Search RPD Archives
[rpd] REPORT ON Appeal against the non-consensus determination on proposal AFPUB-2019-GEN-006-DRAFT02 (RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space – Draft 2).
Wijdane Goubi
wijdan.goubi at gmail.com
Mon Feb 8 21:24:09 UTC 2021
Dear community,
I have gone through the document sent by the chairperson, and it was very
clear on all mentioned points.
As it was noted, the appeal fails. After the discussion took place, a fair
vote led the committee to confirm that, as determined by the co-chairs, the
policy did not reach consensus.
Regarding consensus determination, as mentioned in the document, it is to
be decided by the co-chairs and it is their job to determine consensus
which makes absolute sense, since the section 3.4.3 of the CPM states
clearly “The Working Group Chair(s) shall evaluate the feedback received
during the Public Policy Meeting and during this period and decide whether
consensus has been achieved”. Whereas, it states clearly again the only
case the appeal committee can annul and cancel a co-chair decision is when
they fail to follow the PDP: “The Appeal Committee may direct that the
Chair(s) decision be annulled if the Policy Development Process has not
been followed”.
In addition, since both of the co-chairs and appeal committee adequately
established that the policy did not reach consensus, I find it more
important and prudent that the author addresses the objections for the next
meeting in order to make it ,first and foremost, less liable to cause
confusion, and of course to make it solve the raised issues and that’s will
avoid us the waste of time and save us the back and forth on this matter,
as well as taking us a step further towards more important things that are
very much of interest to the community.
Finally, I personally believe that the decision taken by the appeal
committee was very objective, fair and impartial because simply they
reviewed, treated and walked through the documents including the PPM
videos, the chat, the RPD e-mails during the PPM and went through the
videos as well.
Best Regards,
Wijdane
Le lun. 8 févr. 2021 à 12:34, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net>
a écrit :
> Hi Wafa,
>
>
>
> I will re-read all the documents, in case I’m wrong or misunderstood
> something, however, I think I already did carefully and it was clear to me
> that you indicated that the duty of the AC is not to judge if the consensus
> decision was right or not, which is where I basically disagree and also the
> results of the Recall Committee show the same.
>
>
>
> For that, the AC need to justify if the objections are valid or invalid,
> which I don’t think you did. It is not a matter of “chairs did correctly or
> not”, is a matter of “it as acceptable (for example) as an objection to say
> that with AS0 RPKI AFRINIC or the governments will be able to inject
> information in the routing tables of LIRs ?”.
>
>
>
> In your meeting minutes and/or report on this proposal, I recall you
> stated that the objections where valid, which clearly is wrong. In this
> concrete example, it is a technical misunderstanding on how RPKI works.
>
>
>
> I also recall that in your minutes, you mention that for the appeal you’re
> considering the email discussions before the meeting. How come???? The
> chairs clearly stated that the consensus determination is done following
> both discussions in the list and the meeting. In the meeting there is NO
> SUFFICIENT TIME, neither for objections, neither for authors to respond
> with detail, neither for other community members to support or reject
> objections. This fully invalidate then the appeals!
>
>
>
> According to the CPM, “A person who disagrees with the actions taken by
> the Chair(s) shall discuss the matter with the PDWG Chair(s) or with the
> PDWG. If the disagreement cannot be resolved in this way, the person may
> file an appeal with an Appeal Committee appointed by the AFRINIC Board of
> Directors”.
>
>
>
> IF THE CHAIRS ARE CONSIDERING FOR THEIR DECISION ALL THE PREVIOUS
> DISCUSSIONS, then, the AC MUST also review them!
>
>
>
> I understand that the CPM indicates: “The Chair(s) determine(s) whether
> rough consensus has been achieved during the Public Policy Meeting.”, and
> this may be interpreted as:
>
> 1. Chairs **decide** during the meeting, but they consider all the
> discussions.
>
> or
>
> 1. Chairs **decide** during the meeting based only what happened
> during the meeting.
>
>
>
> Another policy proposal is suggesting to improve the wording to avoid that
> possible discrepancy in the interpretation, however, both chairs and staff,
> always, since many years ago, clearly stated that all the discussion is
> being considered for the consensus determination.
>
>
>
> The AC mandate following the CPM it is clear, permit me to insist: Your
> mandate is to resolve the chairs decision, so if they based the decision in
> **all the complete discussion** you should review **all that discussion**
> not just the meeting to confirm if the objections are valid or invalid.
> This is also the way is being done in other RIRs, as it couldn’t be in any
> other way.
>
>
>
> I fully understand that your job is not easy, and you may not have the
> complete technical knowledge on all the topics that could be proposed to
> the PDWG and then face an appeal (for or against, never mind), but in those
> cases, you may need to ask for staff support, or from experts from other
> RIRs, etc., that can illuminate your decision with facts.
>
>
>
> I want to take the opportunity to thank the AC for your work. It is a
> difficult time for everybody and we often forget that we are all unpaid
> volunteers and we have our daily job, families, etc., but we also need to
> recognize that when we volunteer for doing something, we must do it (in
> this case with any required help provided by AFRINIC) well, otherwise, we
> must not volunteer, because we can create more damage that good, especially
> when we see contradictions in the support of the co-chair decision by the
> AC and the non-support by the Recall Committee.
>
>
>
> Regards,
>
> Jordi
>
> @jordipalet
>
>
>
>
>
>
>
> El 8/2/21 11:55, "wafa Dahmani" <wafatn7604 at gmail.com> escribió:
>
>
>
> The appeal committee acknowledges the reception of the emails.
>
> The appeal committee will take it into consideration in its next meeting
>
> Please note that the reports are published joined with the minutes
> describing the work and the assessment of the appeals
>
>
>
> Best
>
> Wafa
>
>
>
> Le dim. 7 févr. 2021 à 20:49, JORDI PALET MARTINEZ via RPD <
> rpd at afrinic.net> a écrit :
>
> Could the Appeal Committee respond to this, and reconsider the work they
> are doing, as I just explained in my previous email, taking the inputs of
> the Recall Committee?
>
>
>
> Regards,
>
> Jordi
>
> @jordipalet
>
>
>
>
>
>
>
> El 26/1/21 12:14, "JORDI PALET MARTINEZ via RPD" <rpd at afrinic.net>
> escribió:
>
>
>
> In case the Appeal Committee is not subscribed to the RPD list.
>
>
>
> Waiting for your response.
>
>
>
> Regards,
>
> Jordi
>
> @jordipalet
>
>
>
>
>
> El 26/1/21 11:50, "JORDI PALET MARTINEZ" <jordi.palet at consulintel.es>
> escribió:
>
>
>
> Hi Wafa, all,
>
>
>
> First of all, don’t take anything that I say personally, but in general I
> see a total failure of the Appeal Committee and lack of compliance with the
> PDP.
>
>
>
> Your judgment must be on the grounds of a correct decision of the chairs.
>
>
>
> In taking such decision the Appeal Committee must be based on facts, never
> on personal opinions (from the community or the chairs or the Appeal
> Committee itself). Being based on objective facts means checking if what
> the policy proposal said, what were the objections, and if those objections
> **are real**, not just “illusions” or “lack of knowledge” or “untrue” or
> “personal preferences”.
>
>
>
> If the Appeal Committee doesn’t have the right knowledge, as I already
> said I believe was the reason the chairs took the wrong decision, then they
> should ask for help to the staff or third parties.
>
>
>
> Any objection to a policy proposal must be duly justified and that
> justification not addressed by the authors or other community members.
>
>
>
> Any policy proposal that has objections, the objections MUST BE VALID,
> even if the objections come from 99% of the community. This is not
> democracy, is not number of votes or voices, is based on non-addressed
> objections. It is not based on untrue objections. None of the objections to
> this policy proposal were valid. They are mostly based on lack of
> sufficient knowledge, and never lack of knowledge can be a VALID reason.
> Again, not only the authors, but many other expert community members have
> confirmed that those objections are invalid.
>
>
>
> A policy proposal never can be based in “I don’t like it”. You need to
> state “I don’t like it because it breaks this RFC” (for example). And even
> in that cases authors can respond showing why the perception of “breaking
> this RFC” is wrong (so addressing the objection will nullify it). Policies
> are not based on personal preferences, but in what is the best **technically
> correct choice** for the community.
>
>
>
> Last but not least, the Appeal Committee seems to be working as a
> democratic body, which is wrong. ALL THE PDP is based in consensus
> approach. The Appeal Committee must also follow that approach, otherwise,
> it is breaking the ICP-2, which is the higher mandate of how the policy
> making process works. If 3 members of the Appeal Committee believe that the
> opposition was correct, they should **demonstrate with facts why** and
> this must be done using the responses provided by the authors and community
> to those objections.
>
>
>
> If 3 members of the Appeal Committee believe that any of the objections
> has not been addressed, they need to **demonstrate why**, taking in
> consideration the community and author responses, and those must be crystal
> clear in the report, which is not the case.
>
>
>
> The Appeal Committee must respond to the authors, in a consensus based
> approach, not a democratic one to all what the authors confirmed in the
> Appeal Document.
>
>
>
> Note also that there is a paragraph in the Appeal Report that completely
> kills the PDP and demonstrates that the Appeal Committee HAS NOT UNDERSTOOD
> THEIR JOB AT ALL:
>
>
>
> “The 3 members who observed significant opposition to the policy,
> however, also observed that it is the PDWG that builds consensus and
> decides whether issues of opposition are addressed to the satisfaction of
> the PDWG which is where the PDP requires that consensus is assessed by the
> Co-Chairs.”
>
>
>
> The PDP states clearly that the Appeal Committee need to review the chairs
> decision. If the chairs have considered as VALID objections that
> OBJECTIVELY ARE INVALID, it is clear that the Appeal Committee must declare
> the lack of consensus declaration is invalid, and consequently, the
> proposal reached consensus.
>
>
>
> Let’s go the details and I ask the Appeal Committee to respond to each of
> the objections included and refuted in the Appeal Document:
>
>
>
> 2.1. “a. Allowing resource holders to create AS0/ ROA will lead to an
> increase of even more invalid prefixes in the routing table”
>
> Following RFC6483, section 4 (“A ROA with a subject of AS 0 (AS 0 ROA) is
> an attestation by the holder of a prefix that the prefix described in the
> ROA, and any more specific prefix, should not be used in a routing
> context”) resource holders, as part of the RPKI system already can and
> actually do this (example IXPs), in fact they do. This has been explained
> several times, including my presentation at the PPM. The proposal is just
> adding light about actual facts regarding this aspect, not changing
> anything, so it *can’t be a valid objection for the policy proposal*.
>
>
>
> 2.2. “b. Revocation time of AS0 state, and the time for new allocation
> doesn’t match”
>
> This is not true, again a misunderstanding about how RPKI works. The
> authors and other several community experts have discussed this in the
> list. If you get number resources from AFRINIC, normally you don’t announce
> them in minutes, or hours, or even days. There is some work to do in your
> network, you need to do changes in systems and routers, and this takes
> hours, and normally you can’t “touch” systems during the day, but only in
> “maintenance windows” in the night. That means that if AFRINIC revokes an
> AS0 certificate, it will be done in a few minutes during the day. So even
> if the worldwide caches take hours to see that, there is no negative impact.
>
>
>
> In addition to that, this it can be improved thru implementation, as I
> already explained also in the list. The staff could tentatively release
> from the AS0 the resources that they plan to allocate once a week or every
> couple of days, etc. For example, when they are processing a request, and
> they are pending on final documentation, the RSA signature for new members,
> or the review with the member of the justified need. Many other examples
> can be provided about how to do it. The proposal doesn’t go into any of
> those details, because the understanding is that those are too depth
> operational, and in fact the staff could decide an approach during the
> implementation, and based on experience improve it afterwards.
>
>
>
> The conclusion is that there is no such “matching”, neither “unmatching”,
> so this *can’t be taken as a valid objection for the proposal*.
>
>
>
> 2.3. “c. Other RIRs don’t have a similar the policy therefore, it can
> not be effective”
>
> All the policies have different discussions in different RIRs at different
> times. This policy is already available (reached consensus and implemented)
> in APNIC and LACNIC (reached consensus, being implemented). There is work
> being done in ARIN and RIPE (the first proposal was not accepted), not yet
> public. So, this is untrue if you look at all the RIRs.
>
>
>
> The effectivity of a policy is not only related to how many RIRs implement
> it. In this case, any RIR having this policy is actually stronger than the
> other RIRs not having it, in terms of routing security. It shows the
> commitment of that RIR about the RPKI usage with all its possibilities. It
> facilitates the operators in the region and outside the region to identify
> in a simpler and automated way, what prefixes should not be in the routing
> tables and consequently allow them in an opt-in basis, to discard them. So,
> it is in the other way around, any RIR with this policy could be said that
> it is more “effective” (even if it is not probably the right wording for
> this topic) that the others. We should rather say that “a RIR with this
> policy is offering a more secure view of their routing information”.
>
>
>
> In addition to that, there are policies in AFRINIC which aren’t available
> in other RIRs. That, clearly, doesn’t make them invalid (or in other words,
> this is an invalid objection – is good that all RIRs do the same, but is
> not always the case, or not at the same time), clearly this shows that this *can’t
> be taken as a valid objection against this policy proposal*.
>
>
>
> 2.4. “d. This will become a uniform policy if it is not globally
> implemented, which causes additional stress“
>
> This is almost a duplicate of the previous one. Absolutely not. We can add
> that the way we suggest the staff, and they confirmed, with an independent
> TAL protects, as intended by the proposal, the resources of the RIR
> implementing it, not creating any issues in what is done in other RIRs to
> any operator, so it *can’t be taken as a valid objection against this
> policy proposal*.
>
>
>
> It is difficult to understand what it means “additional stress” in this
> context, but clearly, it will be in the other way around. As more RIRs
> implement it, less manual work in terms of filtering, is needed to be done
> by operators, if they opt to use the AS0 ROA service from the RIRs that
> have implemented it. So, it is not correct and thus, *not a valid
> objection*.
>
>
>
> If the question is about if this policy should be a Global Policy, the
> response has also been provided in the discussion. Ideally, a Global Policy
> will be only able to protect the IANA unallocated resources, but not the
> resources that IANA already allocated to each RIR. In fact, I’m already
> working (when time permits it will be made public) in a Global Policy for
> that, but this is irrelevant versus having a policy at every RIR (or a few
> of them), so again, objectively *not a valid objection*.
>
>
>
> 2.5. “e. Validity period: if members decide to implement it, is it
> not better to recover the space if it is kept unused for too long?”
>
> This doesn’t make sense, at least not as worded. This is not about
> recovering space, no relation. It is the unused space hold by AFRINIC,
> regardless of if it was never allocated/assigned, returned by members, or
> recovered by AFRINIC. Once more, *not a valid objection*.
>
>
>
> 2.6. “f. How do we revoke the ROA? How long does it take to revoke it
> (chain/ refreshing )?”
>
> This looks the same as 2.2 above. It doesn’t matter in practice, if it
> takes minutes or hours or even days. Community and staff provided some
> facts about this, just to cite a couple of them:
>
> https://lists.afrinic.net/pipermail/rpd/2020/011335.html
>
> https://lists.afrinic.net/pipermail/rpd/2020/011348.html
>
>
>
> 2.7. “g. What happens if AFRINIC accidentally issues a ROA for an
> address in error?”
>
> What happens if AFRINIC accidentally issues a ROA without an address
> already allocated to members?
>
>
>
> Exactly the same if the existing RPKI fails, and that’s why there are
> monitoring systems in place and as reported by the staff impact analysis,
> this proposal will ensure that the monitoring is improved, so it is
> actually helping on the right direction, not in the other way around.
>
>
>
> Further to that, because the systems of operators have caches, it is all
> depending (for the existing TAL and for the new one implemented with this
> proposal) on how much time it takes to AFRINIC to resolve the error and the
> specific configuration of the operators and if they actually drop invalid
> prefixes or they only create alerts, trigger some processes, etc. Note that
> RPKI doesn’t force the operators to drop the prefixes even if they are
> using RPKI, there are different ways to take advantage of this.
>
>
>
> This proposal doesn't change that, it is provided as an opt-in service and
> consequently it is *not a valid objection*.
>
>
>
> 2.8. “h. It also might affect the neighbours and involves monitoring of
> unallocated spaces”
>
> It is not clear if neighbours here is referring to BGP peering ones.
>
>
>
> The same monitoring that right now is done AFRINIC for
> unallocated/unassigned spaces could be improved with this proposal. AFRINIC
> already, today, needs to make sure that they get alerts if
> unallocated/unassigned space appears in the routing tables, because that
> may imply that a member may be violating the RSA, bylaws, policies, etc.
>
>
>
> Exactly the same as for operators connected to Internet with BGP. The
> proposal allows them, as an opt-in service, to improve if they wish, the
> automation of all that, and to use the service in the way they decide. The
> proposal is not forcing operators any specific usage for the service, it is
> entirely at their own decision/discretion.
>
>
>
> This proposal ensures that the service is improved so, hijacking of unused
> space is less prone to occur, that’s the purpose of the proposal and RPKI,
> increase the routing security, without making it mandatory for any
> operator. Consequently, once more, this *can’t be considered a valid
> objection*.
>
>
>
> 2.9. “i. Possibility of it being used against a member who is yet to
> pay dues”
>
> According to AFRINIC bylaws and RSA, AFRINIC has the *obligation* to
> avoid members not paying to stop using the resources, so they are available
> to other members.
>
>
>
> It will be unfair and discriminatory to other members not doing so, and
> that’s the reason, even if we don’t have this proposal, AFRINIC could at
> any time, following the bylaws and RSA, do whatever actions, including
> legal and technical ones, to make sure that unallocated, or unassigned, or
> returned, or recovered resources are not used. As part of those actions,
> AFRINIC could even ask in courts to stop routing those resources, even to
> other operators. It is AFRINIC duty, practically will probably not make
> sense in terms of the cost (unless a major hijacking of AFRINIC resources
> occurs). Most probably just the cooperation among operators, without any
> legal requirement, will make that happen. So, this proposal doesn’t change
> that in the sense of adding to AFRINIC any new prerogative because already
> have that right and duty regarding the responsible use of the resources
> only to the allocated/assigned parties and in compliance with the legal
> bindings.
>
>
>
> To further explain this, if a member decides to stop paying, AFRINIC,
> following legal bindings, will follow a procedure to try to fix it, and if
> it doesn’t succeed, will remove whois data (which in turn will cause the
> removal of route objects that depend on them), RDNS (which means the
> address space becomes in general unusable), etc.
>
>
>
> Clearly, once more, this *can’t be considered a valid objection, on the
> other way around is a fundamental AFRINIC’s right and duty*.
>
>
>
> I urge you to respond to each of those objections, accepted by the chairs
> to declare the lack of consensus, that the authors and other community
> members DEMONSTRATED with OBJECTIVE information, are invalid.
>
>
>
> Again, please, Appeal Committee members, respond OBJECTIVELY AND BASED ON
> FACTS, NOT PERSONAL PREFERENCES. The report MUST contain detailed
> demonstration of why the Appeal Committee (not individual members) say each
> of those objections has not been addressed, while the authors and community
> believe otherwise.
>
>
>
> This is what we expect from an Appeal Committee, to OBJECTIVELY review
> what the chairs objserved, when the Appeal Document clearly demonstrated
> that it is invalid and consequently the chairs took a wrong decision, based
> on personal preferences of community members or lack of knowledge, or other
> not objective or untrue facts.
>
>
>
> Regards,
>
> Jordi
>
> @jordipalet
>
>
>
>
>
>
>
> El 22/1/21 13:59, "wafa Dahmani" <wafatn7604 at gmail.com> escribió:
>
>
>
> Dear Community,
>
>
>
> This is to inform you that the Report on Appeal against the non-consensus
> determination on proposal AFPUB-2019-GEN-006-DRAFT02 (RPKI ROAs for
> Unallocated and Unassigned AFRINIC Address Space – Draft 2) and the minutes
> have been published following the links below:
>
>
>
> https://afrinic.net/ast/pdf/policy/20210121-rpki-roa-appeal-report.pdf
>
>
>
> https://afrinic.net/policy/appeal-committee#appeals
>
>
>
> Best Regards
>
> Wafa Dahmani
>
> Chair of the Appeal Committee
>
>
>
> _______________________________________________ RPD mailing list
> RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the exclusive use of
> the individual(s) named above and further non-explicilty authorized
> disclosure, copying, distribution or use of the contents of this
> information, even if partially, including attached files, is strictly
> prohibited and will be considered a criminal offense. If you are not the
> intended recipient be aware that any disclosure, copying, distribution or
> use of the contents of this information, even if partially, including
> attached files, is strictly prohibited, will be considered a criminal
> offense, so you must reply to the original sender to inform about this
> communication and delete it.
>
> _______________________________________________ RPD mailing list
> RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the exclusive use of
> the individual(s) named above and further non-explicilty authorized
> disclosure, copying, distribution or use of the contents of this
> information, even if partially, including attached files, is strictly
> prohibited and will be considered a criminal offense. If you are not the
> intended recipient be aware that any disclosure, copying, distribution or
> use of the contents of this information, even if partially, including
> attached files, is strictly prohibited, will be considered a criminal
> offense, so you must reply to the original sender to inform about this
> communication and delete it.
>
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/rpd
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the exclusive use of
> the individual(s) named above and further non-explicilty authorized
> disclosure, copying, distribution or use of the contents of this
> information, even if partially, including attached files, is strictly
> prohibited and will be considered a criminal offense. If you are not the
> intended recipient be aware that any disclosure, copying, distribution or
> use of the contents of this information, even if partially, including
> attached files, is strictly prohibited, will be considered a criminal
> offense, so you must reply to the original sender to inform about this
> communication and delete it.
>
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/rpd
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20210208/72794a13/attachment-0001.html>
More information about the RPD
mailing list