RPKI adoption (was: Re: 2749 routes AT RISK )

John Curran jcurran at arin.net
Tue Apr 5 01:59:37 UTC 2022


On 4 Apr 2022, at 8:16 PM, John Gilmore <gnu at toad.com> wrote:
...
Also, centralizing control over route acceptance can be used for
censorship.  If the RIRs succeed in convincing "enough of the net" to
reject any route that doesn't come with an RIR signature, then any
government with jurisdiction over those RIRs can force them to not sign
routes for sites that are politically incorrect.  How convenient -- for
authoritarians.  You can have all the IP addresses you want, you just
can't get 90% of the ISPs in the world to route packets to them.

There is no shortage of Horsemen of the Infopocalypse (child porn,
terrorism, sex slavery, Covid misinformation, manipulative propaganda,
war news, copyright violations, etc, etc, etc) that Absolutely Need To
Be Stamped Out Today whenever politicians decide that Something Must Be
Done.  As an example, we have regularly seen courts force centralized
domain registrars to reject perfectly good applicants for just such
reasons (e.g. SciHub).  The distributed Internet has "routed around"
their ability to censor such information via the routing table.  ISPs
should not hand governments a tool that they have abused so many times
in the past.

There’s a pretty serious misunderstanding here – ARIN certainly offers RPKI services and we’ll help someone get ROAs set up for their resources, but that’s about as far as we go…

We do point folks to resources on how to perform route origin validation (ROV) so they can know the steps involved, but it truly is up to each network operator to decide whether they wish to take that step – which as you note comes with some real-world implications (both good & bad) as a result of new linkages with additional parties for your network routing…

Would the Internet be a better place if everyone did ROV? I could easily argue some of the upsides such as potential mitigation of routing hijack attempts, but the centralization of control and corresponding risks do also need to be weighed here. For example, while ARIN has done exceptionally well historically avoiding any government interference in the operation of the registry, that is obviously no assurance of future outcomes in this regard. In the end, network operators need to consider the potential benefits and the potential risks applicable to their own circumstances, determine _their_ desired outcomes, and then shouldn’t hesitate to speak up with regard to how they want the Internet networking layer to evolve.

Along these lines, I’d like to remind everyone of a fairly important consultation that Andrew Hadenfeldt posted here last month <https://mailman.nanog.org/pipermail/nanog/2022-March/218365.html> –

https://www.federalregister.gov/documents/2022/03/11/2022-05121/secure-internet-routing
https://www.fcc.gov/document/fcc-launches-inquiry-internet-routing-vulnerabilities

(FCC) seeks comment on vulnerabilities threatening the security and integrity of
the Border Gateway Protocol (BGP), which is central to the Internet's global
routing system, its impact on the transmission of data from email,
e-commerce, and bank transactions to interconnected Voice-over Internet
Protocol (VoIP) and 9-1-1 calls, and how best to address them.

Comments are due on or before April 11, 2022

If you have particular views on this important consultation, please take the time to file comments as appropriate.

Best wishes,
/John

John Curran
President and CEO
American Registry for Internet Numbers


