John,

On Thu, Apr 30, 2020 at 6:00 PM John Gilmore via 44Net <44net(a)mailman.ampr.org> wrote:
> The Internet routing system (based on BGP) is currently a completely
> decentralized system. There are no single points of control in it.
False, BGP as used on the Internet requires an Autonomous System Number.
These numbers are issued by IANA, and further downstream by RIRs, such as
ARIN in North America. An RF equivalent would be the ITU followed by the
FCC/NTIA and finally state repeater coordination groups (this is not 100%
accurate but serves as a quick analogy). One could argue at a local level
frequency allocations are "decentralized", but in reality they are not.
The protocol itself does have an allocation of "private ASNs", which
aren't designed for usage on the internet, as the vast majority of
providers filter these as an industry best practice. The protocol itself is
very much decentralized in nature; however, the operational usage on the
internet is very much centrally coordinated and administered.
> you want to route your own traffic to network X via interface Y, there
> is nobody who can tell you different; and you can advertise that route
> to any or all of your BGP neighbors, again no matter who cares to say no.
> (Those neighbors make their own individual decisions about which routes
> they will pick up from you, use themselves, and/or spread further.)
It is true that each BGP speaking organization can choose their own routing
policy. This choice in routing policy has long existed, well before RPKI.
> Globally distributed protocols with no central control mechanism are
> rare and fragile(*). We should not help to destroy this one blindly. A
> huge part of what enabled the Internet to grow worldwide over 40 years,
> yet remain reliable and uncensorable, is exactly this lack of central
> control. RPKI is an effort to destroy it.
False, RPKI exists for RIRs to continue to have a business model - it was
never intended to break the globally distributed BGP protocol. If anything,
RPKI exists to provide a global documentation trail of acceptable prefixes
which abide by the trust ring, explicitly don't, or are of a neutral
nature (neither positive nor false positive).
> RPKI puts the Regional Internet Registries (RIRs), at the top of a newly
> created cryptographic authentication pyramid for network routes. The
> RIRs are ARIN, RIPE, APNIC, LACNIC, and AfriNIC.
False, the RIRs were already "at the middle" of this trust chain (IANA
technically being the top) - nothing new here. These organizations have
long been the stewards of modern IP space; RPKI is a formalization of this
documentation trail in a machine-readable format, which operators can
choose to use in their routing policies.
> Those nonprofits are
> "stewards" of the Internet address space, but like every person and every
> entity they tend to serve themselves better than they serve others. And
> they serve themselves more power by making themselves the arbiters of
> which addresses can be routed by whom.
The same could be said for ARDC, the steward of the remaining AMPRnet IP
space. The level of transparency of all of the RIRs does vary, but they're
certainly more forthcoming than ARDC has ever been. A good example is the
lack of board meeting minutes, no published budget or P&L, etc.
My own personal operational experience is limited to ARIN and RIPE; both of
these organizations ultimately do what their members ask of them - though
sometimes with a strong legal focus (ARIN more so than RIPE, though that
seems more cultural to ARIN being a US entity operating in a US legal
system). They are great stewards of a shared resource, not perfect, but
their involvement has not hampered the internet's growth.
> Currently the RIRs have power over IP address allocations only in
> subnets allocated to them by IANA. And this power does not extend to
> any technical control over routing systems -- without RPKI, it's just
> advisory. Anyone foolish enough to sign a contract with an RIR has also
> granted the RIR the power to cancel their IP address allocation at will
> (and to demand significant annual payments just for keeping your few
> thousand bytes in a database entry). But, 70% of the Internet addresses
> were allocated before the RIRs even came into existence. Those "legacy"
> addresses, including 44/9 and 44.128/10, are NOT under the control of
> any RIR. The RIRs have always chafed at this limitation, and they tried
Can ARDC publicly admit that remaining allocations are not under ARIN
stewardship (either under an LRSA or RSA)? The ARIN whois database shows
updates as recently as a few weeks ago for the ARDC organization record
<https://whois.arin.net/rest/org/ARDC> ("Last updated 2020-05-01").
Generally ARIN facilitates these changes via a web portal or API; these
services are only available to ARIN members, who execute a Registration
Services Agreement <https://www.arin.net/about/corporate/agreements/rsa_faq/>.
It's highly likely that the Amazon transaction required that the "left over"
prefixes be formalized with ARIN, likely with an executed RSA contract.
Again, as the steward of this space, ARDC could choose to be more
transparent with the operational nature of the transaction.
> Don't get me wrong -- besides the Internet power politics, there is an
> actual problem with people hijacking other peoples' routes occasionally.
Maybe instead of focusing on your personal war against legacy prefix
holders and the legitimacy of RIRs, focus on the real operational
concern - thank you.
Several large tier 1 providers have begun filtering based on RPKI data,
such as NTT, ATT, and many others. Does ARDC have a plan to support ROAs?
--Matt
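The thread mentions the three RPKI origin-validation outcomes (prefixes that abide by the trust ring, explicitly don't, or are neutral) and the filtering of private ASNs as an industry practice. The following is an added example, not code from the thread or from any RIR or ARDC tooling: it implements RFC 6811 route origin validation (valid / invalid / not-found) against a constructed set of ROAs using documentation prefixes and ASNs, and applies a private-ASN check of the kind the reply describes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: covered prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs using RFC 5737 / RFC 5398 documentation values;
# these are illustrative only and are not real RPKI data.
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64496),   # exact /24 only, AS64496
    ROA("198.51.100.0/22", 24, 64497),  # /22 and more-specifics down to /24, AS64497
]


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 Route Origin Validation: return 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"           # no ROA covers this prefix: neutral
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"           # some covering ROA authorizes this origin and length
    return "invalid"                 # covered, but no ROA matches origin AS and length


def is_private_asn(asn):
    """Private-use ASN ranges reserved by RFC 6996 (16-bit and 32-bit)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def filter_announcements(announcements, roas):
    """Drop RPKI-invalid routes and private-ASN origins; keep the rest with their state."""
    accepted = []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        if state == "invalid" or is_private_asn(origin):
            continue
        accepted.append((prefix, origin, state))
    return accepted
```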