Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] AFPUB-2019-GEN-006-DRAFT02 - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Wed Sep 30 19:05:04 UTC 2020


Hi Lamiaa,



Believe me, I’m always as constrictive as my knowledge allows me.



I think you’re missing a key point in your rationale.



According to it, then AFRINIC should not have any RPKI TAL at all, because it means AFRINIC is also acting at the wrong “routing” level.



And what you’re further missing is that the operators are free to decide if they want to use or not the TALs provided by AFRINIC.



So, no, AFRINIC is *only* providing a service, like the whois, to provide accuracy of what resources have been allocated to members and what are unallocated.



RPKI is just a different way to provide that information in order to allow members that *wish* to use them be able to.



AFRINIC will be interfering with routing if *forces* all the members to use RPKI, which is not the case.



The use of RPKI is optional, it is just a service.



I’m happy to change my mind with rational explanations that probe that having an RPKI service (with and without AS0, it doesn’ change that) open to everyone, and not being forced, it is an interference in routing, instead of a different way to offer the database information.



And I’m sure you will agree that having accurate database info is the basic principle of every RIR (otherwise we need to change bylaws, RSA, etc.).



Regards,

Jordi

@jordipalet







El 30/9/20 20:57, "Lamiaa Chnayti" <lamiaachnayti at gmail.com> escribió:



Hey Jordi,



The very fundamental objection to this policy, is that RIR is about registration polices, and not routing policies.



This is a policy that potentially asks AFRINIC to proactively interfere with routing, which is out of scope of RIR’s mandate.



Before this policy, all route object of AFRINIC or RPKI provided by AFRINIC, are created by its members, so those operate the networks, AFRINIC does not proactively create route object or change RPKI for any of resource it manages registration with.



And this policy changes that, and this is not what AFRINIC should or is meant to do.



And of course, when you ask Afrinic to interfere with routing, a mistake in registration does not immediately impact network operation, but a mistake in routing, it does, so others have raised concern over potential mistake of Afrinic or Afrinic staff, in which in the past there was serious mistakes made by staff members, and potential legal consequence of that is another major objection to this policy.



Please read and consider, and don’t act like everybody including chairs are fools and you are the only smart guy in the room, let’s discuss this matter in a constructive way



Regards,



Lamiaa



Le mer. 30 sept. 2020 à 15:43, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> a écrit :

Hi AK, Moses, all,



I will like you to reconsider your decision on this proposal, following CPM 3.5, on the grounds of my responses below, which have already been provided thru previous discussions and I don’t think any of those are valid-objections to the proposal.



See my points below, in-line.





Regards,

Jordi

@jordipalet



7. RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space

The proposal instructs AFRINIC to create ROAs for all unallocated and unassigned address space under its control. This will enable networks performing RPKI-based BGP Origin Validation to easily reject all the bogon announcements covering resources managed by AFRINIC. However, there are many oppositions such as:

a. Allowing resource holders to create AS0/ ROA will lead to an increase of even more invalid prefixes in the routing table.



This shows a lack of understanding of RPKI and the relevant RFCs. Resource holders *ALREADY CAN and DO* that (example IXPs), in fact they do. This has been explained in my presentation. The proposal is just adding clarity on this point, not changing anything.



b. Revocation time of AS0 state, and the time for new allocation doesn’t match.



This is not true, again a misunderstanding about how RPKI works. Several members discussed this in the list. If you get resources, normally you don’t publish them in minutes, so hours, or even days is perfectly valid. In addition to that, it can be improved thru implementation, as I already explained. The staff could tentatively release from the AS0 the resources that they plan to allocate (pending on final documentation, RSA signature, or review with the member, etc.).



c. Other RIRs don’t have a similar the policy therefore, it can not be effective



All the policies have different discussions in different RIRs at different times. This policy is already available in APNIC and LACNIC. There are policies in AFRINIC which aren’t in other RIRs. Does that make them invalid (or in other words, this is an invalid objection – is good that all RIRs do the same, but is not always that the case, or not at the same time).



d. This will become a uniform policy if it is not globally implemented, which causes additional stress.



Absolutely not, the way we suggest the staff, and they confirmed, with an independent TAL protects *as expected by the proposal* the resources of the RIR implementing it, not creating *any issue* in what is done in other RIRs to any operator.



e. Validity period: if members decide to implement it, is it not better to recover the space if it is kept unused for too long?



This doesn’t make sense, at least not as worded. This is not about recovering space, no relation. It is the unused space hold by AFRINIC.



e. How do we revoke the ROA? How long does it take to revoke it (chain/ refreshing )?



This is the same as b above, right? It doesn’t matter in practice, if it takes minutes or hours or even days.



f. What happens if AFRINIC accidentally issues a ROA for an address in error?



Exactly the same if the existing RPKI fails, and that’s why there are monitoring systems in place and caches, etc. This proposal doesn't change that.



g. It also might affect the neighbours and involves monitoring of unallocated spaces.



What is the meaning of neighbours here? Yes, the same monitoring that *right now* should be done by AFRINIC. This proposal ensures that it is improved so hijacking of unused space is less prone to occur, that the purpose of the proposal and RPKI, increase the routing security.



h. Possibility of it being used against a member who is yet to pay dues.

AFRINIC has the obligation to avoid members not paying to stop using the resources, so they are available to other members. Even if we don’t have this proposal, AFRINIC could, following the bylaws and RSA, do whatever actions, including technical ones, to make sure that they are not used.



Suggestions were made to improve the policy such as

a) The automatic creation of AS0 ROAs should be limited to space that has never been allocated by an RIR or part of a legacy allocation.



This doesn’t make any sense and has not been considered at all in other RIRs discussions. That will mean that even if a member return the space, and stop replying to AFRINIC, the space will never come to the AS0 ROAs. This is related also to the next point.



b) AFRINIC should require the explicit consent of the previous holder to issue AS0 ROAs in respect of re-claimed, returned, etc, space.



This doesn’t make any sense and has not been considered at all in other RIRs discussions. If a member is not following the established legal bindings, not just AFRINIC, but *any* organization, has the obligation, to ensure that the member is not cheating the other members and take any actions they can to fullfill the recovery or whatever is needed. The proposal doesn’t state if AFRINIC should take some intermediate steps in cases of litigation, disagreements, etc. however, the legal documents already state that they should try to remediate the situation before the recovery, so it is clearly part of the existing process and will not only affect this proposal but all the CPM. A member can just disappear (a bankruptcy), so if this is not done, the resources could never be recovered, while the legal documents, already state that!



c) Any ROAs issued under this policy should be issued and published in a way that makes it operationally easy for a relying party to ignore them (probably by issuing under a separate TA).



This is already explicit in the proposal and confirmed by the staff. Nevertheless, it is an operational decision, and could be changed over the time.



d) The proposal should include the clause “as used in APNIC as to dues not paid on time.”

Can you please point to the relevant presentation? I’ve followed, and reviewer all the APNIC work on this (I participated in all that) and I can’t find what you mean.





Chairs Decision: No consensus








**********************************************


IPv4 is over


Are you ready for the new Internet ?


http://www.theipv6company.com


The IPv6 Company





This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.







_______________________________________________

RPD mailing list

RPD at afrinic.net

https://lists.afrinic.net/mailman/listinfo/rpd

--

Lamiaa CHNAYTI





**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200930/aad16006/attachment-0001.html>


More information about the RPD mailing list