Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-opsawg-finding-geofeeds-06

Randy Bush <> Mon, 03 May 2021 17:10 UTC

Date: Mon, 03 May 2021 10:09:54 -0700
From: Randy Bush <>
To: Kyle Rose <>
Cc:,,, IETF SecDir <>

just a quickie.  i will try to get to the other stuff after $dayjobs

assumptions that the rpki and the inetnum: are congruent in ip address
space are quite unsafe, sad to say.

the granularity of the rpki is not that of the inetnum: space.

for a tragic example, among other things, in the arin (noam) region,
most address space can not get rpki data for artificial political

and in a sane region, emea, if i am an LIR and get a /32 from ripe, and
get an rpki cert for it; i can delegate a /56 to a customer with an
inetnum: and sadly they tend not to get rpki certs, but have geoloc.

geofeed adoption is being driven by social pressure, customers want
their mtv and are loud about it.  rpki adoption is driven by operator
gossip, not money.

these conditions will continue for years, though not as long as ipv6
take-up.  the draft is deployable on today's internet with today's
administrative and technical infrastructure.  in fact, it is deployed
and working.

more later


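The granularity mismatch described in the message above, shown as an added example that is not part of the mail thread or of the draft: an LIR holds an RPKI certificate for a /32, delegates a /56 to a customer who registers an inet6num: with a geofeed but no certificate of their own, and a checker that demands an RPKI cert congruent with the inetnum finds none. The holder names, the documentation prefix 2001:db8::/32 and the geofeed URL are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpkiCert:
    holder: str
    resources: tuple   # networks listed in the cert's RFC 3779 extension


@dataclass(frozen=True)
class Inetnum:
    holder: str
    prefix: str        # the inetnum:/inet6num: range, written as a prefix
    geofeed: Optional[str] = None


def covering_certs(obj, certs):
    """Certs whose resources contain the inetnum prefix, whoever holds them."""
    net = ipaddress.ip_network(obj.prefix)
    return [c for c in certs
            if any(r.version == net.version and net.subnet_of(r)
                   for r in c.resources)]


def congruent_cert(obj, certs):
    """A cert whose holder and address range match the inetnum exactly."""
    net = ipaddress.ip_network(obj.prefix)
    for c in certs:
        if c.holder == obj.holder and net in c.resources:
            return c
    return None


def classify(obj, certs):
    """How much RPKI backing an inetnum object actually has."""
    if congruent_cert(obj, certs):
        return "congruent"
    if covering_certs(obj, certs):
        return "covered-by-parent-only"   # the case the message describes
    return "no-rpki"


# Constructed data: the LIR's /32 cert covers the customer's /56, but the
# customer (who publishes the geofeed) holds no cert at all.
CERTS = (RpkiCert("lir-example", (ipaddress.ip_network("2001:db8::/32"),)),)
LIR = Inetnum("lir-example", "2001:db8::/32")
CUSTOMER = Inetnum("customer-example", "2001:db8:1234:5600::/56",
                   geofeed="https://geofeed.example.invalid/feed.csv")
```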