nanog mailing list archives

Re: rpki vs. secure dns?


From: Alex Band <alexb () ripe net>
Date: Sat, 28 Apr 2012 15:04:51 +0200

At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote on RPKI at the general meeting. The result was 
that the RIPE NCC has the green light to continue offering the Resource Certification service, including all BGP Origin 
Validation related functionality. It's correct that concerns were raised in the area of security, resilience and 
operator autonomy, as you mention. These concerns are continuously being evaluated and addressed. The response to the 
update that was given at RIPE 64 two weeks ago indicated that the membership and Community are happy with the approach 
the RIPE NCC is taking in this regard. Of course I realize that some people will never be convinced, no matter which 
steps are taken… 

Looking at the bigger picture though, we shouldn't forget that what RPKI, ROVER and the IRR facilitate is merely the 
ability to make a *statement* about routing (with varying degrees of reliability) and doesn't have a direct impact on BGP 
routing itself. Ultimately, it is up to the network operator to interpret the data that is entered in the system, allowing 
them to make an informed decision and take action they deem appropriate. Everyone has the ability to apply an override 
on data they do not trust, or have a specific local policy for. In the toolsets for using the RPKI data set for routing 
decisions, such as the RIPE NCC RPKI Validator, every possible step is taken to ensure that the operator is in 
the driver's seat. 

Have a look here for a public example: http://rpki.netsign.net:8080/
Or install and try it yourself: http://www.ripe.net/certification/tools-and-resources

Cheers,

Alex

On 28 Apr 2012, at 13:35, Florian Weimer wrote:

* Alex Band:

I don't know if we can get RPKI to deployment because RIPE and RIPE
NCC have rather serious issues with it.  On the other hand, there
doesn't seem to be anything else which keeps RIRs relevant in the
post-scarcity world, so we'll see what happens.

Could you elaborate on what those issues are? 

A year ago, RIPE NCC received legal advice that RPKI-based takedowns
would not happen under Dutch law because Dutch law lacked any
provisions for that.  This was used to deflect criticism that RPKI
deployment would result in too much concentration of power:

<http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005858.html>

The legal analysis turned out to be incomplete and the results
incorrect---legal counsel failed to consider public order legislation.
The validity of such an order (issued in the DNSChanger context) is
currently being challenged in a Dutch court.

From the comments on these events, I infer that RIPE NCC still does
not want to exercise this level of control over routing, and the RIPE
community does not want RIPE to have such control.  But assuming that
the order stands, RPKI will provide RIPE NCC with a tool that nobody
wants it to have, and RIPE NCC can be forced to use it.  Depending on
the seriousness of those concerns, that's the end of RPKI deployment.

(However, the most likely outcome of the current court case is that
this particular police order will be found invalid on a formality,
such as lack of effectiveness, providing little insight on the
validity of future orders which are more carefully crafted.)

Regarding the post-scarcity future, if most address holders never have
to come back to the RIR to request more addresses, the number of
address-related RIR/LIR transactions will decrease.  Organizations
have a tendency to resist decreases in business (even non-profits),
and RPKI is an obvious source of future business.
