
[rpd] Last Call - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT03.

Noah noah at neo.co.tz
Tue Jun 8 20:15:45 UTC 2021


On Tue, Jun 8, 2021 at 5:43 PM Job Snijders via RPD <rpd at afrinic.net> wrote:


> Dear Internet friends - close-by and far away,
>

Hi Job,



>
> Ask yourself whether the proponents of this proposal have experience
> developing RPKI software, or have been involved in notable RPKI based
> BGP Route Origin Validation deployment projects, or are known for their
> work on BGP routing security....
>


Yes, many of us have real world deployment projects across real networks in
AFRICA.[1]



> Danger to AFRINIC members
> =========================
>
> If this policy proposal is implemented, the ultimate consequence is
> that certain types of disputes between members and AFRINIC will result
> in severe connectivity problems for the member. Some members might
> think, "that will never happen to me, I always pay my bills on time!"
>


This already happens and Covid was one such situation that affected most
businesses but like with any responsible organization, AFRINIC has had to
adjust on how it deals with its members including those that have struggled
as a result of the Covid force majeure.

In any case, AFRINIC is not a briefcase organization, it has processes which
it follows to the benefit of its members whether they pay in time or delay
payment for there is always a reason.



> But we cannot know the future! If five years from now there is a banking
> issue between AFRINIC's bank and a member's bank (for example, because
> of sanctions, war conflict, or any other issue) -



In our region, this is already happening as some countries within AFRINIC
service region have faced civil wars in the recent past (Somalia, South
Sudan, Libya, CAR, DRC) and some Sanctions (Sudan) yet AFRINIC members in
these countries forge on and AFRINIC whose responsibility is known to us
all, has continued to serve these countries. The AFRINIC website I believe
has a members list across its service region, please look at it.

Nothing new.... All it takes is being realistic to the situation as no
single country wishes to find itself in some civil war or sanctions yet our
people can not be denied services for explanations that are reasonable to
us all.


> the member suddenly
> might find themselves in a situation where not only the AFRINIC
> registration of IP addresses falters (a serious problem), but
> additionally the member's internet connectivity is forcefully taken
> offline (an even bigger problem!). This seems disproportional.
>


None has happened and I stand to be corrected. Has AFRINIC cancelled
memberships in our AFRICAN countries of CAR, Libya, Tunisia, Egypt, South
Sudan, Somalia etc...? which have faced conflicts in recent years.



>
> ASPECT #2: Any mistake AFRINIC makes in the AS0 publication will result
> in significant problems for third parties. (Possibly outside AFRINIC
> region) What if a typo is made? The wrong prefix added to the AS0 block
> list? Why would we voluntarily increase our global risk? The proposal
> authors will blow off these concerns as 'surely AFRINIC will never make
> a mistake', ... but that simply is not how things work.
>


There have been so many global Internet outages in the past 24hrs and as
recently as earlier today [2].

I wonder if they are all related to the RPKI AS0 TAL implementation gone
south due to human error.

Yet they have been fixed because we humans err and we humans fix mistakes
and we have been doing that since the beginning of time.

So nothing new hey....



> In the current RPKI service model, most problems can only be caused by
> AFRINIC members themselves, and only related to their own prefixes. It
> is a Good Thing [tm] when people can only negatively impact themselves.
> However, in the proposed model a whole new level of mistakes become
> possible!
>


And yet mistakes never stop after all. But we fix them, that is why they
are referred to us as MISTAKES.

That does not mean that we don't have the capacity to be cautious while
following BCPs.

We will err, brother, because we are human.



>
> Lessons from the RIPE Region
> ============================
>
> The RIPE Routing Working Group considered the AS0 proposal extensively,
> and rejected it for sound reasons. JORDI disagrees, but this wouldn't be
> the first time that a policy proposer does not receive the support they
> hoped for.
>


That is the RIPE region and this is the AFRINIC region.



>
> RIPE NCC is subject to EU Regulations and Sanctions. Iranian and Syrian
> internet participants would have been at risk of losing internet
> connectivity (on top of an already challenging and devastating
> situation) if the idea of AS0 TALs was implemented. This shows that the
> idea of AS0 policies is at odds with the Internet's architecture.
>


Do you mean RIPE members who have been rightfully allocated INR?

Or do you mean those using unallocated RIPE INR?



>
> https://www.ripe.net/ripe/mail/archives/routing-wg/2020-June/004131.html
>
> Even if this policy proposal is implemented under a distinct TAL, there
> will be some networks somewhere that misunderstand the risks and
> consequences of 'AS0 TAL', and subsequently end up losing connectivity
> towards some Internet destinations for no good reason.



Nothing new. Operational mistakes happen all the time and they are fixed
while lessons are taken.



>
>
> Another aspect: almost no operators are using the APNIC/LACNIC AS 0 TAL!
> It appears many people recognize that it brings additional risk, for no
> reward. Success stories of the AS0 TAL in LACNIC and APNIC do not exist.
>


It is proposed that operators shall have a choice. It ain't mandatory.



> Conclusion
> ==========
>
> RPKI has been designed to be used as an optional security feature to help
> grow the Internet, not as a 'punishment' or 'censorship' tool.



Can you please share any such real world situation in APNIC or LACNIC who
have implemented the same policy, and there has been a resource member in
those regions who was punished or censored?




> To
> reclaim unassigned space, AFRINIC can continue to work with global
> carriers on a case-by-case basis. The 'problem' this proposal 'solves'
> is NOT proportional to the risks the proposal introduces.
>



AFRINIC has been reporting to the community and members about recovered
address space that had been misappropriated from the free pool. Please
check the mailing list archives in case you missed the announcements.

Anything that further helps with dealing with bogons is welcome to say the
least. Why should an LIR suffer because the newly allocated space had been
blacklisted in the past because it had been hijacked and used to SPAM or
DDOS or used in some Internet related Abuse?



> If this policy is accepted - it'll be a waste of AFRINIC engineering and
> financial resources (even under a separate TAL!), and needlessly
> introduce risk where no risk needs to exist, for no benefit.
>


This remains for AFRINIC staff to proclaim as such.

Just to state on the record, that I am yet to find any of the reasons you
have stated, as valid objections.

Cheers,
Noah
[1] My boss would confirm the same
[2] https://downdetector.com/