Job, This looks fantastic, thank you! For my edification and clarification, the reason you don't need a deny 2000::/3 or deny 0::/0 at the bottom of the ARIN list of allows is that every file comes with an implicit "deny all", is that correct? Is there a drawback to adding the explicit "deny 0::/0" at the bottom of the file, to make it clear that everything else will return "invalid"? I tend to prefer being explicit in my configurations, rather than depending upon implicit behaviours which might change with future versions of software releases. Thanks! Matt On Tue, Sep 26, 2023 at 9:57 AM Job Snijders via NANOG <nanog@nanog.org> wrote:
Dear all,
Two weeks ago AFRINIC was placed under receivership by the Supreme Court of Mauritius. This event prompted me to rethink the RPKI trust model and associated risk surface.
The RPKI technology was designed to be versatile and flexible to accommodate a myriad of real-world deployment scenarios including multiple trust anchors existing, inter-registry transfers, multiple transports, and permissionless innovation for signed objects, for example. All good and well ... but ofcouse there is a fine print. :-)
Over the years various people have expressed astonishment about each RIR having issued so-called 'all-resources' (0.0.0.0/0 + ::/0) trust anchor certificates, but this aspect often is misunderstood: the risk is not necessarily in the listing of 'all-resources' itself, it is in the RIR being able to issue an 'all-resources' certificate in the first place. RPKI trust anchor operators indeed can voluntarily reduce the scope of subordinate Internet Number Resources, but just as easily increase the scope of their authority. In other words, a trust anchor cannot truly constrain itself.
Upon reconsideration on how exactly RPKI hooks into the real world; I concluded trust anchors do not require unbounded trust in order to provide constructive services in the realm of BGP routing security.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it would not make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a cryptographically valid certificate path existed. Along these lines AFRINIC doesn't support inter-RIR transfers of any kind; and none of the RIRs have authority over private resources like 10.0.0.0/8 or AS 65535. It seems feasible to paint constraints around RPKI trust anchors in broad strokes.
Over the last two weeks I've diligently worked with Theo Buehler to research RIR transfer policies, untangle the history of the IANA->RIR and RIR->RIR allocation spaghetti, design & implement a maintainable constraints mechanism for rpki-client(8), and publicly document the concept of applying operator-defined policy to derived trust arcs.
Please take a moment to read
https://www.ietf.org/archive/id/draft-snijders-constraining-rpki-trust-ancho...
Your feedback is appreciated.
Kind regards,
Job