[routing-wg] 2019-08 New Policy Proposal (RPKI ROAs for Unallocated and Unassigned RIPE NCC Address Space)

Dear Gert,

On Fri, Nov 01, 2019 at 09:56:32AM +0100, Gert Doering wrote:
> On Fri, Nov 01, 2019 at 07:09:42AM +0100, Job Snijders wrote:
> > So we really have to wonder whether this is worth it, or whether a
> > few emails or phone calls can also solve the issue.
> 
> Isn't that the whole question underlying RPKI deployment?

I don't think it is. RPKI isn't the 'SDN controller for the Internet' :-)

> What is it that we want to stop with RPKI?  Only classic "prefix
> hijacking" (announcing space that is formally delegated somewhere) or
> other misuses of BGP, like "announce unallocated space, use that for
> spamming or other sorts of network attacks, withdraw announcement
> before people can track things back to you".

Yeah, in my mind RPKI exists to facilitate that people can better
communicate their routing intentions to each other, with the RIR as a
middle man certifiying that formal relations exist (in their role of
assigning globally unique number resources to their stakeholders).

The RPKI exists so that you and I can protect each other against misuse
or misconfigurations of the our resources, and I consider the resources
which don't (yet) have a holder are out of scope. That's also not where
the money is, our business depend on the number resources that were
assigned to us, the rest is less relevant.

In this context, it again seems not entirely helpful that all RIRs are
sitting on a 0.0.0.0/0 + ::/0 root cert, I wish we could come up with
some way to restrict those certs to just the resources they actually
manage, and perhaps through delegations from one RIR to another RIR keep
transfers working. But this would only work if we have a coherent view
on the RPKI which would in turn depend on certain legal barriers not
existing... but alas, I'm getting off topic

Kind regards,

Job