nanog mailing list archives
Re: rpki vs. secure dns?
From: Nick Hilliard <nick () foobar org>
Date: Sun, 29 Apr 2012 21:50:41 +0100
On 28/04/2012 14:04, Alex Band wrote:
At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote on RPKI at the general meeting. The result was that the RIPE NCC has the green light to continue offering the Resource Certification service, including all BGP Origin Validation related functionality. It's correct that concerns were raised in the area of security, resilience and operator autonomy, as you mention. These concerns are continuously being evaluated and addressed. The response to the update that was given at RIPE 64 two weeks ago indicated that the membership and Community are happy with the approach the RIPE NCC is taking in this regard. Of course I realize that some people will never be convinced, no matter which steps are taken…
Alex, I have to take exception with your statement that people in the RIPE region are generally happy about RPKI and the RIPE NCC RPKI project. They aren't. On the basis of some initial interest in the RIPE community several years ago, the RIPE NCC embarked on a certification + rpki project. By way of clarification for other readers of this mailing list, the RIPE NCC is a Dutch company constituted to carry out the policy requirements of the RIPE community. The way this is supposed to work is that the RIPE community puts forward policy proposals, and the RIPE NCC carries these policies out. Some time after the certification project was started in the NCC, a policy proposal (2008-08) was floated in the RIPE community in order to turn this into official RIPE policy, so that it could be formally carried out by the RIPE NCC. Mid last year, after extensive and heated discussion on the address policy working group mailing list, that policy proposal was withdrawn from the RIPE policy development process because it was clear that a large number of people in the RIPE community were deeply uneasy about a variety of implications. It is true that some of these concerns have been addressed to some extent by the NCC, but the core issues of concern are fundamental to RPKI. Later that year, several potential proposals were put forward by the RIPE NCC board at the Nov 2011 general meeting concerning the future of the RIPE NCC certification project. The RIPE NCC members - who are a fee-paying subset of the RIPE community - voted by 52% to 48% to keep funding the project. By any objective measure, this is an alarmingly slim majority. In short: - a substantial number of people, both within the RIPE community and within the RIPE NCC membership have serious concerns about the long-term legal consequences of this project which have not (in their opinion) been addressed adequately. - the RIPE NCC is now funding a project for which there is no consensus policy supported by the RIPE community, and is doing this on the basis of a hair's breath majority vote amongst its membership. Nick
Current thread:
- Re: rpki vs. secure dns?, (continued)
- Re: rpki vs. secure dns? Phil Regnauld (Apr 28)
- Re: rpki vs. secure dns? Alex Band (Apr 29)
- Re: rpki vs. secure dns? Jennifer Rexford (Apr 29)
- Message not available
- Re: rpki vs. secure dns? Stephane Bortzmeyer (Apr 29)
- Re: rpki vs. secure dns? Matthias Waehlisch (Apr 29)
- Re: rpki vs. secure dns? David Conrad (Apr 29)
- Re: rpki vs. secure dns? Alex Band (Apr 29)
- Re: rpki vs. secure dns? Randy Bush (Apr 29)
- Re: rpki vs. secure dns? Nick Hilliard (Apr 29)
- Re: rpki vs. secure dns? Florian Weimer (Apr 30)
- Re: rpki vs. secure dns? Nick Hilliard (Apr 29)
- Re: rpki vs. secure dns? Alex Band (Apr 30)
- Re: rpki vs. secure dns? Danny McPherson (Apr 30)
- Re: rpki vs. secure dns? Dmitry Burkov (Apr 30)
- Re: rpki vs. secure dns? Randy Bush (Apr 30)
- Re: rpki vs. secure dns? Jared Mauch (Apr 30)
- Re: rpki vs. secure dns? Christopher Morrow (Apr 30)
- Re: rpki vs. secure dns? Dmitry Burkov (Apr 30)
- Message not available
- Re: rpki vs. secure dns? Stephane Bortzmeyer (Apr 28)
- Message not available
- Re: rpki vs. secure dns? Stephane Bortzmeyer (Apr 28)
- Re: rpki vs. secure dns? Alex Band (Apr 28)