[ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
Sander Steffann
sander at steffann.nl
Mon May 20 16:57:33 CEST 2013
Hi,

>>> i) whether these concerns are at least potentially valid (I am
>>> convinced they are);
>> The concerns are based on: a) the majority of network operators using
>> rPKI and dropping unsigned or invalid routes
>
> If this is not the case, rpki serves no useful (security) purpose and
> its implementation is pointless.

Incorrect: rPKI can serve as a warning system, it can be used to adjust local-prefs and other local policy decisions. Not just for dropping or ignoring routes.

>> b) legislators giving power to law enforcement so that they can force a Dutch entity (the RIPE NCC) to withdraw resources from its members
>
> Wrong. The NCC must (and will, see Axel's recent message) comply with a
> court order or injunction. Possibly any court order from an EU member
> state, these are enforceable across borders, TTBOMK.
> Neither legislation nor law enforcement need be involved, it could be
> anyone (BREIN, GEMA, a pissed-off individual with money and lawyers)
> and the right judge.
> This does not even consider an attack from a non-legal actor, such as a
> compromised CA.

Please read the legal statement from the NCC I linked to. You are contradicting it. If you have better legal advice than the RIPE NCC's own lawyers then please contact the NCC.

>> c) legislators forcing network operators all over the world to keep doing (a) even in the event of abuse by law enforcement
>
> Nobody needs to *force* operators to do anything, they will probably not
> even notice a route missing from a few hundred thousand or, indeed, care
> that TPB is no longer reachable unless someone complains loudly.

Operators not caring about their routing tables is a problem out of scope for this policy. There are thousands of other factors besides rPKI, so this is not specific to this policy.

>> show how to adjust local-pref based on rPKI while still accepting all
>> routes. This is the network operator's choice!
>
> True, but the security gain is nil to low if routes with invalid/
> non-existing ROAs aren't dropped.

Not true, see above

> While some operators may use ROAs to adjust localpref, IMO the "lazy
> default" and most-widely used implementation will be "drop
> invalid/missing" and this is the case I base my argument on.

Ah, ok. But since your assumption is invalid (there is no default, and the quick-start examples which would probably be used for such a "lazy default" are completely different from what you assume) then your case isn't very interesting to discuss any further.

Cheers,
Sander
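
Added example, not part of the original message or of any RIPE NCC material: RFC 6811 origin validation over constructed VRPs, comparing a policy that accepts every route and only shifts local-pref with the "drop invalid/missing" policy discussed in the thread. The prefixes, ASNs, local-pref values and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Documentation prefixes and documentation ASNs, not real routing data.
VRPS = [("192.0.2.0/24", 24, 64500), ("203.0.113.0/24", 25, 64501)]

# Constructed announcements: (prefix, origin ASN).
ROUTES = [
    ("192.0.2.0/24", 64500),      # matches a VRP
    ("203.0.113.128/25", 64501),  # more specific, still within maxLength
    ("203.0.113.0/26", 64501),    # longer than maxLength
    ("192.0.2.0/24", 64511),      # covered, but wrong origin
    ("198.51.100.0/24", 64502),   # no covering VRP at all
]

LOCAL_PREF = {"valid": 110, "not-found": 100, "invalid": 90}  # assumed values


def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        roa = ipaddress.ip_network(vrp_prefix)
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True  # at least one VRP covers this prefix
        if route.prefixlen <= max_len and asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def prefer_policy(state):
    """Accept every route; the validation state only shifts local-pref."""
    return True, LOCAL_PREF[state]


def drop_policy(state):
    """Accept only validated routes ("drop invalid/missing")."""
    return state == "valid", LOCAL_PREF["not-found"]


def evaluate(policy, routes=ROUTES, vrps=VRPS):
    """Map each route to (state, accepted, local_pref) under a policy."""
    result = {}
    for prefix, asn in routes:
        state = validate(prefix, asn, vrps)
        result[(prefix, asn)] = (state, *policy(state))
    return result
```

Passing `vrps=VRPS[1:]` to `evaluate` models a withdrawn ROA: 192.0.2.0/24 from AS64500 becomes not-found, which the first policy still accepts at local-pref 100 and the second drops.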