RPKI is not an unalloyed good thing.
The Internet routing system (based on BGP) is currently a completely
decentralized system. There are no single points of control in it. If
you want to route your own traffic to network X via interface Y, there
is nobody who can tell you different; and you can advertise that route
to any or all of your BGP neighbors, again no matter who cares to say no.
(Those neighbors make their own individual decisions about which routes
they will pick up from you, use themselves, and/or spread further.)
Globally distributed protocols with no central control mechanism are
rare and fragile(*). We should not help to destroy this one blindly. A
huge part of what enabled the Internet to grow worldwide over 40 years,
yet remain reliable and uncensorable, is exactly this lack of central
control. RPKI is an effort to destroy it.
RPKI puts the Regional Internet Registries (RIRs), at the top of a newly
created cryptographic authentication pyramid for network routes. The
RIRs are ARIN, RIPE, APNIC, LACNIC, and AfriNIC. Those nonprofits are
"stewards" of the Internet address space, but like every person and every
entity they tend to serve themselves better than they serve others. And
they serve themselves more power by making themselves the arbiters of
which addresses can be routed by whom.
If the RIRs succeed at capturing control of the routing system, then,
indepedent of whether the RIRs are good stewards themselves, there's
another problem. Every country with jurisdiction over them will start
leaning on the RIRs to censor the things that that government doesn't
want the public to have access to. We have already seen plenty of
countries, including nominally liberal democracies like Australia and
the UK, issue orders to their ISPs to block traffic that the government
disapproves of. Whether it's "to save the children", to "combat
terrorism", to "deter fraud", to "smash spammers", for
"national
security", to "stop fake news", to "allow people to outlive their
past",
or whatever. A long history of such censorship lists shows that the
first thing they censor is the list of what's actually being censored,
and then with no public oversight, all kinds of things get censored that
don't deserve it.
Currently the RIRs have power over IP address allocations only in
subnets allocated to them by IANA. And this power does not extend to
any technical control over routing systems -- without RPKI, it's just
advisory. Anyone foolish enough to sign a contract with an RIR has also
granted the RIR the power to cancel their IP address allocation at will
(and to demand significant annual payments just for keeping your few
thousand bytes in a database entry). But, 70% of the Internet addresses
were allocated before the RIRs even came into existence. Those "legacy"
addresses, including 44/9 and 44.128/10, are NOT under the control of
any RIR. The RIRs have always chafed at this limitation, and they tried
to strangle the commercial market for IP addresses at birth, by passing
rules outlawing sale of addresses, preferring instead that anybody who
didn't want their IP addresses had to return them for free to their
regional RIR, and then it would decide who would get them and on what
terms, including what the recipients would pay for them. (Their effort
failed.) The creation of a commercial market for IP addresses was a
threat to them, because the RIRs' power always derived from their
ability to rent you IP addresses that you couldn't get elsewhere. But
that power is dissolving now that they have little or no IPv4 address
space to hand out. They could have become honest registrars of
third-party transactions, like any county's land deed registry (which
doesn't also have a parallel business that allocates land to the needy),
but they prefer a more powerful role. So they are looking for other
levers of power.
By default, the RIRs have been the "deed registries" of IP address
space, since they kept the database of their own numerous handouts, and
copied in the small number of older IANA entries for earlier legacy
allocations. They tried, unsuccessfully, to get legacy address holders
to sign a contract with them, the LRSA contract, in return for keeping
the legacy entries in the database up to date. But everyone quickly
realized that if you DON'T sign with the RIR and if they DO let your
database entry get out of date, then the RIR's database becomes less and
less useful to everybody. Which lessens their power -- why would anyone
even bother to consult a deliberately inaccurate "deed registry"? So at
the moment, the RIRs cheerfully let you update your database entry if
you're a legacy address holder. EXCEPT if you sell your space -- then
their current rules "require" the buyer to sign a contract of adhesion
with the RIR. Some RIRs also demand that the buyer "prove"
bureacratically that they need the addresses that they're spending good
money to purchase. I expect that those requirements, too, will go by
the wayside, if they haven't already in practice, because there is no
upside for the buyer in doing so, and there is a significant downside
(they can reject your purchase attempt, you have to pay them annually,
and they can make up new rules and/or cancel your addresses anytime).
If buyers refuse to sign up and pay annually, and just go ahead and
start using the addresses they bought, the RIR database again would go
out of date, which is not to the RIR's advantage. It's better for the
RIR AND better for the IP address users, to let sales proceed, and
record them honestly, without long-term contracts, without control,
without annual fees -- than for the RIR database to become completely
irrelevant.
So, with this as background, RPKI looks like a great way for RIRs to
assert control over legacy address space. Like a Mafia enforcer, "Nice
IP addresses you've got there -- I hope you don't want to ROUTE THEM
OVER THE INTERNET? You'll have to pay us for that privilege. See, we
already have 18% of the Internet routers taking instructions from us,
and if we don't sign your ROA, then 18% of the Internet won't be able to
reach you." Every time an ISP newly demands ROAs, they incrementally
add to the power of the RIRs as points of centralized control over
things they formerly had no control over. RIPE has been the leader in
developing RPKI and pushing the European region's ISPs to ask users to
adopt it. It doesn't have much traction elsewhere.
You can see some global stats on deployment of RPKI here:
https://rpki-monitor.antd.nist.gov/
Currently 18.9% of global Internet routes have "valid" RPKI
certificates, 0.82% have "Invalid" RPKI certificates, and 80.28% are not
covered at all by RPKI certificates. In the ARIN region, 91% are not
covered by RPKI. The RIRs don't like to point this out when encouraging
ISPs to demand ROAs.
ARIN itself doesn't use RPKI to manage its own Internet routers; see:
https://www.arin.net/participate/community/acsp/suggestions/2018-13/
And there's a reliability issue. ARIN requires anyone who relies on
their RPKI database to sign a contract that specifically absolves ARIN
of any responsibility, if relying on them causes a problem. This
contract specifically states that RPKI should *not* be used "in
connection with equipment in hazardous circumstances or for uses
requiring fail-safe performance, including uses in connection with the
operation of nuclear facilities, aircraft navigation or communication
systems, air traffic control systems, or weapons control systems, where
failure could lead to death, personal injury, or severe environmental
damage." It also says that "ARIN DOES NOT REPRESENT, WARRANT OR
COVENANT THAT ANY ORCP SERVICES, CERTIFICATE, OR ANY ACCESS OR USE
THEREOF WILL (i) BE UNINTERRUPTED, (ii) BE FREE OF DEFECTS,
INACCURACIES, OR ERRORS... IN NO EVENT ... WILL ARIN’S LIABILITY TO
YOU OR ANY THIRD PARTY, INCLUDING ANY OF YOUR CLIENTS OR CUSTOMERS,
EXCEED ONE HUNDRED U.S. DOLLARS (US$100.00) IN THE AGGREGATE." You're
on your own, suckers! It gives us power, but we are NOT responsible!
https://www.arin.net/resources/manage/rpki/rpa.pdf
So if you're a ham providing emergency systems for disaster
communications, don't use RPKI to control your routers. And find an ISP
that doesn't use RPKI to control their routers either.
Don't get me wrong -- besides the Internet power politics, there is an
actual problem with people hijacking other peoples' routes occasionally.
Spy agencies cause their national ISPs to make "mistakes" that reroute
large amounts of big companies' traffic past their wiretapping stations,
"oops". Spammers like to borrow others' address space. ISP technicians
mistype numeric IP prefixes and take out other peoples' addresses. Etc.
See:
https://en.wikipedia.org/wiki/BGP_hijacking
I just don't think imposing a centralized RPKI system is a good solution
to this problem. (Particularly with bureacracies desparate for new
powers exerting the control. Look up Harry J. Anslinger for an
instructive example.)
John
(speaking for myself, not for ARDC nor for net44)
(*): How many globally distributed systems without centralized control
can YOU think of? The Usenet used to be one, though I'd guess it's
down to under a hundred sites now (maybe down to 3!). Kademlia-style
distributed hash tables are another. Blockchains are another. Can you
think of any more?
ALL of these rely on the global Internet routing tables today. (Usenet
was formerly distributed by direct modem links among sites, and over
internal company leased lines, but it has entirely moved onto the
Internet now.) So, if you can centrally control the global Internet
routing tables, you can centrally control ALL the globally distributed
systems, even if they "have no centralized control" built into their own
protocols. Nice power play if you can sneak it through!
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net