[rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT02
Nishal Goburdhan
nishal at controlfreak.co.za
Thu Sep 17 00:12:31 UTC 2020
On 16 Sep 2020, at 23:13, Ekaterina Kalugina wrote:
> I believe this policy would extend AFRINIC's power way beyond its
> control.
please explain how? today, we rely on afrinic’s whois database to
provide us with allocation/assignment information. additionally, we
rely on the IRR databases (one of which is operated by afrinic) to relay
which ASN _intends_ to originate a routing advertisement for a prefix.
RPKI does not change that. and if you think it does, please, explain
*how*, and why. all that RPKI does, is provide a verifiable
cryptographic means, so that *if* a party chose to apply verification,
they could. yes, you read right - it’s voluntary!
RPKI, does not change afrinic’s role. if anything, it provides you
(the end network operator) with a means to cryptographically verify the
advertisement is, as the network owner intended. what you choose to do,
with the answer, is up to you. afrinic does not control your routing,
and if you think this, you are incorrect.
> AFRINIC is a registration entity and should not have authority over
> RPKI.
that is not an argument that is relevant to this policy. ROAs are
nothing more than a *voluntary* attestation of which ASN is meant to
originate which prefixes. that voluntary attestation is done *by* the
network themselves, and not afrinic.
to help you understand how the proposed policy ties into this, all that
will happen is that address space that has been allocated to afrinic, by
the IANA, and which afrinic has *not* yet allocated/assigned to its
membership, will have a ROA with an origin of AS0. since this is, by
definition, *unallocated space*, this is perfectly acceptable, and has
no negative impact to anyone. no network on the internet should have
any claim to these addresses anyway.
it’s very easy to be critical of afrinic for many things; but,
there’s no way here, that you can claim that they are over-stepping
their role, because all they are doing, is providing a registration
system that can be cryptographically verified. if you think that RPKI
is anything else, you are incorrect.
> Having such would run the risk of Internet centralization and
> undermine the legitimacy of AFRINIC as an impartial institution.
aside from your very generic statement being off-topic, frankly,
you’re about 14 years too late. RPKI usage is widespread, and
continuing across the world, and, from all measurable viewpoints [1],
the internet has continued to grow, and operate just fine. some would
say, even better.
it is ok for you to not like RPKI. but this policy is not about your
(or my) like of the technology. it’s about whether, or not, afrinic
should have AS0 ROAs registered for their *unallocated* address space.
so, dear co-chairs, if you’re still reading, the personal statement of
dissent against the technology is *not* relevant to the discussion of
why AS0 ROAs are good, or bad for unallocated blocks. please remind our
colleagues to argue either for, or against, the topic at hand.
(btw afrinic has other mailing lists/support groups if you want to speak
more generally about RPKI. so, if you want to learn about RPKI, or
learn more about why your fears of internet centralisation are
unfounded, those lists are where you’ll want to have _that_
discussion. i am sure that many people on this list could probably
explain it here, but that would be off-topic for RPD!)
> In addition, currently if there is a registration error, it is just a
> registration error. However, if a registration error occurs with RPKI
> AS0, people will actually lose their connectivity.
i think here, what you meant to write, was something like:
# if afrinic accidentally changes a valid allocation/assignment, to
unallocated, and thus applies an AS0 ROA to this, then, there is a
chance that the network that had the allocation earlier, might face
routing difficulties. is that correct?
if that is what you meant, then yes, this is a risk. however, that risk
already exists *now*, and a ROA does *not* make that inherently worse.
and, by the way, this is not in any way, a new risk. networks face this
same risk that afrinic might accidentally de-register them, everyday.
are you familiar with how network operators build routing policies from
IRR information? a “mistake” leading to incorrect IRR information
registration, is *just* as disastrous as an errant AS0 ROA [2], because
more and more networks are becoming stricter by mandating IRR usage,
every day. and *this* is a Good Thing. go look up the afnog/afrinic
meeting archives from the nairobi 2006 meeting, where gaurab presented
this quite well. or, ask afrinic why they are now teaching classes on
IRR usage. and there’s rDNS removal. or being added to services like
team cymru’s bogon list. or …
there is risk inherent in everything. what we all want, is for afrinic
to come up with a belt-and-braces approach to ensuring that mistakes
are mitigated against, but at the same time, improving the operational
environment that we work in. so, with your in-depth knowledge of rpki,
you probably want to be one of the first volunteers to help read through
their implementation plan, look for flaws, and ensure that the edge case
that you mention above, is protected against. (personally, i think that
this is not a difficult feature to code, but my perspective might be
skewed…) but again - that’s an implementation issue, and many, many
moons ago, this working group agreed that implementation issues, should
remain separate from policy.
dear co-chairs,
this is about the time, where you step up, and explain to the sudden
influx of new list members, that parroting falsities does not add to the
value of the discussion. we really need you to see beyond “belief”
and to focus on operational realities.
is this policy a good idea? honestly, when i first read it, i gave it
a “meh”. i, mostly, still think the same. what i *do* care about,
is that the “arguments” (and i used that word loosely) that are
being put forward to derail this policy, are not grounded in any reality
that is tied to the working operations of the internet.
—n.
[1] this isn’t a random claim. look up nlnetlabs, nist, and geoff’s
measurements.
[2] i have AS0 ROAs. and regular non-AS0 ROAs. they don’t scare me.
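The mechanism the message above describes (an AS0 ROA for unallocated space, validation being a voluntary choice of the receiving operator, and the "accidental de-registration" edge case) can be shown concretely with the origin-validation procedure from RFC 6811. The following is an added example written for this archive page, not code from the poster, from AFRINIC, or from any RPKI validator project. The prefixes (RFC 5737 documentation ranges) and ASNs (RFC 5398 documentation range) are constructed sample data, and the `drop_invalid` knob is a stand-in for whatever "invalid-reject" configuration a router vendor exposes.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA set.

Shows three things from the list discussion:
  1. an AS0 ROA makes every announcement of the covered (unallocated)
     block "invalid", because AS 0 can never be a legitimate origin;
  2. what a router *does* with "invalid" is the operator's own policy
     (drop_invalid), i.e. RPKI itself does not control anyone's routing;
  3. the edge case: if the registry mistakenly treats an allocated block
     as unallocated (member ROA gone, AS0 ROA present), that member's
     route becomes "invalid" at anyone who rejects invalids.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Literal, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
State = Literal["valid", "invalid", "not-found"]


@dataclass(frozen=True)
class ROA:
    prefix: Network
    max_length: int
    origin_asn: int  # 0 == "nobody may originate this" (AS0 ROA, RFC 6483)


def roa(prefix: str, origin_asn: int, max_length: Union[int, None] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length (RFC 9319 advice)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return ROA(net, net.prefixlen if max_length is None else max_length, origin_asn)


def covers(r: ROA, net: Network) -> bool:
    """A ROA covers a route prefix when the route lies inside the ROA prefix."""
    return net.version == r.prefix.version and net.subnet_of(r.prefix)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> State:
    """RFC 6811 section 2: NotFound if no ROA covers the prefix, Valid if any
    covering ROA matches origin AS and respects maxLength, else Invalid."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, net)]
    if not covering:
        return "not-found"
    for r in covering:
        # An AS0 ROA (origin_asn == 0) can never satisfy this test, so a block
        # covered only by an AS0 ROA is always Invalid.
        if r.origin_asn == origin_asn and r.origin_asn != 0 and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept_route(prefix: str, origin_asn: int, roas: Iterable[ROA], drop_invalid: bool) -> bool:
    """Operator policy layered on top of validation. Rejecting invalids is a
    local choice; with drop_invalid=False the ROA set changes nothing."""
    state = validate(prefix, origin_asn, roas)
    return not (drop_invalid and state == "invalid")


# Constructed registry state (sample data, documentation ranges only):
#   192.0.2.0/24    allocated to a member, member published a ROA for AS64496
#   203.0.113.0/24  unallocated at the RIR -> AS0 ROA, as the policy proposes
#   198.51.100.0/24 no ROA at all
ROAS = [
    roa("192.0.2.0/24", 64496),
    roa("203.0.113.0/24", 0),
]

# The edge case from the thread: the registry mistakenly treats 192.0.2.0/24
# as unallocated, so the member's ROA is gone and an AS0 ROA now covers it.
MISREGISTERED = [
    roa("192.0.2.0/24", 0),
    roa("203.0.113.0/24", 0),
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("203.0.113.0/24", 64497), ("198.51.100.0/24", 64498)]:
        print(f"{pfx:18} AS{asn}: {validate(pfx, asn, ROAS)}")
    print("after mis-registration:", validate("192.0.2.0/24", 64496, MISREGISTERED))
```

Two points worth noticing when running it: the AS0 ROA only bites at operators who set `drop_invalid=True`, which is exactly the "voluntary" property the message insists on; and a hijacked or fat-fingered announcement of the unallocated block is classified the same way whether the origin is a stranger's ASN or the member's own, because no ROA can ever match origin AS 0.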