2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
Hello working group, The review period for the new RIPE Document described in proposal 2008-08 has ended. During the review phase we have seen on the mailing list: - one positive comment (Bais) - one comment to go forward in the PDP with some extra comments intended for the future evolution of a more comprehensive certification policy (Volk) Based on this feedback we (the address policy working group chairs) have decided to move this policy proposal to the Concluding Phase and start the Last Call for Comments. The documents on the website will be updated to reflect this and an official announcement will be sent out once this is done. Thank you all for your contributions, Sander Steffann RIPE Address Policy WG co-chair
On Tue, Apr 26, 2011 at 01:46:01PM +0200, Sander Steffann wrote:
Based on this feedback we (the address policy working group chairs) have decided to move this policy proposal to the Concluding Phase and start the Last Call for Comments.
I do object to the proposal on the grounds much better described by Malcolm Hutty and Martin Millnert than I could. My feeling is that we're dealing here with a possible Pandora's box, and the implications of RPKI are not fully and widely discussed and understood. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
On Tue, 3 May 2011, Daniel Roesen wrote:
On Tue, Apr 26, 2011 at 01:46:01PM +0200, Sander Steffann wrote:
Based on this feedback we (the address policy working group chairs) have decided to move this policy proposal to the Concluding Phase and start the Last Call for Comments.
I do object to the proposal on the grounds much better described by Malcolm Hutty and Martin Millnert than I could.
My feeling is that we're dealing here with a possible Pandora's box, and the implications of RPKI are not fully and widely discussed and understood.
I Think to call it a Pandora's box is to put it lightly... so I'm also against this proposal for reasons given better by Malcolm Hutty and others. -- ------------------------------ Roger Jorgensen | - ROJO9-RIPE - RJ85P-NORID roger@jorgensen.no | - IPv6 is The Key! -------------------------------------------------------
A few idle thoughts on this without being fuelled by Krasnapolsky coffee and chocolates... 2008-08 is about creating a mechanism to use public key cryptography to verify the contents of the RIPE database. Both the allocation records (inet(6)nums) via certificates and the RPSL records (route objects) via ROAs. It does not yet cover aut-nums or any other objects. One of the strengths of the RIPE database has been that of all the RIRs it was the only one to tie those together in the same database. Ironically, this tie now appears to be the stumbling block for moving the resource certification process forward in our region. The thought that in a system where allocation and routing records are tied together by certificates and signed objects the enforced withdrawal of one could lead to isolation from "the Internet." However, 2008-08 does not cover routing, it simply concerns itself with providing a way of cryptographically verifying (I have no idea if that is a real term) the contents of the RIPE database's allocation records. Mechanisms for coupling the allocation records more tightly to routing do indeed need ways for operators to influence the policy they apply -- "my network, my rules." That is currently there with the suggested way to implement this via routing policy, but nobody thinks this solution won't be improved in the future. If there is a requirement to show revoked certificates, that will be part of it. If "law enforcement" mandates the NCC to withdraw an allocation, could it also not mandate that the NCC originates a competing route with a valid ROA that will "trump" the now-invalid ROA? Is this necessarily a problem? By the time it gets to that stage won't the legal system have performed sufficient due process that it believes this is the right way to go? The law is, after all, the law. I fear that is a much more involved discussion though. I value Malcolm's opinion greatly, and when he is this concerned about a proposal it scares me, it scares me a lot, but I think calling a halt to 2008-08 is cutting off our nose to spite our face. 2008-08 is about as simple as it can get, "the certificates will reflect the registration status of the resource." There are many people that are far more expert in creating complicated policy than we are, we should do what we do best, simple policy and flexibility in the technical mechanisms of how this is implemented that leaves control in the hands of the operators (for some definition of "best"). This, though, is in the mechanisms of how we tie this to the routing system. I support a way of being able to verify the holder of address space and 2008-08 is the first step forward in that for some limited set of resources, and I support its progress. It does not require universal deployment to be useful for those that choose to use it, whether for verifying the "owner" of address space, or giving the routing systems hints over preference. All the best, Rob
On 8 May 2011, at 12:28, Rob Evans wrote:
If "law enforcement" mandates the NCC to withdraw an allocation, could it also not mandate that the NCC originates a competing route with a valid ROA that will "trump" the now-invalid ROA? Is this necessarily a problem? By the time it gets to that stage won't the legal system have performed sufficient due process that it believes this is the right way to go?
Rob, I think this is an interesting but probably irrelevant question. The NCC would almost definitely be in contempt of court -- ie jail time for Axel and the Board -- if it issued some kind of alternate certificate after being given a court order to revoke one. However since Sander said the lawyer says there's no way the Dutch courts could issue such a court order, this seems to be unrealistic unless there's new legislation. Though I wonder about the EU dimension here. Perhaps a court order in one EU state can be enforced in another along the lines of the European Arrest Warrant? I'm thinking here about forum shopping, eg something comparable to starting libel actions in the very accommodating English courts because of the stupid laws they have.
I value Malcolm's opinion greatly, and when he is this concerned about a proposal it scares me, it scares me a lot
Same here. Since none of us here are lawyers (thankfully), I think the next stage will be to get relevant legal advice and have it published on the list. Perhaps the WG could help to compose the questions or scenarios for the lawyer to consider. In light of Malcolm's comments, we should go carefully here. The PDP allows for an impact assessment. The current state of this proposal is why it's there. I would hope too that the NCC Board formally approves implementation of this policy if/ when we reach that point. I am not worried about the RPKI being used as a vector for takedown requests by law enforcement or others. I am worried about more informal situations. What does the NCC do when the cops knock on the door and say "We don't have a court order and *really* want you to revoke this cert. Please co-operate."? And although I mentioned law enforcement, there may well be others who would wish to push those boundaries.
Since none of us here are lawyers (thankfully)
that is not clearly the case
I think the next stage will be to get relevant legal advice and have it published on the list.
i thought sander and gert did that and we now seem to be in the stage of second-guessing it. randy
On 9 May 2011, at 11:15, Randy Bush wrote:
I think the next stage will be to get relevant legal advice and have it published on the list.
i thought sander and gert did that and we now seem to be in the stage of second-guessing it.
Please point me/us at the email containing the brief given to the lawyer and the one containing their reply. Sander and Gert will of course have done a competent and responsible job here, as will the lawyer. But that has to be seen to have been done.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/05/2011 11:15, Randy Bush wrote:
I think the next stage will be to get relevant legal advice and have it published on the list.
i thought sander and gert did that and we now seem to be in the stage of second-guessing it.
Nothing I said disagreed with the legal advice given. I did disagree with the inferences the RIPE NCC apparently drew from it (which Sander appended to the legal advice). That's quite different. Any good lawyer will do as the NCC's one did and limit their advice to what is current and known, and the question asked. He can't be blamed if his advice is represented as meaning something more than he said. Malcolm. - -- Malcolm Hutty | tel: +44 20 7645 3523 Head of Public Affairs | Read the LINX Public Affairs blog London Internet Exchange | http://publicaffairs.linx.net/ London Internet Exchange Ltd Maya House, 134-138 Borough High Street, London SE1 1LB Company Registered in England No. 3137929 Trinity Court, Trinity Street, Peterborough PE1 1DA -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk3HxrIACgkQJiK3ugcyKhTrNACfUJXoOt8iY9p4DozX108bgLpQ kSEAoJoMzuBFNiJu0DWfWPxNJPlM8xjR =nMn1 -----END PGP SIGNATURE-----
Hi Malcolm,
Nothing I said disagreed with the legal advice given. I did disagree with the inferences the RIPE NCC apparently drew from it (which Sander appended to the legal advice). That's quite different.
I didn't add anything to the legal advise. The text that I sent comes as-is from the legal department: ========== The RIPE NCC is an association under Dutch law and therefore subject to the Dutch legislation. RIPE NCC has consulted several external lawyers, and has obtained an analysis of the legal situation based on current, existing Dutch legislation. This analysis takes into account Dutch Criminal, Civil and Administrative law. Certificates are directly linked to the registration of the Internet number resources. There is no specific Dutch legislation that can be used to order the deregistration of Internet number resources or change the registration details of Internet number resources. Nor is there any legislation that applies to the revocation of certificates over Internet number resources. In the absence of such legislation, a court cannot order the revocation of certificates. It is the RIPE NCC’s view, based on this analysis, that the RIPE NCC cannot be ordered to revoke resource certificates. ========== Thanks, Sander
Hi, Am Mon, 9 May 2011 11:05:31 +0100 schrieb Jim Reid <jim@rfc1035.com>: ...
However since Sander said the lawyer says there's no way the Dutch courts could issue such a court order, this seems to be unrealistic unless there's new legislation. Though I wonder about the EU
Go and ask the lawyers if a court can order "effective measures" to stop a certain route being announced. This can be a filtering at AMS-IX and other exchanges, blocking it at a peer level or revoking a certificate. I a worst case szenarion, interpretation is up the the LEA and the NCC the most likely target. Regards, Andreas -- Andreas Schachtner afs Holding GmbH communication technologies & solutions http://afs-com.de/ Geschaeftsfuehrer Andreas Schachtner HRB 15448, Amtsgericht Dortmund
Hi Andreas,
However since Sander said the lawyer says there's no way the Dutch courts could issue such a court order, this seems to be unrealistic unless there's new legislation. Though I wonder about the EU
Go and ask the lawyers if a court can order "effective measures" to stop a certain route being announced. This can be a filtering at AMS-IX and other exchanges, blocking it at a peer level or revoking a certificate. I a worst case szenarion, interpretation is up the the LEA and the NCC the most likely target.
I strongly disagree with you here. If one would like to stop a route to be announced, the best way is at the originating router. The AMS-IX or any other IX don't have ANYTHING to say in what an ISP is announcing. They don't want too and since they are not in the AS path of the routes, they simply can't. Trying to depeering a party is 'probably' the second best option, especially if the originating router / infrastructure is owned by the same (offending ?) party. However the experiences with that in the past with parties like McColo and alikes, that isn't something that will happen overnight. Erik
Hi Jim,
On 8 May 2011, at 12:28, Rob Evans wrote:
If "law enforcement" mandates the NCC to withdraw an allocation, could it also not mandate that the NCC originates a competing route with a valid ROA that will "trump" the now-invalid ROA? Is this necessarily a problem? By the time it gets to that stage won't the legal system have performed sufficient due process that it believes this is the right way to go?
Rob, I think this is an interesting but probably irrelevant question. The NCC would almost definitely be in contempt of court -- ie jail time for Axel and the Board -- if it issued some kind of alternate certificate after being given a court order to revoke one.
That isn't the case under Dutch law. The certificate isn't a seizable asset ... or something law-enforcement could force to revoke. Ask anyone who was involved in the actual process from within RIPE NCC, that they have done the legal checks and the feedback from the lawyers in a really THICK document was that what you are second guessing here isn't an issue. It simply can't be revoked by 'law enforcement' ...
I value Malcolm's opinion greatly, and when he is this concerned about a proposal it scares me, it scares me a lot
Same here.
I have great respect for others their opinion, having said that I make my own decisions on what would actually scare me. In this case, all the 'scary' questions have already been answered in the past, the legal part was already looked at.
Since none of us here are lawyers (thankfully), I think the next stage will be to get relevant legal advice and have it published on the list.
Perhaps you should have a look in the archive. This has already been done the first time those questions came up. And all questions have been answered.
Perhaps the WG could help to compose the questions or scenarios for the lawyer to consider. In light of Malcolm's comments, we should go carefully here. The PDP allows for an impact assessment.
Again, I'm repeating myself here .. That was already done.
I am not worried about the RPKI being used as a vector for takedown requests by law enforcement or others. I am worried about more informal situations. What does the NCC do when the cops knock on the door and say "We don't have a court order and *really* want you to revoke this cert. Please co-operate."? And although I mentioned law enforcement, there may well be others who would wish to push those boundaries.
That is a good one :) That one really made me smile. As a Dutch LIR we get questions like this, but come on, get real. Kind requests like these get waived at the reception, even before someone would look at it. I'm sure someone from RIPE NCC could provide a summary of their policy in requests like that. Erik Bais
On Mon, May 09, 2011 at 12:52:15PM +0200, Erik Bais wrote:
I am not worried about the RPKI being used as a vector for takedown requests by law enforcement or others. I am worried about more informal situations. What does the NCC do when the cops knock on the door and say "We don't have a court order and *really* want you to revoke this cert. Please co-operate."? And although I mentioned law enforcement, there may well be others who would wish to push those boundaries.
Kind requests like these get waived at the reception, even before someone would look at it.
I guarantee you they won't if someone shows up with a "National Security Letter" or whatever the EU equivalent may be that orders you to comply *and keep your mouth shut about it*. http://en.wikipedia.org/wiki/Nicholas_Merrill You may also want to watch his presentation at 27C3...
I'm sure someone from RIPE NCC could provide a summary of their policy in requests like that.
If they can, see above. Folks, this proposal fundamentally changes the very nature of the internet as a loose association of independent networks without any central or hierarchical authority other than that of the network owners over *their* network. I think it is only right to perform a detailed and very careful technical *and political* risk assessment of all and any "unintended" consequences of such a change. rgds, Sascha Luck
participants (10)
-
Andreas Schachtner
-
Daniel Roesen
-
Erik Bais
-
Jim Reid
-
Malcolm Hutty
-
Randy Bush
-
Rob Evans
-
Roger Jorgensen
-
Sander Steffann
-
Sascha Luck