[rpd] AFPUB-2019-GEN-006-DRAFT02 - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space

[Lamiaa Chnayti]

Hey Jordi,

The very fundamental objection to this policy, is that RIR is about
registration polices, and not routing policies.

This is a policy that potentially asks AFRINIC to proactively interfere
with routing, which is out of scope of RIR’s mandate.

Before this policy, all route object of AFRINIC or RPKI provided by
AFRINIC, are created by its members, so those operate the networks, AFRINIC
does not proactively create route object or change RPKI for any of resource
it manages registration with.

And this policy changes that, and this is not what AFRINIC should or is
meant to do.

And of course, when you ask Afrinic to interfere with routing, a mistake in
registration does not immediately impact network operation, but a mistake
in routing, it does, so others have raised concern over potential mistake
of Afrinic or Afrinic staff, in which in the past there was serious
mistakes made by staff members, and potential legal consequence of that is
another major objection to this policy.

Please read and consider, and don’t act like everybody including chairs are
fools and you are the only smart guy in the room, let’s discuss this matter
in a constructive way

Regards,

Lamiaa

Le mer. 30 sept. 2020 à 15:43, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net>
a écrit :


> Hi AK, Moses, all,

>

>

>

> I will like you to reconsider your decision on this proposal, following

> CPM 3.5, on the grounds of my responses below, which have already been

> provided thru previous discussions and I don’t think any of those are

> valid-objections to the proposal.

>

>

>

> See my points below, in-line.

>

>

>

>

>

> Regards,

>

> Jordi

>

> @jordipalet

>

>

>

> 7.       RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space

>

> The proposal instructs AFRINIC to create ROAs for all unallocated and

> unassigned address space under its control. This will enable networks

> performing RPKI-based BGP Origin Validation to easily reject all the bogon

> announcements covering resources managed by AFRINIC. However, there are

> many oppositions such as:

>

> a.                      Allowing resource holders to create AS0/ ROA will

> lead to an increase of even more invalid prefixes in the routing table.

>

>

>

> This shows a lack of understanding of RPKI and the relevant RFCs. Resource

> holders **ALREADY CAN and DO** that (example IXPs), in fact they do. This

> has been explained in my presentation. The proposal is just adding clarity

> on this point, not changing anything.

>

>

>

> b.                      Revocation time of AS0 state, and the time for

> new allocation doesn’t match.

>

>

>

> This is not true, again a misunderstanding about how RPKI works. Several

> members discussed this in the list. If you get resources, normally you

> don’t publish them in minutes, so hours, or even days is perfectly valid.

> In addition to that, it can be improved thru implementation, as I already

> explained. The staff could tentatively release from the AS0 the resources

> that they plan to allocate (pending on final documentation, RSA signature,

> or review with the member, etc.).

>

>

>

> c.                       Other RIRs don’t have a similar the policy

> therefore, it can not be effective

>

>

>

> All the policies have different discussions in different RIRs at different

> times. This policy is already available in APNIC and LACNIC. There are

> policies in AFRINIC which aren’t in other RIRs. Does that make them invalid

> (or in other words, this is an invalid objection – is good that all RIRs do

> the same, but is not always that the case, or not at the same time).

>

>

>

> d.                      This will become a uniform policy if it is not

> globally implemented, which causes additional stress.

>

>

>

> Absolutely not, the way we suggest the staff, and they confirmed, with an

> independent TAL protects **as expected by the proposal** the resources of

> the RIR implementing it, not creating **any issue** in what is done in

> other RIRs to any operator.

>

>

>

> e.                  Validity period:   if members decide to implement it,

> is it not better to recover the space if it is kept unused for too long?

>

>

>

> This doesn’t make sense, at least not as worded. This is not about

> recovering space, no relation. It is the unused space hold by AFRINIC.

>

>

>

> e.                      How do we revoke the ROA? How long does it take

> to revoke it (chain/ refreshing )?

>

>

>

> This is the same as b above, right? It doesn’t matter in practice, if it

> takes minutes or hours or even days.

>

>

>

> f.                        What happens if AFRINIC accidentally issues a

> ROA for an address in error?

>

>

>

> Exactly the same if the existing RPKI fails, and that’s why there are

> monitoring systems in place and caches, etc. This proposal doesn't change

> that.

>

>

>

> g.                      It also might affect the neighbours and involves

> monitoring of unallocated spaces.

>

>

>

> What is the meaning of neighbours here? Yes, the same monitoring that **right

> now** should be done by AFRINIC. This proposal ensures that it is

> improved so hijacking of unused space is less prone to occur, that the

> purpose of the proposal and RPKI, increase the routing security.

>

>

>

> h.                      Possibility of it being used against a member who

> is yet to pay dues.

>

> AFRINIC has the obligation to avoid members not paying to stop using the

> resources, so they are available to other members. Even if we don’t have

> this proposal, AFRINIC could, following the bylaws and RSA, do whatever

> actions, including technical ones, to make sure that they are not used.

>

>

>

> Suggestions were made to improve the policy such as

>

> a)                  The automatic creation of AS0 ROAs should be limited

> to space that has never been allocated by an RIR or part of a legacy

> allocation.

>

>

>

> This doesn’t make any sense and has not been considered at all in other

> RIRs discussions. That will mean that even if a member return the space,

> and stop replying to AFRINIC, the space will never come to the AS0 ROAs.

> This is related also to the next point.

>

>

>

> b)                  AFRINIC should require the explicit consent of the

> previous holder to issue AS0 ROAs in respect of re-claimed, returned, etc,

> space.

>

>

>

> This doesn’t make any sense and has not been considered at all in other

> RIRs discussions. If a member is not following the established legal

> bindings, not just AFRINIC, but **any** organization, has the obligation,

> to ensure that the member is not cheating the other members and take any

> actions they can to fullfill the recovery or whatever is needed. The

> proposal doesn’t state if AFRINIC should take some intermediate steps in

> cases of litigation, disagreements, etc. however, the legal documents

> already state that they should try to remediate the situation before the

> recovery, so it is clearly part of the existing process and will not only

> affect this proposal but all the CPM. A member can just disappear (a

> bankruptcy), so if this is not done, the resources could never be

> recovered, while the legal documents, already state that!

>

>

>

> c)                   Any ROAs issued under this policy should be issued

> and published in a way that makes it operationally easy for a relying party

> to ignore them (probably by issuing under a separate TA).

>

>

>

> This is already explicit in the proposal and confirmed by the staff.

> Nevertheless, it is an operational decision, and could be changed over the

> time.

>

>

>

> d)                  The proposal should include the clause “as used in

> APNIC as to dues not paid on time.”

>

> Can you please point to the relevant presentation? I’ve followed, and

> reviewer all the APNIC work on this (I participated in all that) and I

> can’t find what you mean.

>

>

>

>

>

> Chairs Decision: No consensus

>

>

>

>

>

>

>

>

> **********************************************

>

>

> IPv4 is over

>

>

> Are you ready for the new Internet ?

>

>

> http://www.theipv6company.com

>

>

> The IPv6 Company

>

>

>

>

>

> This electronic message contains information which may be privileged or

> confidential. The information is intended to be for the exclusive use of

> the individual(s) named above and further non-explicilty authorized

> disclosure, copying, distribution or use of the contents of this

> information, even if partially, including attached files, is strictly

> prohibited and will be considered a criminal offense. If you are not the

> intended recipient be aware that any disclosure, copying, distribution or

> use of the contents of this information, even if partially, including

> attached files, is strictly prohibited, will be considered a criminal

> offense, so you must reply to the original sender to inform about this

> communication and delete it.

>

>

>

>

>

>

>

> _______________________________________________

>

> RPD mailing list

>

> RPD at afrinic.net

>

> https://lists.afrinic.net/mailman/listinfo/rpd

>

> --

Lamiaa CHNAYTI
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200930/4502994d/attachment-0001.html>