On 9 May 2008, at 06:06, Philip Smith wrote:
If you haven't already done so, please will you read the policy proposal: http://www.apnic.net/policy/discussions/prop-059-v001.txt Do you have any questions about the proposal? Do you agree that it is useful to construct an IRR out of certified resources placed in the RPKI?
I think the proposal has the benefit that it shifts much of the complexity of the cryptography into the hands of APNIC staff, and leaves the results in a form that many operators already know how to use.
This seems like an excellent way to make cryptographically-verifiable data available to ISPs quickly and easily, and provides a good incentive for the administrators of assigned netblocks to participate in the resource PKI process in general.
In the long term, ISPs should be encouraged to verify certificate data directly rather than relying on the analysis published by APNIC in this new IRR. However, for ISPs who are not ready to do that today, but who are already familiar with the use of RPSL to build (e.g.) prefix filters for customers, the existence of this proposed new IRR would be of great value.
The only downsides I can see are (a) extra work for APNIC staff in providing this service, and (b) potential confusion from the existence of two RPSL repositories where previously there was only one. I think both concerns are minor, however: (a) APNIC staff have already been engaged in the development of the resource PKI, and already run a production IRR instance reached through whois.apnic.net, and (b) most operators are already familiar with the need to use more than one repository when processing RPSL objects.
I am interested to hear the opinions of others on this list. Based on what I have read, I would encourage APNIC members to vote in favour of this proposal.
Joe