Here's another negative viewpoint.
https://iscloudflarerightyet.com/
Ron W6RZ
On 4/30/20 18:00, John Gilmore via 44Net wrote:
RPKI is not an unalloyed good thing.
The Internet routing system (based on BGP) is currently a completely decentralized system. There are no single points of control in it. If you want to route your own traffic to network X via interface Y, there is nobody who can tell you different; and you can advertise that route to any or all of your BGP neighbors, again no matter who cares to say no. (Those neighbors make their own individual decisions about which routes they will pick up from you, use themselves, and/or spread further.)
Globally distributed protocols with no central control mechanism are rare and fragile(*). We should not help to destroy this one blindly. A huge part of what enabled the Internet to grow worldwide over 40 years, yet remain reliable and uncensorable, is exactly this lack of central control. RPKI is an effort to destroy it.
RPKI puts the Regional Internet Registries (RIRs) at the top of a newly created cryptographic authentication pyramid for network routes. The RIRs are ARIN, RIPE, APNIC, LACNIC, and AfriNIC. Those nonprofits are "stewards" of the Internet address space, but like every person and every entity they tend to serve themselves better than they serve others. And they serve themselves more power by making themselves the arbiters of which addresses can be routed by whom.
If the RIRs succeed at capturing control of the routing system, then, independent of whether the RIRs are good stewards themselves, there's another problem. Every country with jurisdiction over them will start leaning on the RIRs to censor the things that that government doesn't want the public to have access to. We have already seen plenty of countries, including nominally liberal democracies like Australia and the UK, issue orders to their ISPs to block traffic that the government disapproves of. Whether it's "to save the children", to "combat terrorism", to "deter fraud", to "smash spammers", for "national security", to "stop fake news", to "allow people to outlive their past", or whatever. A long history of such censorship lists shows that the first thing they censor is the list of what's actually being censored, and then with no public oversight, all kinds of things get censored that don't deserve it.
Currently the RIRs have power over IP address allocations only in subnets allocated to them by IANA. And this power does not extend to any technical control over routing systems -- without RPKI, it's just advisory. Anyone foolish enough to sign a contract with an RIR has also granted the RIR the power to cancel their IP address allocation at will (and to demand significant annual payments just for keeping your few thousand bytes in a database entry). But, 70% of the Internet addresses were allocated before the RIRs even came into existence. Those "legacy" addresses, including 44/9 and 44.128/10, are NOT under the control of any RIR. The RIRs have always chafed at this limitation, and they tried to strangle the commercial market for IP addresses at birth, by passing rules outlawing sale of addresses, preferring instead that anybody who didn't want their IP addresses had to return them for free to their regional RIR, and then it would decide who would get them and on what terms, including what the recipients would pay for them. (Their effort failed.) The creation of a commercial market for IP addresses was a threat to them, because the RIRs' power always derived from their ability to rent you IP addresses that you couldn't get elsewhere. But that power is dissolving now that they have little or no IPv4 address space to hand out. They could have become honest registrars of third-party transactions, like any county's land deed registry (which doesn't also have a parallel business that allocates land to the needy), but they prefer a more powerful role. So they are looking for other levers of power.
By default, the RIRs have been the "deed registries" of IP address space, since they kept the database of their own numerous handouts, and copied in the small number of older IANA entries for earlier legacy allocations. They tried, unsuccessfully, to get legacy address holders to sign a contract with them, the LRSA contract, in return for keeping the legacy entries in the database up to date. But everyone quickly realized that if you DON'T sign with the RIR and if they DO let your database entry get out of date, then the RIR's database becomes less and less useful to everybody. Which lessens their power -- why would anyone even bother to consult a deliberately inaccurate "deed registry"? So at the moment, the RIRs cheerfully let you update your database entry if you're a legacy address holder. EXCEPT if you sell your space -- then their current rules "require" the buyer to sign a contract of adhesion with the RIR. Some RIRs also demand that the buyer "prove" bureaucratically that they need the addresses that they're spending good money to purchase. I expect that those requirements, too, will go by the wayside, if they haven't already in practice, because there is no upside for the buyer in doing so, and there is a significant downside (they can reject your purchase attempt, you have to pay them annually, and they can make up new rules and/or cancel your addresses anytime). If buyers refuse to sign up and pay annually, and just go ahead and start using the addresses they bought, the RIR database again would go out of date, which is not to the RIR's advantage. It's better for the RIR AND better for the IP address users, to let sales proceed, and record them honestly, without long-term contracts, without control, without annual fees -- than for the RIR database to become completely irrelevant.
So, with this as background, RPKI looks like a great way for RIRs to assert control over legacy address space. Like a Mafia enforcer, "Nice IP addresses you've got there -- I hope you don't want to ROUTE THEM OVER THE INTERNET? You'll have to pay us for that privilege. See, we already have 18% of the Internet routers taking instructions from us, and if we don't sign your ROA, then 18% of the Internet won't be able to reach you." Every time an ISP newly demands ROAs, they incrementally add to the power of the RIRs as points of centralized control over things they formerly had no control over. RIPE has been the leader in developing RPKI and pushing the European region's ISPs to ask users to adopt it. It doesn't have much traction elsewhere.
You can see some global stats on deployment of RPKI here:
https://rpki-monitor.antd.nist.gov/
Currently 18.9% of global Internet routes have "valid" RPKI certificates, 0.82% have "Invalid" RPKI certificates, and 80.28% are not covered at all by RPKI certificates. In the ARIN region, 91% are not covered by RPKI. The RIRs don't like to point this out when encouraging ISPs to demand ROAs.
ARIN itself doesn't use RPKI to manage its own Internet routers; see:
https://www.arin.net/participate/community/acsp/suggestions/2018-13/
And there's a reliability issue. ARIN requires anyone who relies on their RPKI database to sign a contract that specifically absolves ARIN of any responsibility, if relying on them causes a problem. This contract specifically states that RPKI should *not* be used "in connection with equipment in hazardous circumstances or for uses requiring fail-safe performance, including uses in connection with the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control systems, or weapons control systems, where failure could lead to death, personal injury, or severe environmental damage." It also says that "ARIN DOES NOT REPRESENT, WARRANT OR COVENANT THAT ANY ORCP SERVICES, CERTIFICATE, OR ANY ACCESS OR USE THEREOF WILL (i) BE UNINTERRUPTED, (ii) BE FREE OF DEFECTS, INACCURACIES, OR ERRORS... IN NO EVENT ... WILL ARIN’S LIABILITY TO YOU OR ANY THIRD PARTY, INCLUDING ANY OF YOUR CLIENTS OR CUSTOMERS, EXCEED ONE HUNDRED U.S. DOLLARS (US$100.00) IN THE AGGREGATE." You're on your own, suckers! It gives us power, but we are NOT responsible!
https://www.arin.net/resources/manage/rpki/rpa.pdf
So if you're a ham providing emergency systems for disaster communications, don't use RPKI to control your routers. And find an ISP that doesn't use RPKI to control their routers either.
Don't get me wrong -- besides the Internet power politics, there is an actual problem with people hijacking other people's routes occasionally. Spy agencies cause their national ISPs to make "mistakes" that reroute large amounts of big companies' traffic past their wiretapping stations, "oops". Spammers like to borrow others' address space. ISP technicians mistype numeric IP prefixes and take out other people's addresses. Etc. See:
https://en.wikipedia.org/wiki/BGP_hijacking
I just don't think imposing a centralized RPKI system is a good solution to this problem. (Particularly with bureaucracies desperate for new powers exerting the control. Look up Harry J. Anslinger for an instructive example.)
John (speaking for myself, not for ARDC nor for net44)
(*): How many globally distributed systems without centralized control can YOU think of? The Usenet used to be one, though I'd guess it's down to under a hundred sites now (maybe down to 3!). Kademlia-style distributed hash tables are another. Blockchains are another. Can you think of any more?
ALL of these rely on the global Internet routing tables today. (Usenet was formerly distributed by direct modem links among sites, and over internal company leased lines, but it has entirely moved onto the Internet now.) So, if you can centrally control the global Internet routing tables, you can centrally control ALL the globally distributed systems, even if they "have no centralized control" built into their own protocols. Nice power play if you can sneak it through!
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net