Level 3's IRR Database

> I think it is too early in the deployment process to start dropping
> routes based on RPKI alone. We'll get there at some point, I guess.

Do we really *want* to get to that point?

I thought that was the point and the goal of securing the routing
infrastructure is laudable. But the voices in my head say don't trust
them with control of your routes, see what happened in Egypt.

brandon

I would hope the response to the USG pressuring ARIN to diddle the RPKI db would be disabling of RPKI queries by most BGP speakers.

> I would hope the response to the USG pressuring ARIN to diddle the RPKI
> db would be disabling of RPKI queries by most BGP speakers.

no need. break down, take a break from typing, and actually read
draft-ietf-sidr-rpki-origin-ops-04.txt

Hi,

this is the second mention I see of RPKI and Egypt in the same
context. I sincerely fail to see the connection between both
situations.

Egypt cut their links the old fashioned way: they pulled the plug. I
fail to see how such a situation could be made worse by RPKI. It
simply has nothing to do.

Not deploying RPKI won't prevent your local friendly autocrat from
ordering "cut all wires" or something like that.

regards

Carlos

Carlos,

> Hi,
>
> this is the second mention I see of RPKI and Egypt in the same
> context. I sincerely fail to see the connection between both
> situations.

It is quite simple actually.

1. Governments (eventually) want to take pieces of the Internet
offline, and Egypt is only the latest abundantly clear proof of this
desire.
2. RPKI might make this easier to accomplish than before, effectively
leading to more censorship than without it.

My fear is that of the big red DELETE-FROM-THE-INTERNET-button:

If the system becomes widely deployed, it is an even shorter step to
make for various lawmakers in various countries to legislate how RPKI
is to be used.
There are obviously other ways for your local autocrat to cut the
Internet down, but this would undoubtedly add a potential fine-grained
mechanism on top of it that I fail to see how it will not be abused.
E.g., it'd be possible to, with the right hand, require that all ISPs
treat RPKI in a certain way (abstract away the censorship to all
ISPs, even those in other countries(!), own routers, once the
technology is in place), and with the left hand cherry pick what can
be on and what can be off, at a much, much lower cost than unplugging
everything (Egypt), or buying lots of cool hardware (China). (This is
a bad thing, btw.)

I'd happily see an explanation of RPKI that clears these fears from my
mind, and I'm fairly sure that I am not crazy for having them...
(Meanwhile I will read all of Randy's recommended reading.)
And yes there are a myriad of other ways to shut things down from the
Internet, but none of them are as integrated with the Internet as RPKI
would be, right? Plus, I don't really see adding another way to shut
things down as a positive thing, because of the apparent abuse-vector
it represents.

Regards,
Martin

(With tiny, tiny steps, nobody will understand how we ended up where
we end up, and by then it's hard to retract.)

Hey Martin,

I see your point and I believe it is a concern that should be addressed.

tks

Carlos