Internet2 Network Security SIG

[David Farmer <>]

On today's Quilt CIS call, we discussed adding RPKI and ROA validation to The Quilt 2020 CIS RFP process.  There was strong support for this and I volunteered to ensure it happens as part of the RFP process which will begin later this fall. In thinking about it we should also add MANRS and IRR questions as well.  We did ask about RPKI in the last Quilt CIS RFP. Are there other security related questions that should be asked?

If anyone has suggested language, please send it my way.  

Additionally, we always welcome volunteers from the community to participate in the Quilt CIS project in general and specifically during the RFP process. If the process goes as it typically has, we will be finishing up evaluating RFP responses about a year from now.

If you are interested please contact;

Sharon Akkoul - Chair, The Quilt CIS Project, or

Jen Leasure  - President, The Quilt

Thanks.

On Mon, Apr 15, 2019 at 12:53 PM <> wrote:

I suggest we de-couple the issues, and here’s why:

Having more networks with ROAs makes using the RPKI database more valuable, hence more incentive to overcome its access barriers. It would only take a handful backbone providers using ARIN’s database to have a huge impact on hijacking risk.

Another incentive the community may wish to consider is asking their internet transit providers agree to use their ROA records. Perhaps The Quilt might consider adding such language to the purchasing program?

Steve

On Apr 15, 2019, at 1:32 PM, A N (via security-wg Mailing List) <> wrote:

Thanks for your update.

However, same chicken and egg situation with RPA and RPKI adoption and ARIN not budging.

On Mon, Apr 15, 2019 at 12:21 PM <> wrote:

Thanks for the clarification. I should have said “current RSA”. Last time we requested a new resource, I think it was an additional AS, they required signing of the most current RSA. They were willing to accept changes required due to Indiana law.

Steve

>
> Not quite.  It depends on the specific version of the RSA you have in
> place.  For example, the RSA's we have signed both for v6 and the legacy
> RSA are of a vintage that doesn't cover ROA use, so we have to go back
> and re-litigate the terms to get to a modern version.
>
> As a first step, I asked ARIN to produce the specific language we had
> already mutually agreed to.  After being referred to their council and
> about 8 weeks later, they are still unable to produce the specific
> language we have in place.  We had maintained copies, but appears they
> did not.
>
> Dale
>

--

===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================