Here be dragons, On Sun, Jan 30, 2011 at 12:39 PM, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:
The solution to this problem (theoretical at least) already exist in the form of RPKI.
Any top-down RPKI model is intrinsically flawed. Deploying an overlay of single-point(s) of failure on top of a well-functional distributed system such as the Internet does not seem like a solution to much. The Internet works reasonably well only because it is reasonably distributed. I acknowledge that: 1) there are occasionally routing problems, 2) that IPv4 will deteriorate further very rapidly as it runs out and second-hand markets pick up, 3) that spammers run BGP and abuse, seemingly primarily, the non-RIR IRR-dbs. The answer to these issues is not by default RPKI IMO. For example, how about: 1, fix them - are there any problems that hasn't been fixed or were seriously hard to fix? Enumerate and let's go specific; let's not deploy a tank to push in a screw. 2, IPv6? 3, improve/remove non-RIR IRR-dbs It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea. While it is true that governments are more or less in control of the *geographic area* they govern, as is evident in Egypt, there is a serious and big difference between the ease of removing a prefix from the Internet today in a country and how easy it will be in the fully network-deployed RPKI case, because of the hierarchical model (send your tanks to the RIR office(s) instead of every single country). Yes, governments exploit capabilities given to them by technological means ("we do it just because we can" is a standing motto). A top-down RPKI model would be a severely negative development of the resilience of the Internet, especially for freedom-aspiring people (approximately equal to humankind?), who need to avert government suppression. If we are to go down this path, at the very least it must stay architecturally/technologically *impossible* for a entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract. If not, we're doing humanity a disservice. One that I have no doubt would simply spawn/grow further overlay-networks to counter the problem. Cheers, Martin
On Sun, Jan 30, 2011 at 6:23 AM, Andrew Alston <aa@tenet.ac.za> wrote:
Hi All,
I've just noticed that Level 3 is allowing people to register space in its IRR database that A.) is not assigned to the people registering it and B.) is not assigned via/to Level 3.
So, I have two queries
A.) Are only customers of Level 3 allowed to use this database B.) Can someone from Level 3 please clarify if there are any plans to lock this down slightly
At this point, it would seem that if you are a customer of level 3's, you can register any space you feel like in there, and announce anything you feel like once the filters propagate, which in my opinion completely nullifies the point of IRR in the first place.
Though I think this also raises the question about IRR databases in general. Would it not be far more sane to have each RIR run a single instance each which talk to each other, which can be verified against IP address assignments, and scrap the distributed IRR systems that allow for issues like this to occur?
(In the mean time I've emailed the relevant people to try and get the entries falsely registered in that database removed, and will wait and see if I get a response).
Andrew Alston TENET - Chief Technology Officer Phone: +27 21 763 7181
-- -- ========================= Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net =========================