<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body>
<div style="font-family:sans-serif"><div style="white-space:normal">
<p dir="auto">Dear Elvis,</p>
<p dir="auto">Thanks for speaking up and clarifying this viewpoint. Much as your concerns<br>
aren’t directly connected to this proposal but to RPKI in general I think<br>
they’re shared by many and worth addressing. (No I’m not one of the authors of <br>
this proposal).</p>
<p dir="auto">To have a mutual understanding (or agreement to disagree) we need to iron out a<br>
few points. Apologies for the long email that doesn’t discuss the policy<br>
itself.</p>
<ol>
<li value="1"><p dir="auto">Allocation of IP addresses (and other resources) is in your words<br>
<em>”centralised”</em>. I prefer the word “hierarchal”. I.E IANA has the global pool<br>
of IP(v4 & v6) addresses. It then hands it out to RIRs like AFRINIC. LIRS like<br>
ISPs then apply from the RIR. End users either get allocated address space out<br>
of the LIR pool or can get addresses directly from the RIR and get those<br>
routed. So, AFRINIC (and other RIRs) are not responsible to allocate IP<br>
addresses to servers, but you can’t allocate a public IP address to a server<br>
without somehow following this chain. Kindly confirm if you’re fine with this<br>
state of affairs.</p></li>
<li value="2"><p dir="auto">I see you’re using a gmail address and you used the web interface to compose<br>
your email. To do that your browser used SSL. The system that lets SSL work is<br>
the X509 certificate system. This is another <em>”centralised”</em> or hierarchal<br>
system. Your browser or OS has a set of root trust information (CA’s). These<br>
CAs can create “signatures” (crypto information) that says that a particular<br>
key XYZ is allowed to secure a domain (e.g gmail.com). They also can create<br>
signatures that say a key ABC can also create signatures like their own. In<br>
this case, gmail could chose to go to whoever runs ABC to get their X509<br>
certificate instead of to any of the roots themselves. Your browser is able to<br>
follow the chain of trust. Note that x509 aka SSL has methods by which CAs can<br>
publish crypto information that revokes previously assigned certificates if<br>
they were allocated in error. Please also confirm if this is something you’re<br>
fine with.</p></li>
<li value="3"><p dir="auto">RPKI technically isn’t just for ROA validation. It is just another public<br>
key infrastructure with <em>hierarchy</em> (you prefer the term centralised). It also<br>
(like x509) requires some sort of root anchor or anchors. These are what are<br>
installed in each client that wants to verify any of the crypto information in<br>
the system. This isn’t new, DNSSEC works the same way. Once you have well<br>
known/established roots each of these systems (DNSSEC, RPKI) have ways to<br>
delegate authority for some information to the holder of a different public<br>
key. And this goes down the chain. The decision of who the root anchors for<br>
RPKI was debated on public lists like these and finally at the NRO it was<br>
agreed that the easiest and cleanest solution was for all RIRs to have a root<br>
0/0 anchor. All RPKI validator clients simply have these anchors configured and<br>
can therefore validate all crypto in the RPKI system.</p></li>
</ol>
<p dir="auto">Kindly confirm if we’re on the same page (at least via understanding) of these<br>
three long points. Effectively the RPKI system in my opinion is more<br>
trustworthy than the x509 one that secures the SSL you used to write your<br>
email. If you look at your OS/browser there are quite a number of root CAs<br>
there that given the choice I personally wouldn’t trust.</p>
<p dir="auto">Just like DNS, all these systems need hierarchy to operate. It is not logical<br>
to say you trust x509 (SSL) but not RPKI. Or that you’re fine using the<br>
internet with its allocation of IP but do not want to secure those allocations<br>
with a system that follows that same heirachy. Note that we haven’t even<br>
discussed the fact that publishing ROA information in RPKI is optional for ISPs<br>
and end users. We’re just discussing the trust hierarchy.</p>
<p dir="auto">On 17 Sep 2020, at 9:26 EAT, Ibeanusi Elvis wrote:</p>
</div>
<div style="white-space:normal"></div>
<blockquote style="border-left:2px solid #5855D5; color:#5855D5; margin:0 0 5px; padding-left:5px"><div id="323DC261-3551-4B99-9D03-DD6C5774BC82"><div dir="ltr">Dear all, <div><br></div><div>The AFRINIC as an organization specifically focuses on the registration database and thereby having knowledge of where the prefix belongs to and AFRINIC should just focus on this role and should not engage in authenticating or the authorization of various services. If such rights are given to any organization, they have the right to assign prefixes to servers hence, having control of the routing database at which a technical or human error will lead to an immense catastrophe to the internet society. This control is basically the specific definition of centralization. This centralization is the major reason why most providers do not trust the Resource Public Key Infrastructure (RPKI). I am still in opposition to this policy proposal. </div><div><br></div><div>Elvis. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 17, 2020 at 3:01 PM Darwin Costa <<a href="mailto:dc@darwincosta.com">dc@darwincosta.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Cmon folks….!<div><br></div><div>@Elvis, I really don’t see your point here and also don’t really understand why are you opposing against this proposal.</div><div><br></div><div>As mentioned further on the thread - RPKI won’t change Afrnic´s role at all…. Instead this proposal will certainly contribute to a more secure routing advertisement.</div><div><br></div><div>As such, other RIR´s have successfully implemented this in order to protect our garden so called “The Internet”.</div><div><br></div><div>Darwin-.</div><div><br></div><div><br><div><br><blockquote type="cite"><div>On 17 Sep 2020, at 05:42, Fernando Frediani <<a href="mailto:fhfrediani@gmail.com" target="_blank">fhfrediani@gmail.com</a>> wrote:</div><br><div>
<div><p>I think there is a serious issue by some people totally
misunderstanding what RPKI actually is.</p><p>Some arguments saying something like 'Afrinic will centralize
control of the internet and should not have such power' don't have
relation to what what this proposal intends and the reasons to
oppose it are not tied to real possible problems pointed.<br>
</p><p>This proposal only follows what have been done in APNIC and
LACNIC and is a natural move to make an internet more secure and
avoid organizations to use space that is not assigned to anyone
else.<br>
Therefore I support this proposal.</p><p>Fernando<br>
</p>
<div>On 16/09/2020 20:42, Noah wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Sep 17, 2020 at 2:30
AM Ibeanusi Elvis <<a href="mailto:ibeanusielvis@gmail.com" target="_blank">ibeanusielvis@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>I am strongly in opposition to this RPKI ROA
proposal,</div>
</div>
</blockquote>
<div><br>
</div>
<div>You oppose yet....</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div> issuing an AS0 for AFRINIC address space </div>
</div>
</blockquote>
<div><br>
</div>
<div>You must be clear on which AFRINIC address space rather
than presenting a rather vague statement. </div>
<div><br>
</div>
<div>The proposal is very clear and explicit and the AFRINIC
space in question is that which has not yet been allocated
or assigned to any entity or resource member.</div>
<div><br>
</div>
<div>I will quote for you section 2.0 of the proposal as
written below;</div>
<div><br>
</div>
<div><b>2.0 Summary of how this proposal addresses the problem</b></div>
<div><b><br>
</b>This proposal instructs AFRINIC to create ROAs for all <b>unallocated
and unassigned address space under its control.</b> This
will enable networks performing RPKI-based BGP Origin
Validation to easily reject all the bogon announcements
covering resources managed by AFRINIC.<br>
</div>
<div><br>
</div>
<div>So what are you talking about?</div>
<div><br>
</div>
<div>Noah </div>
<div> </div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
RPD mailing list
<a href="mailto:RPD@afrinic.net" target="_blank">RPD@afrinic.net</a>
<a href="https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.afrinic.net%2Fmailman%2Flistinfo%2Frpd&data=02%7C01%7C%7Ca48324a7026842948aff08d85abbfbd8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637359110720490840&sdata=mOjgUTIarKfPnsD2h0TtixnR51E4wzIwqoo6rONHW%2FI%3D&reserved=0" target="_blank">https://lists.afrinic.net/mailman/listinfo/rpd</a>
</pre>
</blockquote>
</div>
_______________________________________________<br>RPD mailing list<br><a href="mailto:RPD@afrinic.net" target="_blank">RPD@afrinic.net</a><br><a href="https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.afrinic.net%2Fmailman%2Flistinfo%2Frpd&data=02%7C01%7C%7Ca48324a7026842948aff08d85abbfbd8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637359110720510827&sdata=jlnsXCK7dATX4Jcg48%2BhurUnj1E5umTa2RZq7IMsb%2Fs%3D&reserved=0" target="_blank">https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.afrinic.net%2Fmailman%2Flistinfo%2Frpd&data=02%7C01%7C%7Ca48324a7026842948aff08d85abbfbd8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637359110720510827&sdata=jlnsXCK7dATX4Jcg48%2BhurUnj1E5umTa2RZq7IMsb%2Fs%3D&reserved=0</a><br></div></blockquote></div><br></div></div>_______________________________________________<br>
RPD mailing list<br>
<a href="mailto:RPD@afrinic.net" target="_blank">RPD@afrinic.net</a><br>
<a href="https://lists.afrinic.net/mailman/listinfo/rpd" rel="noreferrer" target="_blank">https://lists.afrinic.net/mailman/listinfo/rpd</a><br>
</blockquote></div></div></blockquote>
<div style="white-space:normal">
<blockquote style="border-left:2px solid #5855D5; color:#5855D5; margin:0 0 5px; padding-left:5px">
</blockquote><br><blockquote style="border-left:2px solid #5855D5; color:#5855D5; margin:0 0 5px; padding-left:5px"><p dir="auto">_______________________________________________<br>
RPD mailing list<br>
RPD@afrinic.net<br>
<a href="https://lists.afrinic.net/mailman/listinfo/rpd">https://lists.afrinic.net/mailman/listinfo/rpd</a></p>
</blockquote></div>
<div style="white-space:normal">
<p dir="auto">--<br>
patrick</p>
</div>
</div>
</body>
</html>