nanog mailing list archives

Re: A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)


From: Owen DeLong <owen () delong com>
Date: Tue, 1 Feb 2011 14:51:21 -0800


On Feb 1, 2011, at 1:57 PM, Alex Band wrote:


On 1 Feb 2011, at 22:20, Owen DeLong wrote:


On Feb 1, 2011, at 9:14 AM, Christopher Morrow wrote:

On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <millnert () gmail com> wrote:
Here be dragons,
<snip>
It should be fairly obvious, by most recently what's going on in
Egypt, why allowing a government to control the Internet is a Really
Bad Idea.


how is the egypt thing related to rPKI?
How is the proposed rPKI work related to gov't control?

RPKI is a big knob governments might be tempted to turn.

Of course we looked into this, cause we're running our service from Amsterdam, the Netherlands. The possibilities for 
law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are 
extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not 
qualify as goods that are capable of being confiscated.

Confiscated isn't the only possible issue. Being ordered to revoke a ROA or sign an alternate ROA isn't necessarily 
confiscation. It's court-ordered behavior. I'm not familiar enough with Dutch law to know if this is possible or not, 
but, regardless of the law today, the certificate issue remains after the law is changed. No country has immutable 
laws. Even the US Constitution can be (and has been) changed.

Then of course, the decision making process always lies in the hands of the network operator. Only if a government 
would mandate an ISP to respect an invalid ROA and drop the route, it would be effective. 

If the RIR is signing the "invalid" ROA, how does one distinguish the invalid from the valid?

So *both* these things would have to happen before there is an operational issue. Like you've seen in Egypt, pulling 
the plug is easier...

Today, pulling the plug is easier. In an automated RPKI environment where a revocation or alternate signed record can 
cause service impacts, 

YMMV on your side of the pond.

Alex Band
Product Manager, RIPE NCC

With the mere passage of a law, so could the mileage on your side of the pond.

Owen


