<html><head></head><body><div class="ydp90a14a57yahoo-style-wrap" style="font-family: courier new, courier, monaco, monospace, sans-serif; font-size: 16px;"><div><div dir="ltr" data-setdir="false">That's correct, you said it all</div><div><br></div><div class="ydp90a14a57signature"><div style="font-family:courier, monaco, monospace, sans-serif;font-size:16px;"><span><div style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;background:white;"><span lang="FR" style="font-size:12.0pt;color:#212121;"><br></span></div><div style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;background:white;"><span lang="FR" style="font-size:12.0pt;color:#212121;">Best regards</span></div><p class="ydp11326a05MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;background:white;"><span style="font-size:12.0pt;font-family:Courier;color:#212121;"></span></p>
<p class="ydp11326a05MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;background:white;"><span style="font-size:13.5pt;font-family:Courier;color:#212121;">Henry </span><span style="font-size:12.0pt;font-family:Courier;color:#212121;"></span></p></span><br></div></div></div>
<div><br></div><div><br></div>
</div><div id="ydp220a06e0yahoo_quoted_2603772883" class="ydp220a06e0yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Thursday, January 28, 2021, 01:56:18 PM GMT+1, Fernando Frediani &lt;fhfrediani@gmail.com&gt; wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">Very good email Frank!<br clear="none">That's it. It is a tool and people looking after routing in <br clear="none">organizations are free to use it or not.<br clear="none"><br clear="none">I encourage everyone, especially those who feared and objected to this <br clear="none">proposal to read carefully the message below in order to understand the <br clear="none">difference.<br clear="none"><br clear="none">Regards<br clear="none">Fernando<br clear="none"><br clear="none">On 28/01/2021 03:10, Frank Habicht wrote:<br clear="none">> Hi,<br clear="none">><br clear="none">> in my opinion AfriNIC is providing a tool here. RPKI.<br clear="none">><br clear="none">> Where "owners" of IP address space can publish statements about which<br clear="none">> ASNs are allowed to originate advertisements of a given address space<br clear="none">> (or subnets). These statements are organised so that computers and<br clear="none">> routers can confirm authenticity of the statement - with a certificate<br clear="none">> chain from a trust anchor.<br clear="none">><br clear="none">> That's the tool.<br clear="none">><br clear="none">> Network engineers *can* use the *tool* then to make routing decisions.<br clear="none">> One of the things that is generally considered useful among network<br clear="none">> engineers is the decision to refuse/drop all advertisements that<br clear="none">> correspond to "INVALID" RPKI information.<br clear="none">><br clear="none">> That's the network engineer's decision. Not AfriNIC's.<br clear="none">><br clear="none">> All of the above is the status quo. Existing now.<br clear="none">><br clear="none">> Like some others I'm responsible for some IP space.<br clear="none">> Some of this is IXP peering LANs [unnecessary detail] and I want<br clear="none">> everyone to know that this should never be advertised and seen on the<br clear="none">> Internet. 
Also through RPKI.<br clear="none">><br clear="none">> So I published a ROA with AS0.<br clear="none">> So everyone who wants their routers to make routing decisions based on<br clear="none">> RPKI data will also get this information from me that 196.223.5.0/24<br clear="none">> should not be accepted.<br clear="none">><br clear="none">> Now:<br clear="none">><br clear="none">> AfriNIC is also responsible for some address space.<br clear="none">> We know from experience that address space held at RIRs is sometimes<br clear="none">> advertised and used by spammers and other "bad actors".<br clear="none">> I don't want this to happen that easily.<br clear="none">><br clear="none">> Why should AfriNIC not have the ability to publish information in a tool?<br clear="none">> The routing decisions are with the network engineers.<br clear="none">> If they want (yes, not scalable) they could tell the routers to first<br clear="none">> accept a certain prefix, and then apply RPKI filtering - not sure why<br clear="none">> anyone would do that, but technically possible.<br clear="none">><br clear="none">> There could also be tweaks applied in the validators.<br clear="none">><br clear="none">> We could also ask AfriNIC to publish the ROAs for AfriNIC-held IPs with<br clear="none">> AS0 under a separate trust anchor. We could even leave that decision to<br clear="none">> AfriNIC staff - ie we allow them to do any of these two options.<br clear="none">><br clear="none">> In that case the network engineers can make the informed decision<br clear="none">> whether to use the second trust anchor or not.<br clear="none">><br clear="none">> Still: AfriNIC would be publishing information in a tool. 
Like I am<br clear="none">> publishing information in the same tool.<br clear="none">><br clear="none">> Routing decisions are made by the network engineers.<br clear="none">> I believe that many would like to have that information in RPKI so that<br clear="none">> they can automatically reject advertisements of 196.216.0.0/24<br clear="none">><br clear="none">> And what changes?<br clear="none">> before: network engineers decide to not accept routing information where<br clear="none">> the holder of the address space stated that it should not be seen on the<br clear="none">> internet<br clear="none">> after this policy: network engineers decide to not accept routing<br clear="none">> information where the holder of the address space stated that it should<br clear="none">> not be seen on the internet<br clear="none">><br clear="none">> I believe AfriNIC have a responsibility to use the tool to avoid<br clear="none">> spamming and abuse through "misoriginations" of IP address space that<br clear="none">> AfriNIC is responsible for.<br clear="none">><br clear="none">> PS: disputes.<br clear="none">> In case there is a dispute about address space, AfriNIC already have the<br clear="none">> same kind of control over IRR data like route objects.<br clear="none">> The root cause is the dispute and it needs to get resolved - not the<br clear="none">> publishing of information in a tool.<br clear="none">><br clear="none">><br clear="none">> Thanks,<br clear="none">> Frank<br clear="none">> co-author<br clear="none">><br clear="none">><br clear="none">> On 27/01/2021 17:47, Anthony Ubah wrote:<br clear="none">>> Hello Jordi,<br clear="none">>><br clear="none">>> This is not an opt-in service; this is created as an additional element<br clear="none">>> in the RPKI service and forcefully asks the operator (who accepts the<br clear="none">>> RPKI) to accept it. 
Taking RPKI as an opt-in service, and claiming the<br clear="none">>> element you have added here, are already part of that opt-in service.<br clear="none">>> When the operator accepts it then, it would be misguiding as they may<br clear="none">>> not admit such additional elements. However, they have no choice if this<br clear="none">>> policy passes, so this is a valid objection and a critical one.<br clear="none">>><br clear="none">>> The very fundamental principle which I believe you fail to understand<br clear="none">>> (and the most crucial objection) is that we do not want to get AFRINIC<br clear="none">>> involved in routing. This is an ideological difference, and this is no<br clear="none">>> way to address it.<br clear="none">>><br clear="none">>> *This is the very first policy to ask an RIR to proactively inject data<br clear="none">>> into routing (something that was never done before), and this also goes<br clear="none">>> beyond what we believe an RIR should be, simply offering a registration<br clear="none">>> service, and if you think otherwise, that is entirely up to you. This<br clear="none">>> would then constitute an ideological difference, and there is no<br clear="none">>> acceptable way you can address it. This is also why this policy does not<br clear="none">>> have consensus because forcing an ideology on others that fundamentally<br clear="none">>> disagree with you is not how PDP works, regardless of how many appeals<br clear="none">>> filed. 
Lastly, an ideological difference is the very definition of<br clear="none">>> nonconsensus.*<br clear="none">>><br clear="none">>> *Best Regards,*<br clear="none">>><br clear="none">>> *UBAH ANTHONY *<br clear="none">>><br clear="none">>><br clear="none">> _______________________________________________<br clear="none">> RPD mailing list<br clear="none">> <a shape="rect" href="mailto:RPD@afrinic.net" rel="nofollow" target="_blank">RPD@afrinic.net</a><br clear="none">> <a shape="rect" href="https://lists.afrinic.net/mailman/listinfo/rpd" rel="nofollow" target="_blank">https://lists.afrinic.net/mailman/listinfo/rpd</a><div class="ydp220a06e0yqt0970195306" id="ydp220a06e0yqtfd92524"></div></div></div>
</div>
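<div>Added example, not part of any message in this thread: a minimal Python sketch of route origin validation (RFC 6811) showing how an AS0 ROA makes every announcement of a covered prefix INVALID, and how loading or not loading a second trust anchor changes the outcome. The VRP table, the trust-anchor label afrinic-as0, the prefix 192.0.2.0/24 and the AS numbers 64496 and 64500 are constructed for illustration; whether to drop INVALID routes remains the operator's import policy.</div>
<pre>
```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, maxLength, origin ASN),
# grouped by the trust anchor they were validated under.
# "afrinic-as0" is a hypothetical label for the separate trust anchor option.
VRPS = {
    "afrinic": [
        ("196.223.5.0/24", 24, 0),      # AS0 ROA published by the prefix holder
        ("192.0.2.0/24", 24, 64500),    # ordinary ROA (documentation values)
    ],
    "afrinic-as0": [
        ("196.216.0.0/24", 24, 0),      # AS0 ROA for RIR-held space
    ],
}


def validate(prefix, origin_asn, trust_anchors):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for anchor in trust_anchors:
        for roa_prefix, max_len, asn in VRPS[anchor]:
            roa_net = ipaddress.ip_network(roa_prefix)
            if route.version != roa_net.version or not route.subnet_of(roa_net):
                continue                 # this VRP does not cover the route
            covered = True
            # AS0 can never match a route origin (RFC 6483, RFC 6811), so an
            # AS0 VRP only ever contributes to an 'invalid' result.
            if asn != 0 and asn == origin_asn and max_len >= route.prefixlen:
                return "valid"
    return "invalid" if covered else "not-found"


def import_policy(prefix, origin_asn, trust_anchors):
    """Operator's local choice: drop INVALID, accept valid and not-found."""
    state = validate(prefix, origin_asn, trust_anchors)
    return "drop" if state == "invalid" else "accept"


if __name__ == "__main__":
    for anchors in (["afrinic"], ["afrinic", "afrinic-as0"]):
        for pfx in ("196.223.5.0/24", "196.216.0.0/24"):
            print(anchors, pfx, import_policy(pfx, 64496, anchors))
```
</pre>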
</div></body></html>