[ncc-services-wg] Certifying of PI End User Address Space
Alex Band alexb at ripe.net
Tue Mar 26 14:39:22 CET 2013
Hi Niall, Randy,

The cost estimate is based on treating option 2 and 3 completely individually, but there is indeed a lot of overlap in the implementation. Most of the development work goes into building the framework for associating a certificate with address space to a non-member. This means implementing both option 2 and 3 would not result in a significantly higher cost than offering just one of them. There is overlap in the running cost as well, for example in terms of support and auditing.

With regards to scaling, there are two elements to keep in mind:

a) Users requesting a certificate and entering data into the hosted RPKI system
b) Users querying the RPKI repository for the content we publish

With regards to a), the current RPKI infrastructure that the RIPE NCC runs is capable of handling certificates for all members and non-members and any ROAs they might create. There is no additional scaling needed on that end.

As for b), depending on the amount of queries that our RPKI repository will receive, it will need to be scaled up. As more people enter data into the system, the usefulness of RPKI as a whole grows and with it the likelihood that people will want to query the repository. It is very hard to estimate at what pace data usage will grow, all we can say now is that the amount of queries to our repository is very low.

Lastly, the RIPE NCC doesn't necessarily need to be responsible for distributing the RPKI related content set all by itself.

I hope this puts things in perspective for you.

Kind regards,

Alex Band
(filling in for Andrew)
Product Manager
RIPE NCC

On 25 Mar 2013, at 12:17, Niall O'Reilly <Niall.oReilly at ucd.ie> wrote:

>
> On 25 Mar 2013, at 10:55, Andrew de la Haye wrote:
>
>> For option 2 (going through the sponsoring LIR) and option 3 (going to the RIPE NCC directly), there is a possibility to provide an automated solution for which only PI End Users who have submitted a 2007-01 End User Assignment Agreement are eligible. This means the RIPE NCC will need to develop a solution where the following informational elements are cross-referenced with each other:
>>
>> a) The authoritative control over the address space (i.e. the ability to authenticate against the relevant objects in the RIPE Database)
>> b) The End User Assignment Agreement that was submitted and verified by the RIPE NCC
>> c) The RIPE NCC Access credentials for accessing the certification management interface
>>
>> Please keep in mind that in both estimates, where the actual cost falls in the given broadband depends on the amount of manual verification that is desired, which can range from random periodic audits to verification of every application by RIPE NCC staff. Also, the additional costs with smaller or larger uptake are estimated to be quite low.
>>
>> Option 2:
>> A one time cost of 65 kEUR, with a running cost of 45 kEUR, based on an estimated uptake of 15% or approximately 2,500 PI End Users.
>>
>> Option 3:
>> A one time cost of 70kEUR, with a running cost of 70 kEUR, based on an estimated uptake of 15% or approximately 2,500 PI End Users.
>>
>> Lastly, it is important to point out that as the certificate is valid for only one year, providing this service to PI End Users creates an opportunity for periodic confirmation of the 2007-01 End User Assignment Agreement, further improving the robustness of our Registry.
>
> Thank you for this useful information, Andrew.
>
> I'ld appreciate some further clarification, if you wouldn't mind.
>
> It seems to me that there must be significant overlap in the elements needed to implement either
> Option 2 or Option 3. Should we understand that the estimates you give correspond to the respective
> costs of implementing either option on its own, without implementing the other? If so, would it
> be reasonable to assume that implementing both might be done for a one-time cost nearer to €75k
> than to €135k and a running cost somewhere between your estimates, depending on the mix of
> PI End Users deciding for each of the options?