[routing-wg] 2019-08 Review Phase (RPKI ROAs for Unallocated and Unassigned RIPE NCC Address Space)

On Wed, Mar 04, 2020 at 11:36:55AM +0000, Nick Hilliard wrote:
> Carlos Friaças via routing-wg wrote on 04/03/2020 07:23:
> > Unfortunately, you will only "run AS0" over non-distributed APNIC space.
> > 
> > If you were able to do it for the full problem space, those who will
> > continue to explore this weakness in the global routing system would not
> > have an excellent alternative by simply choosing to abuse
> > non-distributed space by the other RIRs...
> 
> are you seriously suggesting that APNIC or any other RIR should use a TAL
> for 0/0 to claim authority over unallocated space from other RIRs?
> 
> This would be an extraordinary breach of trust in the RIR community.

Should any RIR would start interfering with potentially unassigned or
unallocated resources from another RIR in such a manner, I'd consider
the RIR CA akin to compromised and suggest to remove the associated TAL
from our RPKI Cache Validators. Thus the outlined approach would result
in negative impact for the NIRs and LIRs under that RIR CA in the
affected region, but probably outweighs the complications of one RIR
claiming space is Unassigned/Unallocated while the actual managing RIR
might think otherwise.

In short, this would be a misuse of the current certificate structure
that that implemented 0.0.0.0/0 + ::/0 to facilitate inter-RIR
transfers. That mechanism was not intended to help RIRs step on each
other's toes.

Let's continue to focus on deploying RPKI Origin Validation as-is on all
Internet EBGP sessions first. At best it seems premature to overload the
functionality of the RPKI in this way.

Kind regards,

Job