Re: Towards an RPKI-rich Internet (and the appropriate allocation of responsibility in the event an RIR RPKI CA outage)

[Alex Band <alex () nlnetlabs nl>]

Hello,

To avoid any misunderstanding in this discussion going forward, I would like to reiterate that an RPKI ROA is a 
positive attestation. An unavailable, expired or invalid ROA will result in a BGP announcement with the status 
NotFound. The announcement will *not* become INVALID, thereby being dropped.

Please read Section 5 of RFC 7115 that John linked carefully:

Bush                      Best Current Practice                 [Page 7]

RFC 7115             RPKI-Based Origin Validation Op        January 2014


  Announcements with NotFound origins should be preferred over those
  with Invalid origins.

  Announcements with Invalid origins SHOULD NOT be used, but may be
  used to meet special operational needs.  In such circumstances, the
  announcement should have a lower preference than that given to Valid
  or NotFound.

Thus, a continued outage of an RPKI CA (or publication server) will result in announcements with status NotFound. This 
means that the prefixes held by this CA will no longer benefit from protection by the RPKI. However, since only 
*invalid* announcements should be dropped, this should not lead to large scale outages in routing.

It is important to be aware of the impact of such an outage when considering questions of liability.

Kind regards,

Alex Band
NLnet Labs

> On 1 Oct 2018, at 01:21, John Curran <jcurran () arin net> wrote:
>
> Folks - 
>
> Perhaps it would be helpful to confirm that we have common goals in the network operator community regarding RPKI, 
> and then work from those goals on the necessary plans to achieve them. 
>
> It appears that many network operators would like to improve the integrity of their network routing via RPKI 
> deployment.  The Regional Internet Registries (RIRs) have all worked to support RPKI services, and while there are 
> different opinions among operators regarding the cost/benefit tradeoffs of RPKI Route Origin Validation (ROV), it is 
> clear that we have to collectively work together now if we are ever to have overall RPKI deployment sufficient to 
> create the network effects that will ensure compelling long-term value for its deployment. 
>
> Let’s presume that we’ve achieved that very outcome at some point in future; i.e. we’re have an Internet where nearly 
> all network operators are publishing Route Origin Authorizations (ROAs) via RIR RPKI services and are using RPKI data 
> for route validation.  It is reasonable to presume that over the next decade the Internet will become even more 
> pervasive in everyday life, including being essential for many connected devices to function, and relied upon for 
> everything from daily personal communication and conducting business to even more innovative uses such as payment & 
> sale systems, delivery of medical care, etc. 
>
> Recognizing that purpose of RPKI is improve integrity of routing, and not add undo fragility to the network, it is 
> reasonable to expect that many network operators will take due care with the introduction of route validation into 
> their network routing, including best practices such as falling back successfully in the event of unavailability of 
> an RIR RPKI Certificate Authority (CA) and resulting cache timeouts.  It is also reasonable expect that RIR RPKI CA 
> services are provisioned with appropriate robustness of systems and controls that befit the highly network-critical 
> nature of these services. 
>
> Presuming we all share this common goal, the question that arises is whether we have a common vision regarding what 
> should happen when something goes wrong in this wonderful RPKI-rich Internet of the future…   More than anyone, 
> network operators realize that even with excellent systems, procedures, and redundancy, outages can (and do) still 
> occur.  Hopefully, these are quite rare, and limited to occasions where Murphy’s Law has somehow resulted in nearly 
> unimaginable patterns of coincident failures, but it would irresponsible to not consider the “what if” scenarios for 
> RPKI failure and whether there is shared vision of the resulting consequences. 
>
> In particular, it would be good to consider the case of an RIR RPKI CA system failure, one sufficient to result in 
> widespread cache expirations for relying parties.  Ideally, we will never have to see this scenario when RPKI is 
> widely deployed, but it also not completely inconceivable that an RIR RPKI CA experience such an outage [1]. For 
> network operators following reasonable deployment practices, an RIR RPKI CA outage should result in a fallback to 
> unvalidated network routing data and no significant network impacts.  However, it’s likely not a reasonable 
> assumption that all network operators will have properly designed and implemented best practices in this regard, so 
> there will very likely be some networks that experience significant impacts consequential to any RIR RPKI CA outage.  
> Even if this is only 1 or 2 percent of network operators with such configuration issues, it will mean hundreds of ISP 
> outages occurring simultaneously throughout the Internet and millions of customers (individuals and businesses) 
> effected globally.  While the Internet is the world’s largest cooperative endeavor, there inevitably will be many 
> folks impacted of a RIR RPKI outage, including some asking (appropriately) the question of “who should bear 
> responsibility” for the harm that they suffered. 
>
> It is worth understanding what the network community believes is the most appropriate answer to this question, since 
> a common outlook on this question can be used to guide implementation details to match.   Additionally, a common 
> understanding on this question will provide real insight into how the network community intends risk of the system to 
> be distributed among the participants.  
>
> There are several possible options worth considering: 
>
>      A) The most obvious answer for the party that should be held liable for the impacts that result from an RPKI CA 
> failure would be the respective RIR that experienced the outage.  This seems rather straightforward until one 
> considers that the RIRs are providing these services specifically noting that they may not be (despite all 
> precautions) available 100% percent of the time, and clearly documented expectations that those relying on RPKI CA 
> information for routing origin validation should be fallback to routing with not validated state [2].   The impacted 
> parties are those customers of ISPs that improperly handled the unavailability of RPKI data; thus escalating 
> situation into a network-affecting outage.  Under these circumstances, directing the claims from customers of all the 
> improperly-configured ISP’s to the RIR completely ignores the responsibility of these ISPs to prepare for this 
> precise eventuality, as was done by the fellow network operators. 
>
>      B) One of the more interesting theories on who should be held liable is that those who are publishing ROA’s are 
> the appropriate responsible parties in the event of RPKI CA failure; one can achieve such a position on the logic 
> that they consciously decided to use RPKA CA services and thus asserted globally that they would henceforth have 
> validated routes – an RPKI CA failure is a case of their “vendor" (the RIR) letting them down on the publication. 
> This also has equity issues, since those publishing ROA information don’t have a clear contributory role, and the 
> damages accruing to them are coming from customers from those operators who failed their duty. 
>
>      C) Another potential answer for the party that should be responsible is that each of the ISPs that failed to 
> appropriately configure their route validation and thus experience a network outage should be responsible for their 
> own customers impacted as a result.  In addition to keeping the liability proportional to the customers served, this 
> encourages each such ISP to consider appropriate corrective measures.  
>
> It is possible to architect the various legalities surrounding RPKI to support any of the above outcomes, but it 
> first requires a shared understanding of what the network community believes is the correct outcome.   There is 
> likely some on the nanog mailing list who have a view on this matter, so I pose the question of "who should be 
> responsible" for consequences of RPKI RIR CA failure to this list for further discussion.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> [1] https://www.ietf.org/mail-archive/web/sidr/current/msg05621.html
> [2] https://www.rfc-editor.org/rfc/rfc7115.txt