> On Sep 25, 2018, at 7:55 PM, Michel Py <michel...@tsisemi.com> wrote:
>
> John,
>
>> John Curran wrote:
>> 2) They could not agree to ARIN RPA agreement (for which the most cited
>> reason is the indemnification clause, but perplexing given agreement to
>> other indemnification clauses such as RIPE’s Certification services.)
>
> I would entertain that "could not agree to ARIN RPA" is why they don't use
> the TAL. I may not be representative, but I knew I had to download it.
> And maybe you missed a third possibility:
> 3) Nobody really cares about the ARIN TAL because almost nobody has validated
> a prefix within the ARIN region therefore installing the ARIN TAL is almost
> useless :-(
>
> We don't only have a problem with TAL deployment, we also have an adoption
> issue.
> And possibly an egg-and-chicken issue: nobody deploys the TAL because nobody
> validates their prefixes, and vice versa.
Actually there are prefixes in the ARIN region with ROAs, and one would presume
that issuing the ROA means you want it to be validated as well. (Similar to
hosting a website on SSL vs HTTP or even gopher://)

The intent is at least there, and similar to DNSSEC, publishing your DS record
in the parent is part of that explicit configured intent.

Saying “nobody validates their prefixes” is patently false. You may not. I
may not, but there are a number of networks that are and have advertised that
they are.

I’m not saying you need to secure your network, but if you want to secure your
routes and have an allocation from ARIN, you really need their TAL to be in the
default trust store, similar to how you have your PKI trust store in your OS,
browser, etc…

I need my local geographic RIR to care that their anchor is included by default
and to make it clear that distributing the TAL is different from _using_ the
TAL. Just because I have CA roots in my browser trust store does not mean I am
using them all, but if I need to it will work.

On my Mac when I upgrade Xcode it often asks me to accept the License for what
I downloaded. The same is true if you use gnu parallel, it outputs some
wonderful legalese. There are many comparisons, which is why I’m asking that
ARIN permit developers to make it easier for end-users to use the PKI material
that makes the global ecosystem more complete and secure. If, to start, you have
to edit the config file to say “I accept arin license for this”=yes, would that
work? We need that outreach and clarity because at present it’s not there by
default and there is a communication gap between the various developers and
ARIN.

Those that are issuing ROAs (or are soon to) depend on this. Like I said
previously, I’m going to be talking to each ARIN candidate for election this
fall about this very topic and what actions they intend to take to support global
secure routing.

Michel, it would be a shame if you created a ROA and it could not be validated
in some non-English speaking corner of the world, putting your assets at risk
due to this posture. The community needs secure by default for all regions, and
the barriers for ARIN IP space are a real and measured problem. It’s time to
end this disparity, as right now not all TALs are equal. They should be.

- Jared