[ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)

Sander,

On Mon, May 20, 2013 at 03:57:47PM +0200, Sander Steffann wrote:
>> i) whether these concerns are at least potentially valid (I am
>> convinced they are);
>The concerns are based on: 
>a) the majority of network operators using
>rPKI and dropping unsigned or invalid routes 

If this is not the case, rpki serves no useful (security) purpose and
its implementation is pointless.

>b) legislators giving power to law enforcement so that they can 
>force a Dutch entity (the RIPE NCC) to withdraw resources from 
>its members 

Wrong. The NCC must (and will, see Axel's recent message) comply with a
court order or injunction. Possibly any court order from an EU member
state, these are enforceable across borders, TTBOMK.
Neither legislation nor law enforcement need be involved, it could be
anyone (BREIN, GEMA, a pissed-off individual with money and lawyers)
and the right judge.
This does not even consider an attack from a non-legal actor, such as a
compromised CA. 

>c) legislators forcing network operators all over the world to keep 
>doing (a) even in the event of abuse by law enforcement

Nobody needs to *force* operators to do anything, they will probably not
even notice a route missing from a few hundred thousand or, indeed, care
that TPB is no longer reachable unless someone complains loudly. 

>show how to adjust local-pref based on rPKI while still accepting all
>routes. This is the network operator's choice!

True, but the security gain is nil to low if routes with invalid/
non-existing  ROAs aren't dropped. 
While some operators may use ROAs to adjust localpref, IMO the "lazy
default" and most-widely used implementation will be "drop
invalid/missing" and this is the case I base my argument on. 


>The RIPE NCC will only comply with such requests if a Dutch Court order
>is served by a Dutch LEA, as well as a binding order from
>law-enforcement or regulatory authorities that are operating as
>required under Dutch criminal and administrative law (such as the
>Public Prosecution Department, the Police, the Fiscal Intelligence and
>Investigation Service).

The NCC will comply with a valid court order as prescribed by law, or
the officers will go to jail for contempt until it does.

>If the Dutch legal system gets so bad that they require disproportional
>measures to be taken by the RIPE NCC then I think we have bigger issues
>and should move the RIPE NCC to a different country.

It already is (not just in .nl), please remember the various TPB-blocking
orders served to ISPs in .nl, .ie, .uk and so on. 
Moving the NCC would have little effect unless it'd be to a non-EU
jurisdiction. 
The only way to solve this would be to have a distributed trust-anchor
in multiple jurisdictions, so that a single point of failure/attack does
not exist. I've already indicated that I would support a RPKI policy if
this requirement was met, but not until then.

>I see no need at this point to take other steps, as I don't see (a),
>(b) and (c) happen simultaneously. If your concerns should approach
>reality (laws enabling remote control of the RIPE NCC, laws enforcing a
>very specific usage of rPKI, etc) then we should take steps. Until
>there is evidence that those concerns are more than fear, uncertainty
>and doubt we should not act on them.

And unless you deign to take these concerns seriously and even
*consider* steps to mitigate them, I will remain, in opposition,

your,

Sascha Luck