Implementing Decentralized RPKI with Blockchain Technology

William-

Yes, you’re correct on that point.

Fundamentally though, if an RIR actually did that, it’s effectively the end of RPKI, and seismic damage to the internet at large. The entire foundation of this system is that everything must trust that the RIRs are the source of truth over what IPs are allocated and to whom. RPKI just provides a way to cryptographically verify it. If an RIR was forced to pull an allocation by an external party for “non-normal” reasons, then trust in that RIR is irrevocably broken, and we have much larger issues to deal with.

We're talking about what an RIR can do if ordered by a court with
jurisdiction. Remember: a court ordered AFRINIC to do some pretty
remarkable things in the not too distant past.

Regards,
Bill Herrin

Haven’t we seen this pattern enough times?

  1. some organization maintains some database with some data
  2. someone asks what if the government forces it to falsify/censor data
  3. someone says it would ruin trust and nobody would use the database any more
  4. government forces organization to falsify/censor data
  5. everyone keeps using that database because it’s the low friction path
  6. amount of false/censored data increases

Governments already censor everything they can physically get their hands on:

  • IP ranges
  • DNS (ISP/open resolvers, registries and registrars)
  • messaging apps
  • social media
  • end device software and data (only when the vendor already controls it, by pressuring the vendor)

If a little birdie told a censor that if they force this organization to publish this data block, that organization would automatically block that resource they don’t like, they would go for it. There’s absolutely no reason to think they would not.

And no, the 1st Amendment won’t prevent it, even in the USA.

We’re talking about what an RIR can do if ordered by a court with
jurisdiction. Remember: a court ordered AFRINIC to do some pretty
remarkable things in the not too distant past.

Sure, but my point is still the same. If at any point, we cannot trust that an RIR is the authoritative record holder of IP allocations, be it malfeasance/negligence, or a legal/government entity forcing them to take an action outside of established policy, then RPKI is severely crippled, if not useless.

However, I think it’s an overblown concern. If a government entity has the courts in their pocket to force an RIR to do a thing, they have the power to do about 10 other much easier things that would actually prevent full access to the thing they don’t like. (I’m taking your servers, I’m forcing you to unplug routers, etc.)

Doesn’t really make sense for them to force the RIR to do a thing that would only disrupt access, not prevent it entirely.

William-

Yes, you're correct on that point.

Fundamentally though, if an RIR actually did that, it's effectively the end of RPKI, and seismic damage to the internet at large.

Tom,

Bill Woodcock announced a framework around this concept on NANOG back in March of 2022.

https://mailman.nanog.org/pipermail/nanog/2022-March/218056.html

The linked document discusses manipulation of RPKI records specifically:

https://www.pch.net/resources/Papers/Multistakeholder-Imposition-of-Internet-Sanctions.pdf

"A manipulation of RPSL and RPKI records in centralized registries would flow through to all networks employing these common routing security mechanisms, some of which would then automatically stop routing traffic to and from the specified networks, without affecting other “adjacent” civilian networks or being subject to trivial “workarounds.”"

The opinion of that section of the document, at the time it was published, appears to be that fiddling with RPKI in that way constitutes an "unacceptable risk". However, simple incrementalism will have that opinion changed as soon as it is more politically palatable. The fact that these frameworks are seriously proposed at all is the chilling part IMHO.

Brandon


One country whose internet resources are nominally controlled by a RIR that’s located in an enemy jurisdiction is Russia.
The Netherlands could not physically invade Russia to disconnect its servers or routers, but it could easily require the invalidation of Russian internet resources since RIPE NCC falls under its jurisdiction.
This would, as has already been stated, shatter the illusion of the Internet being a cohesive whole – some people would be unable to access Russian internet sites, while other people would be unable to access European internet sites to which the formerly Russian resources were reallocated.

Possibly the main reason this hasn’t happened yet is that politicians don’t understand what internet resources are, or how they’re allocated, or what could be achieved by forcibly changing allocations.

Tom,

However, I think it's an overblown concern. If a government entity has the courts in their pocket to force an RIR to do a thing, they have the power to do about 10 other much easier things that would actually prevent full access to the thing they don't like. (I'm taking your servers, I'm forcing you to unplug routers, etc.)

RIRs serve multiple (potentially overlapping) jurisdictions, thereby providing a way for effects to cross national boundaries.

Doesn't really make sense for them to force the RIR to do a thing that would only disrupt access, not prevent it entirely.

Forcing registrars and resolver operators to block the lookup of certain names does not prevent access entirely, yet it is a very common technique imposed by national regulators and courts all over the world.

Regards,
-drc

Thanks for raising this topic. In all the rush to deploy RPKI I fear these issues are not talked
about enough.

you missed ~8yrs of hand wringing and such... so sad.

Fair enough. I suppose I wasn't reading the right corner of the internet to find it. Either way there's basically no mitigations in place for these issues today, so hand wringing or not, nothing came of it.

To address this, one approach is for autonomous networks within a region to establish two trusted
RPKI CA servers: one from the major RIRs and another locally managed. The locally managed CA would
take precedence, allowing autonomous networks to submit their IP resources to the RPKI server of
their peers (and potentially backed by a national mandate to trust this CA). This setup could
prevent a scenario where an entire country’s IP resources are revoked, leading to all IPs being
marked as invalid.

A variant of this could make some sense, the issue is that it doesn't do you a whole lot of good to
have a local RPKI anchor that you and your local community look to if the global internet community
isn't looking at it - sure, your IPs are routable to a few of your friends, but they can't reach
Google...oops.

this is slurm, actually... but sure.
There's even a federated version of slurm being discussed.
you might like that conversation over in sidrops@ietf.org

How is this SLURM? SLURM lets you allow some nets to have a local view of RPKI, which is great as long as there is some covering route in the global DFZ to reach the nets with a local view. The OP didn't mention anything about a covering route, but instead talked about where the RIR that manages the resources from the global internet's PoV decides to AS0-ROA the IPs and make them unroutable.

Another variant I've suggested before relies on timeouts for removal - for networks that have RPKI
anchors deployed, if their RIR wants to remove their anchors the RIR must publish an intent to

'anchor' is not an RPKI word, maybe you mean something else, please
try a correct version of the word you mean?
(if you mean, effectively, ROA.. then basically all ROA have an
expiry..so yay we already have the thing you want?)
perhaps you actually mean the 'trust-anchor' - of which (today) there
are one per RIR?

Apologies, I had written the email somewhat in haste. Indeed, ROA is what I'd meant. Sadly, just the existence of an expiry doesn't address the issue unless (a) all RPKI RPs take full advantage of the expiry to cache entries (and MUST do so), which as far as I understand they do not (and generally isn't practical given the full-rsync+validate approach most take), (b) RIRs always maintain ROAs with timeouts at least a week (or some N) in the future (I assume most do? But I'm unaware of the exact policy).

remove the anchor a week (or some other N) prior to the removal, with validators ignoring immediate
removal. This takes the issue from "I woke up one morning and my IPs weren't routable" to "I spent a
week arguing on *NOG and the internet community added a new temporary workaround to avoid my ISP
losing all its resources due to a runaway RIR".

removal of a trust-anchor would have relatively high impact on the
RPKi system and possibly the routing
system depending on what decisions were made in bgp policy. I think
over time we've tried to make the
whole of the system a bit more resilient, though... a missing
trust-anchor (or broken one) SHOULD just
end up with a bunch of 'not found' or 'unknown' routes... which
probably you aren't tossing in the bucket.
(because ~40% of the internet is still unsigned/unknown)

Apologies, again I meant ROAs, the email was written in some haste prior to a flight :)

Matt

Apologies if it came across as insulting, indeed I wasn't spending my time reading IETF mailing lists in the early 2010s :). That said, the reality today is that RPKI trust anchors are perfectly capable of (through malice or cybersecurity incidents) AS0-routing as much IP space as they want, taking entire swaths of the internet offline for a day or more at a time. So even if there was a ton of hand-wringing about it prior to deployment, that didn't translate into any best practices which actually reduce the trust the RPKI system has.

Matt

Eh, semantics. Many people (including myself!) refer to CT as a blockchain. What you're referring to, where there are many entities collaboratively advancing a blockchain, I'd call a cryptocurrency :).

In any case, my point in the prior email was that a non-decentralized blockchain is probably the only relevant design in this space, as there is a natural operator already, so there's no need for any of the (attempts at) decentralized approaches.

Matt

That said, the reality today is that RPKI trust anchors are perfectly
capable of (through malice or cybersecurity incidents) AS0-routing as much IP space as they want,
taking entire swaths of the internet offline for a day or more at a time. So even if there was a ton
of hand-wringing about it prior to deployment, that didn’t translate into any best practices which
actually reduce the trust the RPKI system has.

I mean, I’m still confused about what best practices people think should exist.

The entire point of RPKI is to validate that the announcement instructions in the ROA were created by the authorized assignee of the IP space. The authoritative party as to who the assignee of the IP space is is the RIR. This means the RIR is inherently the root of trust.

What proposals are out there that can perform the same function without that RIR being at the root of it?

  • Possibly the main reason this hasn’t happened yet is that politicians don’t understand what internet resources are, or how they’re allocated, or what could be achieved by forcibly changing allocations.

Nope, you underestimate politicians, they have consultants that are very smart.

Isolation is a tool of weakness. Someone who cannot win isolates himself from the danger.

West/NATO still leading the war on the Internet. Then isolation does not make sense. The Internet is a good channel for influence. Hundreds of millions are spent on spreading FUD, and a different sort of propaganda.

The Internet has been a battlefield for a long time. I have seen it as it was started and progressed over 20 years. Russia was feeble initially, not capable at all (they could say “it was started not by us”). Russia is still weaker, thousands of blocked sites is a sign of weakness.

I do not believe that Russia would ever be as professional as the West in brainwashing (Russia has strengths in different fields). Hence, the West would never start isolation on a wide scope.

Some particular ASes would probably be blocked sooner or later, even though it would be a confession of some weaknesses.

West public opinion is the only thing that refrains politicians from starting blocking some ASes. IMHO: it would happen because there would be not enough progress on the other battlefields. Politicians would become a little desperate.

IMHO: the war would be driven to the Internet, like it or not. Fighting in all arenas/spaces was the advice of all the biggest war theorists (Clausewitz, Sun Tzu, etc).

Ed/

* nanog@as397444.net (Matt Corallo) [Sun 17 Nov 2024, 20:41 CET]:

Fair enough. I suppose I wasn't reading the right corner of the internet to find it. Either way there's basically no mitigations in place for these issues today, so hand wringing or not, nothing came of it.

I'm not sure what technical mitigations are possible against lawful court orders. Calling on RIPE NCC employees to ignore them is not workable.

Let's not rehash here the decades of work spent on exchanging views with lawmakers, regulators, lobbyists etc. There are archives, both of mailing lists and of board meetings.

  -- Niels.

* nanog@as397444.net (Matt Corallo) [Sun 17 Nov 2024, 20:44 CET]:

Apologies if it came across as insulting, indeed I wasn't spending my time reading IETF mailing lists in the early 2010s :). That said, the reality today is that RPKI trust anchors are perfectly capable of (through malice or cybersecurity incidents) AS0-routing as much IP space as they want, taking entire swaths of the internet offline for a day or more at a time. So even if there was a ton of hand-wringing about it prior to deployment, that didn't translate into any best practices which actually reduce the trust the RPKI system has.

Please take some time to read up on what countermeasures against RIRs "AS0-routing as much IP space as they want" are being taken by developers of validators before posting here again.

  -- Niels.

I mean you could read my original email :).

But, no, of course a RIR won’t ignore a court order, indeed that’d be nuts, but we could ensure that doing so takes some nontrivial (human) time during which the operator community can decide whether they wish to respond with a new anchor/ignoring the new ROA/etc.

Matt

I didn’t suggest changing the root of trust. Indeed, the RIR is ultimately responsible for its IP space, and there’s no reason to suggest changing that.

RPKI did, however, materially change the process for revoking IP space - instead of removing IP space from Whois and then needing to email various networks to get it removed from filters, RIRs can simply AS0-ROA the space and it’s gone overnight.

Forcing some human timescale (via software changes in validators) onto that process pulls us one step in between the two cases.

Matt
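The "human timescale in the validator" idea Matt sketches above, as an added illustration that is not code from the thread or from any shipping relying-party validator: a hypothetical cache that keeps a VRP in its effective set for a hold-down period after the VRP stops appearing in fetched repository data. The class name, the seven-day default and the sample VRPs (TEST-NET-1 space, documentation ASN 64496) are all constructed for this example. It deliberately delays only disappearances; a newly published ROA (including an AS0 one) is applied at once, which is enough to keep a matching ROA in effect while operators argue about its removal.

```python
# Hypothetical relying-party cache with a hold-down on VRP withdrawal.
# Not a feature of any real validator; constructed to illustrate the
# "delayed removal" proposal discussed in this thread.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

DAY = 86400

# A VRP as (prefix, max_length, asn). asn 0 is the AS0 "nobody may originate" case.
Vrp = Tuple[str, int, int]


@dataclass
class HoldDownCache:
    hold_down_seconds: int = 7 * DAY          # constructed default: one week
    _last_seen: Dict[Vrp, int] = field(default_factory=dict)

    def update(self, snapshot: Set[Vrp], now: int) -> Set[Vrp]:
        """Ingest the VRPs fetched at time `now` and return the effective set.

        Additions take effect immediately. A VRP that is absent from the
        snapshot stays effective until it has been missing for longer than
        the hold-down period, then is forgotten.
        """
        for vrp in snapshot:
            self._last_seen[vrp] = now
        effective: Set[Vrp] = set()
        for vrp, seen in list(self._last_seen.items()):
            if now - seen <= self.hold_down_seconds:
                effective.add(vrp)
            else:
                del self._last_seen[vrp]          # hold-down expired: really gone
        return effective


def scenario() -> Tuple[bool, bool, bool, bool]:
    """Constructed timeline: the legitimate ROA is withdrawn and replaced by AS0.

    Returns (legit effective on day 0, legit still effective the next day,
             AS0 VRP effective the next day, legit effective after 8 days).
    """
    cache = HoldDownCache()
    legit: Vrp = ("192.0.2.0/24", 24, 64496)   # constructed: documentation prefix/ASN
    as0: Vrp = ("192.0.2.0/24", 24, 0)         # constructed: coerced AS0 ROA
    t0 = 1_700_000_000

    day0 = cache.update({legit}, t0)
    day1 = cache.update({as0}, t0 + DAY)        # legit withdrawn, AS0 published
    day8 = cache.update({as0}, t0 + 8 * DAY)    # a week of arguing has passed
    return (legit in day0, legit in day1, as0 in day1, legit in day8)


if __name__ == "__main__":
    print(scenario())   # (True, True, True, False)
```

Because route origin validation only needs one matching VRP, keeping the withdrawn legitimate VRP around for a week means routes from the real origin stay "valid" during the hold-down even though the AS0 VRP is already in the cache; the effect on the routing table is deferred, not prevented. The obvious cost is that a genuine, urgent revocation (a hijacker's ROA issued through a compromised account, say) is delayed by the same period, which is why the period would have to be an operator choice.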

You mean obstruction of justice, with intent?

Let us know how that goes.

Nick

No, obviously this would have to be done in software on the validator end.

Matt

Feel free to provide a link, the only constraining I'm aware of is what's documented in draft-snijders-constraining-rpki-trust-anchors, which does not, as far as I understand, constrain AS 0 at all.

Given no one else in this thread has commented about any specific constraints, it seems like a great chance to educate lots of people!

Matt

i have not seen mention that a single validating roa wins over any number
of 'coerced' invalidating roas. this has implications in the space of
'saving' action(s) by an other rir, iana, an alternate registry, etc.

randy
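Randy's point above, and the earlier SLURM exchange, both come down to the matching rule of route origin validation (RFC 6811): a route is "valid" if at least one covering VRP matches its origin AS and length, and "invalid" only when covering VRPs exist and none of them matches. An AS0 VRP never matches a real origin, so it cannot override a matching VRP from another source, whether that source is another trust anchor or a local assertion in a SLURM file (RFC 8416). The following is an added example, not code from the thread or from any validator; the VRP layout, the source labels and the sample prefix/ASN (TEST-NET-1, documentation ASN 64496) are constructed here.

```python
# Added example: RFC 6811 route origin validation over a set of VRPs,
# with a SLURM-style (RFC 8416) local prefix assertion mixed in.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class VRP:
    prefix: str          # e.g. "192.0.2.0/24"
    max_length: int
    asn: int             # 0 = AS0 ROA: no AS may originate this prefix (RFC 7607)
    source: str          # constructed label: which TA or SLURM file it came from


def from_slurm_assertion(entry: dict, source: str = "slurm") -> VRP:
    """Build a VRP from a "prefixAssertions" entry as laid out in RFC 8416.

    maxPrefixLength is optional there; when absent the prefix length is used.
    """
    plen = ipaddress.ip_network(entry["prefix"]).prefixlen
    return VRP(entry["prefix"], entry.get("maxPrefixLength", plen), entry["asn"], source)


def covers(vrp: VRP, prefix: str) -> bool:
    vp = ipaddress.ip_network(vrp.prefix)
    p = ipaddress.ip_network(prefix)
    return vp.version == p.version and p.subnet_of(vp)


def validate(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return "not-found", "valid" or "invalid" per RFC 6811 section 2."""
    covering: List[VRP] = [v for v in vrps if covers(v, prefix)]
    if not covering:
        return "not-found"                       # no ROA covers it: nothing to say
    plen = ipaddress.ip_network(prefix).prefixlen
    for v in covering:
        # An AS0 VRP can never match: AS 0 is not a legitimate origin (RFC 7607).
        if v.asn != 0 and v.asn == origin_asn and plen <= v.max_length:
            return "valid"                       # one match is enough
    return "invalid"                             # covered, but nothing matched


def scenario():
    """Constructed case: RIR trust anchor publishes only an AS0 ROA for the block."""
    rir_vrps = [VRP("192.0.2.0/24", 24, 0, "rir-ta")]
    # Operator-side rescue via a SLURM prefix assertion (RFC 8416 layout).
    local = [from_slurm_assertion(
        {"asn": 64496, "prefix": "192.0.2.0/24", "maxPrefixLength": 24,
         "comment": "constructed local assertion"})]
    return (
        validate("192.0.2.0/24", 64496, rir_vrps),          # AS0 alone -> invalid
        validate("192.0.2.0/24", 64496, rir_vrps + local),  # one match wins -> valid
        validate("192.0.2.0/25", 64496, rir_vrps + local),  # exceeds maxLength -> invalid
        validate("198.51.100.0/24", 64496, rir_vrps + local),  # uncovered -> not-found
    )


if __name__ == "__main__":
    print(scenario())   # ('invalid', 'valid', 'invalid', 'not-found')
```

The second result is the whole of Randy's observation: the coerced AS0 VRP is still in the set, but because validation looks for any match rather than for the absence of a contradiction, the one asserted VRP makes the route valid. It also shows the limit of the local-trust-anchor idea discussed earlier in the thread: only validators that load the extra VRP (from a second TA or a SLURM file) get the "valid" result; everyone else on the DFZ still sees "invalid" and, if they drop invalids, the prefix is unreachable from there.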