[rpd] Last Call - RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT03.
Owen DeLong
owen at delong.com
Tue Jun 29 09:48:22 UTC 2021
> On Jun 29, 2021, at 01:56 , Noah <noah at neo.co.tz> wrote:
>
>
>
> On Tue, 29 Jun 2021, 11:37 Owen DeLong, <owen at delong.com> wrote:
>
>
>> On Jun 27, 2021, at 14:55 , Noah <noah at neo.co.tz> wrote:
>>
>>
>>
>> On Sat, Jun 26, 2021 at 11:35 AM Owen DeLong <owen at delong.com> wrote:
>>>>
>>>> So in the AFRINIC region, network abuse incidents have been reported on this very list as recently as this year and we have had incidents of misappropriation [1] of INR as well.
>>>>
>>>> [1] https://lists.afrinic.net/pipermail/community-discuss/2020-August/003678.html
>>>
>>> Your example cites resources that were misappropriated in such a way that they could have had ROAs issued that would have further masked the misappropriation.
>>>
>>> I read "further masked" ... eeeh heh ?
>>
>> In other words, given the way those resources were misappropriated, they could have still had (apparently) valid ROAs attesting to their origin ASN providing an additional
>> assurance that this stolen space was in legitimate use.
>>
>> Are we talking about bogons ROA'd with the AS0 tag?
>
> No, I’m saying that the example you cite likely would not have received AS0 ROAs even with this policy in place
>
>
> That is an assumption you are making. If the policy was in place, chances are the misappropriation would be limited because the implementation would reduce such loopholes.
The misappropriation happened with the full cooperation of an AFRINIC staff member actively engaged in the misappropriation.
I think it is safe to assume that if there were AS0 ROAs, he would have been able to go through the normal allocation process to have them removed and/or issue
new signatures/keys to allow new ROAs issued/signed by the receiving entities.
What is your basis for believing otherwise? Please share.
>
> and likely could well have had ROAs
> attesting to the ASN that was advertising the misappropriated space.
>
> This is an assumption absent the policy.
No, it is an assumption given the role of the person doing the misappropriating on the AFRINIC staff.
>
>
>>
>> Hence providing additional disguise…further masking…
>>
>>
>> How?
>
> Are you serious? If you have an AS X that receives misappropriated addresses at the end of the misappropriation chain that is able to get the RIR to
> sign ROAs attesting to their origination of the prefix, given that the misappropriation happened at the hands of an RIR insider, how are you not able
> to see this plainly?
>
> Absent the AS0 policy, we can only assume.
With the AS0 policy, this would not be prevented when the person misappropriating the address is an AFRINIC staff member with full access to update
the registration database (as was the case here).
>
>> Does that clarify for you?
>>
>> No it does not...
>
> Wow… Well, hopefully the above rather detailed explanation is simple enough for you this time.
>
> There is nothing detailed but assumptions.
So you’re saying that you do not believe that Ernest would have been able to issue (apparently) valid ROAs for the misappropriated space
if this policy were in effect?
Talk about assumptions.
Owen