nanog mailing list archives

Re: RPKI and Trust Anchor question

From: Doug Barton <dougb () dougbarton us>
Date: Mon, 05 Aug 2013 21:25:18 -0700

On 08/05/2013 06:58 PM, John Curran wrote:


On Aug 5, 2013, at 2:26 PM, Marcel Plug <marcelplug () gmail com> wrote:

Hi Nanog,

Does anyone have any inside information what may be happening in the effort
to have a single trust anchor for RPKI?  Is ICANN still working on this?
If so is there any timeline or published info of any kind?

Most of the information i can find is about 2 years old.

Any links or info of any kind would be much appreciated.


Hello Marcel -

   The IAB and the five RIRs have both indicated that it is desirable
   to have a single trust anchor for RPKI.  The IAB made a statement
   in 2010 here <http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07028.html>
   and in August 2011, the RIRs asked to meet with ICANN to work towards
   "an ICANN-hosted global trust anchor for the RPKI system."
   <http://www.nro.net/news/nro-communication-to-icann-on-rpki-global-trust-anchor>
   ICANN has indicated that it is willing to host such a service, and has
   included support for it within ICANN budget each year.

   Since that time, there has been quite a bit of technical work going on
   between the RIR's and ICANN's technical teams, including work to document
   some of the technical issues that might result from having a global trust
   anchor (if you are interested in those, you might want to follow the IETF
   sidr working group.)  I would say that slow and steady progress is being
   made towards the technical ability to have a single global trust anchor
   (including understanding some of the more interesting things that happen
   with key roll-overs, blocks transfers between RIRs, etc.); my present
   estimate is that we'll have a solid understanding of technical steps and
   consequences for deploying a RPKI global trust anchor by the end of 2013.
   There is discussion of preparing a ICANN/RIR testbed at that time to
   demonstrate technical compatibility and functionality of the RPKI system
   while making use of a Global Trust Anchor.

   In parallel, there is another set of issues being worked, and that is
   engaging with the operator community in each region to understand their
   desire for having a global trust anchor.  It has been noted that relying
   on such a construct will effectively create a single point of "control"
   for Internet operational routing (to the extent that folks everywhere
   begin actively validating routes using RPKI.)  There is a single point
   of failure argument against a global trust anchor, as well as creation
   of a point of potential compromise, whether due to malfeasance or actual
   governmental interference.  Note that these types of concerns are very
   similar to those faced by DNSSEC, and in that case they were able to be
   managed in an acceptable manner.  The discussion of the merit of a single
   trust anchor is still ongoing among operators globally, and will need to
   reach convergence in order to proceed (in addition to the technical issues
   outlined above.)

   So, Marcel, please allow me to turn the question around...  Do you
   do you believe that there should be an RPKI Global Trust Anchor?
   Are you concerned about the potential aggregation of control and
   risk that may result? (Feel free to answer me privately if you
   would prefer.)

   At the point in time when we understand the technical architecture
   being proposed and its implications, we will formally poll the ARIN
   and NANOG community on the question of whether there is support for
   having an RPKI Global Trust Anchor.  My best estimate is that this
   will occur near the end of this year, but there's nothing wrong with
   having some discussion in the meantime if the mailing list is otherwise
   quiet.  :-)

I hope this provides some insight - thank you for asking about it,
as it has been too long since any status update on this project
(I will work on that as well for the very near future.)

Thanks!
/John

John Curran
President and CEO
ARIN


John,

Thanks for the update! It's good to hear that progress is being made.

Is there a place where the challenges and solutions are being discussedpublicly? It's interesting that you raise DNSSEC in comparison since thetwo technologies have many similarities. One of the things that madeDNSSEC successful was the wide-ranging public discussion that not onlyled to concerns that would likely not have been uncovered otherwise, butalso solutions to those and other problems.


Doug

Current thread:

RPKI and Trust Anchor question Marcel Plug (Aug 05)
- Re: RPKI and Trust Anchor question Rubens Kuhl (Aug 05)
  - Re: RPKI and Trust Anchor question David Conrad (Aug 05)
    - Re: RPKI and Trust Anchor question Barbara Roseman (Aug 05)
    - Re: RPKI and Trust Anchor question David Conrad (Aug 06)
    - Re: RPKI and Trust Anchor question Valdis . Kletnieks (Aug 06)
    - Re: RPKI and Trust Anchor question Randy Bush (Aug 06)
- Re: RPKI and Trust Anchor question John Curran (Aug 05)
  - Re: RPKI and Trust Anchor question Doug Barton (Aug 05)
    - Re: RPKI and Trust Anchor question John Curran (Aug 06)
  - Re: RPKI and Trust Anchor question Marcel Plug (Aug 06)