<div dir="ltr">Hi guys<div><br></div><div>I support this proposal, I don't think this costs so much money and effort.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 2, 2020 at 8:34 PM Melchior Aelmans <<a href="mailto:melchior@aelmans.eu">melchior@aelmans.eu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks for this very valuable feedback Thiago! Much appreciated!<div><br></div><div>Cheers,</div><div>Melchior</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 2, 2020 at 11:11 AM Thiago da Cruz <<a href="mailto:tdacruz@ripe.net" target="_blank">tdacruz@ripe.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><span style="font-style:normal"><font face="Monaco">Hi all,</font></span></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco"><span style="font-style:normal"><font>Many of you might not know me, but I’m part of </font><span>RIPE’s software engineering team that takes care of RPKI.</span></span></font></div><div><span style="font-style:normal"><font face="Monaco"><br></font></span></div><div><font face="Monaco"><span style="font-style:normal"><font>I’ve been following this discussion closely and I've noticed some lack of clarity about our decision to </font><font>duplicate our </font><span>RPKI</span><span> infrastructure.</span></span></font></div><div><span style="font-style:normal"><font face="Monaco">So I think it’s important for us to tell a few things about our approach. </font></span></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal">First what we have today in production:</font></div><div><font face="Monaco" style="font-style:normal">- TA software (offline box)</font></div><div><font face="Monaco" style="font-style:normal">- HSM for the TA (plus backups and spare parts)</font></div><div><font face="Monaco" style="font-style:normal">- A few application servers running our RPKI software - I’ll call it RPKI-Core</font></div><div><font face="Monaco" style="font-style:normal">- Redundant HSMs used by RPKI-Core</font></div><div><font face="Monaco" style="font-style:normal">- RRDP publication service (cloud)</font></div><div><font face="Monaco" style="font-style:normal">- Some rsync nodes (internal infra)</font></div><div><font face="Monaco"><span style="font-style:normal"><br></span></font></div><div><font face="Monaco" style="font-style:normal">Something like the diagram below.</font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal">For testing environment we have practically the same infra. </font></div><div><font face="Monaco" style="font-style:normal">And for public test (localcert) we use ‘soft' keys and no HSMs.</font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco"><span style="font-style:normal"><br></span></font></div><div><font face="Monaco"><span style="font-style:normal"><font>About the new AS0 TA, y</font>es, we could simplify our infra.</span></font></div><div><font face="Monaco" style="font-style:normal">One option would be to use ‘soft’ keys all around or use a HSM for TA only.</font></div><div><font face="Monaco" style="font-style:normal">We could also use third-party software for TA, Core and publication service.</font></div><div><font face="Monaco"><span style="font-style:normal"><span>It crossed my mind, f</span><span>or a </span><span>fraction of a second, </span><span>to skip AS0 TA instances for our internal and/or public test environments.</span></span></font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal">But I don’t think we should treat it as a "second class citizen". </font></div><div><font face="Monaco"><span style="font-style:normal"><font>If we provide another TA, it’s worthy of receiving as much TLC as our production TA; m</font><font>eaning that it would also require the same (</font><span>or similar)</span><font> process around it as our production TA does. </font><font>That includes keeping track of HSM card holders, </font><font>defining a proper admin and operator quorum, scheduling </font><span>periodical</span><font> resigning sessions, etc…</font></span></font></div><div><font face="Monaco"><span style="font-style:normal"><br></span></font></div><div><font face="Monaco" style="font-style:normal">I’m not here to advocate against nor in favour of AS0 TA. </font></div><div><font face="Monaco" style="font-style:normal">But when discussing our implementation, this was our rationale to duplicate the infrastructure. </font></div><div><font face="Monaco" style="font-style:normal">And that’s why it would cost us a lot to implement it. </font></div><div><br></div><div><font face="Monaco">Let me know you need more info about this subject.</font></div><div><font face="Monaco"><span style="font-style:normal"><br></span></font></div><div><font face="Monaco" style="font-style:normal"><div><font>Kind regards, </font></div><div><font>Thiago da Cruz </font></div><div><font>Sr. software engineer - RPKI Team</font></div><div><font>RIPE NCC</font></div><div><font><br></font></div></font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal"> +---------------------+</font></div><div><font face="Monaco" style="font-style:normal"> | | +-------+</font></div><div><font face="Monaco" style="font-style:normal"> | TA (offline) +------------+ HSM |</font></div><div><font face="Monaco" style="font-style:normal"> | | +-------+</font></div><div><font face="Monaco" style="font-style:normal"> +---------------------+</font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal"> +------------------------+</font></div><div><font face="Monaco" style="font-style:normal"> | |</font></div><div><font face="Monaco" style="font-style:normal"> +-----------> | RRDP publication |</font></div><div><font face="Monaco" style="font-style:normal"> | | |</font></div><div><font face="Monaco" style="font-style:normal"> | | (cloud) |</font></div><div><font face="Monaco" style="font-style:normal"> | | |</font></div><div><font face="Monaco" style="font-style:normal"> +-------------------+ +-------------------+ | +------------------------+</font></div><div><font face="Monaco" style="font-style:normal"> | | | | Publication |</font></div><div><font face="Monaco" style="font-style:normal"> | RPKI-Core 1 | (...) | RPKI-Core n | ----------------------> * +></font></div><div><font face="Monaco" style="font-style:normal"> | | | | |</font></div><div><font face="Monaco" style="font-style:normal"> +--+-----+----+-----+ +--+------+-------+-+ | +----------------------------+</font></div><div><font face="Monaco" style="font-style:normal"> | | | | | | | | |</font></div><div><font face="Monaco" style="font-style:normal"> | | +---------------+ | | | | | Rsync publication |</font></div><div><font face="Monaco" style="font-style:normal"> | | | | | +----+ +-----------> | |</font></div><div><font face="Monaco" style="font-style:normal"> +-----+ +-----------+ +---------+ | | | (internal infra - x nodes) |</font></div><div><font face="Monaco" style="font-style:normal"> | | | | | | | |</font></div><div><font face="Monaco" style="font-style:normal"> | | | +-------------------+ | | |</font></div><div><font face="Monaco" style="font-style:normal"> | +-----------------------------------------+ | | +----------------------------+</font></div><div><font face="Monaco" style="font-style:normal"> | | | | | |</font></div><div><font face="Monaco" style="font-style:normal">+-+----+--+ + + +-+------++</font></div><div><font face="Monaco" style="font-style:normal">| HSM 1 | (......................) | HSM m |</font></div><div><font face="Monaco" style="font-style:normal">+---------+ +---------+</font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><font face="Monaco" style="font-style:normal"><br></font></div><div><br></div><div><font face="Monaco"><br></font></div><div><font face="Monaco"><br></font></div><div><br><blockquote type="cite"><div>On 27 Feb 2020, at 23:51, George Michaelson <<a href="mailto:ggm@algebras.org" target="_blank">ggm@algebras.org</a>> wrote:</div><br><div><div>Anton pointed out I may have both misunderstood and not answered your question.<br><br>The testbed is a soft TA. In deployment, people will have to move to a<br>new (as yet not created) TAL for AS0, as long as it runs independently<br>of the mainline TAL.<br><br>We intend running a distinct TA for AS0 until we get a clear signal<br>our community wants it integrated. We have stated concerns about the<br>automatic adoption of ASO products worldwide without visible agreement<br>of this activity, a separate TAL turns the activity from opt-out to<br>opt-in.<br><br>We are duplicating the software signing infrastructure, but with lower<br>costs overall given commonalities.<br><br>We are still discussing if we can run the offline-TA HSM and the<br>online production key HSM for both activities, or if we need a<br>distinct infrastructure for AS0 and mainline. Duplication overall is<br>not in APNIC's model, we rely on spares and alternate use of the HSM,<br>but production signing systems are single instances. I believe they<br>are capable of some virtualisation or segmentation but that skirts the<br>underlying physical risk/dependency.<br><br>Sorry for not being clearer before<br><br>-George<br><br>On Wed, Feb 26, 2020 at 6:18 PM Carlos Friaças via routing-wg<br><<a href="mailto:routing-wg@ripe.net" target="_blank">routing-wg@ripe.net</a>> wrote:<br><blockquote type="cite"><br><br>Hi,<br><br>Any clue if APNIC has duplicated the infrastructure (and cost) as it is<br>foreseen in the NCC's impact analysis...?<br><br>Carlos<br><br><br><br>On Wed, 26 Feb 2020, JORDI PALET MARTINEZ via routing-wg wrote:<br><br><blockquote type="cite">Hi Max,<br><br>I think is too early to take a decision, and in fact I don't think we are yet in case A.<br><br>Consensus is about justified objections. I can see also people in favor and I understand, as we usually do in any proposal discussion, that non-objection is consent.<br><br>The only justification that I can see is from Job about possible cost. However, I don't see figures about how much it cost to develop this AS0 + how much it cost the operators to use it (if they want) vs developing the SLURM + making sure it is secure as RPKI + how much ti cost the operators to use it.<br><br>And by the way, the AS0 is compatible with the SLURM, so opeartors can choose.<br><br>Regards,<br>Jordi<br>@jordipalet<br><br><br><br>El 25/2/20 20:30, "routing-wg en nombre de Massimiliano Stucchi" <<a href="mailto:routing-wg-bounces@ripe.net" target="_blank">routing-wg-bounces@ripe.net</a> en nombre de <a href="mailto:max@stucchi.ch" target="_blank">max@stucchi.ch</a>> escribió:<br><br><br> Hi everyone,<br><br> On 20/02/2020 15:39, Petrit Hasani wrote:<br><br><blockquote type="cite">As per the RIPE Policy Development Process (PDP), the purpose of this four week Review Phase is to continue discussion of the proposal, taking the impact analysis into consideration, and to review the full draft RIPE Policy Document.<br><br>At the end of the Review Phase, the Working Group (WG) Chairs will determine whether the WG has reached rough consensus. It is therefore important to provide your opinion, even if it is simply a restatement of your input from the previous phase.<br></blockquote><br> Today, me and the other proposers of this policy change had a meeting to<br> discuss the feedback we have been receiving on the list.<br><br> We understand that many people find this proposal controversial, and<br> many have expressed themselves against it in the past days.<br><br> We would like to encourage discussion and provide us with a bit of<br> guidance on how the community would like to proceed. At present we have<br> identified three ways of progressing:<br><br> A) We can try to go ahead with this proposal, although it will be hard<br> to get consensus;<br><br> B) We can drop the proposal, and leave everything as is;<br><br> C) We can change the proposal to a different ask for RIPE NCC. The idea<br> could be to ask RIPE NCC to provide a SLURM file (similar to what APNIC<br> does), so that single users can decide if they want to feed it to their<br> validators.<br><br> From what we gathered in the discussions, I think B) could be the most<br> sought-after decision, but we would like to propose C) as the way<br> forward. It would give the possibility to those who want to implement<br> this solution to do it in a lightweight fashion. It would for sure be<br> much much cheaper to implement.<br><br> In any case, as Job already pointed out, I prepared a simple tool to<br> generate a SLURM file using either the Team Cymru bogons list, or<br> considering any unassigned space from the NRO delegated stats file.<br> RIPE NCC has kindly provided help and patches to improve it. If you<br> want to give it a go, you can find it here:<br><br> <a href="https://github.com/stucchimax/rpki-as0-bogons" target="_blank">https://github.com/stucchimax/rpki-as0-bogons</a><br><br> Thank you for any suggestion or any discussion around this.<br><br> Ciao!<br> --<br> Massimiliano Stucchi<br> MS16801-RIPE<br> Twitter/Telegram: @stucchimax<br><br><br><br><br><br>**********************************************<br>IPv4 is over<br>Are you ready for the new Internet ?<br><a href="http://www.theipv6company.com" target="_blank">http://www.theipv6company.com</a><br>The IPv6 Company<br><br>This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br><br><br><br><br><br></blockquote></blockquote><br></div></div></blockquote></div><br></div></blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><a href="http://about.me/AphroditeEmpire" target="_blank">http://about.me/AphroditeEmpire</a></div>