Don't usually feel the need to +1, but I doubt anyone can add much more to this than "well said".
Warm regards,
-M

On Wed, Jun 7, 2023 at 11:09 AM Heather Schiller <heather.ska...@gmail.com> wrote:

> ARIN is relatively neutral on such things. They take their mandate from the community. The *community* wants RPKI deployed. The *community* pushed and begged for ARIN to participate. ARIN held several consultations and public discussions on whether or not they should participate and then what types of service to offer. That's a fundamental thing folks should understand about ARIN's mission.
>
> There are several technical forums, NANOG, MANRS, SIDR Ops in IETF, that are a better fit for implementation discussion and assistance. It is not ARIN's mission to dictate to vendors how something should work -- chat up the helpful folks on the SIDR Ops, that is *their* mandate. It is occasionally ARIN's mission to raise awareness and educate the public on how something works -- when the community requests it and it aligns with their mission -- see ARIN's years of IPv6 outreach as an example. Even then, ARIN facilitated discussions, pulling AC members and folks from the community to do the presentations.
>
> The use case of having large content providers, banks, communications providers, and other critical infrastructure unavailable to significant portions of the internet because someone leaked a /24 they were hijacking to prevent their citizens accessing a service is a bit more important to the overall security and stability of the internet than a few devices responding to some leaky VPN traffic.
>
> What I say to orgs who give a lot of money to Spamhaus... You are doing security wrong. There are enormous business critical institutions and governments that want to see RPKI deployed, to prevent both outages and interception. Those use cases far outweigh "I don't want anything on my network to respond to packets from an arbitrary list". Spamhaus's pricey lists are designed to be applied to your email service, not your entire routing infrastructure. Use of RPKI should reduce or eliminate the need for CYMRU's (free!) bogon service and Spamhaus (free!) DROP service. CYMRU's (free!) UTRS list provides a very limited set of prefixes to discard traffic to, to mitigate a DoS attack -- it is not designed to make *your* network any more secure, but rather protect *others* from *your* network. Spamhaus (free!) EDROP service *could*, rightly, break against RPKI -- I haven't gone to see how many prefixes on the EDROP list have ROAs and there are workarounds. Overall, you really aren't in a worse security position for deploying RPKI.
>
> Shout it from the rooftops, deploy RPKI everywhere.
>
> --Heather
>
>
> On Wed, Jun 7, 2023 at 1:13 AM Michel Py via ARIN-PPML <arin-ppml@arin.net> wrote:
>
>> In private...
>>
>> > Can you articulate something ARIN could do which would improve the basic fact that configuring and maintaining cryptographic validation systems is technically challenging?
>>
>> Private shame on Cisco to do something better than a half-baked implementation that breaks things?
>> If ARIN wants RPKI deployed, ARIN needs to understand that RPKI does not have much of a business case that executives can see, and that if it breaks even slightly security it's going to end nowhere.
>>
>> What do you say to orgs who give a lot of money to SpamHaus and other pricey feeds and suddenly see them ineffective because of a cheesy RPKI implementation? They won't touch it again for years and tell everyone to stay away from it.
>>
>> Michel
>>
>>
>> -----Original Message-----
>> From: William Herrin <b...@herrin.us>
>> Sent: Tuesday, June 6, 2023 1:58 PM
>> To: Michel Py <mic...@arneill-py.sacramento.ca.us>
>> Cc: PPML <arin-ppml@arin.net>
>> Subject: Re: [arin-ppml] implementing RPKI prefix validation actually increases risk
>>
>> On Tue, Jun 6, 2023 at 10:38 AM Michel Py <mic...@arneill-py.sacramento.ca.us> wrote:
>> > the point I was trying to make was about why protocols are not being adopted. I have some concern that RPKI may eventually die from a thousand cuts; none of the issues are fatal, but the accumulation of them sure is annoying.
>>
>> Hi Michel,
>>
>> Unless ARIN did something or failed to do something which contributed to the problem you described, it's not obvious that such information is useful here. Can you articulate something ARIN could do which would improve the basic fact that configuring and maintaining cryptographic validation systems is technically challenging?
>>
>> There are certainly things ARIN could do to improve RPKI uptake, but I'm not aware of any that are responsive to the specific concern you raised.
>>
>> Regards,
>> Bill Herrin
>>
>>
>>
>> --
>> William Herrin
>> b...@herrin.us
>> https://bill.herrin.us/
>> _______________________________________________
>> ARIN-PPML
>> You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML@arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-ppml
>> Please contact i...@arin.net if you experience any issues.
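Heather's point that RPKI origin validation and Spamhaus DROP/EDROP-style discard lists overlap, and can disagree, is something an operator can check mechanically. The following is an added example, not code from this thread or from ARIN, Spamhaus or Team Cymru: it implements RFC 6811 route origin validation over a constructed ROA set and then reports which entries of a constructed DROP-style list are covered by a ROA, which is the "how many prefixes on the EDROP list have ROAs" question raised above. All prefixes (documentation ranges) and ASNs (private range) are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: prefix, authorised origin AS, maxLength."""
    prefix: str
    asn: int
    max_len: int


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when it is the same address family and the
        # route lies inside (or equals) the ROA prefix.
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "notfound"  # no ROA speaks to this prefix at all
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_len:
            return "valid"  # a covering ROA authorises this origin at this length
    return "invalid"  # covered, but wrong origin AS or more specific than maxLength


def drop_entries_with_roa(drop_list, roas):
    """Return (drop_prefix, roa_prefix, roa_asn) for DROP-style entries that overlap
    a ROA: space the RPKI says is legitimately originated but the list says to drop."""
    hits = []
    for entry in drop_list:
        dnet = ipaddress.ip_network(entry)
        for roa in roas:
            rnet = ipaddress.ip_network(roa.prefix)
            if rnet.version == dnet.version and rnet.overlaps(dnet):
                hits.append((entry, roa.prefix, roa.asn))
    return hits


# Constructed sample data: documentation prefixes and private ASNs, not real ROAs or DROP data.
ROAS = [
    ROA("192.0.2.0/24", 64500, 24),
    ROA("198.51.100.0/24", 64501, 25),
    ROA("2001:db8::/32", 64502, 48),
]
DROP_LIST = ["203.0.113.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("192.0.2.0/24", 64666), ("203.0.113.0/24", 64500)]:
        print(pfx, asn, rov_state(pfx, asn, ROAS))
    print("DROP entries covered by a ROA:", drop_entries_with_roa(DROP_LIST, ROAS))
```

A non-empty result from `drop_entries_with_roa` is exactly the case where a router applying both an RPKI "invalid == reject" policy and the discard list reaches the two decisions from different data, so those entries deserve a manual look before either filter is trusted alone.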