[rpd] Last Call - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT03.

Fernando Frediani fhfrediani at
Tue Jun 15 22:41:58 UTC 2021


On 15/06/2021 15:59, Job Snijders via RPD wrote:

> Dear Noah, others,
>
> This policy proposal strikes at the heart of the design of the global
> Internet routing system. The Internet works so well because it is a
> series of clever fail-open fail-safe mechanisms. This proposal converts
> a fail-open into a fail-closed.
>
> The policy 'protects' the wrong asset (the UNUSED resources), and in
> doing so puts the real valuable assets at risk (the IPs that we actually
> USE in our day to day communication).

Fair point of view although I don't see anything wrong in willing to
protect unallocated addresses as well. They will be allocated at some
point and if used in the meantime it can damage their reputation for
future members.


> <clip>
>
> The proposal also does nothing productive against BGP hijacking: the
> only _problematic_ BGP hijacks, are the ones where someone hijacks IP
> space that someone else already was USING for an Internet service!
> Even worse, the proposal puts RPKI's reputation at risk, so in an
> indirect way the policy proposal might make BGP hijacking worse!

Why don't you see as a hijack the usage of unallocated space? When that
happens it is likely to be used for something wrong, plus the issue
stated above that damages the reputation of that stolen space that will
be allocated for future members.
Any IP space (allocated or not) should be protected against usage by
unauthorized. I agree the used ones are more important, but even the
unallocated have their importance too.


> We know of multiple technical long-lasting Database Registration and
> RPKI incidents at the RIR level in the last two years. We know for sure
> that future incidents will happen too, because we can't build perfect
> software. This convinced me that this type of policy is a
> mis-application of the RPKI technology. Deployment of AS 0 TALs
> decreases the overall reliability of the Internet. The proposal is akin
> to a ticking time bomb.

It would be a misapplication if used for a different purpose than it
was thought. AS0 ROAs are to be used to sign by the rightful resource
holder that some IP space is not permitted to be announced. The rightful
resource holder of most currently unallocated space are the RIRs.


> Multiple recognized experts in the field (from all over the world) have
> spoken against this proposal. This in itself should be a red flag that
> something is wrong.

Fair enough. But why didn't they come here at the time of the discussion
to collaborate ? Or at least someone objecting it didn't share their
reasons to object it so community could evaluate it ?


> Even worse, there are non-technical problems that affect entire
> countries, such as sanctions. When an entire country is banned from
> conducting business with (parts of) the rest of the world... do we truly
> believe that also taking away their Internet access is the humane thing
> to do? I don't! This proposal is a pathway towards such a future event.

With or without the existence of RPKI that would happen sooner or later
they would lose access if it was the case.
But I fail to remember a situation as described where a RIR or even a
local court in the country the RIR operates ordered such thing based on


> I work to keep the Internet up, I work to keep communication lines open
> between communities.

Great, I think most of us too. But I prefer to do that within the
current and well established rules so I would expect any organization to
keep their lines opened inside the same rules.


> A BGP route to an unassigned IP block, might be your only route to a
> million fellow human beings.

Correct me if I am wrong, but are you justifying the misusage of
unallocated space as long as it provides connectivity to some human being?
If so I can't agree with it.



> Kind regards,
>
> Job
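
The following is an added illustration, not part of the original message or of either participant's words: a minimal RFC 6811 route origin validation in Python, showing how an AS0 entry moves a route from "not-found" to "invalid" and what happens if a registry wrongly lists an in-use block. The prefixes, ASNs and the names `validate`, `dropped` and `scenarios` are constructed for this example.

```python
import ipaddress

def validate(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp.version or not route.subnet_of(vrp):
            continue
        covered = True  # at least one VRP covers this route
        # AS0 can never appear as a route's origin, so an AS0 VRP never matches.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def dropped(state):
    """Common 'reject invalid' policy: not-found routes are still accepted."""
    return state == "invalid"

# Constructed data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
MEMBER_ROA = [("203.0.113.0/24", 24, 64500)]       # member signed its own space
AS0_POOL = [("198.51.100.0/24", 24, 0)]            # registry: unallocated pool
AS0_MISTAKE = [("192.0.2.0/24", 24, 0),            # in-use blocks listed by error
               ("203.0.113.0/24", 24, 0)]

def scenarios():
    both = MEMBER_ROA + AS0_MISTAKE
    return {
        # Unallocated space announced by an arbitrary AS, without and with AS0.
        "squat_without_as0": validate("198.51.100.0/24", 64511, MEMBER_ROA),
        "squat_with_as0": validate("198.51.100.0/24", 64511, MEMBER_ROA + AS0_POOL),
        # In-use block with no ROA of its own, before and after a registry error.
        "unsigned_before_error": validate("192.0.2.0/24", 64501, MEMBER_ROA),
        "unsigned_after_error": validate("192.0.2.0/24", 64501, both),
        # In-use block whose holder has a matching ROA: a matching VRP still wins.
        "signed_after_error": validate("203.0.113.0/24", 64500, both),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:24} {state:10} dropped={dropped(state)}")
```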


