This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
Sander Steffann
sander at steffann.nl
Mon May 20 16:57:33 CEST 2013
Hi,

>>> i) whether these concerns are at least potentially valid (I am
>>> convinced they are);
>> The concerns are based on: a) the majority of network operators using
>> rPKI and dropping unsigned or invalid routes
>
> If this is not the case, rpki serves no useful (security) purpose and
> its implementation is pointless.

Incorrect: rPKI can serve as a warning system, it can be used to adjust local-prefs and other local policy decisions. Not just for dropping or ignoring routes.

>> b) legislators giving power to law enforcement so that they can force a Dutch entity (the RIPE NCC) to withdraw resources from its members
>
> Wrong. The NCC must (and will, see Axel's recent message) comply with a
> court order or injunction. Possibly any court order from an EU member
> state, these are enforceable across borders, TTBOMK.
> Neither legislation nor law enforcement need be involved, it could be
> anyone (BREIN, GEMA, a pissed-off individual with money and lawyers)
> and the right judge.
> This does not even consider an attack from a non-legal actor, such as a
> compromised CA.

Please read the legal statement from the NCC I linked to. You are contradicting it. If you have better legal advice than the RIPE NCC's own lawyers then please contact the NCC.

>> c) legislators forcing network operators all over the world to keep doing (a) even in the event of abuse by law enforcement
>
> Nobody needs to *force* operators to do anything, they will probably not
> even notice a route missing from a few hundred thousand or, indeed, care
> that TPB is no longer reachable unless someone complains loudly.

Operators not caring about their routing tables is a problem out of scope for this policy. There are thousands of other factors besides rPKI, so this is not specific to this policy.

>> show how to adjust local-pref based on rPKI while still accepting all
>> routes. This is the network operator's choice!
>
> True, but the security gain is nil to low if routes with invalid/
> non-existing ROAs aren't dropped.

Not true, see above

> While some operators may use ROAs to adjust localpref, IMO the "lazy
> default" and most-widely used implementation will be "drop
> invalid/missing" and this is the case I base my argument on.

Ah, ok. But since your assumption is invalid (there is no default, and the quick-start examples which would probably be used for such a "lazy default" are completely different from what you assume) then your case isn't very interesting to discuss any further.

Cheers,
Sander
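
The two operator policies argued over in this message, shown side by side as an added example (not part of the original email and not RIPE NCC or vendor code): RFC 6811 origin validation in Python, followed by a policy that accepts every route and only shifts local-pref, and a policy that drops everything that is not valid. The VRPs, announcements, function names and local-pref values are constructed assumptions using documentation prefixes and private-use AS numbers.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, max length, origin AS).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

def validate(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this route
        if route.prefixlen <= max_len and origin_as == vrp_as:
            return "valid"
    return "invalid" if covered else "not-found"

def prefer_policy(state, base_pref=100):
    """Accept every route; the state only shifts local-pref (assumed values)."""
    return {"valid": base_pref + 10, "not-found": base_pref,
            "invalid": base_pref - 10}[state]

def drop_policy(state, base_pref=100):
    """'Drop invalid/missing': None means the route is rejected."""
    return base_pref if state == "valid" else None

# Constructed announcements: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),       # matches a VRP
    ("192.0.2.0/24", 64511),       # covered, wrong origin
    ("2001:db8:1::/48", 64501),    # within max length
    ("2001:db8:1:2::/64", 64501),  # more specific than max length
    ("203.0.113.0/24", 64502),     # no covering VRP
]

def compare(announcements=ANNOUNCEMENTS):
    """Return (prefix, state, local-pref under prefer, local-pref under drop)."""
    rows = []
    for prefix, asn in announcements:
        state = validate(prefix, asn)
        rows.append((prefix, state, prefer_policy(state), drop_policy(state)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Under the local-pref policy an invalid or not-found route stays in the table and is used when no better path exists; under the drop policy it is unreachable, which is the case the quoted objection is built on.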