
[rpd] Last Call - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT03.

Gregoire EHOUMI gregoire.ehoumi at
Thu Jun 17 23:23:56 UTC 2021

Hi Job,

> On Jun 15, 2021, at 2:59 PM, Job Snijders via RPD <rpd at> wrote:

> The point of that email was to show how SMALL the list of prefixes is! :-)
> All this effort (and risk!) to 'punish' a few tens of routes in the
> DFZ.


⁃ Publishing AS0 ROAs is just another way of publishing what is in the delegated file as “reserved” and “available”
⁃ Normal ROA validation for the networks who might decide to trust the AS0
⁃ Local policy and decisions on what to do with “invalid”

Risks associated with RPKI and the operational concerns are well known and left to each party to manage through local policies.
Punish only a few tens?
We wait for this to become a “pandemic” to start addressing it?

> In the email you reference, I asked whether anyone could support the
> policy with actual data on network abuse. Nobody answered. Now, two
> years later, and I still haven't seen any evidence that this type of
> policy is helpful. Thus, I believe this policy proposal does nothing
> against 'hacking', or 'spamming'.


Nobody answered you, probably because the proposal does not aim to combat “hacking” or “spamming”.

> The proposal also does nothing productive against BGP hijacking: the
> only _problematic_ BGP hijacks, are the ones where someone hijacks IP
> space that someone else already was USING for an Internet service!

Once again, you seem to be looking for a wrong problem for the solution.

> Even worse, the proposal puts RPKI's reputation at risk, so in an
> indirect way the policy proposal might make BGP hijacking worse!

> The proposal also does nothing to increase RIR Registry accuracy,
> because it deals exclusively with unassigned and unallocated space.

It depends on how you see things.
Verifiable non-existence of right to use resources helps registration accuracy.


> We know of multiple technical long-lasting Database Registration and
> RPKI incidents at the RIR level in the last two years. We know for sure
> that future incidents will happen too, because we can't build perfect
> software. This convinced me that this type of policy is a
> mis-application of the RPKI technology. Deployment of AS 0 TALs
> decrease the overall reliability of the Internet. The proposal is akin
> to a ticking time bomb.

> Multiple recognized experts in the field (from all over the world) have
> spoken against this proposal. This in itself should be a red flag that
> something is wrong.


Experts even continue to speak and warn about how bad RPKI and RoV are and their dangerousness to the routing compared to their benefit... but we do see some adoption.
The experts’ warnings led to some extra caution in the proposed solution and shall feed operational considerations inside networks and local policies.

> Even worse, there are non-technical problems that affect entire
> countries, such as sanctions. When an entire country is banned from
> conducting business (parts of) the rest of the world... do we truly
> believe that also taking away their Internet access is the humane things
> to do? I don't! This proposal is a pathway towards such a future event.


Either AFRINIC is forced to follow the injunctions of the world “gendarmes” who banned countries from doing business with others and revoke all membership from these countries, or the bans make membership fee payments impossible.
AFRINIC now has experience dealing with the second case... as on this continent, many events and situations lead to this.
As for the other case, the Internet might resist the “gendarmes” by bypassing the “invalid” status caused.
Shouldn’t we expect orders to de-peer banned countries, to filter all prefixes to them?
Should we stop publishing which country we allocate to?

> I work to keep the Internet up, I work to keep communication lines open
> between communities.


Communication lines must be kept open at all times, and the Internet has proven its resiliency many times.

> A BGP route to an unassigned IP block, might be your only route to a
> million fellow human beings.


Let's not encourage people going rogue. It opens doors for many abuses.
As these unassigned IP blocks are not supposed to be seen in the DFZ if current bogon filtering were followed, AS0 ROAs will just offer an option to those who decide to follow them.
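
The validation outcome discussed in this thread, as an added example that is not part of the original message: a minimal RFC 6811 origin validation in Python showing that a route covered only by an AS0 ROA evaluates to "invalid", while acting on that state stays a local policy choice. The prefixes and AS numbers are documentation values, the ROA sets are constructed, and keeping the AS0 ROAs in a separate set that an operator may or may not load is an assumption of this sketch.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: object      # ipaddress network object
    max_length: int
    asn: int

def roa(prefix, asn, max_length=None):
    net = ipaddress.ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue
        covered = True  # at least one ROA covers this route
        # An AS0 ROA can never match an origin, so it only ever contributes "covered".
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def accept(state, drop_invalid):
    """Local policy: the validator only labels routes; the operator decides."""
    return not (drop_invalid and state == "invalid")

# Constructed sample data (documentation prefixes and AS numbers).
MEMBER_ROAS = [roa("192.0.2.0/24", 64500)]                # allocated, member-signed
AS0_ROAS = [roa("198.51.100.0/24", 0, max_length=32)]     # stands in for unallocated space

def roa_set(load_as0):
    """ROAs seen by a network that does, or does not, load the AS0 set."""
    return MEMBER_ROAS + (AS0_ROAS if load_as0 else [])

if __name__ == "__main__":
    routes = [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501),
              ("203.0.113.0/24", 64502)]
    for load_as0 in (False, True):
        for prefix, asn in routes:
            state = validate(prefix, asn, roa_set(load_as0))
            print(f"as0_loaded={load_as0} {prefix} AS{asn}: {state}, "
                  f"accepted={accept(state, drop_invalid=True)}")
```
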

