I agree with Alex that without a hosted solution RIPE NCC wouldn't have
so many ROAs today, for us, even with it, it has been more difficult to roll
out RPKI among our ISPs. As many, I do not think that a hosted suits to
everybody and it has some disadvantages but at leas it could help to lower the
entry barrier for some.
Speaking about RPKI stats, here some ROA evolution in various TAs (the
data from ARIN is from their beta test, the rest are production systems):
http://www.labs.lacnic.net/~rpki/rpki-evolution-report_EN.txt
And visually:
http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/global-roa-heatmap.png
and
http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/
To see each region.
http://www.labs.lacnic.net/~rpki/rpki-heatmaps
Also, bgpmon has a nice whois interface for humans to see ROAs (not
sure if this link was share here or in twitter, sorry if I am duplicating):
http://bgpmon.net/blog/?p=414
Best regards,
-as
On 29 Jan 2011, at 13:26, Alex Band wrote:
> John,
>
> Thanks for the update. With regards to offering a hosted solution, as you
> know that is the only thing the RIPE NCC currently offers. We're developing
> support for the up/down protocol as I write this.
>
> To give you some perspective, one month after launching the hosted RIPE NCC
> Resource Certification service, 216 LIRs are using it in the RIPE Region and
> created 169 ROAs covering 467 prefixes. This means 40151 /24 IPv4 prefixes
> and 7274499 /48 IPv6 prefixes now have a valid ROA associated with them.
>
> I realize a hosted solution is not ideal, we're very open about that. But at
> least in our region, it seems there are quite a number of organizations who
> understand and accept the security trade-off of not being the owner of the
> private key for their resource certificate and trust their RIR to run a
> properly secured and audited service. So the question is, if the RIPE NCC
> would have required everyone to run their own certification setup using the
> open source tool-sets Randy mentions, would there be this much certified
> address space now?
>
> Looking at the depletion of IPv4 address space, it's going to be crucially
> important to have validatable proof who is the legitimate holder of Internet
> resources. I fear that by not offering a hosted certification solution, real
> world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet
> community afford that?
>
> Alex Band
> Product Manager, RIPE NCC
>
> P.S. For those interested in which prefixes and ASs are in the RIPE NCC ROA
> Repository, here is the latest output in CSV format:
> http://lunimon.com/valid-roas-20110129.csv
>
>
>
> On 24 Jan 2011, at 21:33, John Curran wrote:
>
>> Copy to NANOG for those who aren't on ARIN lists but may be interested in
>> this info.
>> FYI.
>> /John
>>
>> Begin forwarded message:
>>
>> From: John Curran <jcur...@arin.net<mailto:jcur...@arin.net>>
>> Date: January 24, 2011 2:58:52 PM EST
>> To: "arin-annou...@arin.net<mailto:arin-annou...@arin.net>"
>> <arin-annou...@arin.net<mailto:arin-annou...@arin.net>>
>> Subject: [arin-announce] ARIN Resource Certification Update
>>
>> ARIN continues its preparations for offering production-grade resource
>> certification
>> services for Internet number resources in the region. ARIN recognizes the
>> importance
>> of Internet number resource certification in the region as a key element of
>> further
>> securing Internet routing, and plans to rollout Resource Public Key
>> Infrastructure (RPKI)
>> at the end of the second quarter of 2011 with support for the Up/Down
>> protocol for those
>> ISPs who wish to certify their subdelegations via their own RPKI
>> infrastructure.
>>
>> ARIN continues to evaluate offering a Hosting Resource Certification service
>> for this
>> purpose (as an alternative to organizations having to run their own RPKI
>> infrastructure),
>> but at this time it remains under active consideration and is not committed.
>> We look
>> forward to discussing the need for this type of service and the organization
>> implications
>> atour upcoming ARIN Members Meeting in April in San Juan, PR.
>>
>> FYI,
>> /John
>>
>> John Curran
>> President and CEO
>> ARIN
>>
>> _______________________________________________
>> ARIN-Announce
>> You are receiving this message because you are subscribed to
>> the ARIN Announce Mailing List
>> (arin-annou...@arin.net<mailto:arin-annou...@arin.net>).
>> Unsubscribe or manage your mailing list subscription at:
>> http://lists.arin.net/mailman/listinfo/arin-announce
>> Please contact i...@arin.net if you experience any issues.
>>
>>
>
