10 Jun
2020
10 Jun
'20
12:26 p.m.
Just an example isn't helpful here. A few issues:
- Resource PKI and web PKI are completely different and incompatible
- RIRs do not trust people, people trust RIRs.
- 44net is not a legacy allocation, is is part of an ARIN /8
- 44net could setup their own TAL however then ever RPKI validator would
need that imported (something which would be difficult to do)
Thanks,
Q
Director
AS207960 Cyfyngedig
https://as207960.net
On Wed, 10 Jun 2020 at 17:23, Tom Cardinal via 44Net <44net(a)mailman.ampr.org>
wrote:
Cynthia,
I only listed them as an example, my point was a having our own CA
signed by a signing org that is trusted by RIRs. If that be ARIN then
so be it. More importantly though, as you know, we have a legacy
allocation. In my opinion we are equal to an RIR but with the ability
to make global allocations from the 44.0/9 and 44.128/10 space.
--ton/n2xu 44.98.63.0/29.
On 6/10/20 7:38 AM, Cynthia Revström via 44Net wrote:
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
Tom,
As Q already mentioned, Thawte or Comodo (now called Sectigo) are for Web
PKI, not RPKI, they have nothing to do with this.
And not to mention the huge requirements something like that would have,
and enormous fees.
Not entirely sure what you mean by "act as an IR"?
44net(a)mailman.ampr.org>
They would have to accept it much like ARIN and
RIPE trust each other
In the context of RPKI, ARIN and RIPE NCC do not trust each
other, they
have their own Root CAs (TALs), which are independent of each other.
An RPKI validator has to use both of them.
- Cynthia
On Wed, Jun 10, 2020 at 2:33 PM Q Misell via 44Net < wrote:
> CA's like Thawte or Comodo won't work for this, they're for web PKI not
> resource PKI.
> The 44.0.0.0/9 cert would have to be signed by one of the RIR's trust
> anchors (probably ARIN since they have 44.0.0.0/8 assigned to them)
>
> Thanks,
> Q
>
>
> On Wed, 10 Jun 2020 at 13:28, Tom Cardinal via 44Net <
> 44net(a)mailman.ampr.org>
> wrote:
>
>> I've been monitoring this discussion. Since our space was allocated by
>> Jon Postel, initially around 1981 (ish), why can't we create our own
>> trust model (CA signed by a CA signing agency like Thawte or Comodo as
>> examples) and act as an IR for the 44.0/9 and 22.128/10 space ourselves
>> and publish that trust model to the RIRs? They would have to accept it
>> much like ARIN and RIPE trust each other. Then RPKI would work for
>> AMPRNet and AMPRNet would control it's own destiny.
>>
>> --tom/n2xu 44.98.62.0/29
>>
>>
>> On 6/2/20 2:34 PM, Jonathan Lassoff via 44Net wrote:
>>> I can sympathize with the sentiment that RPKI and widespread RPKI
>>> adoption in its current form will really lock out and disenfranchise
>>> smaller network operators.
>>>
>>> Now, *more than ever*, we need to enable an Internet that any
>>> organization (a natural person, a registered entity, a hackerspace,
>>> etc.) can connect to, uniquely address itself, and begin exchanging
>>> traffic.
>>>
>>> In order to enable such an open system to function, we also need ways
>>> of ensuring that unicast addresses are unique and that there is some
>>> public, verifiable way of claiming ownership of IP space. Without
>>> this, the entire network is open to disruption and abuse by almost any
>>> operator. It's amazing we have gotten so far on the good will of most
>>> operators.
>>>
>>> The RIR model of lawyers, paperwork, and public databases works for a
>>> lot of people and organizations. IRR was the first step, but it was
>>> complex and a bit clunky to use. I see RPKI for Origin Validation as
>>> just the first/next step of extending this model of trust and
>>> numbering resource ownership into the routing protocol space more
>>> directly.
>>> From a technical standpoint, this logical extension of systems
makes
a
> lot of sense and I don't have a problem with
it.
>
> For commercial network operators, a RIR registration is just the cost
> of doing business.
> But for many small nonprofits, regional amataur radio/network
> operators, or individuals, a few thousand dollars/euros a year is a
> lot of money that makes Internet independence out of reach.
> They end up having to resort to the hegemony of their local incumbent
> monopoly and chain themselves to the whims of their upstreams and
> regulators.
>
> I suspect many legacy resource holders find themselves in a similar
> limbo-state of not wanting to participate in the RIR model and pay
> money for essentially nothing.
>
>
>
>
> Echoing some similar earlier sentiments to want to create a CA for
> legacy address holders: How feasible would it be to create something
> RIR-like, but noncommercial?
> A place for legacy address holders to coordinate and register
> resources seems like a natural fit. If we're going to operate a
> database of ROAs, we're going to need some database of address space
> ownership.
> For 44net use cases, this seems really straightforward, since we have
> the Portal to draw from. But for other organizations, it gets a bit
> more complicated to do properly. Given some random email
> address/account in some hypothetical legacy RIR, how can we really
> validate that they're authorized to take actions on behalf of some
> organization?
> To take some random examples from the IANA IPv4 list: DISA, USPS,
> AT&T, Apple, etc. Doing this right is going to take some process,
> record keeping, and well.... work.
> With this context, I can see how a lot of RIRs go commercial. However,
> with a bit of automation, good documentation and records, and some
> dedicated volunteers, this seems like a really doable/achievable thing
> in the netops community.
>
> I would be curious to know if anyone else shares these views/dreams
> and would like to chat about it.
>
> Stay safe and sane out there.
>
> Cheers,
> jof
>
> On Tue, 2 Jun 2020 at 08:18, Job Snijders via 44Net
> <44net(a)mailman.ampr.org> wrote:
>> Thomas,
>>
>> You say
>>
>> On Tue, Jun 2, 2020, at 04:17, Thomas Jones - KG5ZI /8 via 44Net
wrote:
>>> DO NOT participate in RPKI!
>> And ...
>>
>>> We should be protecting our Internet!! Just saying...
>> What are you really saying? These statements seem at odds with each
other.
>> How do you protect your internet? Maybe I can learn some tricks from
you?
>> Kind regards,
>>
>> Job
>> _________________________________________
>> 44Net mailing list
>> 44Net(a)mailman.ampr.org
>> https://mailman.ampr.org/mailman/listinfo/44net
> _________________________________________
> 44Net mailing list
> 44Net(a)mailman.ampr.org
> https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net