Re: [sig-policy] Comments on prop-059-v001: Using the Resource Public Key Infrastructure to construct validated IRR data

To: APNIC Policy SIG List <sig-policy@apnic.net>
Subject: Re: [sig-policy] Comments on prop-059-v001: Using the Resource Public Key Infrastructure to construct validated IRR data
From: Izumi Okutani <izumi@nic.ad.jp>
Date: Fri, 22 Aug 2008 20:53:20 +0900
Delivered-to: sig-policy@clove.apnic.net
In-reply-to: <48A1F0E2.2000006@apnic.net>
List-archive: <http://mailman.apnic.net/mailing-lists/sig-policy>
List-help: <mailto:sig-policy-request@lists.apnic.net?subject=help>
List-id: APNIC SIG on resource management policy <sig-policy.lists.apnic.net>
List-post: <mailto:sig-policy@lists.apnic.net>
List-subscribe: <http://mailman.apnic.net/mailman/listinfo/sig-policy>, <mailto:sig-policy-request@lists.apnic.net?subject=subscribe>
List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/sig-policy>, <mailto:sig-policy-request@lists.apnic.net?subject=unsubscribe>
References: <48A1F0E2.2000006@apnic.net>
User-agent: Thunderbird 2.0.0.16 (Windows/20080708)

We have a number of questions/comments about prop-059 so that we can
have a better understanding.

It's a little long, but I hope someone on the list can help us on these
questions.

+ It seems that two elements are proposed at the same time, so it may be
easier to make further discussions if we seperate the issues and discuss
each
    1. Use of RPKI data in IRR
    2. Providing overlay publication point

+ There could be cases where prefix that operator wishes to register in
IRR is different from RPKI data. How would it help in routing for such
cases?

+ How can we confirm that ROA is based on authentic RPKI? Could we
really not change the route object at all? How would it work in that case?
  (We need some method to validate RPKI data registered in IRR. However,
if we do it from scratch, that will be the same as reviewing ROA. If
there are no changes in RPSL, then, we cannot validate RPKI data)

+ what are we trying to achieve by strengthening security by  overlay
publication point? ie., trying to make the system work even if APNIC's
IRR fails, for example?
  (just trying to understand the intention)

thanks,
izumi

Follow-Ups:
- Re: [sig-policy] Comments on prop-059-v001: Using the Resource Public Key Infrastructure to construct validated IRR data
  - From: Randy Bush <randy@psg.com>

References:
- [sig-policy] Comments on prop-059-v001: Using the Resource Public Key Infrastructure to construct validated IRR data
  - From: Geoff Huston <gih@apnic.net>

Prev by Date: Re: [sig-policy] [Sig-policy] prop-062-v001: Use of final /8
Next by Date: Re: [sig-policy] Comments on prop-059-v001: Using the Resource Public Key Infrastructure to construct validated IRR data
Previous by thread: Re: [sig-policy] Comments on prop-059-v001: Using the Resource Public Key Infrastructure to construct validated IRR data
Next by thread: Re: [sig-policy] Comments on prop-059-v001: Using the Resource Public Key Infrastructure to construct validated IRR data
Index(es):
- Date
- Thread