A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)

Here be dragons,

The solution to this problem (in theory at least) already exists in
the form of RPKI.

Any top-down RPKI model is intrinsically flawed.

Deploying an overlay of single point(s) of failure on top of a
well-functioning distributed system such as the Internet does not seem
like a solution to much. The Internet works reasonably well only
because it is reasonably distributed.

I acknowledge that:
1) there are occasionally routing problems,
2) that IPv4 will deteriorate further very rapidly as it runs out and
second-hand markets pick up,
3) that spammers run BGP and abuse, seemingly primarily, the non-RIR IRR-dbs.

The answer to these issues is not RPKI by default, IMO. For example, how about:
1) fix them: are there any problems that haven't been fixed or were
seriously hard to fix? Enumerate and let's get specific; let's not
deploy a tank to push in a screw.
2) IPv6?
3) improve/remove non-RIR IRR-dbs

It should be fairly obvious, most recently from what's going on in
Egypt, why allowing a government to control the Internet is a Really
Bad Idea.

While it is true that governments are more or less in control of the
*geographic area* they govern, as is evident in Egypt, there is a
serious and big difference between the ease of removing a prefix from
the Internet today in a country and how easy it will be in the fully
network-deployed RPKI case, because of the hierarchical model (send
your tanks to the RIR office(s) instead of every single country).
Yes, governments exploit capabilities given to them by technological
means ("we do it just because we can" is a standing motto).

A top-down RPKI model would be a severely negative development of the
resilience of the Internet, especially for freedom-aspiring people
(approximately equal to humankind?), who need to avert government
suppression.

If we are to go down this path, at the very least it must stay
architecturally/technologically *impossible* for an entity from country
A to via-the-hierarchical-trust-model block a prefix assigned to some
entity in country B, that is assigned by B's RIR and in full
accordance with the RIR policies and in no breach of any contract.
If not, we're doing humanity a disservice. One that I have no doubt
would simply spawn/grow further overlay networks to counter the
problem.

Cheers,
Martin

> Here be dragons,

<snip>

> It should be fairly obvious, by most recently what's going on in
> Egypt, why allowing a government to control the Internet is a Really
> Bad Idea.

how is the Egypt thing related to rPKI?
How is the proposed rPKI work related to gov't control?

> architecturally/technologically *impossible* for a entity from country
> A to via-the-hierarchical-trust-model block a prefix assigned to some
> entity in country B, that is assigned by B's RIR and in full
> accordance with the RIR policies and in no breach of any contract.

countries do not have RIRs, countries have NIRs... regions have RIRs.

>> Here be dragons,
>
> <snip>
>
>> It should be fairly obvious, by most recently what's going on in
>> Egypt, why allowing a government to control the Internet is a Really
>> Bad Idea.
>
> how is the Egypt thing related to rPKI?
> How is the proposed rPKI work related to gov't control?

RPKI is a big knob governments might be tempted to turn.

>> architecturally/technologically *impossible* for a entity from country
>> A to via-the-hierarchical-trust-model block a prefix assigned to some
>> entity in country B, that is assigned by B's RIR and in full
>> accordance with the RIR policies and in no breach of any contract.
>
> countries do not have RIRs, countries have NIRs... regions have RIRs.

RIRs live in countries with governments.
RIRs are unlikely to mount a successful challenge against an organization
with tanks and mortars.

Owen

In theory at least, entities closer to the RPKI root (RIRs, IANA) could invalidate routes for any sort of policy reasons. This might provide leverage to certain governments, perhaps even offering the ability to control routing beyond their jurisdiction.

As an example, it's imaginable that the US government could require IANA or ARIN to delegate authority to the NSA for a Canadian ISP's routes. Feel free to replace the RIR/LIR and country names, to suit your own example.

Cheers,
-Benson

>> Here be dragons,
> <snip>
>> It should be fairly obvious, by most recently what's going on in
>> Egypt, why allowing a government to control the Internet is a Really
>> Bad Idea.
>>
>
> how is the Egypt thing related to rPKI?
> How is the proposed rPKI work related to gov't control?
>
>> architecturally/technologically *impossible* for a entity from country
>> A to via-the-hierarchical-trust-model block a prefix assigned to some
>> entity in country B, that is assigned by B's RIR and in full
>> accordance with the RIR policies and in no breach of any contract.
>
> countries do not have RIRs, countries have NIRs... regions have RIRs.

In this context, at least, perhaps the NIR should be considered
superfluous or redundant? What is the operational rationale behind the
NIR level? Wouldn't a flatter RIR-LIR structure do just fine?

mh

>>> Here be dragons,
>> <snip>
>>> It should be fairly obvious, by most recently what's going on in
>>> Egypt, why allowing a government to control the Internet is a Really
>>> Bad Idea.
>>>
>>
>> how is the Egypt thing related to rPKI?
>> How is the proposed rPKI work related to gov't control?
>>
> RPKI is a big knob governments might be tempted to turn.
>
>>> architecturally/technologically *impossible* for a entity from country
>>> A to via-the-hierarchical-trust-model block a prefix assigned to some
>>> entity in country B, that is assigned by B's RIR and in full
>>> accordance with the RIR policies and in no breach of any contract.
>>
>> countries do not have RIRs, countries have NIRs... regions have RIRs.
>
> RIRs live in countries with governments.
> RIRs are unlikely to mount a successful challenge against an organization
> with tanks and mortars.

Yes, right. But an RIR is (at least supposed to be) regional, so
(hopefully) more stable from a policy point of view (since a number of
national "stakeholders" need to agree on a common policy). In theory,
at least...

mh

Is it really a better alternative? Do we want to pay the cost of a fully distributed RPKI architecture?

Or do we just abandon the idea of protecting the routing infrastructure?

There is no free lunch; we just need to select the price that we want to pay.

-as

There is not a single RIR that is not physically located in a country.

You can hope they are more stable from a policy point of view, but the
reality is that if someone shows up at the front door with tanks and
mortars, my money is not on the RIR.

Owen

For Europe and RIPE, the EU commission at your service...

Regards,
Martin

Of course we looked into this, because we're running our service from Amsterdam, the Netherlands. The possibilities for law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not qualify as goods that are capable of being confiscated.

Then of course, the decision-making process always lies in the hands of the network operator. Only if a government were to mandate that an ISP respect an invalid ROA and drop the route would it be effective.

So *both* these things would have to happen before there is an operational issue. Like you've seen in Egypt, pulling the plug is easier...

YMMV on your side of the pond.

Alex Band
Product Manager, RIPE NCC

>> But RIR is (at least supposed to be) regional, so
>> (hopefully) more stable from a policy point of view (since the number of
>> national "stake holders" need to agree on a common policy). In theory,
>> at least...
>
> For Europe and RIPE, the EU commission at your service...

Yeah, good point... ... as was Owen's... :slight_smile:

So, what's next hop forward?

mh

> In this context, at least, perhaps the NIR should be considered
> superfluous or redundant? What is the operational rationale behind the
> NIR level? Wouldn't a flatter RIR-LIR structure do just fine?

and then, by inference, what is the use of the RIR level?

randy

> Is it really a better alternative? Do we want to pay the cost of a fully distributed RPKI architecture?
>
> Or do we just abandon the idea of protecting the routing infrastructure?
>
> There is no free-lunch, we just need to select the price that we want to pay.

I agree there is no free-lunch.

Randy Bush addressed the problem, in a recent email, by contrasting his "security" personality against his mistrust of authority. (That's my summary, not his words.) And I think that's exactly what I'm struggling with. I want to secure the routing infrastructure, but I don't completely trust centralized regimes. At their best, they're a target for exploitation - at their worst, they're authoritarian.

Randy was kind enough to point me toward draft-ietf-sidr-ltamgmt-00 which I'm in the process of reading. Perhaps there is a way to balance between "fully distributed" and "centralized", e.g. by supporting multiple roots and different trust domains.

Cheers,
-Benson

Although I support RPKI as a technology, there are legitimate concerns that it could be abused. I now believe that RPKI needs work in this area at the IETF level so the concerns are addressed.

I imagine some form of secret sharing among different parties or some form of key escrow. I am sure that it is not an easy problem, but maybe some progress can be made in this direction.

Regards

Carlos
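As an added illustration of the "secret sharing among different parties" direction raised just above (not code from any poster, RIR or IETF draft), here is a k-of-n Shamir split of a signing key: the key is the constant term of a random polynomial over a prime field, each custodian holds one evaluation of it, any k shares reconstruct the key and fewer than k reveal nothing about it. The 127-bit prime, the 3-of-5 threshold, the custodian labels and the placeholder key value are my assumptions; a real deployment would reassemble the key only inside an HSM, or use a threshold signature scheme so it is never reassembled at all.

```python
"""k-of-n Shamir secret sharing of a (placeholder) CA signing key.

Added illustration of the secret-sharing idea raised in the thread; not
code from any poster, RIR or IETF draft. PRIME, the threshold, the
custodian labels and the sample key are assumptions. Arithmetic is over
GF(PRIME); a real system would use a vetted library and keep the
reassembled key inside an HSM.
"""
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime M127; secrets must be < PRIME


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int, rand=secrets.randbelow):
    """Return n shares (x, y); any k of them reconstruct `secret`.

    The secret is the constant term of a random degree-(k-1) polynomial;
    share i is its value at x=i. `rand` is injectable for testing.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [rand(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0 over GF(PRIME).

    With at least k distinct shares this returns the secret; with fewer it
    returns an unrelated field element, which is what makes the threshold hold.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo():
    """Split a placeholder key 3-of-5 (one share per custodian) and show
    that three custodians can rebuild it while two cannot."""
    key = int.from_bytes(secrets.token_bytes(15), "big")  # < 2**120 < PRIME
    custodians = ["A", "B", "C", "D", "E"]  # hypothetical custodian labels
    shares = dict(zip(custodians, split_secret(key, 3, 5)))
    from_three = reconstruct([shares["A"], shares["C"], shares["E"]])
    from_two = reconstruct([shares["B"], shares["D"]])
    return {"key": key, "from_three": from_three, "from_two": from_two}


if __name__ == "__main__":
    r = demo()
    print("three custodians recover the key:", r["from_three"] == r["key"])
    print("two custodians recover the key:  ", r["from_two"] == r["key"])
```

The threshold is what changes the threat model discussed in the thread: a court order or a visit with tanks at one custodian yields one share, and one share of a 3-of-5 split is information-theoretically useless on its own.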

> There is not a single RIR that is not physically located in a country.
>
> You can hope they are more stable from a policy point of view, but, the
> reality is that if someone shows up at the front door with tanks and
> mortars, my money is not on the RIR.

But they might choose a country in that region that is less likely to
mess with the RIR. For instance, ARIN would probably be a lot safer in
Canada than in the US... RIPE could relocate to Switzerland or Sweden
(although I think Holland is not that much of a risk), for instance.
LACNIC in Uruguay seems a good choice to me, the same with AfriNIC in
Mauritius.

Rubens

Great theory, but:

ARIN (and IANA for that matter) are _IN_ the US.

RIPE _IS_ in the Netherlands.

APNIC _IS_ in Australia. Where would you put it? I notice you didn't
list it above.

Even Canada has their occasional bouts of wanting to censor the internet in strange ways. Government policies change over time and counting on governments to remain sane has its perils.

Owen

>>>> Here be dragons,
>>>
>>> <snip>
>>>
>>>> It should be fairly obvious, by most recently what's going on in
>>>> Egypt, why allowing a government to control the Internet is a Really
>>>> Bad Idea.
>>>
>>> how is the Egypt thing related to rPKI?
>>> How is the proposed rPKI work related to gov't control?
>>
>> RPKI is a big knob governments might be tempted to turn.
>
> Of course we looked into this, because we're running our service from Amsterdam, the Netherlands. The possibilities for law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not qualify as goods that are capable of being confiscated.

Confiscated isn't the only possible issue. Being ordered to revoke a ROA or sign an alternate ROA isn't necessarily confiscation. It's court-ordered behavior. I'm not familiar enough with Dutch law to know if this is possible or not, but, regardless of the law today, the certificate issue remains after the law is changed. No country has immutable laws. Even the US Constitution can be (and has been) changed.

> Then of course, the decision-making process always lies in the hands of the network operator. Only if a government were to mandate that an ISP respect an invalid ROA and drop the route would it be effective.

If the RIR is signing the "invalid" ROA, how does one distinguish the invalid from the valid?

> So *both* these things would have to happen before there is an operational issue. Like you've seen in Egypt, pulling the plug is easier...

Today, pulling the plug is easier. In an automated RPKI environment where a revocation or alternate signed record can cause service impacts,

> YMMV on your side of the pond.
>
> Alex Band
> Product Manager, RIPE NCC

With the mere passage of a law, so could the mileage on your side of the pond.

Owen
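To make the mechanics behind Alex Band's "both things would have to happen" point and Owen's "how does one distinguish the invalid from the valid" question concrete, here is an added illustration of route origin validation (RFC 6811 semantics) with the operator's drop-invalid policy as a separate knob, plus a simplified operator-local override in the spirit of the draft-ietf-sidr-ltamgmt-00 idea Benson mentions earlier in the thread. It is not code from any poster, from the RIPE NCC service or from any real validator. The ROAs, prefixes and AS numbers are constructed sample data from documentation ranges and private ASNs, the `local_roas` table is my simplification of local trust anchor management, and signature checking is deliberately left out: the model assumes whatever the hierarchy publishes is authentically signed, which is exactly why a relying party cannot tell a politically motivated ROA from a legitimate one.

```python
"""Route origin validation (RFC 6811 semantics) with an operator policy knob
and a simplified operator-local override.

Added illustration for this thread; not code from any poster, from the
RIPE NCC service or from any real validator. All ROAs, prefixes and AS
numbers are constructed sample data (documentation ranges, private ASNs).
Signature checking is omitted on purpose: a ROA the hierarchy has signed is
cryptographically indistinguishable from a legitimate one, so the validator
only ever sees "a ROA exists for this prefix and this AS".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder may announce
    origin_as: int    # AS authorised to originate


def validate(announced: str, origin_as: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin AS).

    RFC 6811: a route is covered by every ROA whose prefix contains it. It is
    valid if some covering ROA matches the origin AS and the announced length
    does not exceed maxLength, invalid if covered but nothing matches, and
    not-found if no ROA covers it at all.
    """
    net = ipaddress.ip_network(announced, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def accept(state: str, drop_invalid: bool) -> bool:
    """The operator's decision. RPKI only produces a label; nothing is
    dropped unless the router is configured to act on 'invalid'."""
    return not (state == "invalid" and drop_invalid)


def validate_with_local(announced, origin_as, global_roas, local_roas) -> str:
    """Simplified local-trust-anchor idea (assumption, not the draft's exact
    algorithm): assertions the operator holds locally win for the prefixes
    they cover; everything else falls back to the global RPKI data."""
    state = validate(announced, origin_as, local_roas)
    if state != "not-found":
        return state
    return validate(announced, origin_as, global_roas)


def scenario() -> dict:
    """Walk through the case argued in the thread and return each outcome."""
    route = ("192.0.2.0/24", 64496)                 # legitimate holder, AS64496
    global_roas = [ROA("192.0.2.0/24", 24, 64496)]
    before = validate(*route, global_roas)

    # The hierarchy revokes the holder's ROA and publishes one for another AS.
    # Nothing about the replacement looks wrong to a relying party.
    global_roas = [ROA("192.0.2.0/24", 24, 64497)]
    after = validate(*route, global_roas)

    # An operator-local assertion for the original holder overrides the change.
    local_roas = [ROA("192.0.2.0/24", 24, 64496)]
    return {
        "before": before,
        "after_revocation": after,
        "dropped_with_policy": not accept(after, drop_invalid=True),
        "accepted_without_policy": accept(after, drop_invalid=False),
        "with_local_override": validate_with_local(*route, global_roas, local_roas),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The two conditions in Alex's post map onto two separate functions here: `validate` is what the hierarchy controls, `accept` is what the operator controls, and only the combination of a hostile ROA and `drop_invalid=True` takes the route off the network. The local override shows the cost of the escape hatch: it works, but every operator who wants it has to maintain that table by hand.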

> some parts of the world are invested in the NIR concept... not my
> part, but I do admit other folks like it. (and I didn't want to leave
> someone out of the mix)

Since we are already talking about RIRs, I am curious, who will sign
the legacy blocks in RPKI?

Dongting

I don't believe the NIRs would be part of the RPKI chain if I understand it
correctly.

Owen