[db-wg] A test on AFRINIC range announcing without RIPE route object

On Wed, Jun 13, 2018 at 11:11:09AM +0000, Job Snijders via db-wg wrote:
>I am sympathetic, but RIPE has no obligation to keep a glaring
>security hole open to accommodate another RIR's lack of expedience.

There was a time when it would have been seen as the obligation
of any RIR to keep the internet running as smoothly as possible.
This boat seems to have sailed and not just in an internet
context. This paradigm shift mirrors one in general society as
well, where it has become acceptable to cause any amount of pain
and inconvenience to the general population in the name of
'security'...

Secondly, there is an unintended consequence to this, namely
that, if you make it impossible for a segment of resource holders
to register their routes properly, some transit providers and
IXPs will have no choice but to accept their advertisements
anyway without any filter. How that improves 'security', I don't
know.

IMO such actions should be delayed until there is a mechanism for
every resource holder to register their advertisements properly,
no matter where they are. Presumably this is something the RIRs
themselves could be pushing as they are coordinating among
themselves and with ICANN anyway.

rgds,
Sascha Luck

>
>As I mentioned at the microphone at the last DB-WG session, right now
>I can simply register ALL not-yet-registered IP space in the RIPE NCC
>database and in doing so lock out anyone else from making any
>registrations for non-RIPE-managed space. There is nothing in place to
>stop anyone from doing so, this would immediately fix the security
>problem. I hope this both illustrates the size of the security hole
>and the problem of any business process relying on the existence of
>the hole.
>
>Kind regards,
>
>Job
>