> On 19 Sep 2018, at 10:37, Christopher Morrow <morrowc.li...@gmail.com> wrote: > > > > On Wed, Sep 19, 2018 at 1:33 AM Phil Lavin <phil.la...@cloudcall.com> wrote: > > What about an one-off outreach effort? > >> Makes sense to me. As someone who (at least pretends to) care, I was very >> much unaware of RPKI before seeing discussion about it on NANOG and #ix. >> >> That said, having recently done this with ARIN... they've got a long way to >> go before it's a simple process (like RIPE). Submitting numerous tickets >> over a 3 day period doesn't strike me as particularly efficient. If outreach >> was done and widely taken up, I'd think ARIN's help desk will struggle to >> meet the demand. If this is the case and it's a multi-week process to get >> RPKI set up, it would be expected that people will give up part way through >> the process. >> > Phil. Thanks, this is interesting input.. I expected that the system arin > setup was on-par with that which ripe/apnic have setup... huh, I'm surprised > that it required any tickets at all to accomplish :(
ARIN offers all of the features that the other RIRs do, but usability remains a (big) barrier. I did a talk at NANOG several years ago demonstrating how usability of the hosted RPKI system greatly impacted adoption and data quality in the RIPE region: https://youtu.be/R2VV_APOFL8 At the time, a lot of effort went into providing a hosted RPKI system that suggested ROAs based on best practices, showed what the impact on BGP announcements was going to be and sent alerts when misconfigurations or hijacks occurred. This gives operators the confidence to use and maintain the system. As a result, the data set is now big and high quality enough for operators to start dropping invalids. I’d be interested to hear how many operators in the ARIN region would be willing to set up ROAs (and maintain them!) if it weren’t so hard to do. This might entice ARIN to address the usability issue. Because non-repudiation or not, this process shouldn’t have to take several tickets and several days. Be that as it may, we fully intend to build a Delegated CA that is on par with RIPE’s user experience so that operators can run RPKI themselves in a usable way. Alex Band NLnet Labs
