This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/address-policy-wg@ripe.net/
[address-policy-wg] Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region)
Martin Millnert
millnert at gmail.com
Mon May 9 22:39:19 CEST 2011
On Mon, May 9, 2011 at 4:21 PM, Alex Band <alexb at ripe.net> wrote:
>
> On 9 May 2011, at 22:06, Sascha Luck wrote:
>
>> On Mon, May 09, 2011 at 10:01:14PM +0200, Sander Steffann wrote:
>>> I fully agree. Mind you, they could just as well just make a law that says
>>> "You may not route any packets to/from addresses that appear on list X" and we
>>> would have exactly the situation everyone seems to be afraid of, and it doesn't
>>> need RPKI. As soon as laws don't allow 'your network, your rules' anymore then
>>> anything can happen... But that is something that we'll have to steer through
>>> voting, not address policy :)
>>> - Sander
>>
>> Right now, this does *not* work effectively because the internet routes around such censorship attempts and there is no LEA that can reach *everyone* in the world. This policy proposal changes that.
>
> Again, it doesn't change that.
>
> Yes, it could potentially change that in some future where laws are changed, but right now revoking a certificate has no effect on routing whatsoever. In the way the system is designed, everything revolves around preferences. At the end of the day, it is up to the network operator to base a decision on the information that is available to him/her. Accepting an invalid prefix because of a revoked certificate is always an option, unless the law is changed in *every* country where this system is used.

Yeah, new laws, and regarding the Internet, has that ever happened? Oh wait. See block-lists in various countries.

> Reread Randy's post from just now where draft-ietf-sidr-origin-ops-07 is quoted.
>
> -Alex

RIPE NCC re-assigns resource R from ISP A to LEA L, and issues it a new resource certificate.
A does not use RPKI.
LEA L creates a ROA and starts announcing R.

In accordance with Randy's post, this means the *minimum* RPKI policy will impose the DDoS.

Kind Regards,
Martin
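Added example, not part of the original message or of any RIPE NCC code: the origin-validation states (as defined in RFC 6811) for the scenario described in the message above, before and after L's ROA exists. The prefix, AS numbers and the `PREFERENCE` ranking are constructed assumptions; whether a router acts on the state at all is local operator policy.

```python
import ipaddress
from collections import namedtuple

# All prefixes and AS numbers are constructed, taken from documentation ranges.
ROA = namedtuple("ROA", "prefix max_length asn")
Route = namedtuple("Route", "prefix origin_asn")

R = ipaddress.ip_network("192.0.2.0/24")   # resource R from the message
ISP_A, LEA_L = 64496, 64497                # origin ASNs standing in for A and L

def validate(route, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    covered = False
    for roa in roas:
        # A ROA covers the route if the ROA prefix contains the route prefix.
        same_family = route.prefix.version == roa.prefix.version
        if not same_family or not route.prefix.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.asn == route.origin_asn and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "notfound"

# Assumed local policy: rank routes by validation state.
# An operator may equally ignore the state, in which case nothing changes.
PREFERENCE = {"valid": 2, "notfound": 1, "invalid": 0}

def best_origin(routes, roas):
    """Origin AS selected by a router that applies PREFERENCE and nothing else."""
    return max(routes, key=lambda r: PREFERENCE[validate(r, roas)]).origin_asn

def scenario():
    route_a, route_l = Route(R, ISP_A), Route(R, LEA_L)
    before = []                       # A does not use RPKI: no ROA covers R
    after = [ROA(R, 24, LEA_L)]       # L creates a ROA for R
    return {
        "a_before": validate(route_a, before),
        "a_after": validate(route_a, after),
        "l_after": validate(route_l, after),
        "best_before": best_origin([route_a], before),
        "best_after": best_origin([route_a, route_l], after),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```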