Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[AfriNIC-rpd] Afrinic and RPKI

Terry Manderson terry.manderson at
Wed Feb 16 00:47:58 UTC 2011


So before this runs off into a governments are evil and want to control us
line (maybe to late?) I'll put on my IETF SIDR Work Group participant hat
and hopefully clarify some items in regard to RPKI.

So to be clear, I am speaking as a IETF participant involved in the SIDR
work group. I am NOT speaking for ICANN or IANA.

The RPKI allows a hierarchical PKI structure anchored at the root of the
allocation hierarchy (see the IAB statement here:
and when done in this fashion ensures that allocated identifiers are unique.

The RPKI is the current school of thought on how to say, in cryptography
terms, "The entity with the private key for this certificate has been
allocated these resources". It does not specifically name that entity. There
may be a process in the RIR that creates some linkage between the RIR
member, and the holder of the private key.

This RPKI hierarchy only provides a mechanism to certify that a party has
been allocated a resource. Additional objects have been defined which allow
_that_ party (the one that holds the private key) to make statements about
the resource allocated. One of those objects is a Route Origination
Authorization (ROA).

It is true that a revoked certificate will revoke a ROA.
It is true that a ROA with an autonomous system number of 0 (AS0 ROA) CAN be
interpreted as 'do not route this prefix'.

However, RIRs do not control routing. RIRs do not permit people to advertise
or withdraw routes. Network operators do. This is based on business
arrangements. This is how it has always been and this is how, I suspect, it
will always be.

The effort to take RPKI statements and make automated routing decisions on
them is being worked on by some vendors. However a network operator enables
it, and controls it.

Also consider some nice work in draft-ietf-sidr-ltamgmt-00 which allows
any/every network operator to take the entire RPKI hierarchy and modify it
for their OWN local policy. That can then then fed into their automated
routing machinery. Remember network operators control routing.

Also it is worth stating that even when a ROA does not exist (ie is revoked)
the interpretation by such rpki automated routing machines is that a route
is always valid unless proven otherwise. With no ROA in place, it might be
less secure, but cannot be proven to be 'invalid'.

There might be some validity in working in the RIR policy framework for when
and who can issue an AS0 ROA. But irrespective of that the network operator
can choose to ignore any AS0 ROA.

So in all of this, since network operators control routing and really RPKI
is just an informational statement of allocation, how does it hand control
to government entities? The governments would have to control the routers
themselves and I just don't see that as realistic.


On 16/02/11 5:52 AM, "Andrew Alston" <aa at> wrote:

> I need also, in addition to my last email, recall an incident in Cairo, at
> Afrinic in 2005.
> The ITU stood up there, and very basically, if memory serves me correctly,
> proposed that IP space be split up between NIRs (national internet
> registries), with the amount of space being split between the countries based
> on a number of factors, and in effect, handing control of IP space to
> governments.
> The proposal caused anger in the room to levels that shocked me, so much so
> that the floor took only 2 or 3 questions before very smartly closing for
> questions because of the vehemence that was coming from the floor over the
> proposal. 
> Why did the proposal meet such tremendous opposition?  Because it took the
> control of the net out of the hands of the people and placed it in the hands
> of entities that may or may not have the good of the internet at heart.  (That
> and the basis of splitting up the IP space and how much each country would get
> etc was... beyond bizarre)
> Now, lets look at a scenario here for a second.  We implement RPKI, the ITU
> then attempts to get it legislated that RPKI and negative testing becomes
> mandatory.  At that point, it is one small step from the RIR being coerced
> into accepting "member STATE" decisions about certifications.  The state now
> controls who they can turn on and who they can turn off.
> Far fetched?  Conspiracy theory?  Some would have said so, until Egypt,
> Tunisia, Algeria, Iran, the statements by the ANCYL that they would "Shut down
> twitter", I can keep listing....
> I really believe that over the last few years, governments have begun to
> realize that the internet is dangerous to them, they have been, and will
> continue to attempt to legislate and take back the control, to protect
> themselves and limit the power of communication by the people.  Look back at
> history, the first thing any dictatorial government has gone after in most
> cases is freedom of the media.  Why?  Its a communication mechanism.  The
> internet reduces their ability to do this.  RPKI plays into their hands and
> could unless very carefully considered hand back more control to these
> entities.
> Andrew Alston
> TENET - Chief Technology Officer
> Phone: +27 21 763 7181
> -----Original Message-----
> From: aalain at on behalf of ALAIN AINA
> Sent: Tue 2/15/2011 9:09 PM
> To: Andrew Alston
> Cc: AfriNIC List
> Subject: Re: [AfriNIC-rpd] Afrinic and RPKI
> On Feb 13, 2011, at 3:45 PM, Andrew Alston wrote:
>> Hi Guys,
>> While I was considering developing a policy proposal around RPKI in Africa,
> What is the problem statement for the policy ??
>> I figured before I attempt that one, and its a bit of a minefield, I'd like
>> to open some discussion on the list about RPKI.
> Great. We also have rpki-discuss at for RPKI related discussions.
>> While I am not going to attempt to go into the details of RPKI in this
>> email, and will leave that up to the reader to do some research (its a
>> complex topic), I would like someone from AfriNIC to respond to the
>> following questions that can help guide policy formation on this issue.
> I will respond only  to RPKI part :-)
>> A.) When a government declares that ISP X must be turned off, and issues
>> AfriNIC with an order to turn them off, that is generated in a court in the
>> country that the ISP resides in, how is AfriNIC planning on responding.
> Not a RPKI issue
>> B.) With the acceptance of RPKI we effectively allow outside forces to
>> control the issuing and revocation of IP space,
> Nope. RPKI reflects what  AfriNIC members and allocations databases say. If
> you are member and have resources, you will have a RPKI certificate to say so.
>> and if we look at the
>> actions taken recently in Tunisia, Egypt and rumour has it now in Algeria,
>> is this really a road we want to walk down?
> Nobody wants to go there. Open and free access to the Internet should a goal
> for every net citizen.
>> C.) Has AfriNIC done any work with regards to RPKI to prepare for if this
>> does become a reality?
> For the RPKI, we have a CP and CPS and are looking at the legal related
> aspects with the Legal adviser. This does  include Legal aspects on the
> Internet Number resources management.
>> Right now, I see the world discussing RPKI as a solution for IP hijacking,
>> which is likely to become far more commonplace now that IP space is running
>> out, at the same time, I see us being years away from RPKI implementations.
>> (There is no code in the routers to support this yet,
>  you can just use the RPKI  objects  to generate filters for  routers  for
> now.
>> there are immense
>> technical and political hurdles to be crossed, and its a fundemental change
>> to the way the Internet actually operates and in my opinion a grave threat
>> to the autonomy of ISPs).
> I thought you were in favor of solutions  for  IP hijacking and  BGP threats
> :-)
>> However, with the global debate on this
>> increasing I think it would be irresponsible of us in the AfriNIC region if
>> we did not start taking a long hard look at this and deciding how we as the
>> African community want to respond.
> Agreed.
> thanks
> --alain
>> So, I'd like to issue an invitation for some discussion on this subject on
>> the list.  Do some reading, do some research, and lets hear some thoughts so
>> that we can develop some sensible policies around this within the community,
>> before its far to late and we are forced to accept something implemented by
>> the rest of the world without our thoughts being heard.
>> I would strongly suggest reading
>> Thanks
>> Andrew Alston
>> TENET - Chief technology Officer
>> _______________________________________________
>> rpd mailing list
>> rpd at

More information about the RPD mailing list