[ncc-services-wg] New on RIPE Labs: RPKI Repositories and the RIPE Database in the Cloud
- Previous message (by thread): [ncc-services-wg] New on RIPE Labs: RPKI Repositories and the RIPE Database in the Cloud
- Next message (by thread): [ncc-services-wg] New on RIPE Labs: RPKI Repositories and the RIPE Database in the Cloud
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Shane Kerr
shane at time-travellers.org
Wed May 19 01:05:23 CEST 2021
Friends, On 10/05/2021 13.40, Alun Davies wrote: > > The mission critical services the RIPE NCC provides to the Internet community require a solid technical foundation. In this new article on RIPE Labs, Felipe Silveira looks at plans to use cloud infrastructure as a means to that end. The full article is available here: > > https://labs.ripe.net/author/felipe_victolla_silveira/rpki-repositories-and-the-ripe-database-in-the-cloud/ I am unable to attend the NCC Services Working Group session at RIPE 82, so I thought that I would say something here. My main concern with moving RPKI repositories and the RIPE Database to the cloud is with the choice of AWS as provider, basically because Amazon is a US-based company. We know that tech companies in the US have handed over data to the US government - sometimes without a warrant, sometimes with. We know that the US law has provisions for secret subpoenas, where a service provider cannot reveal that subpoenas were issued. Using any US-based cloud provider means basically hoping that none of the data that RIPE puts there or the meta-data derived from usage of the service is interesting for any part of the US government. I know all of the big cloud providers are US-based, except for Alibaba Cloud. I would not feel a lot safer with a Chinese-based cloud provider for RIPE data and associated services. Not using one of the big cloud providers means going with smaller cloud providers. I think that's probably fine - the RIPE NCC's requirements are surely quite small, and can surely be met by at least two cloud vendors in Europe. I realize that using a European vendor might not be especially comforting for people outside of the EU sphere of influence. I don't think this can be completely resolved, although since the RIPE NCC is already a Dutch-based member association it should not add much extra legal or technical risk. A separate concern is with vendor lock-in. If the RIPE NCC really deploys their stuff to multiple cloud providers, then this won't be a problem, but the very real, seemingly firm choice of AWS and the hand-waving about what a second provider might look like doesn't fill me with confidence. My own suggestion would be to not use a second provider as a back-up but to run two cloud providers at all times (not necessarily with an equal split of load though). I wasn't sure whether I should bother sending this mail, because I worry that this effort is being run like a Dutch government project. That means that people are fully informed, their opinions are listened to, and then the project proceeds exactly as the government planned without change. 😉 Hopefully that is not the case here. Cheers, -- Shane -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x3732979CF967B306.asc Type: application/pgp-keys Size: 11589 bytes Desc: not available URL: <https://lists.ripe.net/ripe/mail/archives/ncc-services-wg/attachments/20210519/b3e46490/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: <https://lists.ripe.net/ripe/mail/archives/ncc-services-wg/attachments/20210519/b3e46490/attachment.sig>
- Previous message (by thread): [ncc-services-wg] New on RIPE Labs: RPKI Repositories and the RIPE Database in the Cloud
- Next message (by thread): [ncc-services-wg] New on RIPE Labs: RPKI Repositories and the RIPE Database in the Cloud
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]