<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><font face="Monaco" class=""><span style="font-style: normal;" class="">Hi Jordi, </span></font><div class=""><font face="Monaco" class=""><span style="font-style: normal;" class=""><br class=""></span></font></div><div class=""><font face="Monaco" class=""><span style="font-style: normal;" class="">I’m not the budget guy, so I’m going to distance myself from the euros. </span></font></div><div class=""><font face="Monaco" class=""><span style="font-style: normal;" class="">When I say “it would cost us a lot to implement it” I mean in effort when compared with other options. </span></font></div><div class=""><br class=""></div><div class=""><font face="Monaco" class=""><span style="font-style: normal;" class="">Kind regards,</span></font></div><div class=""><div class=""><font class="" face="Monaco" style="font-style: normal;">Thiago da Cruz </font></div><div class=""><font class="" face="Monaco" style="font-style: normal;">Sr. software engineer - RPKI Team</font></div><div class=""><font class="" face="Monaco" style="font-style: normal;">RIPE NCC</font></div></div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 2 Mar 2020, at 18:25, JORDI PALET MARTINEZ via routing-wg <<a href="mailto:routing-wg@ripe.net" class="">routing-wg@ripe.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" style="font-size: 12pt;" class="">Hi Thiago,<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" style="font-size: 12pt;" class="">The question here, I think, is to understand how much in euros is “a lot”?<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" style="font-size: 12pt;" class="">Regards,<o:p class=""></o:p></span></div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-US" style="font-size: 12pt;" class="">Jordi<o:p class=""></o:p></span></p><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-US" style="font-size: 12pt;" class="">@jordipalet<o:p class=""></o:p></span></p><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-US" style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></p></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div><div class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">El 2/3/20 11:11, "routing-wg en nombre de Thiago da Cruz" <<a href="mailto:routing-wg-bounces@ripe.net" style="color: blue; text-decoration: underline;" class="">routing-wg-bounces@ripe.net</a><span class="Apple-converted-space"> </span>en nombre de<span class="Apple-converted-space"> </span><a href="mailto:tdacruz@ripe.net" style="color: blue; text-decoration: underline;" class="">tdacruz@ripe.net</a>> escribió:<o:p class=""></o:p></div></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">Hi all,</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">Many of you might not know me, but I’m part of RIPE’s software engineering team that takes care of RPKI.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">I’ve been following this discussion closely and I've noticed some lack of clarity about our decision to duplicate our RPKI infrastructure.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">So I think it’s important for us to tell a few things about our approach. </span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">First what we have today in production:</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">- TA software (offline box)</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">- HSM for the TA (plus backups and spare parts)</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">- A few application servers running our RPKI software - I’ll call it RPKI-Core</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">- Redundant HSMs used by RPKI-Core</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">- RRDP publication service (cloud)</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">- Some rsync nodes (internal infra)</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">Something like the diagram below.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">For testing environment we have practically the same infra. </span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">And for public test (localcert) we use ‘soft' keys and no HSMs.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">About the new AS0 TA, yes, we could simplify our infra.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">One option would be to use ‘soft’ keys all around or use a HSM for TA only.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">We could also use third-party software for TA, Core and publication service.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">It crossed my mind, for a fraction of a second, to skip AS0 TA instances for our internal and/or public test environments.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">But I don’t think we should treat it as a "second class citizen". </span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">If we provide another TA, it’s worthy of receiving as much TLC as our production TA; meaning that it would also require the same (or similar) process around it as our production TA does. That includes keeping track of HSM card holders, defining a proper admin and operator quorum, scheduling periodical resigning sessions, etc…</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">I’m not here to advocate against nor in favour of AS0 TA. </span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">But when discussing our implementation, this was our rationale to duplicate the infrastructure. </span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">And that’s why it would cost us a lot to implement it. </span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">Let me know you need more info about this subject.</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">Kind regards, <o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">Thiago da Cruz <o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">Sr. software engineer - RPKI Team<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">RIPE NCC<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""><o:p class=""> </o:p></span></div></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> +---------------------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | +-------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | TA (offline) +------------+ HSM |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | +-------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> +---------------------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> +------------------------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> +-----------> | RRDP publication |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | (cloud) |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> +-------------------+ +-------------------+ | +------------------------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | | | Publication |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | RPKI-Core 1 | (...) | RPKI-Core n | ----------------------> * +></span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | | | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> +--+-----+----+-----+ +--+------+-------+-+ | +----------------------------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | | | | | | | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | +---------------+ | | | | | Rsync publication |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | | | | +----+ +-----------> | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> +-----+ +-----------+ +---------+ | | | (internal infra - x nodes) |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | | | | | | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | | +-------------------+ | | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | +-----------------------------------------+ | | +----------------------------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class=""> | | | | | |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">+-+----+--+ + + +-+------++</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">| HSM 1 | (......................) | HSM m |</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-family: Monaco;" class="">+---------+ +---------+</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class="" type="cite"><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">On 27 Feb 2020, at 23:51, George Michaelson <<a href="mailto:ggm@algebras.org" style="color: blue; text-decoration: underline;" class="">ggm@algebras.org</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Anton pointed out I may have both misunderstood and not answered your question.<br class=""><br class="">The testbed is a soft TA. In deployment, people will have to move to a<br class="">new (as yet not created) TAL for AS0, as long as it runs independently<br class="">of the mainline TAL.<br class=""><br class="">We intend running a distinct TA for AS0 until we get a clear signal<br class="">our community wants it integrated. We have stated concerns about the<br class="">automatic adoption of ASO products worldwide without visible agreement<br class="">of this activity, a separate TAL turns the activity from opt-out to<br class="">opt-in.<br class=""><br class="">We are duplicating the software signing infrastructure, but with lower<br class="">costs overall given commonalities.<br class=""><br class="">We are still discussing if we can run the offline-TA HSM and the<br class="">online production key HSM for both activities, or if we need a<br class="">distinct infrastructure for AS0 and mainline. Duplication overall is<br class="">not in APNIC's model, we rely on spares and alternate use of the HSM,<br class="">but production signing systems are single instances. I believe they<br class="">are capable of some virtualisation or segmentation but that skirts the<br class="">underlying physical risk/dependency.<br class=""><br class="">Sorry for not being clearer before<br class=""><br class="">-George<br class=""><br class="">On Wed, Feb 26, 2020 at 6:18 PM Carlos Friaças via routing-wg<br class=""><<a href="mailto:routing-wg@ripe.net" style="color: blue; text-decoration: underline;" class="">routing-wg@ripe.net</a>> wrote:<br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class="" type="cite"><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><br class=""><br class="">Hi,<br class=""><br class="">Any clue if APNIC has duplicated the infrastructure (and cost) as it is<br class="">foreseen in the NCC's impact analysis...?<br class=""><br class="">Carlos<br class=""><br class=""><br class=""><br class="">On Wed, 26 Feb 2020, JORDI PALET MARTINEZ via routing-wg wrote:<br class=""><br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class="" type="cite"><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Hi Max,<br class=""><br class="">I think is too early to take a decision, and in fact I don't think we are yet in case A.<br class=""><br class="">Consensus is about justified objections. I can see also people in favor and I understand, as we usually do in any proposal discussion, that non-objection is consent.<br class=""><br class="">The only justification that I can see is from Job about possible cost. However, I don't see figures about how much it cost to develop this AS0 + how much it cost the operators to use it (if they want) vs developing the SLURM + making sure it is secure as RPKI + how much ti cost the operators to use it.<br class=""><br class="">And by the way, the AS0 is compatible with the SLURM, so opeartors can choose.<br class=""><br class="">Regards,<br class="">Jordi<br class="">@jordipalet<br class=""><br class=""><br class=""><br class="">El 25/2/20 20:30, "routing-wg en nombre de Massimiliano Stucchi" <<a href="mailto:routing-wg-bounces@ripe.net" style="color: blue; text-decoration: underline;" class="">routing-wg-bounces@ripe.net</a><span class="Apple-converted-space"> </span>en nombre de<span class="Apple-converted-space"> </span><a href="mailto:max@stucchi.ch" style="color: blue; text-decoration: underline;" class="">max@stucchi.ch</a>> escribió:<br class=""><br class=""><br class=""> Hi everyone,<br class=""><br class=""> On 20/02/2020 15:39, Petrit Hasani wrote:<br class=""><br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class="" type="cite"><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">As per the RIPE Policy Development Process (PDP), the purpose of this four week Review Phase is to continue discussion of the proposal, taking the impact analysis into consideration, and to review the full draft RIPE Policy Document.<br class=""><br class="">At the end of the Review Phase, the Working Group (WG) Chairs will determine whether the WG has reached rough consensus. It is therefore important to provide your opinion, even if it is simply a restatement of your input from the previous phase.<o:p class=""></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br class=""> Today, me and the other proposers of this policy change had a meeting to<br class=""> discuss the feedback we have been receiving on the list.<br class=""><br class=""> We understand that many people find this proposal controversial, and<br class=""> many have expressed themselves against it in the past days.<br class=""><br class=""> We would like to encourage discussion and provide us with a bit of<br class=""> guidance on how the community would like to proceed. At present we have<br class=""> identified three ways of progressing:<br class=""><br class=""> A) We can try to go ahead with this proposal, although it will be hard<br class=""> to get consensus;<br class=""><br class=""> B) We can drop the proposal, and leave everything as is;<br class=""><br class=""> C) We can change the proposal to a different ask for RIPE NCC. The idea<br class=""> could be to ask RIPE NCC to provide a SLURM file (similar to what APNIC<br class=""> does), so that single users can decide if they want to feed it to their<br class=""> validators.<br class=""><br class=""> From what we gathered in the discussions, I think B) could be the most<br class=""> sought-after decision, but we would like to propose C) as the way<br class=""> forward. It would give the possibility to those who want to implement<br class=""> this solution to do it in a lightweight fashion. It would for sure be<br class=""> much much cheaper to implement.<br class=""><br class=""> In any case, as Job already pointed out, I prepared a simple tool to<br class=""> generate a SLURM file using either the Team Cymru bogons list, or<br class=""> considering any unassigned space from the NRO delegated stats file.<br class=""> RIPE NCC has kindly provided help and patches to improve it. If you<br class=""> want to give it a go, you can find it here:<br class=""><br class=""> <a href="https://github.com/stucchimax/rpki-as0-bogons" style="color: blue; text-decoration: underline;" class="">https://github.com/stucchimax/rpki-as0-bogons</a><br class=""><br class=""> Thank you for any suggestion or any discussion around this.<br class=""><br class=""> Ciao!<br class=""> --<br class=""> Massimiliano Stucchi<br class=""> MS16801-RIPE<br class=""> Twitter/Telegram: @stucchimax<br class=""><br class=""><br class=""><br class=""><br class=""><br class="">**********************************************<br class="">IPv4 is over<br class="">Are you ready for the new Internet ?<br class=""><a href="http://www.theipv6company.com/" style="color: blue; text-decoration: underline;" class="">http://www.theipv6company.com</a><br class="">The IPv6 Company<br class=""><br class="">This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br class=""><br class=""><br class=""><br class=""><br class=""><o:p class=""></o:p></p></blockquote></blockquote><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div></blockquote></div><div style="margin: 0cm 0cm 0.0001pt 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><br class=""><br class=""><o:p class=""></o:p></div></div><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">**********************************************</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">IPv4 is over</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Are you ready for the new Internet ?</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="http://www.theipv6company.com/" style="color: blue; text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">http://www.theipv6company.com</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">The IPv6 Company</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.</span></div></blockquote></div><br class=""></div></body></html>