nanog mailing list archives
Re: rpki vs. secure dns?
From: Alex Band <alexb () ripe net>
Date: Sat, 28 Apr 2012 15:19:39 +0200
On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote:
> On Sat, Apr 28, 2012 at 12:34:52PM +0200, Alex Band <alexb () ripe net> wrote a message of 41 lines which said:
>
>> In reality, since the RIRs launched an RPKI production service on 1 Jan 2011, adoption has been incredibly good (for example compared to IPv6 and DNSSEC). More than 1500 ISPs and large organizations world-wide have opted-in to the system and requested a resource certificate using the hosted service, or running an open source package with their own CA.
>
> I have an experience with the deployment of DNSSEC and the problem with DNSSEC was not to have signed zones (many are, now) but to have people *using* these signatures to check the data (i.e. validating in a resolver). RPKI has many ROA (signed objects) but how many operators validate routes on their production routers? Zero?

First you need a robust system and reliable data. Native router support is coming along. We could be getting to a stage where people will use the data in production. Time will tell...

>> But it's not just that, these ISPs didn't just blindly get a certificate and walk away.
>
> Most of the ROAs are very recent. Again, the experience with DNSSEC shows that starting is easy ("DNSSEC in six minutes"). It's long term management which is *the* problem. Wait until people start to change the routing data and watch the ROAs becoming less and less correct...
>
>> Data quality is really good.
>
> It's not what you said: "It is safe to say that overall data quality is pretty bad" <https://labs.ripe.net/Members/AlexBand/resource-certification-rpki-in-the-real-world> (good paper, by the way, thanks)

A lot has changed since I wrote that. :)

-Alex