A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)
Here be dragons,
On Sun, Jan 30, 2011 at 12:39 PM, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:
The solution to this problem (theoretical at least) already exists in the form of RPKI.
Any top-down RPKI model is intrinsically flawed. Deploying an overlay of single-point(s) of failure on top of a well-functional distributed system such as the Internet does not seem like a solution to much. The Internet works reasonably well only because it is reasonably distributed.

I acknowledge that:
1) there are occasionally routing problems,
2) that IPv4 will deteriorate further very rapidly as it runs out and second-hand markets pick up,
3) that spammers run BGP and abuse, seemingly primarily, the non-RIR IRR-dbs.

The answer to these issues is not by default RPKI IMO. For example, how about:
1, fix them - are there any problems that haven't been fixed or were seriously hard to fix? Enumerate and let's go specific; let's not deploy a tank to push in a screw.
2, IPv6?
3, improve/remove non-RIR IRR-dbs

It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea. While it is true that governments are more or less in control of the *geographic area* they govern, as is evident in Egypt, there is a serious and big difference between the ease of removing a prefix from the Internet today in a country and how easy it will be in the fully network-deployed RPKI case, because of the hierarchical model (send your tanks to the RIR office(s) instead of every single country). Yes, governments exploit capabilities given to them by technological means ("we do it just because we can" is a standing motto).

A top-down RPKI model would be a severely negative development of the resilience of the Internet, especially for freedom-aspiring people (approximately equal to humankind?), who need to avert government suppression.

If we are to go down this path, at the very least it must stay architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract. If not, we're doing humanity a disservice. One that I have no doubt would simply spawn/grow further overlay-networks to counter the problem.

Cheers,
Martin
On Sun, Jan 30, 2011 at 6:23 AM, Andrew Alston <aa@tenet.ac.za> wrote:
Hi All,
I've just noticed that Level 3 is allowing people to register space in its IRR database that A.) is not assigned to the people registering it and B.) is not assigned via/to Level 3.
So, I have two queries
A.) Are only customers of Level 3 allowed to use this database
B.) Can someone from Level 3 please clarify if there are any plans to lock this down slightly
At this point, it would seem that if you are a customer of level 3's, you can register any space you feel like in there, and announce anything you feel like once the filters propagate, which in my opinion completely nullifies the point of IRR in the first place.
Though I think this also raises the question about IRR databases in general. Would it not be far more sane to have each RIR run a single instance each which talk to each other, which can be verified against IP address assignments, and scrap the distributed IRR systems that allow for issues like this to occur?
(In the meantime I've emailed the relevant people to try and get the entries falsely registered in that database removed, and will wait and see if I get a response).
Andrew Alston TENET - Chief Technology Officer Phone: +27 21 763 7181
--
=========================
Carlos M. Martinez-Cagnazzo
http://www.labs.lacnic.net
=========================
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract.
countries do not have RIR's, countries have NIR's... regions have RIR's.
On Feb 1, 2011, at 9:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
RPKI is a big knob governments might be tempted to turn.
architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract.
countries do not have RIR's, countries have NIR's... regions have RIR's.
RIRs live in countries with governments. RIRs are unlikely to mount a successful challenge against an organization with tanks and mortars. Owen
On Tuesday, 01 February 2011 at 13:20 -0800, Owen DeLong wrote:
On Feb 1, 2011, at 9:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
RPKI is a big knob governments might be tempted to turn.
architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract.
countries do not have RIR's, countries have NIR's... regions have RIR's.
RIRs live in countries with governments. RIRs are unlikely to mount a successful challenge against an organization with tanks and mortars.
Yes, right. But RIR is (at least supposed to be) regional, so (hopefully) more stable from a policy point of view (since the number of national "stake holders" need to agree on a common policy). In theory, at least... mh
Owen
On Feb 1, 2011, at 1:36 PM, Michael Hallgren wrote:
On Tuesday, 01 February 2011 at 13:20 -0800, Owen DeLong wrote:
On Feb 1, 2011, at 9:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
RPKI is a big knob governments might be tempted to turn.
architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract.
countries do not have RIR's, countries have NIR's... regions have RIR's.
RIRs live in countries with governments. RIRs are unlikely to mount a successful challenge against an organization with tanks and mortars.
Yes, right. But RIR is (at least supposed to be) regional, so (hopefully) more stable from a policy point of view (since the number of national "stake holders" need to agree on a common policy). In theory, at least...
There is not a single RIR that is not physically located in a country. You can hope they are more stable from a policy point of view, but, the reality is that if someone shows up at the front door with tanks and mortars, my money is not on the RIR. Owen
There is not a single RIR that is not physically located in a country.
You can hope they are more stable from a policy point of view, but, the reality is that if someone shows up at the front door with tanks and mortars, my money is not on the RIR.
But they might choose a country in that region that is less likely to mess with the RIR. For instance, ARIN would probably be a lot safer in Canada than in the US... RIPE could relocate to Swiss or Sweden (although I think Holland is not that much of a risk), for instance. LACNIC in Uruguay seems a good choice to me, the same with AfriNIC in Mauritius. Rubens
On Feb 1, 2011, at 2:40 PM, Rubens Kuhl wrote:
There is not a single RIR that is not physically located in a country.
You can hope they are more stable from a policy point of view, but, the reality is that if someone shows up at the front door with tanks and mortars, my money is not on the RIR.
But they might choose a country in that region that is less likely to mess with the RIR. For instance, ARIN would probably be a lot safer in Canada than in the US... RIPE could relocate to Swiss or Sweden (although I think Holland is not that much of a risk), for instance. LACNIC in Uruguay seems a good choice to me, the same with AfriNIC in Mauritius.
Rubens
Great theory, but: ARIN (and IANA for that matter) are _IN_ the US. RIPE _IS_ in the Netherlands. APNIC _IS_ in Australia. Where would you put it? I notice you didn't list it above. Even Canada has their occasional bouts of wanting to censor the internet in strange ways. Government policies change over time and counting on governments to remain sane has its perils. Owen
On Tue, Feb 1, 2011 at 4:36 PM, Michael Hallgren <m.hallgren@free.fr> wrote:
But RIR is (at least supposed to be) regional, so (hopefully) more stable from a policy point of view (since the number of national "stake holders" need to agree on a common policy). In theory, at least...
For Europe and RIPE, the EU commission at your service... Regards, Martin
On Tuesday, 01 February 2011 at 16:54 -0500, Martin Millnert wrote:
On Tue, Feb 1, 2011 at 4:36 PM, Michael Hallgren <m.hallgren@free.fr> wrote:
But RIR is (at least supposed to be) regional, so (hopefully) more stable from a policy point of view (since the number of national "stake holders" need to agree on a common policy). In theory, at least...
For Europe and RIPE, the EU commission at your service...
Yeah, good point... ... as was Owen's... :) So, what's next hop forward? mh
Regards, Martin
On 1 Feb 2011, at 22:20, Owen DeLong wrote:
On Feb 1, 2011, at 9:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
RPKI is a big knob governments might be tempted to turn.
Of course we looked into this, cause we're running our service from Amsterdam, the Netherlands. The possibilities for law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not qualify as goods that are capable of being confiscated. Then of course, the decision making process always lies in the hands of the network operator. Only if a government would mandate an ISP to respect an invalid ROA and drop the route, it would be effective. So *both* these things would have to happen before there is an operational issue. Like you've seen in Egypt, pulling the plug is easier... YMMV on your side of the pond. Alex Band Product Manager, RIPE NCC
On Feb 1, 2011, at 1:57 PM, Alex Band wrote:
On 1 Feb 2011, at 22:20, Owen DeLong wrote:
On Feb 1, 2011, at 9:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
RPKI is a big knob governments might be tempted to turn.
Of course we looked into this, cause we're running our service from Amsterdam, the Netherlands. The possibilities for law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not qualify as goods that are capable of being confiscated.
Confiscated isn't the only possible issue. Being ordered to revoke a ROA or sign an alternate ROA isn't necessarily confiscation. It's court-ordered behavior. I'm not familiar enough with Dutch law to know if this is possible or not, but, regardless of the law today, the certificate issue remains after the law is changed. No country has immutable laws. Even the US Constitution can be (and has been) changed.
Then of course, the decision making process always lies in the hands of the network operator. Only if a government would mandate an ISP to respect an invalid ROA and drop the route, it would be effective.
If the RIR is signing the "invalid" ROA, how does one distinguish the invalid from the valid?
So *both* these things would have to happen before there is an operational issue. Like you've seen in Egypt, pulling the plug is easier...
Today, pulling the plug is easier. In an automated RPKI environment where a revocation or alternate signed record can cause service impacts,
YMMV on your side of the pond.
Alex Band Product Manager, RIPE NCC
With the mere passage of a law, so could the mileage on your side of the pond. Owen
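The exchange above turns on the difference between revoking a ROA, signing an alternate ROA, and an operator choosing to drop invalid routes. The following is an added example, not part of the original thread, that applies the route origin validation rules later standardised in RFC 6811 to each case; the prefixes and AS numbers are documentation values and all function and scenario names are hypothetical.

```python
"""Route origin validation outcomes for the ROA changes discussed in the thread.

Added illustration: prefixes and AS numbers are documentation values and every
name here is hypothetical. The matching rules follow RFC 6811.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: what a relying party extracts from a valid ROA."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this VRP says nothing about the announced prefix
        covered = True
        # AS 0 in a ROA means "no AS may originate this prefix"; it never matches.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def route_accepted(state, drop_invalid):
    """Operator's local policy: only 'invalid' is rejected, and only when the
    operator has chosen to drop invalids."""
    return not (state == "invalid" and drop_invalid)


# Constructed sample data (documentation prefix 2001:db8::/32, documentation ASNs).
ROUTE, ORIGIN = "2001:db8:100::/40", 64496
HOLDER_ROA = VRP("2001:db8:100::/40", 40, 64496)     # the address holder's own ROA
ALTERNATE_ROA = VRP("2001:db8:100::/40", 40, 64511)  # same prefix, different origin AS
AS0_ROA = VRP("2001:db8:100::/40", 40, 0)            # "nobody may originate this"
PARENT_ROA = VRP("2001:db8::/32", 32, 64500)         # ROA for the covering block

SCENARIOS = {
    "holder ROA in place": [HOLDER_ROA],
    "holder ROA revoked": [],
    "holder ROA revoked, covering ROA remains": [PARENT_ROA],
    "alternate ROA added, holder ROA kept": [HOLDER_ROA, ALTERNATE_ROA],
    "alternate ROA replaces holder ROA": [ALTERNATE_ROA],
    "AS 0 ROA replaces holder ROA": [AS0_ROA],
}


def outcomes(drop_invalid):
    """Map each scenario to (validation state, route still accepted?)."""
    result = {}
    for name, vrps in SCENARIOS.items():
        state = validate(ROUTE, ORIGIN, vrps)
        result[name] = (state, route_accepted(state, drop_invalid))
    return result


if __name__ == "__main__":
    for drop_invalid in (False, True):
        print(f"\noperator drops invalids: {drop_invalid}")
        for name, (state, accepted) in outcomes(drop_invalid).items():
            print(f"  {name:45s} {state:10s} {'accepted' if accepted else 'REJECTED'}")
```

Revocation alone leaves the route in the not-found state, which is still accepted; the route is rejected only when some remaining ROA covers the prefix without matching it and the operator has opted to drop invalids.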
On Tue, 2011-02-01 at 14:51 -0800, Owen DeLong wrote:
If the RIR is signing the "invalid" ROA, how does one distinguish the invalid from the valid?
In systems where the outputs from a computer system are very, very critical, a sort of "consensus" takes place (I think they did this in some space flights too) - two of three independent systems have to agree that the information is correct before it can be acted upon.

Perhaps there is room at the top level for some such mechanism in RPKI? That is, treat "the top" not as being one RIR, but as a confederation of RIRs, possibly all with the SAME key. If different keys start appearing, the one that comes from the most RIRs is considered correct, and the other(s) as mavericks.

But I'm speaking from a very deep well of ignorance about RPKI.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
On Feb 1, 2011, at 3:53 PM, Karl Auer wrote:
On Tue, 2011-02-01 at 14:51 -0800, Owen DeLong wrote:
If the RIR is signing the "invalid" ROA, how does one distinguish the invalid from the valid?
In systems where the outputs from a computer system are very, very critical, a sort of "consensus" takes place (I think they did this in some space flights too) - two of three independent systems have to agree that the information is correct before it can be acted upon.
Perhaps there is room at the top level for some such mechanism in RPKI? That is, treat "the top" not as being one RIR, but as a confederation of RIRs, possibly all with the SAME key. If different keys start appearing, the one that comes from the most RIRs is considered correct, and the other(s) as mavericks.
But I'm speaking from a very deep well of ignorance about RPKI.
Indeed... The key is how you identify the signature, essentially. So, if the bodies all share the same key, then, any one of them can sign anything and it is indistinguishable from something signed by the others. What would be needed would be a triple signature with different keys (like bank checks that require more than one signature). However, the usual process for getting something signed through that system would probably be that A does the authentication process and then asks B and C to "witness" their signature. If A has a gun to their head, they're still going to likely be able to get B and C to "witness" that signature, so, you're still in a fix. This really isn't an easy problem to solve. Until it is solved, there are serious questions about RPKI doing more harm than good. Owen
Alex, On Tue, Feb 1, 2011 at 4:57 PM, Alex Band <alexb@ripe.net> wrote:
On 1 Feb 2011, at 22:20, Owen DeLong wrote:
RPKI is a big knob governments might be tempted to turn.
Of course we looked into this, cause we're running our service from Amsterdam, the Netherlands. The possibilities for law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not qualify as goods that are capable of being confiscated.
Then of course, the decision making process always lies in the hands of the network operator. Only if a government would mandate an ISP to respect an invalid ROA and drop the route, it would be effective.
So *both* these things would have to happen before there is an operational issue. Like you've seen in Egypt, pulling the plug is easier...
YMMV on your side of the pond.
Alex Band Product Manager, RIPE NCC
As others pointed out, and as we especially have seen the past 10 and a half years, laws can easily change.

I too believe it is somewhat necessary to have 'control' over the IPv4 prefix distribution in order for the RIRs to continue being Registries. I understand and share the RIRs' concern regarding this.

I also do believe we can expend at least two years (just to put a number out there) more to make a system that is robust also against censorship, that everybody can feel comfortable to trust. Operational impact and cost, I believe, will be quite minor during this time. In fact, I believe it is an investment that apart from being necessary (IMO), will actually pay off, because only with a system that people trust, will most network operators enable it by their free will, which ought to be the goal for *everybody* involved. (Lest the dystopian future takes hold, of course.)

Once a reliable system exists, I would be the first one to enable it on my routers, and wouldn't shed a tear if illegitimately acquired or traded routing information was lost at that time.

And to be extremely clear, nobody is suggesting that they do not trust the people working at RIPE or any other RIR to do a good job here but at the same time, "we are all human". We have a, in my opinion, very big responsibility towards future generations in (re-)designing the Internet in a way that continues to keep it open and robust towards failures of various sorts. Even that of a single RIR.

Regards,
Martin
On Feb 1, 2011, at 11:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
In theory at least, entities closer to the RPKI root (RIRs, IANA) could invalidate routes for any sort of policy reasons. This might provide leverage to certain governments, perhaps even offering the ability to control routing beyond their jurisdiction. As an example, it's imaginable that the US government could require IANA or ARIN to delegate authority to the NSA for a Canadian ISP's routes. Feel free to replace the RIR/LIR and country names, to suit your own example. Cheers, -Benson
Is it really a better alternative? Do we want to pay the cost of a fully distributed RPKI architecture?

Or do we just abandon the idea of protecting the routing infrastructure?

There is no free-lunch, we just need to select the price that we want to pay.

-as

On 1 Feb 2011, at 16:29, Benson Schliesser wrote:
On Feb 1, 2011, at 11:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
In theory at least, entities closer to the RPKI root (RIRs, IANA) could invalidate routes for any sort of policy reasons. This might provide leverage to certain governments, perhaps even offering the ability to control routing beyond their jurisdiction.
As an example, it's imaginable that the US government could require IANA or ARIN to delegate authority to the NSA for a Canadian ISP's routes. Feel free to replace the RIR/LIR and country names, to suit your own example.
Cheers, -Benson
On Feb 1, 2011, at 3:43 PM, Arturo Servin wrote:
Is it really a better alternative? Do we want to pay the cost of a fully distributed RPKI architecture?
Or do we just abandon the idea of protecting the routing infrastructure?
There is no free-lunch, we just need to select the price that we want to pay.
I agree there is no free-lunch. Randy Bush addressed the problem, in a recent email, by contrasting his "security" personality against his mistrust of authority. (That's my summary, not his words.) And I think that's exactly what I'm struggling with. I want to secure the routing infrastructure, but I don't completely trust centralized regimes. At their best, they're a target for exploitation - at their worst, they're authoritarian. Randy was kind enough to point me toward http://tools.ietf.org/html/draft-ietf-sidr-ltamgmt-00 which I'm in the process of reading. Perhaps there is a way to balance between "fully distributed" and "centralized", e.g. by supporting multiple roots and different trust domains. Cheers, -Benson
On 1 Feb 2011, at 16:29, Benson Schliesser wrote:
On Feb 1, 2011, at 11:14 AM, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
In theory at least, entities closer to the RPKI root (RIRs, IANA) could invalidate routes for any sort of policy reasons. This might provide leverage to certain governments, perhaps even offering the ability to control routing beyond their jurisdiction.
As an example, it's imaginable that the US government could require IANA or ARIN to delegate authority to the NSA for a Canadian ISP's routes. Feel free to replace the RIR/LIR and country names, to suit your own example.
Cheers, -Benson
On Tuesday, 01 February 2011 at 12:14 -0500, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract.
countries do not have RIR's, countries have NIR's... regions have RIR's.
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine? mh
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine?
and then, by inference, what is the use of the RIR level? randy
On Wednesday, 02 February 2011 at 07:04 +0900, Randy Bush wrote:
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine?
and then, by inference, what is the use of the RIR level?
A meeting point for communities, potentially able to reflect a consensus view of policies and moderate "NIR" and other might be more unilateral initiatives. If one individual of a community goes "insane", enable the remaining ones to moderate.
randy
mh
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine?
and then, by inference, what is the use of the RIR level?
A meeting point for communities, potentially able to reflect a consensus view of policies and moderate "NIR" and other might be more unilateral initiatives. If one individual of a community goes "insane", enable the remaining ones to moderate.
and then, by inference, you can see how people justify the NIRs randy
Although I support Rpki as a technology, there are legitimate concerns that it could be abused. I now believe that Rpki needs work in this area at IETF level so the concerns are addressed. I imagine some form of secret sharing among different parties or some form of key escrow. I am sure that it is not an easy problem, but maybe some progress can be made in this direction.

Regards
Carlos

On Feb 1, 2011, at 7:33 PM, Michael Hallgren <m.hallgren@free.fr> wrote:
On Tuesday, 01 February 2011 at 12:14 -0500, Christopher Morrow wrote:
On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert@gmail.com> wrote:
Here be dragons, <snip> It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea.
how is the egypt thing related to rPKI? How is the proposed rPKI work related to gov't control?
architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract.
countries do not have RIR's, countries have NIR's... regions have RIR's.
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine?
mh
On Tue, Feb 1, 2011 at 5:15 PM, Carlos M. Martinez <carlosm3011@gmail.com> wrote:
Although I support Rpki as a technology, there are legitimate concerns that it could be abused. I now believe that Rpki needs work in this area at IETF level so the concerns are addressed.
I imagine some form of secret sharing among different parties or some form of key escrow. I am sure that it is not an easy problem, but maybe some progress can be made in this direction.
Right. To preserve the integrity of the system it is rather necessary that multiple parties must agree to do some changes to it. This is in many ways of course a very hard thing to do, but there are a lot of good people out there with a much better understanding of cryptography and real information security than I, who definitely should look into this. Unless there already is a problem statement covering this problem, perhaps we should make one. Perhaps it is impossible to combine an easily managed system with a totally secure and robust routing infrastructure. At any rate, I consider censorship a failure of information routing. Any secure and robust routing infrastructure will not invite more censorship. Regards, Martin
On Feb 1, 2011, at 3:58 PM, Martin Millnert wrote:
On Tue, Feb 1, 2011 at 5:15 PM, Carlos M. Martinez <carlosm3011@gmail.com> wrote:
Although I support Rpki as a technology, there are legitimate concerns that it could be abused. I now believe that Rpki needs work in this area at IETF level so the concerns are addressed.
I imagine some form of secret sharing among different parties or some form of key escrow. I am sure that it is not an easy problem, but maybe some progress can be made in this direction.
Right. To preserve the integrity of the system it is rather necessary that multiple parties must agree to do some changes to it. This is in many ways of course a very hard thing to do, but there are a lot of good people out there with a much better understanding of cryptography and real information security than I, who definitely should look into this. Unless there already is a problem statement covering this problem, perhaps we should make one.
Perhaps it is impossible to combine an easily managed system with a totally secure and robust routing infrastructure.
At any rate, I consider censorship a failure of information routing. Any secure and robust routing infrastructure will not invite more censorship.
Regards, Martin
Multiple parties alone, however, is not sufficient. It needs to be multiple parties that are unlikely to be unduly influenced by the same group of governments or alliance of governments under any possible circumstance. The existing RIRs may or may not be an adequate way to spread this out. Certainly there is risk in the fact that IANA is in the US and subject by itself to US government whims. The fact that IANA and ARIN are both in the US is of particular concern because it means even combined there is no check and balance between them, either, as both can be usurped by the same power. Owen
On Tue, Feb 1, 2011 at 4:33 PM, Michael Hallgren <m.hallgren@free.fr> wrote:
On Tuesday, 01 February 2011 at 12:14 -0500, Christopher Morrow wrote:
countries do not have RIR's, countries have NIR's... regions have RIR's.
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine?
some parts of the world are invested in the NIR concept... not my part, but I do admit other folks like it. (and I didn't want to leave someone out of the mix)
Since we are already talking about RIRs, I am curious, who will sign the legacy blocks in RPKI? Dongting
On Feb 1, 2011, at 3:13 PM, Dongting Yu wrote:
Since we are already talking about RIRs, I am curious, who will sign the legacy blocks in RPKI?
Dongting
I suspect that if you want RPKI, you'll need to sign an agreement with the RIR. In ARIN region, this would be the LRSA or the RSA. Owen
On Feb 1, 2011, at 5:13 PM, Dongting Yu wrote:
Since we are already talking about RIRs, I am curious, who will sign the legacy blocks in RPKI?
Since they pre-exist the RIR, it's not clear that any one RIR has authority until asked. (For a discussion of rights, authority, etc, see http://ciara.fiu.edu/publications/Rubi%20-%20Property%20Rights%20in%20IP%20N...) Thus, I think the legacy address holders will have to request "services" from an RIR. Or from a trusted third party. (For instance, see http://www.circleid.com/posts/competition_to_regional_internet_registries_ri...) Cheers, -Benson
On Tue, Feb 1, 2011 at 6:13 PM, Dongting Yu <dongting.yu@cl.cam.ac.uk> wrote:
Since we are already talking about RIRs, I am curious, who will sign the legacy blocks in RPKI?
my recollection is that IANA COULD do that... (presuming a single root of the tree not 5 roots) -chris
On Feb 1, 2011, at 3:01 PM, Christopher Morrow wrote:
On Tue, Feb 1, 2011 at 4:33 PM, Michael Hallgren <m.hallgren@free.fr> wrote:
On Tuesday, 01 February 2011 at 12:14 -0500, Christopher Morrow wrote:
countries do not have RIR's, countries have NIR's... regions have RIR's.
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine?
some parts of the world are invested in the NIR concept... not my part, but I do admit other folks like it. (and I didn't want to leave someone out of the mix)
I don't believe the NIRs would be part of the RPKI chain if I understand it correctly. Owen
On Tuesday, 01 February 2011 at 18:01 -0500, Christopher Morrow wrote:
On Tue, Feb 1, 2011 at 4:33 PM, Michael Hallgren <m.hallgren@free.fr> wrote:
On Tuesday, 01 February 2011 at 12:14 -0500, Christopher Morrow wrote:
countries do not have RIR's, countries have NIR's... regions have RIR's.
In this context, at least, perhaps the NIR should be considered superfluous or redundant? What is the operational rationale behind the NIR level? Wouldn't a flatter RIR-LIR structure do just fine?
some parts of the world are invested in the NIR concept... not my part, but I do admit other folks like it. (and I didn't want to leave someone out of the mix)
Neither do I, but I think it's a good thing to discuss. Any NIR rep's around? mh
participants (12)
- Alex Band
- Arturo Servin
- Benson Schliesser
- Carlos M. Martinez
- Christopher Morrow
- Dongting Yu
- Karl Auer
- Martin Millnert
- Michael Hallgren
- Owen DeLong
- Randy Bush
- Rubens Kuhl