<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I totally agree with you regarding...</p>
<pre class="moz-quote-pre" wrap="">1. The automatic creation of AS0 ROAs should be limited to space that
has never been allocated by an RIR or part of a legacy allocation.
2. AFRINIC should require the explicit consent of the previous holder
to issue AS0 ROAs in respect of re-claimed, returned, etc, space.
3. Any ROAs issued under this policy should be issued and published in
a way that makes it operationally easy for an relying party to
ignore them (probably by issuing under a separate TA)
If these points are emphasised - then I have no issues at all!
I actually though that point (1) was implied by the wording already!
</pre>
<div class="moz-cite-prefix">On 2020/09/17 11:08, Ben Maddison
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20200917090816.nwkt44vwwjaun6wo@benm-laptop">
<pre class="moz-quote-pre" wrap="">Hi all,
I am currently undecided on this policy.
As others have pointed out, the objections to the proposal on the basis
of centralization of control are bogus: the current policy does not add
any additional control over the routing system beyond that which AFRINIC
already has as the result of RPKI origin validation deployment today.
I agree with the fundamental basis of the proposal that:
a) it is generally undesirable to route traffic for bogon destinations;
and
b) the RPKI is the best fit we have to securely communicate what is and
isn't a bogon to relying parties in order to implement the necessary
routing policy.
However, it is also the case that the consequences (in terms of service
availability for end users) of a de-registration would be substantially
greater if the de-registration is accompanied by the issuance of an AS0
ROA for that address space.
This is true for the following reasons:
- Non-RIR managed IRR databases exist that allow the creation of
route(6) objects that are not covered by an RIR allocation
- Many networks do not filter by prefix based on IRR data at all
- Those that do generally do not filter their transits by prefix
- Transit-free networks generally do not filter their peers (or at least
their transit-free peers) by prefix
Thus, today, a de-registration probably results in a partial outage that
can be worked-around, rather than a near-total outage that cannot.
This is either a feature or a bug in the policy, depending on your point
of view regarding a specific de-registration case!
I would suggest the following modifications, in order to alleviate some
of the risks inherent in the current draft:
1. The automatic creation of AS0 ROAs should be limited to space that
has never been allocated by an RIR or part of a legacy allocation.
2. AFRINIC should require the explicit consent of the previous holder
to issue AS0 ROAs in respect of re-claimed, returned, etc, space.
3. Any ROAs issued under this policy should be issued and published in
a way that makes it operationally easy for an relying party to
ignore them (probably by issuing under a separate TA)
With the above amendments I would be inclined to support the proposal.
Cheers,
Ben
On 09/17, Mark Elkins wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I support the RPKI ROA policy as written. I understand the technical aspects
of the policy. I have a feeling that those objecting may not completely
understand the technical aspects which is why they are objecting.
AFRINIC's job is to properly document the resources they have been provided
by ICANN/IANA and this is simply part of the job. When new resources are
provided to AFRINIC, they label it as such (AS0, etc). When it is then
allocated/assigned to a member, the AS0 RPKI is removed. All this means is
that the unallocated/unassigned resources that are with AFRINIC can be
(optionally) identified as such and thus can not be easily misused by bad
actors. This also means that when they are allocated/assigned to members,
they are less lightly to have been made "dirty".
On 2020/09/17 08:26, Ibeanusi Elvis wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Dear all,
The AFRINIC as an organization specifically focuses on the registration
database and thereby having knowledge of where the prefix belongs to and
AFRINIC should just focus on this role and should not engage in
authenticating or the authorization of various services. If such rights
are given to any organization, they have the right to assign prefixes to
servers hence, having control of the routing database at which a
technical or human error will lead to an immense catastrophe to the
internet society. This control is basically the specific definition of
centralization. This centralization is the major reason why most
providers do not trust the Resource Public Key Infrastructure (RPKI). I
am still in opposition to this policy proposal.
Elvis.
On Thu, Sep 17, 2020 at 3:01 PM Darwin Costa <<a class="moz-txt-link-abbreviated" href="mailto:dc@darwincosta.com">dc@darwincosta.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:dc@darwincosta.com"><mailto:dc@darwincosta.com></a>> wrote:
Cmon folks….!
@Elvis, I really don’t see your point here and also don’t really
understand why are you opposing against this proposal.
As mentioned further on the thread - RPKI won’t change Afrnic´s
role at all…. Instead this proposal will certainly contribute to a
more secure routing advertisement.
As such, other RIR´s have successfully implemented this in order
to protect our garden so called “The Internet”.
Darwin-.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> On 17 Sep 2020, at 05:42, Fernando Frediani <<a class="moz-txt-link-abbreviated" href="mailto:fhfrediani@gmail.com">fhfrediani@gmail.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:fhfrediani@gmail.com"><mailto:fhfrediani@gmail.com></a>> wrote:
I think there is a serious issue by some people totally
misunderstanding what RPKI actually is.
Some arguments saying something like 'Afrinic will centralize
control of the internet and should not have such power' don't
have relation to what what this proposal intends and the reasons
to oppose it are not tied to real possible problems pointed.
This proposal only follows what have been done in APNIC and
LACNIC and is a natural move to make an internet more secure and
avoid organizations to use space that is not assigned to anyone else.
Therefore I support this proposal.
Fernando
On 16/09/2020 20:42, Noah wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
On Thu, Sep 17, 2020 at 2:30 AM Ibeanusi Elvis
<<a class="moz-txt-link-abbreviated" href="mailto:ibeanusielvis@gmail.com">ibeanusielvis@gmail.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:ibeanusielvis@gmail.com"><mailto:ibeanusielvis@gmail.com></a>> wrote:
I am strongly in opposition to this RPKI ROA proposal,
You oppose yet....
issuing an AS0 for AFRINIC address space
You must be clear on which AFRINIC address space rather than
presenting a rather vague statement.
The proposal is very clear and explicit and the AFRINIC space in
question is that which has not yet been allocated or assigned to
any entity or resource member.
I will quote for you section 2.0 of the proposal as written below;
*2.0 Summary of how this proposal addresses the problem*
*
*This proposal instructs AFRINIC to create ROAs for all
*unallocated and unassigned address space under its control.*
This will enable networks performing RPKI-based BGP Origin
Validation to easily reject all the bogon announcements covering
resources managed by AFRINIC.
So what are you talking about?
Noah
_______________________________________________
RPD mailing list
<a class="moz-txt-link-abbreviated" href="mailto:RPD@afrinic.net">RPD@afrinic.net</a> <a class="moz-txt-link-rfc2396E" href="mailto:RPD@afrinic.net"><mailto:RPD@afrinic.net></a>
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/mailman/listinfo/rpd">https://lists.afrinic.net/mailman/listinfo/rpd</a> <a class="moz-txt-link-rfc2396E" href="https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.afrinic.net%2Fmailman%2Flistinfo%2Frpd&data=02%7C01%7C%7Ca48324a7026842948aff08d85abbfbd8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637359110720490840&sdata=mOjgUTIarKfPnsD2h0TtixnR51E4wzIwqoo6rONHW%2FI%3D&reserved=0"><https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.afrinic.net%2Fmailman%2Flistinfo%2Frpd&data=02%7C01%7C%7Ca48324a7026842948aff08d85abbfbd8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637359110720490840&sdata=mOjgUTIarKfPnsD2h0TtixnR51E4wzIwqoo6rONHW%2FI%3D&reserved=0></a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap=""> _______________________________________________
RPD mailing list
<a class="moz-txt-link-abbreviated" href="mailto:RPD@afrinic.net">RPD@afrinic.net</a> <a class="moz-txt-link-rfc2396E" href="mailto:RPD@afrinic.net"><mailto:RPD@afrinic.net></a>
<a class="moz-txt-link-freetext" href="https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.afrinic.net%2Fmailman%2Flistinfo%2Frpd&data=02%7C01%7C%7Ca48324a7026842948aff08d85abbfbd8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637359110720510827&sdata=jlnsXCK7dATX4Jcg48%2BhurUnj1E5umTa2RZq7IMsb%2Fs%3D&reserved=0">https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.afrinic.net%2Fmailman%2Flistinfo%2Frpd&data=02%7C01%7C%7Ca48324a7026842948aff08d85abbfbd8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637359110720510827&sdata=jlnsXCK7dATX4Jcg48%2BhurUnj1E5umTa2RZq7IMsb%2Fs%3D&reserved=0</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
_______________________________________________
RPD mailing list
<a class="moz-txt-link-abbreviated" href="mailto:RPD@afrinic.net">RPD@afrinic.net</a> <a class="moz-txt-link-rfc2396E" href="mailto:RPD@afrinic.net"><mailto:RPD@afrinic.net></a>
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/mailman/listinfo/rpd">https://lists.afrinic.net/mailman/listinfo/rpd</a>
_______________________________________________
RPD mailing list
<a class="moz-txt-link-abbreviated" href="mailto:RPD@afrinic.net">RPD@afrinic.net</a>
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/mailman/listinfo/rpd">https://lists.afrinic.net/mailman/listinfo/rpd</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">--
Mark James ELKINS - Posix Systems - (South) Africa
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: <a class="moz-txt-link-freetext" href="https://ftth.posix.co.za">https://ftth.posix.co.za</a>
Posix SystemsVCARD for MJ Elkins
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">_______________________________________________
RPD mailing list
<a class="moz-txt-link-abbreviated" href="mailto:RPD@afrinic.net">RPD@afrinic.net</a>
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/mailman/listinfo/rpd">https://lists.afrinic.net/mailman/listinfo/rpd</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
</blockquote>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
<br>
<img moz-do-not-send="false"
src="cid:part3.D49E0D29.7A0B0450@posix.co.za" alt="Posix
Systems" width="250" height="165"><img moz-do-not-send="false"
src="cid:part4.4C8CD2B9.1286FE6C@posix.co.za" alt="VCARD for
MJ Elkins" title="VCARD, Scan me please!" width="164"
height="164"><br>
</p>
</div>
</body>
</html>