Alex,

On May 9, 2011, at 10:21 AM, Alex Band wrote:
On 9 May 2011, at 22:06, Sascha Luck wrote:
Right now, this does *not* work effectively because the internet routes around such censorship attempts and there is no LEA that can reach *everyone* in the world. This policy proposal changes that.

Again, it doesn't change that. Yes, it could potentially change that in some future where laws are changed, but right now revoking a certificate has no effect on routing whatsoever.
Of course, because no one is using it right now. Presumably, the point of deploying RPKI is that people are going to use it. My understanding is that once people start using it, ISPs, under their own free will, will presumably implement routing policy based on certification status. At that point, revoking a certification would have an effect on routing. That effect can be anything from dropping de-certified objects on the floor to making them last resort to not doing anything special. Yes, it is my decision as a network operator what I choose. However, if "most" ISPs make the decision that a de-certified resource should be dropped on the floor, then the result is that every entity in the resource certification chain above that resource (LIR, {NIR,} RIR, IANA/ICANN) has the ability to cause that resource to be ignored for "most" ISPs. Is my understanding wrong?
In the way the system is designed, everything revolves around preferences. At the end of the day, it is up to the network operator to base a decision on the information that is available to him/her.
Of course. And RPKI is providing a hierarchical system to provide information regarding resource certification. The implication of the hierarchical authorization model chosen by the RIRs for RPKI is that parents (and grandparents, etc) can impose policy on their children. Or do I misunderstand the technology here (entirely possible -- been buried under other things and have lost track of RPKI/SIDR developments)?

Thanks,
-drc