This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/address-policy-wg@ripe.net/
[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
- Previous message (by thread): [address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
- Next message (by thread): [address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Martin Millnert
millnert at gmail.com
Thu May 5 02:48:07 CEST 2011
Hi John, On Wed, May 4, 2011 at 7:19 PM, John Curran <jcurran at arin.net> wrote: > On May 4, 2011, at 6:40 PM, Martin Millnert wrote: >> >> It's already been said that in order to get the desired use out RPKI >> in terms of preventing youtube hijacking, a network is required to >> configure its RPKI-policies strictly. >> >> Thus, an abuse of the network's CA will then also possibly affect >> peers of this network, who may themselves not use RPKI for any number >> of reasons. > > I understand how it would impact the network which has decided to make > use of strict RPKI-based route validation (and therefore the network's > customers by extension), but can you explain how it would otherwise > effect that network's peers? I'm glad you understand there is a risk an abuse of "RPKI" can have significant effects on the internet, since no doubt you are aware of "Tier 1" internet transit providers. I used the term "peer" in the general meaning, not applying any special significance to what kind of route or monetary exchange occurs using it. > I am again left trying to understand how the use of RPKI technology for > route assurance affects the networks of those who don't use it (other > than in the normal manner that all the routing technology is relied on) Nonetheless, I can illustrate it realistically for you, in an example using clear present-day industry terms: Network A is a transit customer of tier-1 network B. Network C and D are transit customers of tier-1 network E. Network C is exchanging full table with A, without any monetary exchange. Network B and E are exchanging full table with each other, also without any monetary exchange (they are tier-1). Network D announces prefix 1 to E. Transit provider E, being a very large company, has after some government pressure decided to enable strict RPKI filtering because of some tax breaks it received for doing so. It did not wish to enable it otherwise, because of some strong internal voices. But money speaks. Network E's CA is called Z. Prefix 1 is now suddenly removed from Z, after pressure on Z from unidentified entity X. Network E consequently ceases to forward prefix 1 to their non-paying peer network, B, and their other customer C. As a result, A, B, C, E all now have no way to reach D's prefix 1: this internet has now been partitioned, by unidentified entity X. Only a single network, E, implemented strict filtering of RPKI, yet A, not being a customer of E, lost access to 1, and all involved hardware is still functional. Unidentified entity X did not have to communicate with E at all. Kind Regards, Martin
- Previous message (by thread): [address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
- Next message (by thread): [address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]