A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)

I suspect that if you want RPKI, you'll need to sign an agreement with the RIR. In ARIN region, this would be the LRSA or the RSA.

Owen

Since they pre-exist the RIR, it's not clear that any one RIR has authority until asked.

(For a discussion of rights, authority, etc, see http://ciara.fiu.edu/publications/Rubi%20-%20Property%20Rights%20in%20IP%20Numbers.pdf)

Thus, I think the legacy address holders will have to request "services" from an RIR. Or from a trusted third party.

(For instance, see http://www.circleid.com/posts/competition_to_regional_internet_registries_rir_for_post_allocation_service/)

Cheers,
-Benson

> In this context, at least, perhaps the NIR should be considered
> superfluous or redundant? What is the operational rationale behind the
> NIR level? Wouldn't a flatter RIR-LIR structure do just fine?

and then, by inference, what is the use of the RIR level?

A meeting point for communities, potentially able to reflect a consensus
view of policies and moderate "NIR" and other might be more unilateral
initiatives. If one individual of a community goes "insane", enable the
remaining ones to moderate.

randy

mh

In this context, at least, perhaps the NIR should be considered
superfluous or redundant? What is the operational rationale behind the
NIR level? Wouldn't a flatter RIR-LIR structure do just fine?

and then, by inference, what is the use of the RIR level?

A meeting point for communities, potentially able to reflect a consensus
view of policies and moderate "NIR" and other might be more unilateral
initiatives. If one individual of a community goes "insane", enable the
remaining ones to moderate.

and then, by inference, you can see how people justify the NIRs

randy

Neither do I, but I think it's a good thing to discuss. Any NIR rep's
around?

mh

In systems where the outputs from a computer system are very, very
critical, a sort of "consensus" takes place (I think they did this in
some space flights too) - two of three independent systems have to agree
that the information is correct before it can be acted upon.

Perhaps there is room at the top level for some such mechanism in RPKI?
That is, treat "the top" not as being one RIR, but as a confederation of
RIRs, possibly all with the SAME key. If different keys start appearing,
the one that comes from the most RIRs is considered correct, and the
other(s) as mavericks.

But I'm speaking from a very deep well of ignorance about RPKI.

Regards, K.

Right. To preserve the integrity of the system it is rather necessary
that multiple parties must agree to do some changes to it. This is
in many ways of course a very hard thing to do, but there are a lot of
good people out there with a much better understanding of cryptography
and real information security than I, who definitely should look into
this. Unless there already is a problem statement covering this
problem, perhaps we should make one.

Perhaps it is impossible to combine an easily managed system with a
totally secure and robust routing infrastructure.

At any rate, I consider censorship a failure of information routing.
Any secure and robust routing infrastructure will not invite more
censorship.

Regards,
Martin

Alex,

RPKI is a big knob governments might be tempted to turn.

Of course we looked into this, cause we're running our service from Amsterdam, the Netherlands. The possibilities for law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not qualify as goods that are capable of being confiscated.

Then of course, the decision making process always lies in the hands of the network operator. Only if a government would mandate an ISP to respect an invalid ROA and drop the route, it would be effective.

So *both* these things would have to happen before there is an operational issue. Like you've seen in Egypt, pulling the plug is easier...

YMMV on your side of the pond.

Alex Band
Product Manager, RIPE NCC

As others pointed out, and as we especially have seen the past 10 and
a half years, laws can easily change.

I too believe it is somewhat necessary to have 'control' over the IPv4
prefix distribution in order for the RIRs to continue being
Registries. I understand and share the RIRs' concern regarding this. I
also do believe we can expend at least two years (just to put a number
out there) more to make a system that is robust also against
censorship, that everybody can feel comfortable to trust. Operational
impact and cost, I believe, will be quite minor during this time.

In fact, I believe it is an investment that apart from being necessary
(IMO), will actually pay off, because only with a system that people
trust, will most network operators enable it by their free will, which
ought to be the goal for *everybody* involved. (Lest the dystopian
future takes hold, of course.)

Once a reliable system exists, I would be the first one to enable it
on my routers, and wouldn't shed a tear if illegitimately acquired or
traded routing information was lost at that time.

And to be extremely clear, nobody is suggesting that they do not trust
the people working at RIPE or any other RIR to do a good job here but
at the same time, "we are all human". We have a, in my opinion, very
big responsibility towards future generations in (re-)designing the
Internet in a way that continues to keep it open and robust towards
failures of various sorts. Even that of a single RIR.

Regards,
Martin

my recollection is that IANA COULD do that...
(presuming a single root of the tree not 5 roots)
-chris

Indeed... The key is how you identify the signature, essentially.

So, if the bodies all share the same key, then, any one of them can
sign anything and it is indistinguishable from something signed by
the others.

What would be needed would be a triple signature with different
keys (like bank checks that require more than one signature).

However, the usual process for getting something signed through that
system would probably be that A does the authentication process
and then asks B and C to "witness" their signature.

If A has a gun to their head, they're still going to likely be able to
get B and C to "witness" that signature, so, you're still in a fix.

This really isn't an easy problem to solve. Until it is solved, there
are serious questions about RPKI doing more harm than good.

Owen
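The difference between one shared key and separate keys with a 2-of-3 rule, as discussed in the messages above, shown as an added example that is not part of the original thread. Lamport one-time signatures over SHA-256 are a stand-in chosen here so the code needs only the standard library (RPKI does not use them); the signer labels and the sample message are constructed.

```python
import hashlib, os

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. Each key may sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits(msg), sig)))

def fingerprint(pk):
    return H(b"".join(a + b for a, b in pk)).hex()

def distinct_keys(trusted, msg, sigs):
    """Fingerprints of distinct trusted keys that validly signed msg."""
    return {fingerprint(trusted[n]) for n, s in sigs.items()
            if n in trusted and verify(trusted[n], msg, s)}

MSG = b"ROA: 192.0.2.0/24 origin AS64496"  # constructed sample object
NAMES = ("RIR-A", "RIR-B", "RIR-C")        # hypothetical signer labels

def shared_key_case():
    # All three bodies hold the same key: one holder can fill every slot.
    sk, pk = keygen()
    sig = sign(sk, MSG)
    trusted = {n: pk for n in NAMES}
    sigs = {n: sig for n in NAMES}
    names_ok = sum(verify(trusted[n], MSG, sigs[n]) for n in NAMES)
    return names_ok, len(distinct_keys(trusted, MSG, sigs))  # (3, 1)

def separate_keys_case(signers, threshold=2):
    # Each body has its own key; only the bodies listed in `signers` sign.
    keys = {n: keygen() for n in NAMES}
    trusted = {n: pk for n, (sk, pk) in keys.items()}
    sigs = {n: sign(keys[n][0], MSG) for n in signers}
    return len(distinct_keys(trusted, MSG, sigs)) >= threshold
```

A met quorum only proves that two distinct keys signed; it says nothing about whether the second signer checked anything independently, which is the "witness" problem raised in the message above.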

Multiple parties alone, however, is not sufficient. It needs to be multiple
parties that are unlikely to be unduly influenced by the same group of
governments or alliance of governments under any possible circumstance.

The existing RIRs may or may not be an adequate way to spread this out.
Certainly there is risk in the fact that IANA is in the US and subject by itself
to US government whims. The fact that IANA and ARIN are both in the US
is of particular concern because it means even combined there is no
check and balance between them, either as both can be usurped by the
same power.

Owen