John,
On Thu, Apr 30, 2020 at 6:00 PM John Gilmore via 44Net <44net@mailman.ampr.org> wrote:
> The Internet routing system (based on BGP) is currently a completely decentralized system. There are no single points of control in it.
False, BGP as used on the Internet requires an Autonomous System Number. These numbers are issued by IANA, and further downstream by RIRs, such as ARIN in North America. An RF equivalent would be the ITU followed by the FCC/NTIA and finally state repeater coordination groups (this is not 100% accurate but serves as a quick analogy). One could argue at a local level frequency allocations are "decentralized", but in reality they are not.
The protocol itself does have an allocation of "private ASNs", which aren't designed for usage on the Internet, as the vast majority of providers filter these as an industry best practice. The protocol itself is very much decentralized in nature; however, the operational usage on the Internet is very much centrally coordinated and administered.
> you want to route your own traffic to network X via interface Y, there is nobody who can tell you different; and you can advertise that route to any or all of your BGP neighbors, again no matter who cares to say no. (Those neighbors make their own individual decisions about which routes they will pick up from you, use themselves, and/or spread further.)
It is true that each BGP-speaking organization can choose its own routing policy. This choice in routing policy has long existed, well before RPKI.
> Globally distributed protocols with no central control mechanism are rare and fragile(*). We should not help to destroy this one blindly. A huge part of what enabled the Internet to grow worldwide over 40 years, yet remain reliable and uncensorable, is exactly this lack of central control. RPKI is an effort to destroy it.
False, RPKI exists for RIRs to continue to have a business model; it was never intended to break the globally distributed BGP protocol. If anything, RPKI exists to provide a global documentation trail of acceptable prefixes which abide by the trust ring, explicitly don't, or are of a neutral nature (neither positive nor false positive).
> RPKI puts the Regional Internet Registries (RIRs) at the top of a newly created cryptographic authentication pyramid for network routes. The RIRs are ARIN, RIPE, APNIC, LACNIC, and AfriNIC.
False, the RIRs were already "at the middle" of this trust chain (IANA technically being the top); nothing new here. These organizations have long been the stewards of modern IP space; RPKI is a formalization of this documentation trail in a machine-readable format, which operators can choose to use in their routing policies.
> Those nonprofits are "stewards" of the Internet address space, but like every person and every entity they tend to serve themselves better than they serve others. And they serve themselves more power by making themselves the arbiters of which addresses can be routed by whom.
The same could be said for ARDC, the steward of the remaining AMPRnet IP space. The level of transparency of all of the RIRs does vary, but they're certainly more forthcoming than ARDC has ever been. A good example is the lack of board meeting minutes, no published budget or P&L, etc.
My own personal operational experience is limited to ARIN and RIPE; both of these organizations ultimately do what their members ask of them, though sometimes with a strong legal focus (ARIN more so than RIPE, though that seems more cultural to ARIN being a US entity operating in a US legal system). They are great stewards of a shared resource, not perfect, but their involvement has not hampered the Internet's growth.
> Currently the RIRs have power over IP address allocations only in subnets allocated to them by IANA. And this power does not extend to any technical control over routing systems -- without RPKI, it's just advisory. Anyone foolish enough to sign a contract with an RIR has also granted the RIR the power to cancel their IP address allocation at will (and to demand significant annual payments just for keeping your few thousand bytes in a database entry). But, 70% of the Internet addresses were allocated before the RIRs even came into existence. Those "legacy" addresses, including 44/9 and 44.128/10, are NOT under the control of any RIR. The RIRs have always chafed at this limitation, and they tried
Can ARDC publicly admit that remaining allocations are not under ARIN stewardship (either under an LRSA or RSA)? The ARIN whois database shows updates as recently as a few weeks ago for the ARDC organization record (https://whois.arin.net/rest/org/ARDC, "Last updated 2020-05-01"). Generally ARIN facilitates these changes via a web portal or API; these services are only available to ARIN members, which execute a Registration Services Agreement (https://www.arin.net/about/corporate/agreements/rsa_faq/). It's highly likely that the Amazon transaction required that the "left over" prefixes be formalized with ARIN, likely with an executed RSA contract. Again, as the steward of this space, ARDC could choose to be more transparent with the operational nature of the transaction.
> Don't get me wrong -- besides the Internet power politics, there is an actual problem with people hijacking other peoples' routes occasionally.
Maybe instead of focusing on your personal war against legacy prefix holders and the legitimacy of RIRs, focus on the real operational concern. Thank you.
Several large tier 1 providers have begun filtering based on RPKI data, such as NTT, ATT, and many others. Does ARDC have a plan to support ROAs?
--Matt
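As an added illustration (not from this thread or from ARDC), here is how RPKI route origin validation sorts a BGP announcement into the three states the reply above alludes to (covered and matching, covered but not matching, and not covered at all), applied to the 44/9 and 44.128/10 prefixes mentioned in the thread. The ROAs and their ASNs are constructed, using documentation-range placeholders rather than any real registration.

```python
"""Route Origin Validation (RFC 6811 semantics) against a small, constructed ROA set."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength and the authorized origin AS."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def is_private_asn(asn: int) -> bool:
    """16-bit and 32-bit private ASN ranges (RFC 6996); most providers filter these."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def validate(announced: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'notfound' for an announced prefix and its origin AS.

    notfound: no ROA covers the prefix (the neutral case: RPKI says nothing about it).
    valid:    a covering ROA names this origin AS and permits this prefix length.
    invalid:  ROAs cover the prefix but none matches (wrong origin AS or too specific).
    """
    net = ipaddress.ip_network(announced, strict=False)
    covering = [r for r in roas if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def policy(announced: str, origin_asn: int, roas) -> str:
    """A typical operator policy: reject RPKI-invalid routes, accept valid and notfound."""
    if is_private_asn(origin_asn):
        return "reject"  # private-ASN origins are dropped regardless of ROA state
    return "reject" if validate(announced, origin_asn, roas) == "invalid" else "accept"


# Constructed ROA set. The ASNs are documentation placeholders (RFC 5398), not ARDC's.
ROAS = [
    ROA(ipaddress.IPv4Network("44.0.0.0/9"), 24, 64496),
    ROA(ipaddress.IPv4Network("44.128.0.0/10"), 24, 64497),
]

if __name__ == "__main__":
    for pfx, asn in [("44.128.0.0/10", 64497), ("44.130.0.0/25", 64497),
                     ("44.1.0.0/16", 64497), ("198.51.100.0/24", 64496)]:
        print(pfx, asn, validate(pfx, asn, ROAS), policy(pfx, asn, ROAS))
```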