[rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT02

[Nishal Goburdhan]

On 16 Sep 2020, at 23:13, Ekaterina Kalugina wrote:


> I believe this policy would extend AFRINIC's power way beyond its 

> control.


please explain how?  today, we rely on afrinic’s whois database to 
provide us with allocation/assignment information.  additionally, we 
rely on the IRR databases (one of which is operated by afrinic) to relay 
which ASN _intends_ to originate a routing advertisement for a prefix.  
RPKI does not change that.  and if you think it does, please, explain 
*how*, and why.  all that RPKI does, is provide a verifiable 
cryptographic means, so that *if* a party chose to apply verification, 
they could.  yes, you read right - it’s voluntary!

RPKI, does not change afrinic’s role.  if anything, if provides you 
(the end network operator) with a means to cryptographically verify the 
advertisement is, as the network owner intended.  what you choose to do, 
with the answer, is up to you.  afrinic does not control your routing, 
and if you think this, you are incorrect.



> AFRINIC is a registration entity and should not have authority over 

> RPKI.


that is not an argument that is relevant to this policy.  ROAs are 
nothing more than a *voluntary* attestation of which ASN is meant to 
originate which prefixes.  that voluntary attestation is done *by* the 
network themselves, and not afrinic.

to help you understand how the proposed policy ties into this, all that 
will happen is that address space that has been allocated to afrinic, by 
the IANA, and which afrinic has *not* yet allocated/assigned to its 
membership, will have a ROA with an origin of AS0.  since this is, by 
definition, *unallocated space*, this is perfectly acceptable, and has 
no negative impact to anyone.  no network on the internet should have 
any claim to these addresses anyway.
it’s very easy to be critical of afrinic for many things;  but, 
there’s no way here, that you can claim that they are over-stepping 
their role,  because all they are doing, is providing a registration 
system that can be cryptographically verified.  if you think that RPKI 
is anything else, you are incorrect.



> Having such would run the risk of Internet centralization and 

> undermine the

> legitimacy of AFRINIC as an impartial institution.


aside from your very generic statement being off-topic, frankly, 
you’re about 14years too late.  RPKI usage is wide-spread, and 
continuing across the world, and, from all measurable viewpoints [1], 
the internet has continued to grow, and operate just fine.  some would 
say, even better.

it is ok for you to not like RPKI.  but this policy is not about your 
(or my) like of the technology.  it’s about whether, or not, afrinic 
should have AS0 ROAs registered for their *unallocated* address space.  
so, dear co-chairs, if you’re still reading, the personal statement of 
dissent against the technology is *not* relevant to the discussion of 
why AS0 ROAs are good, or bad for unallocated blocks.  please remind our 
colleagues to argue either for, or against, the topic at hand.

(btw afrinic has other mailing lists/support groups if you want to speak 
more generally about RPKI.  so, if you want to learn about RPKI, or 
learn more about why your fears of internet centralisation are 
unfounded, those lists are where you’ll want to have _that_ 
discussions.  i am sure that many people on this list could probably 
explain it here, but that would be off-topic for RPD!)



> In addition, currently if there is a registration error, it is just a

> registration error. However, if a registration error occurs with RPKI 

> AS0,

> people will actually lose their connectivity.


i think here, what you meant to write, was something like:
# if afrinic accidentally changes a valid allocation/assignment, to 
unallocated, and thus applies an AS0 ROA to this, then, there is a 
chance that the network that had the allocation earlier, might face 
routing difficulties.  is that correct?

if that is what you meant, then yes, this is a risk.  however, that risk 
already exists *now*, and a ROA does *not* making that inherently worse. 
and, by the way, this is not in any way, a new risk.  networks face this 
same risk that afrinic might accidentally de-register them, everyday.
are you familiar with how network operators build routing policies from 
IRR information?  a “mistake” leading to incorrect IRR information 
registration, is *just* as disastrous as an errant AS0 ROA [2], because 
more and more networks are becoming stricter by mandating IRR usage, 
every day.  and *this* is a Good Thing.  go lookup the afnog/afrinic 
meeting archives from the nairobi 2006 meeting, where gaurab presented 
this quite well.  or, ask afrinic why they are now teaching classes on 
IRR usage.  and there’s rDNS removal.  or being added to services like 
team cymru’s bogon list.  or …
there is risk inherent in everything.  what we all want, is for afrinic 
to come up with a belt-and-bracers approach to ensuring that mistakes 
are mitigated against, but at the same time, improving the operational 
environment that we work in.  so, with your in-depth knowledge of rpki, 
you probably want to be one of the first volunteers to help read through 
their implementation plan, look for flaws, and ensure that the edge case 
that you mention above, is protected against.  (personally, i think that 
this is not a difficult feature to code, but my perspective might be 
skewed…)  but again - that’s an implementation issue, and many, many 
moons ago, this working group agreed that implementation issues, should 
remain separate from policy.


dear co-chairs,
this is about the time, where you step up, and explain to the sudden 
influx of new list members, that parroting falsities does not add to the 
value of the discussion.  we really need you to see beyond “belief” 
and to focus on operational realities.

is this policy a good idea?   honestly, when i first read it, i gave it 
a “meh”.  i, mostly, still think the same.  what i *do* care about, 
is that the “arguments” (and i used that word loosely) that are 
being put forward to derail this policy, are not grounded in any reality 
that is tied to the working operations of the internet.


—n.

[1]  this isn’t a random claim.  lookup nlnetlabs, nist, and geoff’s 
measurements.
[2]  i have AS0 ROAs.  and regular non-AS0 ROAs.  they don’t scare me.