Hi, On Wed, Jun 1, 2011 at 5:04 PM, Sander Steffann <sander@steffann.nl> wrote:
Hi,
How can the "risk" of the government be minimized or limited? Or maybe it could be built in such a way that it's not easy/possible for the government to do damage? (Quite an impossible task, since the government can pretty much do whatever they want when they are in power... and the power is given to them by the people in most countries.)
My personal opinion is that the best way to stop any abuse in the future is to leave open the possibility of reverting 2008-08 in the future when such abuse becomes a reality. And we already have that possibility: a proposal to withdraw or change a policy will always be handled according to the PDP (Policy Development Process). If things go really bad we can change the policy, the NCC can shut down the CA and all certificates can be withdrawn. The end result will be the same internet as we have today: one without (valid) certificates for resources. As long as the certificate system doesn't get abused we get to enjoy the benefits...
It will take some time (it can be done in about 10 weeks) to do this should the need ever occur, but as this is a last-resort exit strategy I think this is acceptable. Is this an acceptable solution for everybody?
No. First and foremost I do not want a hierarchical, centralized routing control infrastructure on the Internet. I think the bad outweighs the good by far.

I do not oppose a fully decentralized secure/trusted routing, but by design, my peers should provide me this information. No single authority should be allowed to speak on behalf of others, unless *they* grant that power to it. And for this, the core issue to solve is resource holder/ownership identification -- which seems to me to contradict the current RIR model. And this tells me that we have a much, much larger problem on our hands for the future, made blatantly evident by these debates.

By extension, this means that the RIPE NCC cannot run a trust anchor in the intended way, and there should be no deployed technology in routers supporting a trust anchor such as the proposals today in the first place, since it invites abuse and censorship even if the RIPE NCC itself does not run one, because someone else could.

If, for argument's sake, doing the right thing is impossible, and consensus really is that doing something is better than doing nothing in this matter, the RIPE NCC should have a very clearly defined (but not limited-to) set of rules for when the hierarchical, centralized routing control infrastructure self-destructs *up front*, such that it would be pointless to attempt to abuse it in this way. This suggests that the "self-regulation" we perform overrules law, since abusive laws are what we fear. Additionally, since the attack will be on the integrity of the registry itself, this essentially means we need a complete fail-over registry... If you think this can work, then this may be a useful approach. :)
... and yes, the problems are there on the hijack side, I don't think many disagree on that...
And I would really like to get a solution for this problem, because I am much more afraid of IPv4 address space hijacks once the NCC IPv4 pool runs out...
I'm not afraid at all. It's quite easy to detect incorrect origins today, not sure why that would change. Run-out suggests further incentives to ramp up the traditional IRR filtering. (I'm not suggesting IRR filtering is the optimal solution to securing routing on the Internet, but that should be pretty obvious given what I wrote above.) Increased censorship is a clear and present danger. It's our duty to confront this danger wherever we can.

Best,
Martin
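As an added illustration of the kind of origin check Martin refers to (comparing observed BGP origins against IRR route objects), the following is example code written for this page; it is not from the thread, the RIPE NCC, or any IRR tool. The route objects, prefixes (RFC 5737 documentation ranges) and ASNs (private range) are all constructed sample data, and the classification labels are this example's own.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed IRR-style route objects: prefix -> set of registered origin ASNs.
# Illustrative values only, not real registry data.
ROUTE_OBJECTS: Dict[str, Set[int]] = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501, 64502},  # two legitimate origins (e.g. multihomed)
    "203.0.113.0/24": {64503},
}

# Constructed announcements as (prefix, origin AS) pairs seen from a peer.
ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64500),     # matches the registered origin
    ("198.51.100.0/24", 64502),  # second legitimate origin
    ("203.0.113.0/24", 64599),   # origin differs from the route object
    ("192.0.2.0/25", 64599),     # more-specific with no route object of its own
    ("100.64.0.0/10", 64500),    # nothing registered covers this prefix
]

# Classification labels used by this example.
VALID = "valid"
ORIGIN_MISMATCH = "origin-mismatch"
UNREGISTERED_MORE_SPECIFIC = "unregistered-more-specific"
UNKNOWN = "unknown"


def classify(prefix: str, origin: int,
             route_objects: Dict[str, Set[int]] = ROUTE_OBJECTS) -> str:
    """Compare one announced (prefix, origin) against the route objects.

    Exact-prefix match is checked first, as traditional IRR-built prefix
    filters do. If no exact object exists, a covering less-specific object
    makes the announcement a candidate more-specific hijack or a missing
    registration; otherwise the prefix is simply unknown to the registry.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    exact = route_objects.get(str(net))
    if exact is not None:
        return VALID if origin in exact else ORIGIN_MISMATCH
    for registered, _origins in route_objects.items():
        reg_net = ipaddress.ip_network(registered, strict=True)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if reg_net.version == net.version and net.subnet_of(reg_net):
            return UNREGISTERED_MORE_SPECIFIC
    return UNKNOWN


def find_suspect_announcements(
        announcements: List[Tuple[str, int]],
        route_objects: Dict[str, Set[int]] = ROUTE_OBJECTS,
) -> List[Tuple[str, int, str]]:
    """Return every announcement that is not VALID, with its classification."""
    suspects = []
    for prefix, origin in announcements:
        verdict = classify(prefix, origin, route_objects)
        if verdict != VALID:
            suspects.append((prefix, origin, verdict))
    return suspects


if __name__ == "__main__":
    for prefix, origin, verdict in find_suspect_announcements(ANNOUNCEMENTS):
        print(f"{prefix:18} AS{origin}  {verdict}")
```

The three non-valid verdicts deserve different handling in practice: an origin mismatch on an exactly registered prefix is the classic case worth alerting on, an unregistered more-specific may be either an attack or a customer who forgot to add a route object, and an unknown prefix is a data-coverage problem rather than evidence of anything.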