On Wed, Jun 13, 2018 at 12:39:49PM +0100, Sascha Luck [ml] via db-wg wrote:
On Wed, Jun 13, 2018 at 11:11:09AM +0000, Job Snijders via db-wg wrote:
I am sympathetic, but RIPE has no obligation to keep a glaring security hole open to accommodate another RIR's lack of expedience.
There was a time when it would have been seen as the obligation of any RIR to keep the internet running as smoothly as possible. This boat seems to have sailed and not just in an internet context.This paradigm shift mirrors one in general society as well, where it has become acceptable to cause any amount of pain and inconvenience to the general population in the name of 'security'...
The above would be true if there was no alternatives and RIPE NCC was the exclusive provider of this registration service. However, as I pointed out before you can simply register your routes in other IRRs.
Secondly, there is an unintended consequence to this, namely that, if you make it impossible for a segment of resource holders to register their routes properly, some transit providers and IXPs will have no choice but to accept their advertisements anyway without any filter. How that improves 'security', I don't know.
As pointed out, it is not impossible.
IMO such actions should be delayed until there is a mechanism for every resource holder to register their advertisements properly, no matter where they are. Presumably this is something the RIRs themselves could be pushing as they are coordinating among themselves and with ICANN anyway.
Such a mechanism already exists. There is the RPKI registration system and there are multiple IRR systems. Kind regards, Job