Search RPD Archives
[SPAM] RE: [AfriNIC-rpd] Afrinic and RPKI
ALAIN AINA
aalain at trstech.net
Thu Feb 17 07:13:14 UTC 2011
On Feb 15, 2011, at 7:40 PM, Andrew Alston wrote:
>
> >> Hi Guys,
> >>
> >> While I was considering developing a policy proposal around RPKI in Africa,
>
> > What is the problem statement for the policy ??
>
> The problem is RPKI in its current form, and myself, like many others I have spoken to around the world are opposed to its current form and implementation because of the dangers it creates.
>
> I am prepared to go as far as saying, that unless there are a lot more assurances given about ways to prevent interference from political entities, I will propose a statement of rejection of RPKI from the African community.
>
hmmm. RPKI is global security framework in which RIRs only issue certificates covering allocations they made and publish/maintain repository. What you do with the certificates is not really RIRs business.
So what will your policy of rejection say? "Do not issue the certificates"? or "Do not use the certificates to routing purposes" ?, etc......
Is this a matter of policy ? i doubt.
>
> > I figured before I attempt that one, and its a bit of a minefield, I'd like
> > to open some discussion on the list about RPKI.
>
>
> > Great. We also have rpki-discuss at afrinic.net for RPKI related discussions.
>
> >> A.) When a government declares that ISP X must be turned off, and issues
> >> AfriNIC with an order to turn them off, that is generated in a court in the
> >> country that the ISP resides in, how is AfriNIC planning on responding.
>
> > Not a RPKI issue
>
> Very definitely an RPKI issue. At this point, if governments want to shut off ISPs they have to go after each ISP individually and actually force the ISP to do something. With RPKI there is a potential situation where they can come after the ISPs VIA the RIR, and the get the certificates revoked at the RIR, dropping the ISP off the face of the net without even talking to the ISP. That is DEFINITELY an RPKI issue.
>
different reasons(payment, issues with the RSA, etc....) can lead to membership closure and resource revocation and with RPKI, certificate revocation. So my point here is that the issue is about legal aspects of the INRs management: governments/local laws implications in the INRs management.
So if governments or courts decisions have to be executed by AFRINIC, then RPKI certificate will just follow the implementation. So fix that and don't blame RPKI.
Without RPKI:
1- close membership
2- remove your numbers from the whois/IRRs
3-inform the world of the illegality of the routing of your former prefixes
with RPKI:
1-close membership
2- remove your numbers from whois/IRRs
3- revoke your Certificate
4- inform the world of the illegality of the routing of your former prefixes
NB:routing and other filtering decisions are made elsewhere.....
>
> >> B.) With the acceptance of RPKI we effectively allow outside forces to
> >> control the issuing and revocation of IP space,
>
> > Nope. RPKI reflects what AfriNIC members and allocations databases say. If you are member and have resources, you will have a
> > RPKI certificate to say so.
>
> In an ideal world, are you telling me that AfriNIC will give guarantees that under court order they will not withdraw certification of a route to shut down an ISP if a meddling political entity tries to force it? Are you really telling me there is no danger here? Sorry... gonna need a lot of convincing to believe that one.
>
>
>
political interferences in the INR management as in many aspects of the NET is a potential danger. So we shall be careful and deal with them as much as possible, and not stop technologies needed to make the NET more reliable, secure, etc.....
> >> and if we look at the
> >> actions taken recently in Tunisia, Egypt and rumour has it now in Algeria,
> >> is this really a road we want to walk down?
>
> > Nobody wants to go there. Open and free access to the Internet should a goal for every net citizen.
>
> No sane person wants to go there, governments and the powers that be can be far from sane. RPKI gives them a method to exercise this insanity unless we are extremely careful. I seek reassurances that we have ways to address these issues. At this point, as pointed out here, and as pointed out by a LONG mail thread on NANOG, there are others that share the concern that we are creating a huge "internet kill switch", and this I have to oppose. Once RPKI starts being used for "negative" testing of routes, I.E, no cert, no route, we develop a major problem. Further more, part of the redundancy and the reliability of the Internet is based in its highly distributed nature, RPKI seriously reduces this and makes it reliant on a number of smaller authorities. This is not something that I can see happen without serious objection.
>
>
Route validation or other filtering will always be a local policy decision:
"No Cert: no route" is an option
"CERT: route, CERT: route more trusted" could be another one.
>
>
> >> C.) Has AfriNIC done any work with regards to RPKI to prepare for if this
> >> does become a reality?
>
> > For the RPKI, we have a CP and CPS and are looking at the legal related aspects with the Legal adviser. This does include Legal > aspects on the Internet Number resources management.
>
> I am glad to hear there are legal opinions being sort on this, and I would like to hear opinions from the legal side on this. I can tell you that before we walk down the RPKI route, I wouldn't feel comfortable without having our own legal council take a serious look at this as well.
>
> >>
> >> Right now, I see the world discussing RPKI as a solution for IP hijacking,
> >> which is likely to become far more commonplace now that IP space is running
> >> out, at the same time, I see us being years away from RPKI implementations.
> >> (There is no code in the routers to support this yet,
>
> > you can just use the RPKI objects to generate filters for routers for now.
>
> If you do negative route testing right now with RPKI objects you'd end up filtering 99% of the table, we're a long way from that being viable
>
> >> there are immense
> >> technical and political hurdles to be crossed, and its a fundemental change
> >> to the way the Internet actually operates and in my opinion a grave threat
> >> to the autonomy of ISPs).
>
> > I thought you were in favor of solutions for IP hijacking and BGP threats :-)
>
> You thought correctly. I am in favor of solutions that prevent IP hijacking and BGP threats, including but not limited to, a complete overhaul of the current IRR system (which I believe if implemented properly on a global scale would solve half the problems RPKI is supposed to address). I am NOT in favor of creating a mechanism that allows for political and other outside entities to influence the reachability of independent ISPs. Nor am I favor of creating mechanisms that reduce the highly distributed nature of the internet that lends it the current level of redundancy and reliability.
>
RPKI is not replacing or killing IRRs. Improving the IRRs to get it solved half of what RPKI is intended to do will be a good move. On the way, we will see many other options of solving the problems and not only RPKI.
What will think of using a DNSSEC-enable RDNS to publish what we need ? Aie !!!!! i forgot: DNS is hierarchical and in the RDNS, you need delegations from RIRs and RIRs may be under governments pressure:-)
>
> It was once written (and forgive me, I forget who said it), that the internet is the worlds largest and more successful demonstration of anarchy that exists. Some people don't like that, but the fact is, it works. Go down the RPKI route as it is currently being discussed, and we walk down a road where the control is transferred to a few and we lose this.
>
> Pray tell as well, what happens if one of the root issuing systems is compromised? Do we really want to risk that?
>
> Anyway, this is an academic debate at the moment, and I am not saying that I am beyond being convinced that this is the right way to go, but call me highly skeptical and highly cynical, but at the moment, looking at this system as I understand it, I consider this one guilty until proven innocent.
>
On the general, does the "non RPKI situation" really defeat governments actions on shutting down ISPs ? Will an ISP continue to operate in a country with a government/courts decision which deny that ?
We all share your concerns, but with different perspectives :-)
--alain
>
> Just my 2c
>
> Andrew
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20110217/bf26f920/attachment.html>
More information about the RPD
mailing list