Carlos,

On Sun, Jan 30, 2011 at 9:22 PM, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:
Hi,
this is the second mention I see of RPKI and Egypt in the same context. I sincerely fail to see the connection between both situations.
It is quite simple actually.

1. Governments (eventually) want to take pieces of the Internet offline, and Egypt is only the latest abundantly clear proof of this desire.
2. RPKI might make this easier to accomplish than before, effectively leading to more censorship than without it.

My fear is that of the big red DELETE-FROM-THE-INTERNET-button: If the system becomes widely deployed, it is an even shorter step to make for various lawmakers in various countries to legislate how RPKI is to be used.

There are obviously other ways for your local autocrat to cut the Internet down, but this would undoubtedly add a potential fine-grained mechanism on top of it that I fail to see how it will not be abused.

E.g., it'd be possible to, with the right hand, require that all ISPs treat RPKI in a certain way (abstract away the censorship to all ISPs, even those in other countries(!), own routers, once the technology is in place), and with the left hand cherry pick what can be on and what can be off, at a much, much lower cost than unplugging everything (Egypt), or buying lots of cool hardware (China). (This is a bad thing, btw.)

I'd happily see an explanation of RPKI that clears these fears from my mind, and I'm fairly sure that I am not crazy for having them... (Meanwhile I will read all of Randy's recommended reading.)

And yes there are a myriad of other ways to shut things down from the Internet, but none of them are as integrated with the Internet as RPKI would be, right? Plus, I don't really see adding another way to shut things down as a positive thing, because of the apparent abuse-vector it represents.

Regards,
Martin

(With tiny, tiny steps, nobody will understand how we ended up where we end up, and by then it's hard to retract.)
On Sun, Jan 30, 2011 at 7:53 PM, Brandon Butterworth <brandon@rd.bbc.co.uk> wrote:
I think it is too early in the deployment process to start dropping routes based on RPKI alone. We'll get there at some point, I guess.
Do we really *want* to get to that point?
I thought that was the point and the goal of securing the routing infrastructure is laudable. But the voices in my head say don't trust them with control of your routes, see what happened in Egypt.
brandon
--
=========================
Carlos M. Martinez-Cagnazzo
http://www.labs.lacnic.net
=========================