[rpd] Last Call - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT03.
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Tue Jun 8 15:12:13 UTC 2021
Then we should “cancel” the AFRINIC whois, IRR, etc., right?
On 8/6/21 17:01, "Taiwo Oye" <taiwo.oyewande88 at gmail.com> wrote:
Hi Jordi,
You will agree with me that all policies are different and can / should be handled differently. IMHO once there is no timeline stipulated in this policy, it automatically becomes a weapon.
I have always been against policies that are hidden weapons, hence my reason for being vocal on this. These 5 “excuses” you listed below are the exact reason why we need a timeline. I just simply don’t trust Afrinic will not be tempted sooner or later to use the power that this policy gives them for illegitimate use. One way to ensure this doesn’t happen is to have a strict timeline in policy (this can be achieved after proper liaison with staff).
I would really like it if the community can come up with other ways we can make sure this policy is used only for good, then we include these points in the policy for the greater good of the African internet region.
Kind regards
Taiwo
On Jun 8, 2021, at 15:36, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> wrote:
Hi Taiwo,
I recall comments about possible text improvements, but not objections. Some of those improvements are still possible if they are editorial. If I’m wrong, please let me know the specific minutes in the video of the meeting and I will re-read them and even provide possible alternative wording if needed (at the time being I don’t think so, but I may be wrong).
Meanwhile, not being objections, don’t change the consensus decision, according to the RFC7282.
Do you remember how your policy about inter-RIR got *many chances* during the last call for that? And remember that they were not just editorial, but that’s a different discussion. In fact, a literal interpretation of the PDP doesn’t even allow editorial changes, but I’m sure that if we find something really broken (such as a typo or grammar error) all will accept that. Otherwise, not an issue, because we can keep the mistake in the CPM and send a new proposal to correct the typo.
What I mean is that you should be fair and accept, for other proposals, the same you accepted for your proposal. You don’t think so?
The proposal is clear about other operational details, such as the one that you mention, and we have explained this many times: “This and other operational details are left to the discretion of AFRINIC”.
It is normal that every RIR takes operational decisions, why:
1) Because otherwise we will never reach consensus in anything.
2) Because it may depend on specific implementation details.
3) Because it may change along the time or with protocol changes in IETF or learning across the implementation, etc.
4) Because there are many details that depend on other operational issues.
5) Etc.
It is not only bad, but near to impossible, to tell the RIRs *every detail* about how they should do *everything*. A policy should, “in general”, look for overall goals, things to do, verify, etc.
I only see that we should tell the RIRs about operational details when it has been proved that they are doing it wrong, we give them ample opportunities to correct that, and they still do it wrong.
It was explained in the meeting by the staff and other: If they make mistakes in the AS0, is because those mistakes come from the whois itself. So with your point, you will be saying “AFRINIC shouldn’t manage the whois they can make mistakes”.
And remember: it is better to advance than to go backwards. If we make a mistake (I don’t think we are doing it, because it has been done already in other 2 RIRs), or if the policy proposal can be further enhanced, there is time to do so (especially because this proposal, once ratified, will not be implemented for at least 6-9 months, if I recall correctly) and the PDP is meant for *evolution*.
Regards,
Jordi
@jordipalet
On 8/6/21 16:12, "Taiwo Oye" <taiwo.oyewande88 at gmail.com> wrote:
Hi everyone,
I truly hope the co chairs are not being coerced to forcefully pass this policy by any party.
There were several objections stated in meeting and on mailing list. In the meeting, the only two individuals who stated their support for the policy also added that the policy needs some adjustments before being passed. To my surprise, the policy was moved to the last call.
There are several objections that have not been resolved to the satisfaction of some members of the community. Personally I see the fact as there is no clear timeline - in policy - to when the AS0 should be removed for reacquired resources or in the case of wrongful assignment of AS0.
On a more general note. I am very skeptical about giving the current Afrinic such duties (power / weapon). An Afrinic where emails sent or unsent disappear, an Afrinic where the board selects where certain rules are followed and where some can be overlooked (like in the case of ongoing appeals). I see a bigger picture where “wrong assignment” of AS0 to “disliked” resource holder resources will be a norm. More especially as there is no stated timeline for this resolve.
I understand the value of this policy. But I think some part of the policies still needs to be further discussed, to achieve the actual goal of the authors.
Kind regards.
Taiwo
On Jun 8, 2021, at 14:24, jeffery_sky via RPD <rpd at afrinic.net> wrote:
Hello,
To clarify, these concerns are becoming repetitive due to the lack of adequate responses from the concerned stakeholders. Also, I want to address the fact that the real problem here is not RPKI in any way. What is really bothering me is that RIR is injecting its own data into RPKI, which makes the previous argument about how signing space is invalid. Further, the usage of RPKI will lead to AS0 all unallocated space for you. Consequently, the routing changes.
I understand that some of these concerns are repeated, but I think it is because they were not addressed properly. The responses provided are mainly vague and it seems to me that you are dodging the comments by bringing the Last call phase procedure and calling out the PDWG co-chairs.
The last call phase is dedicated to this type of discussions, and if several people are not convinced, it simply means that the co-authors should try providing insightful responses that go straight to the point, not vague ones. If this vicious cycle and the lack of proper answers continues, consensus will never happen, and the policy cannot be implemented. Also, most of the raised objections have nothing to do with technicalities, therefore, they are meant to be discussed on the RPD. Finally, the arguments you perceive repeated, have not received accurate replies, which means they will keep popping out. Consequently, the best thing to do, is to dig deeper in this proposal, instead of labelling the arguments as invalid. In the hope of receiving insightful answers...
Best.
On Tuesday, June 8, 2021, 9:40:10 PM GMT+9, Fernando Frediani <fhfrediani at gmail.com> wrote:
+1
Excellent and simple answer.
On 6/8/2021 3:01 AM, Frank Habicht wrote:
> Hi
>
> On 08/06/2021 01:45, Daniel Yakmut via RPD wrote:
>> Hi,
>>
>> Are you postulating here that Resources not allocated are susceptible to
>> hijack?
> - resources are susceptible to hijack.
> - if a ROA with AS0 was published for an unallocated resource, it would
> be less susceptible to hijack.
>
>
>> My other understanding is an RIR is a resource dispenser.
> When I get my next resource from AfriNIC, I will prefer one that was not
> previously hijacked and used for spamming and network abuse, and got
> blacklisted and a bad reputation everywhere.
>
> What about you?
>
>
> Thanks,
> Frank
>
>
>> Simply
>> Daniel
>>
>> On Mon, Jun 7, 2021, 11:30 PM Fernando Frediani <fhfrediani at gmail.com
>> <mailto:fhfrediani at gmail.com>> wrote:
>>
>> AfriNic (or any other RIR) is the resource holder for IP space that
>> IANA has allocated to it. So who else could secure that space until
>> it is assigned to an organization issuing ROAs if not the current
>> resource holder ?
>>
>> Must we have a policy accepted by either RIPE or ARIN first in order
>> to accept it in AfriNic afterwards ?
>> This is not a worry to the RIR, it is actually an additional
>> guarantee that no one else will try to make usage of IP space under
>> its responsibility.
>>
>> Fernando
>>
>> On 07/06/2021 19:14, Daniel Yakmut via RPD wrote:
>>> Dear Jordi,
>>>
>>> Just out of curiosity why has RIPE and ARIN refused to adopt the
>>> RPKI ROA and make it their responsibility that it is used by
>>> resource holder?. I will agree that RPKI ROA is a good tool to
>>> secure BGP routing, however I don't see as the responsibility of
>>> an RIR to implement it.
>>>
>>> My strong opinion is that any resource holder should be
>>> responsible for securing its resources and if RPKI ROA is the best
>>> way to prevent hijack, then it will enjoy patronage. Making it a
>>> job of AfriNIC, will possibly be going over board.
>>>
>>> Responding to my opening question, I believe RIPE and ARIN are not
>>> keen on accepting your arguments because they are mundane. This
>>> means resource holders should handle this issue, without making it
>>> a worry of the RIR.
>>>
>>> In this regard, AfriNIC should concentrate on handling other more
>>> important issues, hence this policy is not relevant.
>>>
>>>
>>> Simply
>>>
>>> Daniel
>>>
>>> On 07/06/2021 6:3pm, JORDI PALET MARTINEZ via RPD wrote:
>>>> Hi Mimi,
>>>>
>>>> No, is not ideological, the legal counsel already confirmed that
>>>> being bookkeepers has many other **related** implications, such
>>>> as provide a trustable source of accurate data, and this is what
>>>> RPKI and AS0 improve.
>>>>
>>>> The fact that in RIPE has not been accepted yet is just one more
>>>> excuse, if you compare it with the fact that the other TWO RIRs
>>>> where it has been submitted (APNIC and LACNIC) accepted it and in
>>>> none of those regions there have been any of the excuses and lack
>>>> of knowledge about RPKI that we are hearing here. As I’ve
>>>> explained already, I don’t think the RIPE chairs decision was
>>>> correct, and we will make sure to resubmit the proposal there
>>>> once a consistent appeal process is available, in case chairs
>>>> take again a wrong decision. Also, then the experience in APNIC,
>>>> LACNIC and AFRINIC will show that those motivations are
>>>> ridiculous.
>>>>
>>>> From time to time is good that ARIN and RIPE aren’t the leaders,
>>>> you don’t think so? It shows that very smart people exist in
>>>> other regions as well!
>>>>
>>>> Once more, sometimes policies in one or the other region fail to
>>>> reach consensus, but it happens sooner or later.
>>>>
>>>> If you have a simple and trustable tool such as RPKI to drop
>>>> invalids, you have a better way (if you want) to avoid bad actors
>>>> to use prefixes that don’t belong to them as they are still on
>>>> the hands of AFRINIC. This is just facts. Not ideological, not
>>>> opinions or personal view points. So yes, AS0 avoids, if you
>>>> operate your network in a consistent way, to be faked with
>>>> prefixes not allocated/assigned by AFRINIC, and thus helps to
>>>> prevent hijacking.
>>>>
>>>> Regards,
>>>>
>>>> Jordi
>>>>
>>>> @jordipalet
>>>>
>>>> On 7/6/21 18:47, "Mimi dy" <dym5328 at gmail.com
>>>> <mailto:dym5328 at gmail.com>> wrote:
>>>>
>>>> Dear WG,
>>>>
>>>> I think the issue here is ideological. Many people believe that
>>>> RIRs are mere bookkeepers, and it is not in their mandate to
>>>> inject data into the routing database. That is the reason why
>>>> RIPE did not approve a similar proposal, which I totally agree
>>>> with. Moreover, I wanted to react to Jordi’s statement, saying
>>>> that these objections are based on practical and technical
>>>> matters. There is not only one routing database, there are many,
>>>> isn’t it kind of messy? And that is not even the main reason why
>>>> I object to this policy.
>>>>
>>>> From another perspective, since people can adjust and control
>>>> their routers, can you precise how this policy can potentially
>>>> prevent/ reduce hijacking?
>>>>
>>>> Best.
>>>>
>>>> _______________________________________________
>>>> RPD mailing list
>>>> RPD at afrinic.net <mailto:RPD at afrinic.net>
>>>> https://lists.afrinic.net/mailman/listinfo/rpd
>>>>
>>>>
>>>> **********************************************
>>>> IPv4 is over
>>>> Are you ready for the new Internet ?
>>>> http://www.theipv6company.com <http://www.theipv6company.com>
>>>> The IPv6 Company
>>>>
>>>> This electronic message contains information which may be
>>>> privileged or confidential. The information is intended to be for
>>>> the exclusive use of the individual(s) named above and further
>>>> non-explicitly authorized disclosure, copying, distribution or
>>>> use of the contents of this information, even if partially,
>>>> including attached files, is strictly prohibited and will be
>>>> considered a criminal offense. If you are not the intended
>>>> recipient be aware that any disclosure, copying, distribution or
>>>> use of the contents of this information, even if partially,
>>>> including attached files, is strictly prohibited, will be
>>>> considered a criminal offense, so you must reply to the original
>>>> sender to inform about this communication and delete it.
>>>>
>>>>
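The mechanism debated in this thread (the RIR publishing an AS0 ROA for unallocated space, and operators dropping RPKI-invalid routes), as an added example that is not part of any message above: a minimal RFC 6811 route origin validation in Python. The prefix and AS numbers are constructed documentation values, and `VRP`, `rov_state`, `RIR_AS0` and `MEMBER_ROA` are hypothetical names.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload (hypothetical name): prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    asn: int


def rov_state(route: str, origin_asn: int, vrps: list) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # AS0 can never match an origin, so an AS0 VRP only ever "covers".
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample data: documentation prefix and documentation AS numbers.
RIR_AS0 = VRP("198.51.100.0/24", 24, 0)         # RIR marks the block as unallocated
MEMBER_ROA = VRP("198.51.100.0/24", 24, 64496)  # holder's own ROA after allocation

if __name__ == "__main__":
    cases = [
        ("unallocated, no ROA, third party announces", "198.51.100.0/24", 64511, []),
        ("unallocated, AS0 ROA, third party announces", "198.51.100.0/24", 64511, [RIR_AS0]),
        ("unallocated, AS0 ROA, more-specific announced", "198.51.100.0/25", 64511, [RIR_AS0]),
        ("allocated, AS0 not removed, no member ROA", "198.51.100.0/24", 64496, [RIR_AS0]),
        ("allocated, AS0 not removed, member ROA issued", "198.51.100.0/24", 64496,
         [RIR_AS0, MEMBER_ROA]),
    ]
    for label, route, asn, vrps in cases:
        print(f"{label:48} -> {rov_state(route, asn, vrps)}")
```

Only networks that reject invalid routes see any effect from the AS0 ROA. In the fourth case an AS0 entry left in place after allocation makes the holder's announcement invalid until the holder has a matching ROA of its own, which is the situation the timeline question in the thread is about.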