[rpd] Last Call - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT03.
Job Snijders
job at fastly.com
Tue Jun 15 18:59:05 UTC 2021

Dear Noah, others,

This policy proposal strikes at the heart of the design of the global
Internet routing system. The Internet works so well because it is a
series of clever fail-open fail-safe mechanisms. This proposal converts
a fail-open into a fail-closed.

The policy 'protects' the wrong asset (the UNUSED resources), and in
doing so puts the real valuable assets at risk (the IPs that we actually
USE in our day to day communication).

On Tue, Jun 15, 2021 at 06:27:21PM +0300, Noah wrote:
> > The best measure to put in place to curb incidents is to not implement
> > this type of policy.
>
> There are several of us who support this policy for valid reasons, some of
> which are founded on the premise [1] that you shared with the APNIC region
> back in 2019.
>
> [1] https://mailman.apnic.net/mailing-lists/sig-policy/archive/2019/08/msg00065.html

The point of that email was to show how SMALL the list of prefixes is! :-)
All this effort (and risk!) to 'punish' a few tens of routes in the
DFZ.

In the email you reference, I asked whether anyone could support the
policy with actual data on network abuse. Nobody answered. Now, two
years later, I still haven't seen any evidence that this type of
policy is helpful. Thus, I believe this policy proposal does nothing
against 'hacking', or 'spamming'.

The proposal also does nothing productive against BGP hijacking: the
only _problematic_ BGP hijacks are the ones where someone hijacks IP
space that someone else already was USING for an Internet service!

Even worse, the proposal puts RPKI's reputation at risk, so in an
indirect way the policy proposal might make BGP hijacking worse!

The proposal also does nothing to increase RIR Registry accuracy,
because it deals exclusively with unassigned and unallocated space.

We know of multiple technical long-lasting Database Registration and
RPKI incidents at the RIR level in the last two years. We know for sure
that future incidents will happen too, because we can't build perfect
software. This convinced me that this type of policy is a
mis-application of the RPKI technology. Deployment of AS 0 TALs
decreases the overall reliability of the Internet. The proposal is akin
to a ticking time bomb.

Multiple recognized experts in the field (from all over the world) have
spoken against this proposal. This in itself should be a red flag that
something is wrong.

Even worse, there are non-technical problems that affect entire
countries, such as sanctions. When an entire country is banned from
conducting business with (parts of) the rest of the world... do we truly
believe that also taking away their Internet access is the humane thing
to do? I don't! This proposal is a pathway towards such a future event.

I work to keep the Internet up, I work to keep communication lines open
between communities.

A BGP route to an unassigned IP block might be your only route to a
million fellow human beings.

Kind regards,
Job
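
Added example (not part of the email above and not AFRINIC or RPKI project code): a minimal RFC 6811 route origin validation in Python, showing how an AS 0 ROA changes the outcome for a route from "not-found" (accepted, fail-open) to "invalid" (dropped, fail-closed). The prefixes, ASNs and the registry-incident scenario are constructed assumptions using documentation ranges.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    asn: int

def rov_state(route: str, origin_asn: int, vrps: list[VRP]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        # An AS 0 VRP covers routes but can never match an origin.
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def accepted(route: str, origin_asn: int, vrps: list[VRP]) -> bool:
    """Common 'reject invalids' import policy: not-found still passes."""
    return rov_state(route, origin_asn, vrps) != "invalid"

# Constructed sample data (documentation prefixes and ASNs, not real registry data).
ROUTE, ORIGIN = "198.51.100.0/24", 64496

# Normal operation: the holder's ROA is published.
NORMAL = [VRP("198.51.100.0/24", 24, 64496)]
# Hypothetical registry incident: the block is wrongly recorded as unallocated,
# so the holder's ROA is no longer published.
INCIDENT_NO_AS0 = []
# Same incident, with the registry also issuing AS 0 ROAs for "unallocated" space.
INCIDENT_WITH_AS0 = [VRP("198.51.100.0/24", 32, 0)]

def scenario_table() -> dict[str, tuple[str, bool]]:
    cases = {"normal": NORMAL, "incident, no AS0": INCIDENT_NO_AS0,
             "incident, AS0 ROAs": INCIDENT_WITH_AS0}
    return {name: (rov_state(ROUTE, ORIGIN, vrps), accepted(ROUTE, ORIGIN, vrps))
            for name, vrps in cases.items()}

if __name__ == "__main__":
    for name, (state, ok) in scenario_table().items():
        print(f"{name:20} {state:10} {'accept' if ok else 'DROP'}")
```

Under the same registry error, the route stays reachable when the ROA merely disappears, and is dropped by every validating network when an AS 0 ROA covers it.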