Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] AFPUB-2019-GEN-006-DRAFT02 - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Wed Sep 30 14:42:38 UTC 2020


Hi AK, Moses, all,



I will like you to reconsider your decision on this proposal, following CPM 3.5, on the grounds of my responses below, which have already been provided thru previous discussions and I don’t think any of those are valid-objections to the proposal.



See my points below, in-line.





Regards,

Jordi

@jordipalet



7. RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space

The proposal instructs AFRINIC to create ROAs for all unallocated and unassigned address space under its control. This will enable networks performing RPKI-based BGP Origin Validation to easily reject all the bogon announcements covering resources managed by AFRINIC. However, there are many oppositions such as:

a. Allowing resource holders to create AS0/ ROA will lead to an increase of even more invalid prefixes in the routing table.



This shows a lack of understanding of RPKI and the relevant RFCs. Resource holders *ALREADY CAN and DO* that (example IXPs), in fact they do. This has been explained in my presentation. The proposal is just adding clarity on this point, not changing anything.



b. Revocation time of AS0 state, and the time for new allocation doesn’t match.



This is not true, again a misunderstanding about how RPKI works. Several members discussed this in the list. If you get resources, normally you don’t publish them in minutes, so hours, or even days is perfectly valid. In addition to that, it can be improved thru implementation, as I already explained. The staff could tentatively release from the AS0 the resources that they plan to allocate (pending on final documentation, RSA signature, or review with the member, etc.).



c. Other RIRs don’t have a similar the policy therefore, it can not be effective



All the policies have different discussions in different RIRs at different times. This policy is already available in APNIC and LACNIC. There are policies in AFRINIC which aren’t in other RIRs. Does that make them invalid (or in other words, this is an invalid objection – is good that all RIRs do the same, but is not always that the case, or not at the same time).



d. This will become a uniform policy if it is not globally implemented, which causes additional stress.



Absolutely not, the way we suggest the staff, and they confirmed, with an independent TAL protects *as expected by the proposal* the resources of the RIR implementing it, not creating *any issue* in what is done in other RIRs to any operator.



e. Validity period: if members decide to implement it, is it not better to recover the space if it is kept unused for too long?



This doesn’t make sense, at least not as worded. This is not about recovering space, no relation. It is the unused space hold by AFRINIC.



e. How do we revoke the ROA? How long does it take to revoke it (chain/ refreshing )?



This is the same as b above, right? It doesn’t matter in practice, if it takes minutes or hours or even days.



f. What happens if AFRINIC accidentally issues a ROA for an address in error?



Exactly the same if the existing RPKI fails, and that’s why there are monitoring systems in place and caches, etc. This proposal doesn't change that.



g. It also might affect the neighbours and involves monitoring of unallocated spaces.



What is the meaning of neighbours here? Yes, the same monitoring that *right now* should be done by AFRINIC. This proposal ensures that it is improved so hijacking of unused space is less prone to occur, that the purpose of the proposal and RPKI, increase the routing security.



h. Possibility of it being used against a member who is yet to pay dues.

AFRINIC has the obligation to avoid members not paying to stop using the resources, so they are available to other members. Even if we don’t have this proposal, AFRINIC could, following the bylaws and RSA, do whatever actions, including technical ones, to make sure that they are not used.



Suggestions were made to improve the policy such as

a) The automatic creation of AS0 ROAs should be limited to space that has never been allocated by an RIR or part of a legacy allocation.



This doesn’t make any sense and has not been considered at all in other RIRs discussions. That will mean that even if a member return the space, and stop replying to AFRINIC, the space will never come to the AS0 ROAs. This is related also to the next point.



b) AFRINIC should require the explicit consent of the previous holder to issue AS0 ROAs in respect of re-claimed, returned, etc, space.



This doesn’t make any sense and has not been considered at all in other RIRs discussions. If a member is not following the established legal bindings, not just AFRINIC, but *any* organization, has the obligation, to ensure that the member is not cheating the other members and take any actions they can to fullfill the recovery or whatever is needed. The proposal doesn’t state if AFRINIC should take some intermediate steps in cases of litigation, disagreements, etc. however, the legal documents already state that they should try to remediate the situation before the recovery, so it is clearly part of the existing process and will not only affect this proposal but all the CPM. A member can just disappear (a bankruptcy), so if this is not done, the resources could never be recovered, while the legal documents, already state that!



c) Any ROAs issued under this policy should be issued and published in a way that makes it operationally easy for a relying party to ignore them (probably by issuing under a separate TA).



This is already explicit in the proposal and confirmed by the staff. Nevertheless, it is an operational decision, and could be changed over the time.



d) The proposal should include the clause “as used in APNIC as to dues not paid on time.”

Can you please point to the relevant presentation? I’ve followed, and reviewer all the APNIC work on this (I participated in all that) and I can’t find what you mean.





Chairs Decision: No consensus











**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200930/98a680ef/attachment-0001.html>


More information about the RPD mailing list