Dear Gert,

On Fri, Nov 01, 2019 at 09:56:32AM +0100, Gert Doering wrote:
> On Fri, Nov 01, 2019 at 07:09:42AM +0100, Job Snijders wrote:
> > So we really have to wonder whether this is worth it, or whether a few emails or phone calls can also solve the issue.
>
> Isn't that the whole question underlying RPKI deployment?

I don't think it is. RPKI isn't the 'SDN controller for the Internet' :-)

> What is it that we want to stop with RPKI? Only classic "prefix hijacking" (announcing space that is formally delegated somewhere) or other misuses of BGP, like "announce unallocated space, use that for spamming or other sorts of network attacks, withdraw announcement before people can track things back to you"?

Yeah, in my mind RPKI exists to facilitate that people can better communicate their routing intentions to each other, with the RIR as a middle man certifying that formal relations exist (in their role of assigning globally unique number resources to their stakeholders).

The RPKI exists so that you and I can protect each other against misuse or misconfigurations of our resources, and I consider the resources which don't (yet) have a holder out of scope. That's also not where the money is, our business depends on the number resources that were assigned to us, the rest is less relevant.

In this context, it again seems not entirely helpful that all RIRs are sitting on a 0.0.0.0/0 + ::/0 root cert, I wish we could come up with some way to restrict those certs to just the resources they actually manage, and perhaps through delegations from one RIR to another RIR keep transfers working. But this would only work if we have a coherent view on the RPKI which would in turn depend on certain legal barriers not existing... but alas, I'm getting off topic.

Kind regards,

Job