rpki vs. secure dns?

Sat Apr 28 11:35:15 UTC 2012

* Alex Band:

>> I don't know if we can get RPKI to deployment because RIPE and RIPE
>> NCC have rather serious issues with it.  On the other hand, there
>> doesn't seem to be anything else which keeps RIRs relevant in the
>> post-scarcity world, so we'll see what happens.
>
> Could you elaborate on what those issues are? 

A year ago, RIPE NCC received legal advice that RPKI-based takedowns
would not happen under Dutch law because Dutch law lacked any
provisions for that.  This was used to deflect criticism that RPKI
deployment would result in too much concentration of power:

<http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005858.html>

The legal analysis turned out to be incomplete and the results
incorrect---legal counsel failed to consider public order legislation.
The validaty of such an order (issued in the Dnschanger context) is
currently being challenged in a Dutch court.

>From the comments on these events, I infer that RIPE NCC still does
not want to exercise this level of control over routing, and the RIPE
community does not want RIPE to have such control.  But assuming that
the order stands, RPKI will provide RIPE NCC with a tool that nobody
wants it to have, and RIPE NCC can be forced to use it.  Depending on
the seriousness of those concerns, that's the end of RPKI deployment.

(However, the most likely outcome of the current court case is that
this particular police order will be found invalid on a formality,
such as lack of effectiveness, providing little insight on the
validity of future orders which are more carefully crafted.)

Regarding the post-scarcity future, if most address holders never have
to come back to the RIR to request more addresses, the number of
address-related RIR/LIR transactions will decrease.  Organizations
have a tendency to resist decreases in business (even non-profits),
and RPKI is an obvious source of future business.