[arin-ppml] Draft Policy 2012-3: ASN Transfers
tvest at eyeconomics.com
Fri Mar 23 18:24:02 EDT 2012
On Mar 23, 2012, at 12:15 PM, Martin Hannigan wrote:
> On Fri, Mar 16, 2012 at 5:23 PM, Tom Vest <tvest at eyeconomics.com> wrote:
>> On Mar 16, 2012, at 2:40 PM, David Farmer wrote:
>>> On 3/16/12 10:11 CDT, Tom Vest wrote:
>>>> 3. Entities that would not be unhappy to see SIDR/RPKI fail
>>>> absolutely and/or to succeed primarily in turning the current
>>>> industry pecking order into a perpetual, insurmountable reputation
>>>> hierarchy -- where no amount of good of behavior can ever be truly
>>>> reassuring (if you're a new entrant), and no instance of bad behavior
>>>> need ever tarnish one's own reputation (if you're an incumbent
>>>> operator) -- would have everything they require to achieve those
>>> I'd be interested in more details on the risks you see ASN transfers creating for RPKI.
>>> Would such risks to RPKI associated with ASN transfers be any different than ARIN reassigning an ASN that was returned to it or that ARIN reclaimed?
>>> Are you saying that ASNs are suppose to be both globally and eternally unique?
>>> I'm not saying I'd be opposed to ASNs being eternally unique, but I didn't know it was a requirement, especially of RPKI.
>> Hi David,
>> The risk would be to the value of the information that RPKI provides to (any/all) non-peers, and at least potentially to direct peers as well (as I believe Chris alluded to earlier this week). The knowledge that route (a) was originated by AS (x) is only meaningful insofar as one has some set of high-confidence beliefs/expectations about AS (x). However, if AS (x) can change hands at will, henceforth no such confidence will be possible for the overwhelming majority if not all ASes.
> If the ASN was transferred and trust mechanisms were implemented,
> wouldn't the trust chain break?
I'd like to respond to your question directly, but for that to be possible you'll first have to explain what you mean by "trust mechanisms."
Without specifics it sort of sounds like the proverbial "dormitive principle."
> I don't quite understand what the problem you are describing actually is.
Proponents of market-based resource transfers frequently argue that "command and control mechanisms" (in this case meaning a majority of the RIR policy-engaged community themselves c. a couple of policy cycles in the past) are inferior to markets because they cannot anticipate all of the reasons why resource seekers might want/need to acquire resources. It's basically an argument for individual humility before a market that somehow "knows more" than individuals acting alone or groups of individuals voluntarily coordinating their actions -- allegedly even in cases where "the market" and "the voluntarily self-coordinating group" are identical in size and composition.
The thing is, this argument for humility works both ways. So even if you don't know what sort of problems/exploits/vulnerabilities that AS transfers will create, you can rest assured that the market knows.
> If someone transfers an ASN to "steal" peering, it would take a
> lot more work than just that.
Maybe it would take more work, eventually. Maybe not.
Depends on what you mean by "steal" I guess.
In general you might assume that landlords would have all sorts of reasons and opportunities to inform their tenants when they decide to sell their rental properties. Despite that, a quick Google search suggests that there are probably "millions" of cases involving property owners who are not entirely clear about their incentives/obligations in this area, and/or tenants who "didn't get the memo" until it was too late to avoid some nontrivial personal inconvenience, etc., as a result of some unforeseen equity event. There may be no physical "stealing" in most such cases, but there certainly seems to be quite a lot of allegedly tortious activity -- which invariably means that somebody's claiming to have suffered losses due to someone else's actions.
Now, if we can come up with a "trust mechanism" for AS transfers that is as effective as black letter law + judicial system + continuous, consistent universal public visibility + armed LEA, we might very optimistically aspire to limit the frequency and impact of (invisible, ephemeral) AS-transfer related disputes to equivalent problem rates encountered in the market for (tangible, immovable, unmistakable) real property. Without (at least) an equivalent mechanism, the cumulative results are likely to start out ugly and only get uglier over time.
> At a very high level, the entire
> relationship would change and probably dramatically from what it was
> before the transfer.
So do you require your NOC staff to monitor dedicated video feeds for each and every one of your BGP links on a 24x7 basis (and also make the 24x7 visibility of some previously identified customer/peer/provider rep in each of those feeds as a mandatory condition of every peering agreement and interconnection deal you enter into)? Do your routers automatically detect and log changes in ownership status of the devices on the other side?
Here's a riddle that (IMO) perfectly encapsulates the problem:
Q: Practically speaking, what are the three most significant operational differences between an AS changing hands between two private parties and a BGP MITM attack?
A: 1. A legally executed purchase agreement that you'll never see.
2. A buyer or seller-initiated registry update that may or may not have happened yet (or ever).
3. An aggrieved third party who might discover or be tipped off about the unauthorized spoofing of his/her AS -- which would only exist in a real MITM attack.
> How about a real world example of how transferring an ASN has hurt someone?
As you know, If I had any to share, I couldn't share 'em ;-)
I've already shared several scenarios here and at various meetings a few years back, although none that is likely to cross the threshold separating "hypothetical" from "predictable" unless/until private AS transfers are actually sanctioned by the community.
I just don't see how private, market-based AS transfers can be made to be feasible/sustainable as a general practice under current circumstances :-\
More information about the ARIN-PPML