[AusNOG] FW: [sig-routing] prop-059: Using the Resource Public Key Infrastructure to construct validated IRR data

Stephen Baxter Stephen.Baxter at staff.pipenetworks.com
Tue May 13 23:01:24 EST 2008


I am not sure if people see this list but this looks very operationally
relevant so far as the way things may be done in future.

Cheers,

SB 

-----Original Message-----
From: sig-routing-bounces at lists.apnic.net
[mailto:sig-routing-bounces at lists.apnic.net] On Behalf Of Philip Smith
Sent: Friday, 9 May 2008 8:06 PM
To: sig-routing at lists.apnic.net
Subject: Re: [sig-routing] prop-059: Using the Resource Public Key
Infrastructure to construct validated IRR data

Hi everyone,

It has been a month since I sent you all this e-mail regarding policy 
proposal 59.

If you haven't already done so, please will you read the policy 
proposal: http://www.apnic.net/policy/discussions/prop-059-v001.txt

Do you have any questions about the proposal?

Do you agree that it is useful to construct an IRR out of certified 
resources placed in the RPKI?

Do you oppose the proposal? If so, please explain why.

As I mentioned last month, this proposal will be discussed at the 
meeting of the Routing SIG at APNIC 26 in Christchurch at the end of
August.

I would like to see constructive discussion about this on the mailing 
list before we arrive in Christchurch though.

Thanks!

philip
--

Philip Smith said the following on 3/4/08 21:34:
> Dear SIG members
> 
> The proposal 'Using the Resource Public Key Infrastructure to construct
> validated IRR data' has been sent to the Routing SIG for review. It will
> be presented at the Routing SIG at APNIC 26 in Christchurch, New
> Zealand, 25-29 August 2008.
> 
> The proposal's history can be found at:
> 
>            http://www.apnic.net/policy/proposals/prop-059-v001.html
> 
> We invite you to review and comment on the proposal on the mailing list
> before the meeting.
> 
> The comment period on the mailing list before an APNIC meeting is an
> important part of the policy development process. We encourage you to
> express your views on the proposal:
> 
>       - Do you support or oppose this proposal?
> 
>       - Does this proposal solve a problem you are experiencing? If so,
>         tell the community about your situation.
> 
>       - Do you see any disadvantages in this proposal?
> 
>       - Is there anything in the proposal that is not clear?
> 
>       - What changes could be made to this proposal to make it more
>         effective?
> 
> 
> Philip Smith
> Routing SIG Chair
> --
> 
> ________________________________________________________________________
> 
> prop-059-v001: Using the Resource Public Key Infrastructure to
>                  construct validated IRR data
> ________________________________________________________________________
> 
> 
> Author:    Randy Bush
> 
> Version:   1
> 
> Date:      31 March 2008
> 
> 
> 1.  Introduction
> ----------------
> 
> This is a proposal to introduce a new registry that augments Internet
> Routing Registry (IRR) data with the formally verifiable trust model of
> the Resource Public Key Infrastructure (RPKI) and provide ISPs with the
> tools to generate an overlay to the IRR which is much more strongly
> trustable.
> 
> 
> 2.  Summary of current problem
> ------------------------------
> 
> The current methods for adding or updating Internet Routing Registry
> (IRR) data have weak security, and lack an inherently formally
> verifiable structure, resulting in a low level of trust in IRR data.
> 
> To address the problem of this low level of trust in IRR data, there
> have been proposals to use Resource Public Key Infrastructure (RPKI) to
> sign IRR data. The problem with most of the proposed schemes, however,
> is that they are conceptually weak and hard to implement due to the
> differences between the trust structures of the IRR and the RPKI.
> 
> More recently, however, Ruediger Volk has described a very simple method
> of using the RPKI that involves no change to the IRR, software that uses
> the IRR, or the RPKI.
> 
> This is a proposal to implement Ruediger Volk's idea to strengthen the
> operators' use of data in the global IRR.
> 
> 
> 3.   Situation in other RIRs
> ----------------------------
> 
> This proposal has yet to be made in any other RIR.
> 
> 
> 4.   Details of the proposal
> ----------------------------
> 
> It is proposed that:
> 
> 4.1 APNIC publish a new IRR that contains 'route' objects generated from
>       Route Origin Authorizations (ROAs) in the RPKI.
> 
>       - This new IRR would accept 'route' objects generated from the
>         global RPKI, and would therefore cover the entire routing space,
>         in so much as the RPKI covers the global space.
> 
>       - Operators who use the IRR to generate routing filters can choose
>         to put this new IRR registry logically in front of the other
>         registries. Operators can then give preference to routing origin
>         information that can be formally validated.
> 
>       - This new registry would be made available as an IRR publication
>         point.
> 
> 
> 4.2 APNIC publish an open source tool that enables network operators to
>       generate their own overlay IRR publication points themselves.
> 
>       - Such generated IRR publication points should be identical to the
>         one generated and made available by APNIC.
> 
>       - Producing overlay IRR publication points allows security
>         conscious operators to have a more formal trust model that
>         prevents attacks on the IRR segment generated and served by
>         APNIC.
> 
> 
> 5.   Advantages and disadvantages of the proposal
> -------------------------------------------------
> 
> Advantages:
> 
> - Router filters would be more reliable as they would prefer RPKI
>     validated origins, where available, rather than those not validated
>     in the RPKI.
> 
>     ISPs would achieve this by configuring tools that automatically
>     generate router filters to give priority to the IRR publication point
>     of the new registry based on RPKI-signed objects.
> 
> - The community will have an enhanced ability to filter BGP peer
>     prefixes at no additional cost or changes to the data or tool bases.
>     This would increase the reliability of the global routing system.
> 
> - This new IRR publication point would be much simpler than other
>     current ideas about how to use RPKI in conjunction with IRR data.
> 
> - This proposal requires no changes to RPSL, the IRR, IRR toolsets, or
>     the RPKI.
> 
> 
> Disadvantages:
> 
> - None are known.
> 
> 
> 6.   Effect on APNIC members
> ----------------------------
> 
> See 'Advantages' above.
> 
> 
> 7.   Effect on NIRs
> -------------------
> 
> None are known.
> 
> 
> 
> <end>
> *              sig-routing:  APNIC SIG on IP routing technology and policy issues           *
> _______________________________________________
> sig-routing mailing list
> sig-routing at lists.apnic.net
> http://mailman.apnic.net/mailman/listinfo/sig-routing
> 

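Worked illustration of sections 4.1 and 5 of the proposal, added here and not part of the proposal, of APNIC's tooling or of anything its author published: a few constructed ROAs are rendered as RPSL route/route6 objects for the overlay registry, and a merge places that registry logically in front of a constructed legacy IRR so that a validated origin shadows an unvalidated one for the same prefix. Prefixes and ASNs are documentation and private-use values chosen for the example; the `source:` name `RPKI-OVERLAY` is an assumption.

```python
import ipaddress

# Constructed sample data (documentation prefixes and private-use ASNs);
# not taken from the proposal or from any real registry.
SAMPLE_ROAS = [
    {"prefix": "192.0.2.0/24", "max_length": 24, "asn": 64496},
    {"prefix": "2001:db8::/32", "max_length": 48, "asn": 64496},
]
SAMPLE_LEGACY_ROUTES = [
    ("192.0.2.0/24", 64511),     # unvalidated object with a conflicting origin
    ("198.51.100.0/24", 64500),  # present only in the legacy IRR
]

def roa_to_rpsl(roa, source="RPKI-OVERLAY"):
    """Render one ROA as an RPSL route (IPv4) or route6 (IPv6) object.
    The overlay carries one object per ROA prefix; maxLength is kept as a
    remark because RPSL route objects have no equivalent attribute."""
    net = ipaddress.ip_network(roa["prefix"], strict=True)
    attr = "route6" if net.version == 6 else "route"
    return (
        f"{attr + ':':<12}{net.with_prefixlen}\n"
        f"{'origin:':<12}AS{roa['asn']}\n"
        f"{'remarks:':<12}derived from ROA, maxLength {roa['max_length']}\n"
        f"{'source:':<12}{source}\n"
    )

def origin_table(pairs):
    """Map each prefix to the set of ASNs registered as its origin."""
    table = {}
    for prefix, asn in pairs:
        table.setdefault(prefix, set()).add(asn)
    return table

def merged_origins(roas, legacy_pairs):
    """Put the RPKI-derived registry logically in front of the legacy IRR:
    a prefix that has a ROA takes only its ROA origins; any other prefix
    falls back to whatever the legacy IRR says about it."""
    overlay = origin_table((r["prefix"], r["asn"]) for r in roas)
    merged = origin_table(legacy_pairs)
    merged.update(overlay)  # first-listed source wins, as IRR tools order sources
    return merged

def accepted_prefixes(merged, asn):
    """Prefixes a filter built from the merged view accepts with origin asn."""
    return sorted(p for p, origins in merged.items() if asn in origins)

if __name__ == "__main__":
    view = merged_origins(SAMPLE_ROAS, SAMPLE_LEGACY_ROUTES)
    print(roa_to_rpsl(SAMPLE_ROAS[0]), "AS64511 may announce:", accepted_prefixes(view, 64511))
```

Because the overlay sits in front, the conflicting legacy origin AS64511 for 192.0.2.0/24 is never admitted to the filter, while 198.51.100.0/24 keeps its legacy origin since no ROA covers it.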
