<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Precious<div class=""><br class=""></div><div class="">Could you please clarify which policy proposal you are referencing?</div><div class=""><br class=""></div><div class="">Your comment does not seem to apply to the Inter RIR Transfer policy.</div><div class=""><br class=""></div><div class="">May be an issue with running too many identities at the same time?</div><div class=""><br class=""></div><div class="">Mike<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 17 Sep 2020, at 12:30, Precious Paul <<a href="mailto:preciousq43@gmail.com" class="">preciousq43@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">This policy proposal is not the most expedient, as it could centralize the control of the internet, which generally speaking should be an absolutely free place to turn to. 
Therefore why would we allow to grow a risk for a potential overtake of the Government?<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; background-position: initial initial; background-repeat: initial initial;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">With that I strongly oppose this proposal.<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; background-position: initial initial; background-repeat: initial initial;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">I do not support this<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; background-position: initial initial; background-repeat: initial initial;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; 
background-position: initial initial; background-repeat: initial initial;" class="">Best Regards,<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 9.5pt; font-family: "Segoe UI", sans-serif; color: rgb(33, 37, 41); background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">Precious Paul</span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Sent from<span class="Apple-converted-space"> </span><a href="https://go.microsoft.com/fwlink/?LinkId=550986" style="color: blue; text-decoration: underline;" class="">Mail</a><span class="Apple-converted-space"> </span>for Windows 10</div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0cm 0cm;" class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; border: none; padding: 0cm;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b><a href="mailto:ahilefranc@gmail.com" style="color: blue; text-decoration: underline;" class="">Ahile shagba francis</a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Thursday, 17 September 2020 11:19 AM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b><a href="mailto:rpd@afrinic.net" style="color: blue; text-decoration: underline;" class="">rpd@afrinic.net</a><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>[rpd] IPv4 Inter RIR Resource Transfer (Comprehensive Scope)</div></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> 
</o:p></div><div class=""><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Let's look at it from another point,</div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">If it is the other region’s policy to be applied when the resources are transferred from that region, it is then glaring that this could cause many confusions.</div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">We don't need to support such.</div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Let's be guided.</div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">On Thu, Sep 17, 2020, 10:25 AM <<a href="mailto:rpd-request@afrinic.net" style="color: blue; text-decoration: underline;" class="">rpd-request@afrinic.net</a>> wrote:</div></div></div><div style="margin: 0cm 0cm 0cm 4.8pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Send RPD mailing list submissions to<br class=""> <span class="Apple-converted-space"> </span><a href="mailto:rpd@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">rpd@afrinic.net</a><br class=""><br class="">To subscribe or unsubscribe via the World Wide Web, visit<br class=""> <span class="Apple-converted-space"> </span><a href="https://lists.afrinic.net/mailman/listinfo/rpd" target="_blank" style="color: blue; text-decoration: underline;" 
class="">https://lists.afrinic.net/mailman/listinfo/rpd</a><br class="">or, via email, send a message with subject or body 'help' to<br class=""> <span class="Apple-converted-space"> </span><a href="mailto:rpd-request@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">rpd-request@afrinic.net</a><br class=""><br class="">You can reach the person managing the list at<br class=""> <span class="Apple-converted-space"> </span><a href="mailto:rpd-owner@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">rpd-owner@afrinic.net</a><br class=""><br class="">When replying, please edit your Subject line so it is more specific<br class="">than "Re: Contents of RPD digest..."<br class=""><br class=""><br class="">Today's Topics:<br class=""><br class=""> 1. Re: RPKI ROAs for Unallocated and Unassigned AFRINIC Address<br class=""> Space AFPUB-2019-GEN-006-DRAFT02 (Ben Maddison)<br class=""> 2. Re: RPKI ROAs for Unallocated and Unassigned AFRINIC Address<br class=""> Space AFPUB-2019-GEN-006-DRAFT02 (Patrick Okui)<br class=""><br class=""><br class="">----------------------------------------------------------------------<br class=""><br class="">Message: 1<br class="">Date: Thu, 17 Sep 2020 11:08:16 +0200<br class="">From: Ben Maddison <<a href="mailto:benm@workonline.africa" class="">benm@workonline.africa</a>><br class="">To: Mark Elkins <<a href="mailto:mje@posix.co.za" target="_blank" style="color: blue; text-decoration: underline;" class="">mje@posix.co.za</a>><br class="">Cc: Marius Andioc via RPD <<a href="mailto:rpd@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">rpd@afrinic.net</a>><br class="">Subject: Re: [rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC<br class=""> Address Space AFPUB-2019-GEN-006-DRAFT02<br class="">Message-ID: <20200917090816.nwkt44vwwjaun6wo@benm-laptop><br class="">Content-Type: text/plain; charset="utf-8"<br class=""><br class="">Hi 
all,<br class=""><br class="">I am currently undecided on this policy.<br class="">As others have pointed out, the objections to the proposal on the basis<br class="">of centralization of control are bogus: the current policy does not add<br class="">any additional control over the routing system beyond that which AFRINIC<br class="">already has as the result of RPKI origin validation deployment today.<br class=""><br class="">I agree with the fundamental basis of the proposal that:<br class="">a) it is generally undesirable to route traffic for bogon destinations;<br class=""> and<br class="">b) the RPKI is the best fit we have to securely communicate what is and<br class=""> isn't a bogon to relying parties in order to implement the necessary<br class=""> routing policy.<br class=""><br class="">However, it is also the case that the consequences (in terms of service<br class="">availability for end users) of a de-registration would be substantially<br class="">greater if the de-registration is accompanied by the issuance of an AS0<br class="">ROA for that address space.<br class=""><br class="">This is true for the following reasons:<br class="">- Non-RIR managed IRR databases exist that allow the creation of<br class=""> route(6) objects that are not covered by an RIR allocation<br class="">- Many networks do not filter by prefix based on IRR data at all<br class="">- Those that do generally do not filter their transits by prefix<br class="">- Transit-free networks generally do not filter their peers (or at least<br class=""> their transit-free peers) by prefix<br class=""><br class="">Thus, today, a de-registration probably results in a partial outage that<br class="">can be worked-around, rather than a near-total outage that cannot.<br class="">This is either a feature or a bug in the policy, depending on your point<br class="">of view regarding a specific de-registration case!<br class=""><br class="">I would suggest the following modifications, in order to 
alleviate some<br class="">of the risks inherent in the current draft:<br class="">1. The automatic creation of AS0 ROAs should be limited to space that<br class=""> has never been allocated by an RIR or part of a legacy allocation.<br class="">2. AFRINIC should require the explicit consent of the previous holder<br class=""> to issue AS0 ROAs in respect of re-claimed, returned, etc, space.<br class="">3. Any ROAs issued under this policy should be issued and published in<br class=""> a way that makes it operationally easy for a relying party to<br class=""> ignore them (probably by issuing under a separate TA)<br class=""><br class="">With the above amendments I would be inclined to support the proposal.<br class=""><br class="">Cheers,<br class=""><br class="">Ben<br class=""><br class="">On 09/17, Mark Elkins wrote:<br class="">> I support the RPKI ROA policy as written. I understand the technical aspects<br class="">> of the policy. I have a feeling that those objecting may not completely<br class="">> understand the technical aspects which is why they are objecting.<br class="">><span class="Apple-converted-space"> </span><br class="">> AFRINIC's job is to properly document the resources they have been provided<br class="">> by ICANN/IANA and this is simply part of the job. When new resources are<br class="">> provided to AFRINIC, they label it as such (AS0, etc). When it is then<br class="">> allocated/assigned to a member, the AS0 RPKI is removed. All this means is<br class="">> that the unallocated/unassigned resources that are with AFRINIC can be<br class="">> (optionally) identified as such and thus can not be easily misused by bad<br class="">> actors. 
This also means that when they are allocated/assigned to members,<br class="">> they are less likely to have been made "dirty".<br class="">><span class="Apple-converted-space"> </span><br class="">> On 2020/09/17 08:26, Ibeanusi Elvis wrote:<br class="">> > Dear all,<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > The AFRINIC as an organization specifically focuses on the registration<br class="">> > database and thereby having knowledge of where the prefix belongs to and<br class="">> > AFRINIC should just focus on this role and should not engage in<br class="">> > authenticating or the authorization of various services. If such rights<br class="">> > are given to any organization, they have the right to assign prefixes to<br class="">> > servers hence, having control of the routing database at which a<br class="">> > technical or human error will lead to an immense catastrophe to the<br class="">> > internet society. This control is basically the specific definition of<br class="">> > centralization. This centralization is the major reason why most<br class="">> > providers do not trust the Resource Public Key Infrastructure (RPKI). 
I<br class="">> > am still in opposition to this policy proposal.<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > Elvis.<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > On Thu, Sep 17, 2020 at 3:01 PM Darwin Costa <<a href="mailto:dc@darwincosta.com" target="_blank" style="color: blue; text-decoration: underline;" class="">dc@darwincosta.com</a><br class="">> > <mailto:<a href="mailto:dc@darwincosta.com" target="_blank" style="color: blue; text-decoration: underline;" class="">dc@darwincosta.com</a>>> wrote:<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > Cmon folks?.!<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > @Elvis, I really don't see your point here and also don't really<br class="">> > understand why are you opposing against this proposal.<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > As mentioned further on the thread - RPKI won't change Afrinic's<br class="">> > role at all?. 
Instead this proposal will certainly contribute to a<br class="">> > more secure routing advertisement.<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > As such, other RIR's have successfully implemented this in order<br class="">> > to protect our garden so called "The Internet".<br class="">> ><span class="Apple-converted-space"> </span><br class="">> > Darwin-.<br class="">> ><span class="Apple-converted-space"> </span><br class="">> ><span class="Apple-converted-space"> </span><br class="">> ><span class="Apple-converted-space"> </span><br class="">> > > On 17 Sep 2020, at 05:42, Fernando Frediani <<a href="mailto:fhfrediani@gmail.com" target="_blank" style="color: blue; text-decoration: underline;" class="">fhfrediani@gmail.com</a><br class="">> > > <mailto:<a href="mailto:fhfrediani@gmail.com" target="_blank" style="color: blue; text-decoration: underline;" class="">fhfrediani@gmail.com</a>>> wrote:<br class="">> > ><span class="Apple-converted-space"> </span><br class="">> > > I think there is a serious issue by some people totally<br class="">> > > misunderstanding what RPKI actually is.<br class="">> > ><span class="Apple-converted-space"> </span><br class="">> > > Some arguments saying something like 'Afrinic will centralize<br class="">> > > control of the internet and should not have such power' don't<br class="">> > > have relation to what this proposal intends and the reasons<br class="">> > > to oppose it are not tied to real possible problems pointed.<br class="">> > ><span class="Apple-converted-space"> </span><br class="">> > > This proposal only follows what have been done in APNIC and<br class="">> > > LACNIC and is a natural move to make an internet more secure and<br class="">> > > avoid organizations to use space that is not assigned to anyone else.<br class="">> > > Therefore I support this proposal.<br class="">> > ><span class="Apple-converted-space"> </span><br class="">> > > Fernando<br class="">> > ><span 
class="Apple-converted-space"> </span><br class="">> > > On 16/09/2020 20:42, Noah wrote:<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > On Thu, Sep 17, 2020 at 2:30 AM Ibeanusi Elvis<br class="">> > > > <<a href="mailto:ibeanusielvis@gmail.com" target="_blank" style="color: blue; text-decoration: underline;" class="">ibeanusielvis@gmail.com</a><span class="Apple-converted-space"> </span><mailto:<a href="mailto:ibeanusielvis@gmail.com" target="_blank" style="color: blue; text-decoration: underline;" class="">ibeanusielvis@gmail.com</a>>> wrote:<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > I am strongly in opposition to this RPKI ROA proposal,<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > You oppose yet....<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > ?issuing an AS0 for AFRINIC address space<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > You must be clear on which AFRINIC address space rather than<br class="">> > > > presenting a rather vague statement.<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > The proposal is very clear and explicit and the AFRINIC space in<br class="">> > > > question is that which has not yet been allocated or assigned to<br class="">> > > > any entity or resource member.<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > I will quote for you section 2.0 of the proposal as written below;<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > *2.0 Summary of how this proposal addresses the problem*<br class="">> > > > *<br class="">> > > > *This proposal instructs 
AFRINIC to create ROAs for all<br class="">> > > > *unallocated and unassigned address space under its control.*<br class="">> > > > This will enable networks performing RPKI-based BGP Origin<br class="">> > > > Validation to easily reject all the bogon announcements covering<br class="">> > > > resources managed by AFRINIC.<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > So what are you talking about?<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > Noah<br class="">> > > ><span class="Apple-converted-space"> </span><br class="">> > > > _______________________________________________<br class="">> > > > RPD mailing list<br class="">> > > > <a href="mailto:RPD@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">RPD@afrinic.net</a> <mailto:<a href="mailto:RPD@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">RPD@afrinic.net</a>><br class="">> > > > <a href="https://lists.afrinic.net/mailman/listinfo/rpd" target="_blank" style="color: blue; text-decoration: underline;" class="">https://lists.afrinic.net/mailman/listinfo/rpd</a><br class="">> ><span class="Apple-converted-space"> </span><br class="">> ><span class="Apple-converted-space"> </span><br class="">> > _______________________________________________<br class="">> > RPD mailing list<br class="">> ><span class="Apple-converted-space"> </span><a href="mailto:RPD@afrinic.net" target="_blank" 
style="color: blue; text-decoration: underline;" class="">RPD@afrinic.net</a><br class="">> ><span class="Apple-converted-space"> </span><a href="https://lists.afrinic.net/mailman/listinfo/rpd" target="_blank" style="color: blue; text-decoration: underline;" class="">https://lists.afrinic.net/mailman/listinfo/rpd</a><br class="">> --<span class="Apple-converted-space"> </span><br class="">><span class="Apple-converted-space"> </span><br class="">> Mark James ELKINS - Posix Systems - (South) Africa<br class="">><span class="Apple-converted-space"> </span><a href="http://mje@posix.co.za/????" target="_blank" style="color: blue; text-decoration: underline;" class="">mje@posix.co.za</a> Tel: +27.826010496 <<a href="tel:+27826010496" class="">tel:+27826010496</a>><br class="">> For fast, reliable, low cost Internet in ZA:<span class="Apple-converted-space"> </span><a href="https://ftth.posix.co.za/" target="_blank" style="color: blue; text-decoration: underline;" class="">https://ftth.posix.co.za</a><br class="">><span class="Apple-converted-space"> </span><br class="">> Posix SystemsVCARD for MJ Elkins<br class="">><span class="Apple-converted-space"> </span><br class=""><br class="">> _______________________________________________<br class="">> RPD mailing list<br class="">><span class="Apple-converted-space"> </span><a href="mailto:RPD@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">RPD@afrinic.net</a><br class="">><span class="Apple-converted-space"> </span><a href="https://lists.afrinic.net/mailman/listinfo/rpd" target="_blank" style="color: blue; text-decoration: underline;" class="">https://lists.afrinic.net/mailman/listinfo/rpd</a><br class=""><br class="">-------------- next part --------------<br class="">A non-text attachment was scrubbed...<br class="">Name: signature.asc<br class="">Type: application/pgp-signature<br class="">Size: 833 bytes<br class="">Desc: not available<br class="">URL: <<a 
href="https://lists.afrinic.net/pipermail/rpd/attachments/20200917/77e69095/attachment-0001.sig" target="_blank" style="color: blue; text-decoration: underline;" class="">https://lists.afrinic.net/pipermail/rpd/attachments/20200917/77e69095/attachment-0001.sig</a>><br class=""><br class="">------------------------------<br class=""><br class="">Message: 2<br class="">Date: Thu, 17 Sep 2020 12:24:06 +0300<br class="">From: "Patrick Okui" <<a href="mailto:pokui@psg.com" target="_blank" style="color: blue; text-decoration: underline;" class="">pokui@psg.com</a>><br class="">To: "Ibeanusi Elvis" <<a href="mailto:ibeanusielvis@gmail.com" target="_blank" style="color: blue; text-decoration: underline;" class="">ibeanusielvis@gmail.com</a>><br class="">Cc: Marius Andioc via RPD <<a href="mailto:rpd@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">rpd@afrinic.net</a>><br class="">Subject: Re: [rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC<br class=""> Address Space AFPUB-2019-GEN-006-DRAFT02<br class="">Message-ID: <<a href="mailto:91E9F948-7128-4E24-903B-2033484E1DC3@psg.com" target="_blank" style="color: blue; text-decoration: underline;" class="">91E9F948-7128-4E24-903B-2033484E1DC3@psg.com</a>><br class="">Content-Type: text/plain; charset="utf-8"; Format="flowed"<br class=""><br class="">Dear Elvis,<br class=""><br class="">Thanks for speaking up and clarifying this viewpoint. Much as your<span class="Apple-converted-space"> </span><br class="">concerns<br class="">aren't directly connected to this proposal but to RPKI in general I<span class="Apple-converted-space"> </span><br class="">think<br class="">they're shared by many and worth addressing. 
(No I'm not one of the<span class="Apple-converted-space"> </span><br class="">authors of<br class="">this proposal).<br class=""><br class="">To have a mutual understanding (or agreement to disagree) we need to<span class="Apple-converted-space"> </span><br class="">iron out a<br class="">few points. Apologies for the long email that doesn't discuss the<span class="Apple-converted-space"> </span><br class="">policy<br class="">itself.<br class=""><br class="">1. Allocation of IP addresses (and other resources) is in your words<br class=""> _"centralised"_. I prefer the word "hierarchal". I.E IANA<span class="Apple-converted-space"> </span><br class="">has the global pool<br class=""> of IP(v4 & v6) addresses. It then hands it out to RIRs like<span class="Apple-converted-space"> </span><br class="">AFRINIC. LIRS like<br class=""> ISPs then apply from the RIR. End users either get allocated<span class="Apple-converted-space"> </span><br class="">address space out<br class=""> of the LIR pool or can get addresses directly from the RIR and get<span class="Apple-converted-space"> </span><br class="">those<br class=""> routed. So, AFRINIC (and other RIRs) are not responsible to<span class="Apple-converted-space"> </span><br class="">allocate IP<br class=""> addresses to servers, but you can't allocate a public IP address<span class="Apple-converted-space"> </span><br class="">to a server<br class=""> without somehow following this chain. Kindly confirm if you're<span class="Apple-converted-space"> </span><br class="">fine with this<br class=""> state of affairs.<br class=""><br class="">2. I see you're using a gmail address and you used the web interface<span class="Apple-converted-space"> </span><br class="">to compose<br class=""> your email. To do that your browser used SSL. The system that lets<span class="Apple-converted-space"> </span><br class="">SSL work is<br class=""> the X509 certificate system. 
This is another _"centralised"_ or<span class="Apple-converted-space"> </span><br class="">hierarchal<br class=""> system. Your browser or OS has a set of root trust information<span class="Apple-converted-space"> </span><br class="">(CA's). These<br class=""> CAs can create "signatures" (crypto information) that says that<span class="Apple-converted-space"> </span><br class="">a particular<br class=""> key XYZ is allowed to secure a domain (e.g<span class="Apple-converted-space"> </span><a href="http://gmail.com/" target="_blank" style="color: blue; text-decoration: underline;" class="">gmail.com</a>). They also<span class="Apple-converted-space"> </span><br class="">can create<br class=""> signatures that say a key ABC can also create signatures like their<span class="Apple-converted-space"> </span><br class="">own. In<br class=""> this case, gmail could choose to go to whoever runs ABC to get their<span class="Apple-converted-space"> </span><br class="">X509<br class=""> certificate instead of to any of the roots themselves. Your browser<span class="Apple-converted-space"> </span><br class="">is able to<br class=""> follow the chain of trust. Note that x509 aka SSL has methods by<span class="Apple-converted-space"> </span><br class="">which CAs can<br class=""> publish crypto information that revokes previously assigned<span class="Apple-converted-space"> </span><br class="">certificates if<br class=""> they were allocated in error. Please also confirm if this is<span class="Apple-converted-space"> </span><br class="">something you're<br class=""> fine with.<br class=""><br class="">3. RPKI technically isn't just for ROA validation. It is just another<span class="Apple-converted-space"> </span><br class="">public<br class=""> key infrastructure with *hierarchy* (you prefer the term<span class="Apple-converted-space"> </span><br class="">centralised). It also<br class=""> (like x509) requires some sort of root anchor or anchors. 
These are<span class="Apple-converted-space"> </span><br class="">what are<br class=""> installed in each client that wants to verify any of the crypto<span class="Apple-converted-space"> </span><br class="">information in<br class=""> the system. This isn't new, DNSSEC works the same way. Once you<span class="Apple-converted-space"> </span><br class="">have well<br class=""> known/established roots each of these systems (DNSSEC, RPKI) have<span class="Apple-converted-space"> </span><br class="">ways to<br class=""> delegate authority for some information to the holder of a<span class="Apple-converted-space"> </span><br class="">different public<br class=""> key. And this goes down the chain. The decision of who the root<span class="Apple-converted-space"> </span><br class="">anchors for<br class=""> RPKI was debated on public lists like these and finally at the NRO<span class="Apple-converted-space"> </span><br class="">it was<br class=""> agreed that the easiest and cleanest solution was for all RIRs to<span class="Apple-converted-space"> </span><br class="">have a root<br class=""> 0/0 anchor. All RPKI validator clients simply have these anchors<span class="Apple-converted-space"> </span><br class="">configured and<br class=""> can therefore validate all crypto in the RPKI system.<br class=""><br class="">Kindly confirm if we're on the same page (at least via understanding)<span class="Apple-converted-space"> </span><br class="">of these<br class="">three long points. Effectively the RPKI system in my opinion is more<br class="">trustworthy than the x509 one that secures the SSL you used to write<span class="Apple-converted-space"> </span><br class="">your<br class="">email. If you look at your OS/browser there are quite a number of root<span class="Apple-converted-space"> </span><br class="">CAs<br class="">there that given the choice I personally wouldn't trust.<br class=""><br class="">Just like DNS, all these systems need hierarchy to operate. 
It is not<span class="Apple-converted-space"> </span><br class="">logical<br class="">to say you trust x509 (SSL) but not RPKI. Or that you're fine using<span class="Apple-converted-space"> </span><br class="">the<br class="">internet with its allocation of IP but do not want to secure those<span class="Apple-converted-space"> </span><br class="">allocations<br class="">with a system that follows that same hierarchy. Note that we haven't<span class="Apple-converted-space"> </span><br class="">even<br class="">discussed the fact that publishing ROA information in RPKI is optional<span class="Apple-converted-space"> </span><br class="">for ISPs<br class="">and end users. We're just discussing the trust hierarchy.<br class=""><br class="">On 17 Sep 2020, at 9:26 EAT, Ibeanusi Elvis wrote:<br class=""><br class="">> Dear all,<br class="">><br class="">> The AFRINIC as an organization specifically focuses on the<span class="Apple-converted-space"> </span><br class="">> registration database and thereby having knowledge of where the prefix<span class="Apple-converted-space"> </span><br class="">> belongs to and AFRINIC should just focus on this role and should not<span class="Apple-converted-space"> </span><br class="">> engage in authenticating or the authorization of various services. 
If<span class="Apple-converted-space"> </span><br class="">> such rights are given to any organization, they have the right to<span class="Apple-converted-space"> </span><br class="">> assign prefixes to servers hence, having control of the routing<span class="Apple-converted-space"> </span><br class="">> database at which a technical or human error will lead to an immense<span class="Apple-converted-space"> </span><br class="">> catastrophe to the internet society.<br class="">> This control is basically the specific definition of centralization.<span class="Apple-converted-space"> </span><br class="">> This centralization is the major reason why most providers do not<span class="Apple-converted-space"> </span><br class="">> trust the Resource Public Key Infrastructure (RPKI). I am still in<span class="Apple-converted-space"> </span><br class="">> opposition to this policy proposal.<br class="">><br class="">> Elvis.<br class="">><br class="">> On Thu, Sep 17, 2020 at 3:01 PM Darwin Costa <<a href="mailto:dc@darwincosta.com" target="_blank" style="color: blue; text-decoration: underline;" class="">dc@darwincosta.com</a>><span class="Apple-converted-space"> </span><br class="">> wrote:<br class="">><br class="">>> Cmon folks....!<br class="">>><br class="">>> @Elvis, I really don't see your point here and also don't really<br class="">>> understand why are you opposing against this proposal.<br class="">>><br class="">>> As mentioned further on the thread - RPKI won't change Afrinic's<span class="Apple-converted-space"> </span><br class="">>> role at<br class="">>> all.... 
Instead this proposal will certainly contribute to a more<span class="Apple-converted-space"> </span><br class="">>> secure<br class="">>> routing advertisement.<br class="">>><br class="">>> As such, other RIR's have successfully implemented this in order to<br class="">>> protect our garden so called "The Internet".<br class="">>><br class="">>> Darwin-.<br class="">>><br class="">>><br class="">>><br class="">>> On 17 Sep 2020, at 05:42, Fernando Frediani <<a href="mailto:fhfrediani@gmail.com" target="_blank" style="color: blue; text-decoration: underline;" class="">fhfrediani@gmail.com</a>><span class="Apple-converted-space"> </span><br class="">>> wrote:<br class="">>><br class="">>> I think there is a serious issue by some people totally<span class="Apple-converted-space"> </span><br class="">>> misunderstanding<br class="">>> what RPKI actually is.<br class="">>><br class="">>> Some arguments saying something like 'Afrinic will centralize control<span class="Apple-converted-space"> </span><br class="">>> of<br class="">>> the internet and should not have such power' don't have relation to<span class="Apple-converted-space"> </span><br class="">>> what<br class="">>> this proposal intends and the reasons to oppose it are not tied<span class="Apple-converted-space"> </span><br class="">>> to<br class="">>> real possible problems pointed.<br class="">>><br class="">>> This proposal only follows what have been done in APNIC and LACNIC<span class="Apple-converted-space"> </span><br class="">>> and is<br class="">>> a natural move to make an internet more secure and avoid<span class="Apple-converted-space"> </span><br class="">>> organizations to<br class="">>> use space that is not assigned to anyone else.<br class="">>> Therefore I support this proposal.<br class="">>><br class="">>> Fernando<br class="">>> On 16/09/2020 20:42, Noah wrote:<br class="">>><br class="">>><br class="">>> On Thu, Sep 17, 2020 at 2:30 AM Ibeanusi Elvis<span class="Apple-converted-space"> </span><br class="">>> <<a href="mailto:ibeanusielvis@gmail.com" target="_blank" style="color: blue; text-decoration: underline;" class="">ibeanusielvis@gmail.com</a>><br class="">>> wrote:<br class="">>><br class="">>>><br class="">>>> I am strongly in opposition to this RPKI ROA proposal,<br class="">>>><br class="">>><br class="">>> You oppose yet....<br class="">>><br class="">>><br class="">>>> issuing an AS0 for AFRINIC address space<br class="">>>><br class="">>><br class="">>> You must be clear on which AFRINIC address space rather than<span class="Apple-converted-space"> </span><br class="">>> presenting a<br class="">>> rather vague statement.<br class="">>><br class="">>>
The proposal is very clear and explicit and the AFRINIC space in<span class="Apple-converted-space"> </span><br class="">>> question<br class="">>> is that which has not yet been allocated or assigned to any entity or<br class="">>> resource member.<br class="">>><br class="">>> I will quote for you section 2.0 of the proposal as written below;<br class="">>><br class="">>> *2.0 Summary of how this proposal addresses the problem*<br class="">>><br class="">>> This proposal instructs AFRINIC to create ROAs for all *unallocated<span class="Apple-converted-space"> </span><br class="">>> and<br class="">>> unassigned address space under its control.* This will enable<span class="Apple-converted-space"> </span><br class="">>> networks<br class="">>> performing RPKI-based BGP Origin Validation to easily reject all the<span class="Apple-converted-space"> </span><br class="">>> bogon<br class="">>> announcements covering resources managed by AFRINIC.<br class="">>><br class="">>> So what are you talking about?<br class="">>><br class="">>> Noah<br class="">>><br class="">>><br class="">>> _______________________________________________<br class="">>> RPD mailing list<br class="">>> <a href="mailto:RPD@afrinic.net" target="_blank" style="color: blue; text-decoration: underline;" class="">RPD@afrinic.net</a><br class="">>> <a href="https://lists.afrinic.net/mailman/listinfo/rpd" target="_blank" style="color: blue; text-decoration: underline;" class="">https://lists.afrinic.net/mailman/listinfo/rpd</a><br class="">>><br class=""><br class=""><br class="">--<br class="">patrick<br class=""><br class="">------------------------------<br class=""><br class="">End of RPD Digest, Vol 168, Issue 82<br class="">************************************</div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div></blockquote></div><br class=""></div></body></html>