Level 3's IRR Database

Martin Millnert millnert at gmail.com
Sun Jan 30 23:59:59 CST 2011


On Sun, Jan 30, 2011 at 9:22 PM, Carlos Martinez-Cagnazzo
<carlosm3011 at gmail.com> wrote:
> Hi,
> this is the second mention I see of RPKI and Egypt in the same
> context. I sincerely fail to see the connection between both
> situations.

It is quite simple actually.

1. Governments (eventually) want to take pieces of the Internet
offline, and Egypt is only the latest abundantly clear proof of this.
2. RPKI might make this easier to accomplish than before, effectively
leading to more censorship than without it.

My fear is that of the big red DELETE-FROM-THE-INTERNET-button:

If the system becomes widely deployed, it is an even shorter step to
make for various lawmakers in various countries to legislate how RPKI
is to be used.
There are obviously other ways for your local autocrat to cut the
Internet down, but this would undoubtedly add a potential fine-grained
mechanism on top of it that I fail to see how it will not be abused.
  E.g., it'd be possible to, with the right hand, require that all ISPs
treat RPKI in a certain way (abstract away the censorship to all
ISPs', even those in other countries(!), own routers, once the
technology is in place), and with the left hand cherry pick what can
be on and what can be off, at a much, much lower cost than unplugging
everything (Egypt), or buying lots of cool hardware (China). (This is
a bad thing, btw.)

I'd happily see an explanation of RPKI that clears these fears from my
mind, and I'm fairly sure that I am not crazy for having them...
(Meanwhile I will read all of Randy's recommended reading.)
And yes there are a myriad of other ways to shut things down from the
Internet, but none of them are as integrated with the Internet as RPKI
would be, right? Plus, I don't really see adding another way to shut
things down as a positive thing, because of the apparent abuse-vector
it represents.


(With tiny, tiny steps, nobody will understand how we ended up where
we end up, and by then it's hard to retract.)

> On Sun, Jan 30, 2011 at 7:53 PM, Brandon Butterworth
> <brandon at rd.bbc.co.uk> wrote:
>>> > I think it is too early in the deployment process to start dropping
>>> > routes based on RPKI alone. We'll get there at some point, I guess.
>>> Do we really *want* to get to that point?
>> I thought that was the point and the goal of securing the routing
>> infrastructure is laudable. But the voices in my head say don't trust
>> them with control of your routes, see what happened in Egypt.
>> brandon
> --
> --
> =========================
> Carlos M. Martinez-Cagnazzo
> http://www.labs.lacnic.net
> =========================
