++ From: NANOG <nanog-bounces+vasilenko.eduard=huawei.com@nanog.org> On Behalf Of Alex Sent: Friday, November 15, 2024 03:46 To: nanog@nanog.org Subject: Re: Implementing Decentralized RPKI with Blockchain Technology Haven't we seen this pattern enough times? 1. some organization maintains some database with some data 2. someone asks what if the government forces it to falsify/censor data 3. someone says it would ruin trust and nobody would use the database any more 4. government forces organization to falsify/censor data 5. everyone keeps using that database because it's the low friction path 6. amount of false/censored data increases Governments already censor everything they can physically get their hands on: * IP ranges * DNS (ISP/open resolvers, registries *and* registrars) * messaging apps * social media * end device software and data (only when the vendor already controls it, by pressuring the vendor) If a little birdie told a censor that if they force *this* organization to publish this data block, *that* organization would automatically block *that* resource they don't like, they would go for it. There's absolutely no reason to think they would not. And no, the 1st Amendment won't prevent it, even in the USA. On 14/11/24 23:44, Tom Beecher wrote: William- Yes, you're correct on that point. Fundamentally though, if an RIR actually did that, it's effectively the end of RPKI, and seismic damage to the internet at large. The entire foundation of this system is that everything must trust that the RIRs are the source of truth over what IPs are allocated and to whom. RPKI just provides a way to cryptographically verify it. If an RIR was forced to pull an allocation by an external party for "non-normal" reasons, then trust in that RIR is irrevocably broken, and we have much larger issues to deal with. On Thu, Nov 14, 2024 at 5:28 PM Brandon Z. <Brandon@huize.asia<mailto:Brandon@huize.asia>> wrote: Yeah ,that's what I meant. They can remove the certificate for the resource holder and sign a new certificate for these resources and set ROA for as0 only. Technically speaking. Brandon Z. HUIZE LTD www.huize.asia <https://huize.asia/> | www.ixp.su<https://www.ixp.su/> | Twitter [https://ci3.googleusercontent.com/mail-sig/AIorK4w5mVhfW4gNpNNG4wjzSr6YXLPGs...] This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus. On Fri, Nov 15, 2024 at 01:21 William Herrin <bill@herrin.us<mailto:bill@herrin.us>> wrote: On Thu, Nov 14, 2024 at 9:03 AM Tom Beecher <beecher@beecher.cc<mailto:beecher@beecher.cc>> wrote:
As explained earlier, RIRs cannot "create" INVALIDs.
Hi Tom, Wouldn't they just withdraw the delegation and issue an AS0 ROA covering the address block? Does that not cause the associated route advertisements to become RPKI invalid? Regards, Bill Herrin -- William Herrin bill@herrin.us<mailto:bill@herrin.us> https://bill.herrin.us/