[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call

Hi John,

On Wed, May 4, 2011 at 5:58 PM, John Curran <jcurran at arin.net> wrote:
> On May 4, 2011, at 5:33 PM, Martin Millnert wrote:
>
>> At the same time, I think the data already existing in for example
>> RIPE's whois database and present technology is sufficient for the
>> validation of customer and peer route announcements.
>
> It's likely that many feel that way, but there appears that there are
> also folks who wish to have an additional form of validation via RPKI.

That is fine, modulo the implementation of RPKI.

>> A good solution, I believe, to this question lies not in an external
>> party declaring who's the holder or not of a prefix, but the holder of
>> the prefix itself.
>
> Are you saying that those who wish to make use of RPKI should not be
> able to, even if that's their choice of technology and yours is a more
> "multi-source peer based policy" choice?

If the proposal involves a central point of authority with the ability
to revoke resources from a holder, or otherwise change, I do not wish
this system implemented, no. Especially not if the central authority
is a RIR, in this case RIPE. More on why below.

>> Following the analogy, no central authority would be able to take my
>> stone away from me - that would be theft. Also, no central authority
>> is able to take the power to speak away from individuals in a room
>> full of stone-holding people.
>
> ... but apparently *would* be able to specify that no one may use
> RPKI even if that is someone else's particular preferred technology
> for securing their own stones?

No, that's not correct.  One can not know, but one can imagine that a
successful resource registry would be one where *only* the resource
owner itself has the rights to register or de-register its resources.
This is key, as is the resource-owning concept in this model -- there
is no database which can be rewritten, somehow magically taking away
someone's stone.

> A statement that an RIR shall not
> support RPKI for the resources in its database is equivalent to
> deciding "no" on behalf those who want to make use of the optional
> service, correct?

Yeah, that seems correct.

> I understand concerns regarding cost or risk for an RIR considering
> RPKI (and in the ARIN region these are presently actively under
> consideration) and questions about return on investment also seem
> reasonable (since you can't support everything, and need to make
> sure you prioritize to services that will be actively used by the
> community),

These are aspects I myself do not consider nearly as important as the
greater Internet architecture aspect of these services.

> but this is first time I've heard an argument to the
> effect that simply offering the RPKI service will harm those not
> using it, and I really want to understand since that's not likely
> to be an effect specific to any one region.

Right.  The proliferation of any system which uses single authorities
(the RIR:s databases) to form routing decisions exposes itself for
abuse, more so the more it is proliferated. All it does is require a
change of the database for the abuse to occur, obviously, which very
likely would affect not only the users who have chosen to opt-in to
this system, but also those who have not.

It's already been said that in order to get the desired use out RPKI
in terms of preventing youtube hijacking, a network is required to
configure its RPKI-policies strictly.

Thus, an abuse of the network's CA will then also possibly affect
peers of this network, who may themselves not use RPKI for any number
of reasons.

If RPKI proliferates significantly, to the point where carriers start
requiring signed resources from their customers, the abuse exposure of
the single CA increases much, much more. I claim that the abuse risk
exposure grows with the number of networks its removal or change of a
resource can affect. (Not only revocation is a concern, but
rewrite-to-other, for example, as well)


Kind Regards,
Martin