nanog mailing list archives

Re: ARIN RPKI TAL deployment issues


From: Jared Mauch <jared () puck nether net>
Date: Tue, 25 Sep 2018 20:18:02 -0400



On Sep 25, 2018, at 7:55 PM, Michel Py <michel.py () tsisemi com> wrote:

John,

John Curran wrote :
2) They could not agree to ARIN RPA agreement (for which the most cited reason is the indemnification clause, but 
perplexing given agreement to other indemnification clauses such as RIPE’s Certification services.)

I would entertain that "could not agree to ARIN RPA" is why they don't use the TAL. I may not be representative, but  
I knew I had to download it.
And maybe you missed a third possibility :
3) Nobody really cares about the ARIN TAL because almost nobody has validated a prefix within the ARIN region; 
therefore installing the ARIN TAL is almost useless :-(

We don't only have a problem with TAL deployment, we also have an adoption issue.
And possibly an egg-and-chicken issue : nobody deploys the TAL because nobody validates their prefixes, and vice 
versa.

Actually there are prefixes in the ARIN region with ROAs, and one would presume that issuing the ROA means you want it 
to be validated as well.  (Similar to hosting a website on SSL vs HTTP or even gopher://)

The intent is at least there, and similar to DNSSEC, publishing your DS record in the parent is part of that explicit 
configured intent.

Saying “nobody validates their prefixes” is patently false.  You may not.  I may not, but there are a number of 
networks that are and have advertised that they are.

I’m not saying you need to secure your network, but if you want to secure your routes and have an allocation from ARIN, 
you really need their TAL to be in the default trust store similar to how you have your PKI trust store in your OS, 
Browser, etc…

I need my local geographic RIR to care that their anchor is included by default and to make it clear that distributing 
the TAL is different from _using_ the TAL.  Just because I have CA roots in my browser trust store does not mean I am 
using them all, but if I need to it will work.

On my Mac when I upgrade Xcode it often asks me to accept the License for what I downloaded.  The same is true if you 
use gnu parallel, it outputs some wonderful legalese.  There are many comparisons, which is why I’m asking that ARIN 
permit developers to make it easier for end-users to use the PKI material that makes the global ecosystem more complete 
and secure.  If to start you have to edit the config file to say “I accept arin license for this”=yes would that work?  
We need that outreach and clarity because at present it’s not there by default and there is a communication gap between 
the various developers and ARIN.

Those that are issuing ROAs (or are soon to) depend on this.  Like I said previously, I’m going to be talking to each 
ARIN candidate for election this fall about this very topic and what actions they intend to do to support global secure 
routing.

Michel, it would be a shame if you created a ROA and it could not be validated in some non-English speaking corner of 
the world that put your assets at risk due to this posture.  The community needs secure by default for all regions and 
the barriers for ARIN IP space are a real and measured problem.  It’s time to end this disparity as right now not all 
TALs are equal.  They should be.

- Jared
