Search RPD Archives
[rpd] Last Call - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT03.
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Tue Jun 8 15:10:31 UTC 2021
Hi Job, all,
The implementation of AS0 will be done in a different TAL, same as with APNIC and LACNIC.
Are you them meaning that the staff of 3 RIRs are so bad that they can't do the things correctly?
AFRINIC, the same as any other RIR, has to follow the rules set by both the community (policies) and the membership (bylaws, RSA, etc.). As a consequence of those rules, they have the right to reclaim resources. This is NOT different to the fact of the de-registration in the whois, IRR, and related databases or sources of information from where the AS0 will be sourced. So, there is no difference, and this has been stated by staff.
In addition to that, you can use the AS0 or not, you can even use the AS0 and not drop invalids. So, it is not creating any enforceable "bad" situation for members.
This proposal has clearly stated (change from v2 to v3) that only when the reclamation is over the resources become unallocated/unassigned and thus added to the AS0, exactly *the same* as AFRINIC is doing now in case of disputes.
Mistakes: Yes, they can happen, but they will happen even before the AS0, as confirmed by staff, whois, IRR, etc.
I don't think lessons from a wrong discussion in RIPE make sense here, especially with the current PDP system which has a broken appeal process, etc.
And yes, APNIC and LACNIC implementations have been there for very short time. Do you remember how much time took to gain some uptake in IPv6, or even in RPKI itself? I think it is perfectly comparable.
Regards,
Jordi
@jordipalet
El 8/6/21 16:43, "Job Snijders via RPD" <rpd at afrinic.net> escribió:
Dear Internet friends - close-by and far away,
I wish to comment on the proposal at hand. I am NOT in support of this
draft, or future versions of it. This proposal is a type of
weaponization of the RPKI that is harmful to everyone who wishes to make
productive use of AFRINIC's RPKI services.
I believe hands-on experience with RPKI and BGP are a prerequisite to
make informed decisions in this space. The proposal at hands looks great
'in theory', but is detached from operational reality. I will elaborate
on unintended consequences and detrimental effects of this policy
proposal.
Ask yourself whether the proponents of this proposal have experience
developing RPKI software, or have been involved in notable RPKI based
BGP Route Origin Validation deployment projects, or are known for their
work on BGP routing security....
At the moment of writing, the AFRINIC Trust Anchor has excellent
standing in the global community. If AFRINIC starts publishing RPKI
ROAs for Unallocated or Unassigned space, unfortunately, I'll have to
consider the AFRINIC RPKI Trust Anchor to be UNFIT FOR RELYING.
Implementation of this proposal will put years of AFRINIC's work and
investment in RPKI at risk, ... a pretty crazy situation! :-(
Danger to AFRINIC members
=========================
If this policy proposal is implemented, the ultimate consequences is
that certain types of disputes between members and AFRINIC will result
in severe connectivity problems for the member. Some members might
think, "that will never happen to me, I always pay my bills on time!"
But we cannot know the future! If five years from now there is a banking
issue between AFRINIC's bank and a member's bank (for example, because
of sanctions, war conflict, or any other issue) - the member suddenly
might find themselves in a situation where not only the AFRINIC
registration of IP addresses falters (a serious problem), but
additionally the member's internet connectivity is forcefully taken
offline (an even bigger problem!). This seems disproportional.
ASPECT #2: Any mistake AFRINIC makes in the AS0 publication will result
in significant problems for third parties. (Possibly outside AFRINIC
region) What if a typo is made? The wrong prefix added to the AS0 block
list? Why would we voluntarily increase our global risk? The proposal
authors will blow off these concerns as 'surely AFRINIC will never make
a mistake', ... but that simply is not how things work.
In the current RPKI service model, most problems can only be caused by
AFRINIC members themselves, and only related to their own prefixes. It
is a Good Thing [tm] when people can only negatively impact themselves.
However, in the proposed model a whole new level of mistakes become
possible!
Lessons from the RIPE Region
============================
The RIPE Routing Working Group considered the AS0 proposal extensively,
and rejected it for sound reasons. JORDI disagrees, but this wouldn't be
the first time that a policy proposer does not receive the support they
hoped for.
RIPE NCC is subject to EU Regulations and Sanctions. Iranian and Syrian
internet participants would have been at risk of losing internet
connectivity (on top of an already challenging and devastating
situation) if the idea of AS0 TALs was implemented. This shows that the
idea of AS0 policies is at odds with the Internet's architecture.
https://www.ripe.net/ripe/mail/archives/routing-wg/2020-June/004131.html
Even if this policy proposal is implemented under a distinct TAL, there
will be some networks somewhere that misunderstand the risks and
consequences of 'AS0 TAL', and subsequently end up losing connectivity
towards some Internet destinations for no good reason.
Another aspect: almost no operators are using the APNIC/LACNIC AS 0 TAL!
It appears many people recognize that it brings additional risk, for no
reward. Success stories of the AS0 TAL in LACNIC and APNIC do not exist.
Conclusion
==========
RPKI has been designed to be used as optional security feature to help
grow the Internet, not as a 'punishment' or 'censorship' tool. To
reclaim unassigned space, AFRINIC can continue to work with global
carriers on a case-by-case basis. The 'problem' this proposal 'solves'
is NOT proportional to the risks the proposal introduces.
If this policy is accepted - it'll be a waste of AFRINIC engineering and
financial resources (even under a separate TAL!), and needlessly
introduce risk where no risk needs to exist, for no benefit.
Kind regards,
Job
--
AS 54113 / Fastly
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
More information about the RPD
mailing list