
netsec-sig - Re: [Security-WG] [External] Re: ARIN, RPKI, and legal barriers....

Subject: Internet2 Network Security SIG

  • From: "Montgomery, Douglas (Fed)" <>
  • To: " List:" <>
  • Subject: Re: [Security-WG] [External] Re: ARIN, RPKI, and legal barriers....
  • Date: Mon, 15 Apr 2019 21:50:53 +0000


What NTT is doing:
https://mailman.nanog.org/pipermail/nanog/2018-July/096359.html

NTT also has irrd code to use RPKI to filter IRR data to clean up IRR
security/error issues.
https://nlnog.net/static/nlnogday2018/9_routing_security_roadmap_nlnog_2018_snijders.pdf


dougm
--
DougM at NIST


On 4/15/19, 5:18 PM, "Andrew Gallo" < on
behalf of > wrote:

I think NTT is working to expose RPKI via IRR work flows, and in fact,
might be using ROAs in place of IRR (if overlap exists), something along
the lines of:

ROA > IRR > nothing (??)

We haven't seen the groundswell of RPKI adoption from the ground up.
Sadly, I think what will drive adoption is when a few of the big content
networks start requiring it. There are rumblings that Google is going
that route. Cloudflare is also doing some work in that area.

Until "the internet" breaks (aka Facebook, YouTube, etc.), adoption of
infrastructure technologies (RPKI and IPv6 in particular) is a
struggle. The costs associated with adoption are real. The cost
savings/avoidance/additional security are hard to quantify.


On 4/15/2019 4:45 PM, Steven Wallace wrote:
> I was thinking of asking the commodity providers to use ARIN’s RPKI
info in the management of their networks...I realize this is a rough idea
lacking specifics, and the error rate of misconfigured ROAs is something like
6% right now...
>
> You bring up an interesting point. I believe I2 should require and use
IRRs for their router configs. Given this could be aggregated by the RONs, it
seems doable to me....and not an unreasonable requirement. ROAs are harder in
the sense that you have to own the resource to sign it, meaning the RONs
alone can’t do it.
>
> I like the idea of requiring ROAs. IMO, it would take something like a
24 month implementation plan, that would include multiple workshops/webinars
and other outreach to provide assistance to get it done. It would be a great
opportunity to engage the community. It would be an opportunity for the
community to demonstrate leadership in securing the internet infrastructure.
>
> ...now if we get pervasive IPv6 adoption....one can dream.
>
> Steve
>
>
> Sent from my iPad
>
>> On Apr 15, 2019, at 4:25 PM, Andrew Gallo <> wrote:
>>
>> When you say "the community may wish to consider is asking their
internet transit providers to agree to use their ROA records."
>>
>>
>>
>> Use them for what? In place of IRR entries, LOAs? Some of our
upstreams have asked for nothing. They may have checked that we have an IRR
record. On the other hand, one of our upstreams required an LOA from us
allowing us to advertise our own space for an upgrade.
>>
>> I'm wondering if we would have better success asking Internet2 to
start requiring ROAs for all space that can be covered (that is to say, space
covered by some type of agreement that allows for RPKI, which should be
nearly all IPv6).
>>
>>
>>> On 4/15/2019 1:52 PM, wrote:
>>> I suggest we de-couple the issues, and here’s why:
>>>
>>> Having more networks with ROAs makes using the RPKI database more
valuable, hence more incentive to overcome its access barriers. It would only
take a handful of backbone providers using ARIN’s database to have a huge impact
on hijacking risk.
>>>
>>> Another incentive the community may wish to consider is asking their
internet transit providers to agree to use their ROA records. Perhaps The Quilt
might consider adding such language to the purchasing program?
>>>
>>> Steve
>>>
>>>
>>>>> On Apr 15, 2019, at 1:32 PM, A N (via security-wg Mailing List)
<> wrote:
>>>>>
>>>>> Thanks for your update.
>>>>>
>>>>> However, same chicken and egg situation with RPA and RPKI adoption
and ARIN not budging.
>>>>>
>>>>>
>>>>> On Mon, Apr 15, 2019 at 12:21 PM < <>>
wrote:
>>>>> Thanks for the clarification. I should have said “current RSA”.
Last time we requested a new resource, I think it was an additional AS, they
required signing of the most current RSA. They were willing to accept changes
required due to Indiana law.
>>>>>
>>>>> Steve
>>>>>
>>>>> Not quite. It depends on the specific version of the RSA you have
in
>>>>> place. For example, the RSAs we have signed both for v6 and the
legacy
>>>>> RSA are of a vintage that doesn't cover ROA use, so we have to go
back
>>>>> and re-litigate the terms to get to a modern version.
>>>>>
>>>>> As a first step, I asked ARIN to produce the specific language we
had
>>>>> already mutually agreed to. After being referred to their council
and
>>>>> about 8 weeks later, they are still unable to produce the specific
>>>>> language we have in place. We had maintained copies, but it appears they
>>>>> did not.
>>>>>
>>>>> Dale
>>>>>
>> --
>> ________________________________
>> Andrew Gallo
>> The George Washington University

--
________________________________
Andrew Gallo
The George Washington University
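
The "ROA > IRR > nothing" precedence and the idea of using RPKI to filter IRR data, both mentioned in the thread above, as an added example that is not part of the original messages and is not NTT's or irrd's code. The function names and the sample ROAs and route objects are constructed (documentation prefixes and ASNs), and treating "nothing" as "do not accept" is an assumption.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs, not real registry content).
ROAS = [  # (prefix, max_length, origin_asn)
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
]
IRR_ROUTES = [  # (prefix, origin_asn), as carried by IRR route objects
    ("192.0.2.0/24", 64496),      # agrees with the ROA
    ("198.51.100.0/24", 64511),   # stale object: conflicts with the ROA
    ("203.0.113.0/24", 64498),    # no ROA covers this prefix
]

def rpki_state(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA does not cover the prefix
        covered = True
        if net.prefixlen <= max_len and origin == roa_asn:
            return "valid"
    # Covered by at least one ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def filter_irr(irr_routes=IRR_ROUTES, roas=ROAS):
    """Drop IRR route objects that RPKI marks invalid; keep valid and not-found."""
    return [r for r in irr_routes if rpki_state(r[0], r[1], roas) != "invalid"]

def decide(prefix, origin, roas=ROAS, irr_routes=IRR_ROUTES):
    """Precedence ROA > IRR > nothing: return (accept, data source used)."""
    state = rpki_state(prefix, origin, roas)
    if state != "not-found":              # a ROA covers it: RPKI decides
        return (state == "valid", "roa")
    if (prefix, origin) in irr_routes:    # fall back to an exact IRR route object
        return (True, "irr")
    return (False, "none")                # assumption: no data means not accepted

if __name__ == "__main__":
    print(filter_irr())
    for p, o in IRR_ROUTES:
        print(p, o, decide(p, o))
```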
