Koster's presentation
> yesterday, but before I got to the end of the table, he was being applauded
> and leaving the stage. I must be too short.
>
> The presentation said that ARIN would be doing a lot of work to
> improve the IRR. The last I asked, the ARIN IRR did not support the
> RPSS (Routing Policy System Security - RFC2725). RIPE supports this,
> I know. Will the ARIN improvements include support for RPSS?

Interesting, yes.

>
> The presentation talked about the RPKI pilot, and Mark said that
> ARIN would be using the RIPE code. I believe RIPE has or had a couple
> different attempts at this, so I'm not sure what features the code
> you use will have. Will you have the ability to hand certs to ISPs
> so that they can do their own cert generation for the allocations
> they hand to their own customers? I.e., is ARIN going to run a
> service just for its members, or will it enable its members to
> participate in the RPKI themselves?
>

As well.


> --Sandy
>

mh

--
michael hallgren, mh2198-ripe


Valdis.Kletnieks at vt

Jun 18, 2009, 12:49 PM

Post #3 of 10 (1268 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

On Thu, 18 Jun 2009 21:35:53 +0200, Michael Hallgren said:

> How come there is a nanog-attendees list disjunct from the nanog list.
> Wouldn't it be natural to broadcast any kind of content to the
> entire community?

Umm... "Presentation XYZ has been moved from the Blue Room to the Paisley Room"
and similar administrivia of interest only to actual attendees?


kris.foster at gmail

Jun 18, 2009, 12:51 PM

Post #4 of 10 (1261 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

On Jun 18, 2009, at 12:35 PM, Michael Hallgren wrote:

> On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
>> This message is sent to the whole nanog list, rather than the
>> nanog-attendees list,
>
> How come there is a nanog-attendees list disjunct from the nanog list.
> Wouldn't it be natural to broadcast any kind of content to the
> entire community?

nanog-attendees is intended to be used for social and specific
conference related topics. Topics discussed at the conference with
operational relevance should be here on the main list.

If anyone feels the need to follow up on the nanog-attendees/nanog
distinction, please do so on nanog-futures.

Thanks!

Kris
MLC Chair


jcdill.lists at gmail

Jun 18, 2009, 12:54 PM

Post #5 of 10 (1257 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

Michael Hallgren wrote:
> On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
>
>> This message is sent to the whole nanog list, rather than the
>> nanog-attendees list,
>>
>
> How come there is a nanog-attendees list disjunct from the nanog list.
> Wouldn't it be natural to broadcast any kind of content to the
> entire community?
>
>
Before we had a nanog-attendees list, the nanog list would be bombarded
with posts that were of no interest to people who weren't actually at
the conference, such as issues with the conference wifi, issues with
schedule conflicts, chatter about outside events in the host city, etc.
It makes perfect sense to have a nanog-attendees list to keep those
discussions off the main nanog list.

I believe you can join the nanog attendees list without actually
attending a nanog conference, if you want to get everything-nanog in
your inbox.

jc


m.hallgren at free

Jun 18, 2009, 1:04 PM

Post #6 of 10 (1268 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

On Thursday 18 June 2009 at 15:49 -0400, Valdis.Kletnieks [at] vt wrote:
> On Thu, 18 Jun 2009 21:35:53 +0200, Michael Hallgren said:
>
> > How come there is a nanog-attendees list disjunct from the nanog list.
> > Wouldn't it be natural to broadcast any kind of content to the
> > entire community?
>
> Umm... "Presentation XYZ has been moved from the Blue Room to the Paisley Room"
> and similar administrivia of interest only to actual attendees?

OK. More info's a good thing, better than less info... And we all know how
to read and filter mail. Right? :)

No harm, TTYS,

mh

--
michael hallgren, mh2198-ripe


m.hallgren at free

Jun 18, 2009, 1:05 PM

Post #7 of 10 (1258 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

On Thursday 18 June 2009 at 12:51 -0700, kris foster wrote:
> On Jun 18, 2009, at 12:35 PM, Michael Hallgren wrote:
>
> > On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
> >> This message is sent to the whole nanog list, rather than the
> >> nanog-attendees list,
> >
> > How come there is a nanog-attendees list disjunct from the nanog list.
> > Wouldn't it be natural to broadcast any kind of content to the
> > entire community?
>
> nanog-attendees is intended to be used for social and specific
> conference related topics. Topics discussed at the conference with
> operational relevance should be here on the main list.
>
> If anyone feels the need to follow up on the nanog-attendees/nanog
> distinction, please do so on nanog-futures.
>
> Thanks!
>
> Kris
> MLC Chair

Thanks MLC Chair, so will be.

mh

--
michael hallgren, mh2198-ripe


markk at arin

Jun 25, 2009, 1:38 PM

Post #8 of 10 (1081 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

Hi Sandy
On Thu, Jun 18, 2009 at 12:05:20PM -0400, Sandy Murphy wrote:
> The presentation said that ARIN would be doing a lot of work to
> improve the IRR. The last I asked, the ARIN IRR did not support the
> RPSS (Routing Policy System Security - RFC2725). RIPE supports this,
> I know. Will the ARIN improvements include support for RPSS?

The current effort will only allow for ipv6 objects (route6/inet6num). Further
enhancements to ARIN's IRR will be coupled together with improvements to ARIN
Online that will be announced in the future.

> The presentation talked about the RPKI pilot, and Mark said that
> ARIN would be using the RIPE code. I believe RIPE has or had a couple
> different attempts at this, so I'm not sure what features the code
> you use will have. Will you have the ability to hand certs to ISPs
> so that they can do their own cert generation for the allocations
> they hand to their own customers? I.e., is ARIN going to run a
> service just for its members, or will it enable its members to
> participate in the RPKI themselves?

We are using the same code that RIPE is using at http://certtest.ripe.net.
RIPE has been very kind to allow us to use their code. As for ARIN,
this is a pilot and is certainly not a final fixed-feature set. The
first go of this is the "hosted" solution where an ISP can come into
ARIN's pilot and create ROAs based off of allocations that they
have received from ARIN.

All the ROAs will be placed into a rsync repository that can be retrieved
and validated. Specifically, here are the features that are a part of the
system:

* Enables ARIN resource holders to request certificates for their IPv4 and
IPv6 Provider Aggregatable (PA) resources
* Enables ARIN resource holders to manage Route Origin Authorizations (ROAs)
for their PA address space
* Provides a public repository of certificates and ROAs
* Handles key rollovers and revocations

Thanks,
Mark
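
The hosted model described in the post above, sketched as an added example that is not part of the original message and is not ARIN's or RIPE's code: a ROA may only be created for address space inside the holder's allocations, and a relying party then classifies announcements against the published ROAs. The names `make_roa` and `origin_state`, the documentation prefixes and the ASNs are assumptions for illustration; certificate and signature validation of the repository contents is out of scope here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: documentation prefixes/ASNs, not real allocations.
ALLOCATIONS = [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("2001:db8::/32")]

@dataclass(frozen=True)
class Roa:
    asn: int          # origin AS authorized to announce the prefix
    prefix: object    # ipaddress.IPv4Network or IPv6Network
    max_length: int   # longest announced prefix length the ROA permits

def covers(outer, inner):
    """True if `inner` is the same as, or a more specific of, `outer`."""
    return outer.version == inner.version and inner.subnet_of(outer)

def make_roa(allocations, asn, prefix, max_length=None):
    """Hypothetical issuing check: refuse a ROA outside the holder's allocations."""
    net = ipaddress.ip_network(prefix)
    max_length = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    if not any(covers(a, net) for a in allocations):
        raise PermissionError(f"{net} is not within the holder's allocations")
    return Roa(asn, net, max_length)

def origin_state(roas, prefix, origin_asn):
    """Relying-party side: classify an announcement as in RFC 6811."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r.prefix, net)]
    if not covering:
        return "not-found"   # no ROA speaks for this address space
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"         # covered by a ROA, but wrong origin or too specific

if __name__ == "__main__":
    roas = [make_roa(ALLOCATIONS, 64496, "198.51.100.0/24", 25)]
    for pfx, asn in [("198.51.100.0/25", 64496), ("198.51.100.0/26", 64496),
                     ("198.51.100.0/24", 64497), ("203.0.113.0/24", 64496)]:
        print(pfx, asn, origin_state(roas, pfx, asn))
```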


randy at psg

Jun 25, 2009, 3:33 PM

Post #9 of 10 (1079 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

> The current effort will only allow for ipv6 objects
> (route6/inet6num).

s/allow for/add support for/

i hope

> We are using the same code that RIPE is using at http://certtest.ripe.net.
> RIPE has been very kind to allow us to use their code. As for ARIN,
> this is a pilot and is certainly not a final fixed-feature set. The
> first go of this is the "hosted" solution where an ISP can come into
> ARIN's pilot and create ROAs based off of allocations that they
> have received from ARIN.
>
> All the ROAs will be placed into a rsync repository that can be retrieved
> and validated. Specifically, here are the features that are a part of the
> system:
>
> * Enables ARIN resource holders to request certificates for their IPv4 and
> IPv6 Provider Aggregatable (PA) resources
> * Enables ARIN resource holders to manage Route Origin Authorizations (ROAs)
> for their PA address space
> * Provides a public repository of certificates and ROAs
> * Handles key rollovers and revocations

the simple version of the question: who holds my private key(s)?

the longer version: does this implement my having my own subsidiary CA
with it communicating with ARIN's and RIPE's ... using the protocols of
the ietf sidr work?

randy


randy at psg

Jun 29, 2009, 6:50 PM

Post #10 of 10 (972 views)
Re: question about Mark Koster's ARIN presentation [In reply to]

>> We are using the same code that RIPE is using at http://certtest.ripe.net.
>> RIPE has been very kind to allow us to use their code. As for ARIN,
>> this is a pilot and is certainly not a final fixed-feature set. The
>> first go of this is the "hosted" solution where an ISP can come into
>> ARIN's pilot and create ROAs based off of allocations that they
>> have received from ARIN.
>>
>> All the ROAs will be placed into a rsync repository that can be retrieved
>> and validated. Specifically, here are the features that are a part of the
>> system:
>>
>> * Enables ARIN resource holders to request certificates for their IPv4 and
>> IPv6 Provider Aggregatable (PA) resources
>> * Enables ARIN resource holders to manage Route Origin Authorizations (ROAs)
>> for their PA address space
>> * Provides a public repository of certificates and ROAs
>> * Handles key rollovers and revocations
>
> the simple version of the question: who holds my private key(s)?

i guess the answer is ARIN does. not very private are they.

> the longer version: does this implement my having my own subsidiary CA
> with it communicating with ARIN's and RIPE's ... using the protocols of
> the ietf sidr work?

i guess not.

so how do i, a transit provider arin member, get certs and roas for my
downstream multi-homed customers?

randy
