
Dear Hans Petter and fellow members,
In the draft activity plan, there is a page about the current RPKI cost and plans of the further development.
The plans state on Page 14 - 1.6 RPKI:
6 FTE and a 963.000 euro budget ...
<begin quote>
Activities in 2021 Our priority over the coming period will be ensuring a stable and resilient RPKI Trust Anchor and Certificate Authority. In 2020, we carried out a third-party security and risk assessment of our RPKI platform. We are now working to define a complete audit framework for RPKI, with the aim of having the audit performed early next year by a third party. Next year we will implement changes to our internal processes and documented procedures on the basis of this audit, as well as things like more granular monitoring and small technical changes that ensure compliance with the relevant RFCs. Aside from that, we are planning significant improvements in our infrastructure to allow high availability and resiliency for the RPKI repositories. In last year’s Activity Plan, we said we would consider whether we should continue to support our RPKI Validator, as it needed further development to match the quality of alternative tools that were now available. Because our RPKI Validator remains the second most widely used tool (with 32% “market share”), we decided that we will continue to support it in 2021 and we aim to make a longer-term decision soon. Finally, we will continue to build awareness of RPKI through training, outreach and promotion efforts.
</end quote>
I would like to argue that further development of Proof of Concept software (the RPKI validator) isn't required anymore now that there are multiple open source tools available on the market.
The RIPE NCC isn't a software development house .. and I don't recall the RIPE NCC has the planning to become one ... I would like to see further development of the RIPE NCC RPKI Validator discontinued as of Jan. 1st 2021.
The backend software / infra for the signing of the RPKI environment still needs a lot of work and so does the training (awareness) about RPKI .. so I don't think that the resources or budgeted cost should be reduced, but it needs to be revised... I think that the efforts should be put somewhere else on RPKI.
That the RIPE NCC RPKI Validator is widely used, is because of the training efforts from the RIPE NCC.. and I think the community is better served with a more open approach about the usage of other validators, instead of trying to keep members to use a Java based software package.
When the RIPE NCC started with the development of the RPKI Validator, there was a lack of other software ... but as things stand today, there are multiple open source implementations and this is a nice moment to go back to the core activity of the RIPE NCC.
I know that with the above, I would probably not give the internal development team enough credits for their work and effort in the past years. I do value their work to where they brought this, but it is time to put the focus on the core activities like the signing side of the RPKI and a more robust RPKI infra instead of the validation software.
Regards, Erik Bais

Hi,
On Mon, Sep 21, 2020 at 01:33:43PM +0000, Erik Bais wrote:
> I would like to see further development of the RIPE NCC RPKI Validator discontinued as of Jan. 1st 2021.
This.
When we looked at possible software options for our RPKI validator, we compared performance, memory, robustness, agility of development, and this all concluded in "this was nice as a demonstration vehicle, but I do not want to run it near any production system, ever".
Gert Doering -- system operator
-- have you enabled IPv6 on something today...?
SpaceNet AG, Management board: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14, Chair of the supervisory board: A. Grundner-Culemann
D-80807 Muenchen, HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444, VAT ID: DE813185279

On Fri, Sep 25, 2020, at 16:21, Gert Doering wrote:
> Hi,
> On Mon, Sep 21, 2020 at 01:33:43PM +0000, Erik Bais wrote:
>> I would like to see further development of the RIPE NCC RPKI Validator discontinued as of Jan. 1st 2021.
> This.
> When we looked at possible software options for our RPKI validator, we compared performance, memory, robustness, agility of development, and this all concluded in "this was nice as a demonstration vehicle, but I do not want to run it near any production system, ever".
This is a common refrain I have heard and experienced first hand. I would like to also add my voice to the suggestion of discontinuing (significant) software development costs in relation to the RPKI validator.
--- Aaron A. Glenn
+1 (877) 926-5767 AAGlenn Internetworking Company Cheyenne, WY 82001 | +1 (307) 316-5767

+1 on this as well.
I have been operating validators for a few years now in production at various companies, and I see no point to keep the RIPE Validator stack alive. Even with significant improvements to the code I don't see that we can "save" it and make it a viable choice going forward for real production environments, I don't think that RIPE is the right place to develop a replacement either..
Discontinue the support for the software as suggested on Jan 1st 2021. And then move the full suggested budget over to the operational department of RIPE NCC, strengthen the operations and scale around the RPKI CA.
The RPKI CA, for RIPE and for others, plays a MAJOR role as critical internet infrastructure. These are services that need on-call 24/7 support, testing-environments, scaled out infrastructure, thoughtful crypto-implementations and other such things, nothing of this comes cheap and we might even need more budget allocated for this in the future.
------------
Best Regards
Fredrik Korsbäck
Amazon Web Services (but speaking for myself in this context)

> When we looked at possible software options for our RPKI validator, we compared performance, memory, robustness, agility of development
i observe with sadness that technical correctness was not one of your criteria. as you will see from our imc paper next month, due to lack thereof, route origin validation is an operational disaster waiting to happen. and the epicenter is in the netherlands, and not just at the ncc.
we feared the dutch court attack. we got the dutch vendor attack.
randy

Hi,
I fully agree that while the budget on RPKI deployment should not be reduced currently, it should be used in other ways.
I think 2021-01-01 is a bit too early as last I looked there was still a considerable number of RIPE NCC validators running. 2022-01-01 is probably more reasonable.
Though feature updates could stop on 2020-01-01, fixes need to be done for at least a year more I would say.
Potential other ways to use the budget include setting up a way for resource holders to use delegated RPKI published to repositories hosted by the RIPE NCC. Such as I believe NIC.BR is doing.
- Cynthia

Gert wrote:
> When we looked at possible software options for our RPKI validator, we compared performance, memory, robustness, agility of development, and this all concluded in "this was nice as a demonstration vehicle, but I do not want to run it near any production system, ever".
The real issue is: a lot of network operators do NOT have the time for this kind of assessment. They make a judgement call based on the good overall reputation of RIPE (and as Erik mentioned: training) and just go with it.
I agree and support sunsetting the development of the RIPE RPKI validator.
-- lukas

Hi all,
Is it worth seeing if there is another organisation who could take RIPE's work and knowledge, and further the cause if RIPE are withdrawing development time?
I suspect a lot more organisations would be interested in a product if it had the RIPE brand on it, even if RIPE were not completely involved in its development.
Just my 2 pence.
Harry

Hi,
On 28-09-2020 09:47, Cynthia Revström via members-discuss wrote:
> Hi,
> I fully agree that while the budget on RPKI deployment should not be reduced currently, it should be used in other ways.
+1
> I think 2021-01-01 is a bit too early as last I looked there was still a considerable number of RIPE NCC validators running. 2022-01-01 is probably more reasonable.
> Though feature updates could stop on 2020-01-01, fixes need to be done for at least a year more I would say.
Sounds reasonable.
> Potential other ways to use the budget include setting up a way for resource holders to use delegated RPKI published to repositories hosted by the RIPE NCC. Such as I believe NIC.BR is doing.
That does indeed sound like a much more constructive way to send the money.
Cheers, Sander

Hello,
Ten months ago we needed to integrate a prefix validation service in our IXP and network infrastructure. So we tested nearly all RPKI validator software we found. Of course the RIPE rpki validator was first, unfortunately I can clearly say, it is not and will never be a reliable validator server. It is heavy, slow, resource hungry, easy to crash software, and it will become worse with time, when the number of ROA signed networks grows. The problem is in the design - JAVA is not the right language for such software. Putting more money will not make it better, maybe the RIPE rpki validator could be used for educational and demonstrational use, but for production I'm in doubt. If we want to see more ROA signed networks and more bgp servers running rpki validation, network administrators and engineers need better software. For more than 7 months we have been using the FORT validator in production (I think it's the lacnic rpki server open source implementation in C) and I can clearly say it is much better, runs much more stable and uses a lot less resources than the RIPE rpki validator.
From a practical point of view it will be better if that budget is used to help the FORT development process, creating and maintaining rpki validator packages for all major linux/bsd distributions, creating complete howtos (install, use, maintain, connect bgp, best bgp rpki filtering practices), and RIPE staff pushing LIRs harder to ROA sign their globally bgp announced networks (periodic phone calls, email reminders, etc).
Ivaylo Josifov
Varteh LTD
Varna, Bulgaria

Dear colleagues,
Thank you very much for the input about the future of our RPKI Validator. We are glad to hear that your feedback aligns closely with the internal discussions we are having about it.
We will soon publish a RIPE Labs article with further details on our planning, and we will provide an update to the community during the Open Source Working Group at RIPE 81. I hope to see you there.
Kind regards,
Nathalie Trenaman
Routing Security Programme Manager
RIPE NCC

Hi Cynthia,
Support from the RIPE NCC can be stopped around 2021-01-01, as the software is already open source … If you want to write a bug-fix and implement that.. you can do that today. You don’t need the NCC for that..
The only thing that the RIPE NCC would have to do is to update the README.md on github and state that it is no longer maintained. And probably also close the option to create new issues..
But feel free to fork if you like.
Regards, Erik Bais

Hello Hans Petter and fellow members,
On Mon, 21 Sep 2020, Erik Bais wrote:
> I would like to argue that further development of Proof of Concept software (the RPKI validator) isn't required anymore now that there are multiple open source tools available on the market.
> The RIPE NCC isn't a software development house .. and I don't recall the RIPE NCC has the planning to become one ... I would like to see further development of the RIPE NCC RPKI Validator discontinued as of Jan. 1st 2021.
I completely agree.
On Fri, 25 Sep 2020, Gert Doering wrote:
> When we looked at possible software options for our RPKI validator, we compared performance, memory, robustness, agility of development, and this all concluded in "this was nice as a demonstration vehicle, but I do not want to run it near any production system, ever".
Yes, I agree with that, too.
And: When looking to the current RIPE NCC RPKI Validator status, the average time of about 87+ days to fix security issues (based on #158, #159, #162, #232, #255 from ticket opening till closure) is not what I would like to see near a production system either...as of this moment some of the security issues are still unresolved!
Even if one of the current alternative RPKI validators would disappear for whatever reason, I would nowadays not consider switching to the RIPE NCC RPKI Validator, sorry.
I'm aware that I might not give enough credits to the RIPE NCC's internal development team while there was a lack of other software...and I really appreciate their past work, but I definitely would like to see the RIPE NCC shift the focus from the validator software development towards the RPKI infrastructure as soon as possible.
Kind regards
Robert Scheck
--
Robert Scheck, Mail: robert.scheck@etes.de
ETES GmbH, Phone: +49 (7 11) 48 90 83 - 12
Talstraße 106, Fax: +49 (7 11) 48 90 83 - 50
D-70188 Stuttgart, Web: http://www.etes.de/
Register court: Amtsgericht Stuttgart HRB 721182
Managing partner: Markus Espenhain
Registered office: Stuttgart
VAT ID: DE814767446
Follow us on Facebook (https://www.facebook.com/ETES.IT) and Twitter (https://twitter.com/systemhaus). We would be glad if you subscribed to our newsletter (once a month). (https://www.etes.de/blog/newsletter/)