[rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT02
Owen DeLong
owen at delong.com
Fri Feb 12 22:59:17 UTC 2021
> On Sep 17, 2020, at 1:55 AM, Lamiaa Chnayti <lamiaachnayti at gmail.com> wrote:
>
> Hey everyone,
>
>
>
> I, on the other hand, am having issues with this policy due to the following reasons :
>
>
>
> - It potentially can turn registration error into operation disaster, if Afrinic mistakenly labour one of the member’s ip into their own pool, it has a great chance for end users to lose their connection vs just a wrong registration data.
That’s true with the existing ROA structure also. With any BGP related tool, there is the potential for an error to cause a problem in connectivity.
It’s true of the IRR as well.
The likelihood of an incorrect AS0 ROA being issued is very small. Further, providers are free to ignore any or all AS0 ROAs even if they implement RPKI in other respects.
AFRINIC publishing the same information about their free pool in this mechanism vs. any other does not change the potential for error.
Further, technically any entity could track AFRINIC’s unallocated resources relatively easily and produce their own AS0 feed. This would be far more dangerous if ISPs started subscribing to it as an alternative to AFRINIC. This objection has been repeated many times and has been debunked each and every time.
> - RPKI for unallocated space is rather a global policy issue rather than a regional policy issue, all regions should have the same view on the topic, if only AFRINIC implements it, it will create an operational inconsistency.
APNIC and LACNIC have already passed nearly identical policy to this… That’s 40% of the RIRs in the world. APNIC has already implemented it and is already publishing AS0 ROAs without incident.
> - There is a potential huge risk that will be created if Ernest’s case happens again, AFRINIC’s own staff potentially has the power to rob other members space by “AS0” it.
This is simply not true. Quite the opposite, in fact, in that AS0 ROAs properly implemented could serve as a tool to safeguard against another Ernest case.
Owen
> Regards,
>
> Lamiaa
>
>
>
> On Thu, Sep 17, 2020 at 09:04, Mark Elkins <mje at posix.co.za> wrote:
> I support the RPKI ROA policy as written. I understand the technical aspects of the policy. I have a feeling that those objecting may not completely understand the technical aspects which is why they are objecting.
>
> AFRINIC's job is to properly document the resources they have been provided by ICANN/IANA and this is simply part of the job. When new resources are provided to AFRINIC, they label it as such (AS0, etc). When it is then allocated/assigned to a member, the AS0 RPKI is removed. All this means is that the unallocated/unassigned resources that are with AFRINIC can be (optionally) identified as such and thus can not be easily misused by bad actors. This also means that when they are allocated/assigned to members, they are less likely to have been made "dirty".
>
> On 2020/09/17 08:26, Ibeanusi Elvis wrote:
>> Dear all,
>>
>> The AFRINIC as an organization specifically focuses on the registration database and thereby having knowledge of where the prefix belongs to and AFRINIC should just focus on this role and should not engage in authenticating or the authorization of various services. If such rights are given to any organization, they have the right to assign prefixes to servers hence, having control of the routing database at which a technical or human error will lead to an immense catastrophe to the internet society. This control is basically the specific definition of centralization. This centralization is the major reason why most providers do not trust the Resource Public Key Infrastructure (RPKI). I am still in opposition to this policy proposal.
>>
>> Elvis.
>>
>> On Thu, Sep 17, 2020 at 3:01 PM Darwin Costa <dc at darwincosta.com> wrote:
>> Cmon folks….!
>>
>> @Elvis, I really don’t see your point here and also don’t really understand why are you opposing against this proposal.
>>
>> As mentioned further on the thread - RPKI won’t change Afrinic's role at all…. Instead this proposal will certainly contribute to a more secure routing advertisement.
>>
>> As such, other RIR´s have successfully implemented this in order to protect our garden so called “The Internet”.
>>
>> Darwin-.
>>
>>
>>
>>> On 17 Sep 2020, at 05:42, Fernando Frediani <fhfrediani at gmail.com> wrote:
>>>
>>> I think there is a serious issue by some people totally misunderstanding what RPKI actually is.
>>>
>>> Some arguments saying something like 'Afrinic will centralize control of the internet and should not have such power' don't have relation to what this proposal intends and the reasons to oppose it are not tied to real possible problems pointed.
>>>
>>> This proposal only follows what have been done in APNIC and LACNIC and is a natural move to make an internet more secure and avoid organizations to use space that is not assigned to anyone else.
>>> Therefore I support this proposal.
>>>
>>> Fernando
>>>
>>> On 16/09/2020 20:42, Noah wrote:
>>>>
>>>> On Thu, Sep 17, 2020 at 2:30 AM Ibeanusi Elvis <ibeanusielvis at gmail.com> wrote:
>>>>
>>>> I am strongly in opposition to this RPKI ROA proposal,
>>>>
>>>> You oppose yet....
>>>>
>>>> issuing an AS0 for AFRINIC address space
>>>>
>>>> You must be clear on which AFRINIC address space rather than presenting a rather vague statement.
>>>>
>>>> The proposal is very clear and explicit and the AFRINIC space in question is that which has not yet been allocated or assigned to any entity or resource member.
>>>>
>>>> I will quote for you section 2.0 of the proposal as written below;
>>>>
>>>> 2.0 Summary of how this proposal addresses the problem
>>>>
>>>> This proposal instructs AFRINIC to create ROAs for all unallocated and unassigned address space under its control. This will enable networks performing RPKI-based BGP Origin Validation to easily reject all the bogon announcements covering resources managed by AFRINIC.
>>>>
>>>> So what are you talking about?
>>>>
>>>> Noah
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> RPD mailing list
>>>> RPD at afrinic.net <mailto:RPD at afrinic.net>
>>>> https://lists.afrinic.net/mailman/listinfo/rpd
> --
> Mark James ELKINS - Posix Systems - (South) Africa
> mje at posix.co.za Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
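
Added example, not part of the original thread or of the proposal text: RFC 6811 route origin validation applied to the cases argued above, namely a bogon announcement inside space covered by an AS0 ROA, the same announcement when an operator chooses to ignore AS0 ROAs, and an AS0 ROA issued in error over a member prefix. The prefixes and ASNs are documentation values constructed for illustration, and the VRP type and the honor_as0 switch are hypothetical names introduced here.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):      # validated ROA payload (hypothetical helper type)
    prefix: str
    max_len: int
    asn: int                # 0 = AS0: no AS is authorized to originate

def validate(route, origin_asn, vrps, honor_as0=True):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        if vrp.asn == 0 and not honor_as0:
            continue        # local policy (assumed switch): discard AS0 VRPs
        roa = ipaddress.ip_network(vrp.prefix)
        if net.version != roa.version or not net.subnet_of(roa):
            continue        # this VRP does not cover the route
        covered = True
        # An AS0 VRP covers the route but can never match an origin.
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def scenarios():
    # Constructed data: documentation prefixes and ASNs, not real AFRINIC space.
    free_pool = VRP("198.51.100.0/24", 32, 0)      # RIR AS0 ROA over an unallocated block
    member = VRP("203.0.113.0/24", 24, 64500)      # member's own ROA
    mistaken = VRP("203.0.113.0/24", 32, 0)        # AS0 ROA issued in error
    allocated = VRP("198.51.100.0/24", 24, 64501)  # block allocated, AS0 ROA removed
    return {
        "bogon, AS0 honored": validate("198.51.100.0/24", 64511, [free_pool]),
        "bogon, AS0 ignored": validate("198.51.100.0/24", 64511, [free_pool], honor_as0=False),
        "after allocation": validate("198.51.100.0/24", 64501, [allocated]),
        "mistaken AS0, member has ROA": validate("203.0.113.0/24", 64500, [member, mistaken]),
        "mistaken AS0, member has no ROA": validate("203.0.113.0/24", 64500, [mistaken]),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name}: {state}")
```

A route with a matching ROA of its own stays valid even when an AS0 ROA also covers it, because a single matching VRP is sufficient under RFC 6811; only a route with no matching ROA is turned invalid by a covering AS0 ROA.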