Internet2 Network Security SIG

[Andrew Gallo <>]

When you say "the community may wish to consider is asking their internet transit providers agree to use their ROA records."

Use them for what?  In place of IRR entries, LOAs?  Some of our upstreams have asked for nothing.  They may have checked that we have an IRR record.  On the other hand, one of our upstreams required an LOA from us allowing us to advertise our own space for an upgrade.

I'm wondering if we would have better success asking Internet2 to start requiring ROAs for all space that can be covered (that is to say, space covered by some type of agreement that allows for RPKI, which should be nearly all IPv6).

On 4/15/2019 1:52 PM, wrote:

I suggest we de-couple the issues, and here’s why:

Having more networks with ROAs makes using the RPKI database more valuable, hence more incentive to overcome its access barriers. It would only take a handful backbone providers using ARIN’s database to have a huge impact on hijacking risk.

Another incentive the community may wish to consider is asking their internet transit providers agree to use their ROA records. Perhaps The Quilt might consider adding such language to the purchasing program?

Steve

On Apr 15, 2019, at 1:32 PM, A N (via security-wg Mailing List)  wrote:

Thanks for your update. 

However, same chicken and egg situation with RPA and RPKI adoption and ARIN not budging. 


On Mon, Apr 15, 2019 at 12:21 PM < > wrote:
Thanks for the clarification. I should have said “current RSA”. Last time we requested a new resource, I think it was an additional AS, they required signing of the most current RSA. They were willing to accept changes required due to Indiana law.

Steve

Not quite.  It depends on the specific version of the RSA you have in
place.  For example, the RSA's we have signed both for v6 and the legacy
RSA are of a vintage that doesn't cover ROA use, so we have to go back 
and re-litigate the terms to get to a modern version.

As a first step, I asked ARIN to produce the specific language we had
already mutually agreed to.  After being referred to their council and 
about 8 weeks later, they are still unable to produce the specific 
language we have in place.  We had maintained copies, but appears they 
did not. 

Dale

-- 
________________________________
Andrew Gallo
The George Washington University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature