Re: [sidr] WGLC: draft-ietf-sidr-origin-ops

Rob Austein <> Mon, 14 November 2011 13:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6BCCA11E80E9 for <>; Mon, 14 Nov 2011 05:37:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.244
X-Spam-Status: No, score=-102.244 tagged_above=-999 required=5 tests=[AWL=-0.356, BAYES_00=-2.599, HELO_MISMATCH_NET=0.611, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 50ehbN0vDAmY for <>; Mon, 14 Nov 2011 05:37:12 -0800 (PST)
Received: from ( [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by (Postfix) with ESMTP id 2F27111E80DA for <>; Mon, 14 Nov 2011 05:37:12 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "", Issuer "Grunchweather Associates" (verified OK)) by (Postfix) with ESMTPS id A999B2846B for <>; Mon, 14 Nov 2011 13:37:08 +0000 (UTC)
Received: from (localhost []) by (Postfix) with ESMTP id 72C05654865 for <>; Mon, 14 Nov 2011 21:37:04 +0800 (CST)
Date: Mon, 14 Nov 2011 21:37:04 +0800
From: Rob Austein <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-origin-ops
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Nov 2011 13:37:29 -0000

At Mon, 14 Nov 2011 18:45:09 +0800, Shane Amante wrote:
> More specifically, what I've been attempting to ask here is how one
> configures, in one's _local_ RPKI cache (that syncs to the outside
> world), /where/ the RIR's publication points are on Day 1.  Do I
> contact one RIR (which maintains a list of other RIR's publication
> points) -or- each RIR individually to ask what is their publication
> point?  (If you can help provide an answer as to what is the
> expectation on the operator, I can then potentially help to provide
> text).

Starting point is most likely one or more Trust Anchor Locator (TAL)
files, see draft-ietf-sidr-ta.  On that glorious day when the RIRs and
IANA have all their ducks in a row, there will be one public TAL for
the root of the promised single tree; in the meantime, you'll likely
have a small collection of TALs.

Where do the TALs come from?  Depends on whose TAL it is.  Some of the
RIRs publish their TALs on their web sites (one RIR, on the other
hand, appears to be hiding the TAL for their pilot system in a locked
filing cabinet in a disused lavatory in a subbasement with a sign
reading "Beware Of Leopard", but that's neither here nor there).
Those of us who write RPKI validation software collect these TALs when
we can find and verify them, and I, at least, include them with my

Ultimately, the problem is the same as distributing DNSSEC TAs, or any
other TA for that matter.  Pretty much by definition, these things
have to be configured outside the automated system, because they're
the bootstrap data.  Inclusion in distributions of software using the
system seems to be the most common way, but one could envision other
methods (T shirts handed out at IETF or *OG meetings, publication in
major newspapers, perhaps as QR codes, invent your own mechanism --
the key point is that grounds for believing the TAL come from outside
the system we're trying to bootstrap).