This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-services-wg@ripe.net/
[ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
Sascha Luck
lists-ripe at c4inet.net
Mon May 20 16:48:51 CEST 2013
Sander,

On Mon, May 20, 2013 at 03:57:47PM +0200, Sander Steffann wrote:
>> i) whether these concerns are at least potentially valid (I am
>> convinced they are);

>The concerns are based on:
>a) the majority of network operators using
>rPKI and dropping unsigned or invalid routes

If this is not the case, rpki serves no useful (security) purpose and its implementation is pointless.

>b) legislators giving power to law enforcement so that they can
>force a Dutch entity (the RIPE NCC) to withdraw resources from
>its members

Wrong. The NCC must (and will, see Axel's recent message) comply with a court order or injunction. Possibly any court order from an EU member state, these are enforceable across borders, TTBOMK. Neither legislation nor law enforcement need be involved, it could be anyone (BREIN, GEMA, a pissed-off individual with money and lawyers) and the right judge. This does not even consider an attack from a non-legal actor, such as a compromised CA.

>c) legislators forcing network operators all over the world to keep
>doing (a) even in the event of abuse by law enforcement

Nobody needs to *force* operators to do anything, they will probably not even notice a route missing from a few hundred thousand or, indeed, care that TPB is no longer reachable unless someone complains loudly.

>show how to adjust local-pref based on rPKI while still accepting all
>routes. This is the network operator's choice!

True, but the security gain is nil to low if routes with invalid/non-existing ROAs aren't dropped. While some operators may use ROAs to adjust localpref, IMO the "lazy default" and most-widely used implementation will be "drop invalid/missing" and this is the case I base my argument on.

>The RIPE NCC will only comply with such requests if a Dutch Court order
>is served by a Dutch LEA, as well as a binding order from
>law-enforcement or regulatory authorities that are operating as
>required under Dutch criminal and administrative law (such as the
>Public Prosecution Department, the Police, the Fiscal Intelligence and
>Investigation Service).

The NCC will comply with a valid court order as prescribed by law, or the officers will go to jail for contempt until it does.

>If the Dutch legal system gets so bad that they require disproportional
>measures to be taken by the RIPE NCC then I think we have bigger issues
>and should move the RIPE NCC to a different country.

It already is (not just in .nl), please remember the various TPB-blocking orders served to ISPs in .nl, .ie, .uk and so on. Moving the NCC would have little effect unless it'd be to a non-EU jurisdiction. The only way to solve this would be to have a distributed trust-anchor in multiple jurisdictions, so that a single point of failure/attack does not exist. I've already indicated that I would support a RPKI policy if this requirement was met, but not until then.

>I see no need at this point to take other steps, as I don't see (a),
>(b) and (c) happen simultaneously. If your concerns should approach
>reality (laws enabling remote control of the RIPE NCC, laws enforcing a
>very specific usage of rPKI, etc) then we should take steps. Until
>there is evidence that those concerns are more than fear, uncertainty
>and doubt we should not act on them.

And unless you deign to take these concerns seriously and even *consider* steps to mitigate them, I will remain, in opposition,

your,
Sascha Luck