Hi,

On Mon, May 09, 2011 at 02:24:15PM +0100, boggits wrote:
> Maybe it's the fact that RIPE are providing the full solution as well as the ability to publish the information that's the issue; if rather than the NCC creating a tool for validation it just published the keys and the software tools for people to do the validation themselves then I might be happier.

Uh. As far as I understand, the validation is always done by your local setup, and various software options(!) exist for that.

The NCC provides a trusted data store where it signs which IP resources belong to what certificate (not "entity"). Based on that, the network holder can sign a ROA "I authorize this AS to announce my network" (and of course that would not be overly useful without someone who has that authority to actually attest that "my" bit there).

That ROA would currently be stored in the RIPE database, but it could be stored anywhere, with a pointer in your certificate "look *there* for my ROAs".

Then whoever is interested runs a software that collects the various bits and pieces from wherever they are stored - guided by referrals, or (again!) by local policy - "these guys I trust, their networks I always grab from *that* store, authenticated by *this* trust anchor".

One such solution is Randy's RCynic, another one would be what BBN (Steve Kent) has developed, and a third one would be the RIPE NCC validator. Google sends me to these links for a list of RPKI validation tools and their interop tests:

http://www.ietf.org/proceedings/80/slides/sidr-12.pdf
http://www.ietf.org/proceedings/80/slides/sidr-10.pdf

This stuff then generates a list of <network|AS> pairs from the data, and sends it to your routers - no crypto involved on the routers, no 10000-lines-prefixlists for peer validation, very lightweight operation - where it is then used for policy decisions.

Gert Doering
        -- Address Policy WG
did you enable IPv6 on something today...?

-- 
SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
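The last paragraph of the mail describes the end product of the whole chain: a list of <network|AS> pairs that a router compares announcements against, with no crypto on the router itself. The Python below is an added example (not from the original mail, and not code from RCynic, the BBN tools or the RIPE NCC validator) that models that router-side step: it parses a constructed list of validated ROA payloads (prefix, maxLength, origin AS) and classifies a received announcement as valid, invalid or not-found following the RFC 6811 route origin validation rules, then maps that state to a sample local policy. The CSV layout, the sample prefixes (documentation ranges) and the AS numbers are assumptions made for illustration.

```python
"""Route origin validation of BGP announcements against a list of
validated ROA payloads (VRPs), following the RFC 6811 rules.

Added example; the input format and sample data are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """One validated ROA payload: prefix, maxLength, authorised origin AS."""
    prefix: IPNetwork
    max_length: int
    asn: int


# Constructed sample output of a validator (hypothetical CSV: prefix,maxLength,ASN).
# Prefixes are documentation ranges (RFC 5737 / RFC 3849); AS numbers are from
# the RFC 5398 documentation range. None of this is real routing data.
VALIDATOR_OUTPUT = """\
# prefix,maxLength,asn
192.0.2.0/24,24,64496
198.51.100.0/22,24,64497
2001:db8::/32,48,64496
"""


def parse_vrps(text: str) -> List[VRP]:
    """Turn the validator's CSV-style output into VRP records."""
    vrps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, max_length, asn = (field.strip() for field in line.split(","))
        net = ipaddress.ip_network(prefix, strict=True)
        vrps.append(VRP(net, int(max_length), int(asn)))
    return vrps


def validate(prefix: str, origin_as: int, vrps: List[VRP]) -> str:
    """Classify an announcement (prefix, origin AS) as RFC 6811 does.

    not-found: no VRP covers the announced prefix at all
    valid:     some covering VRP names this origin AS and the announced
               prefix is no longer than that VRP's maxLength
    invalid:   covering VRPs exist, but none of them matches
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    # A VRP "covers" the announcement when the announced prefix lies inside
    # the VRP prefix; subnet_of() only works within one address family.
    covering = [v for v in vrps
                if v.prefix.version == announced.version
                and announced.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    for v in covering:
        if v.asn == origin_as and announced.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def local_pref(state: str) -> Optional[int]:
    """Sample local policy (an assumption, not a standard): prefer valid
    routes, accept not-found with lower preference, drop invalid."""
    return {"valid": 200, "not-found": 100, "invalid": None}[state]


VRPS = parse_vrps(VALIDATOR_OUTPUT)

if __name__ == "__main__":
    # Constructed announcements, as a router might receive them from a peer.
    announcements = [
        ("192.0.2.0/24", 64496),    # exact match, right origin
        ("192.0.2.0/24", 64511),    # right prefix, wrong origin
        ("192.0.2.0/25", 64496),    # more specific than maxLength allows
        ("198.51.100.0/23", 64497), # within the /22, length <= maxLength 24
        ("203.0.113.0/24", 64496),  # nobody has a ROA for this one
        ("2001:db8:1::/48", 64496), # IPv6 sub-allocation, allowed by maxLength
    ]
    for prefix, asn in announcements:
        state = validate(prefix, asn, VRPS)
        print(f"{prefix:>18} AS{asn}: {state:<9} local-pref={local_pref(state)}")
```

The router in the mail's description holds only the VRP list, which is exactly what `validate()` consumes; the cryptographic work of checking certificates and ROA signatures happened earlier, in whatever validator produced that list.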