[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Owen DeLong owen at delong.com
Mon May 6 02:52:42 EDT 2019



> On May 4, 2019, at 21:41 , Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> 
> 
> In message <F04ED1585899D842B482E7ADCA581B8472A70BB6 at newserver.arneill-py.local
> Michel Py <michel at arneill-py.sacramento.ca.us> wrote:
> 
>> And now this comes, which is going to scare the bleep out of everyone who
>> has to deal with these issues in the real world.
> 
> You say that like it's a bad thing.
> 
> If universal RPKI deployment is really The Solution, as many appear to
> claim, then maybe it's time that some folks had the bleep scared out of
> them in order to make it actually happen.  I mean universally.

As it currently stands, RPKI alone is little more than a cryptographically signed
indication of what you need to prepend to your hijack announcement.

> I confess to being woefully ignorant of all this.  So if Michael or anyone
> wants to enlighten me about what the hold up is, and why we don't already
> have universal RPKI deployment, I'm all ears.

This is my current understanding… I may be slightly wrong, but I think
this is the gist of the situation anyway…

1.	RPKI depends on distribution of a Trust Anchor Locator (TAL).
2.	Because (politics) and (ICANN), there’s no universal TAL.
3.	To work around (2) each RIR has its own TAL which signs the
	following:
			All IPv4 prefixes longer than 0.0.0.0/0
			All IPv6 prefixes longer than ::/0
4.	Because (lawyers) and (US politics), the ARIN TAL is not
	freely available without agreement to a license which:
	(1)	Prohibits redistribution without imposing the same
		terms on each recipient
	(2)	Requires you to indemnify ARIN and hold ARIN harmless
		for any damages that result from your use of the TAL.
5.	Lots of people don’t like the contract and refuse to sign it.

> Personally, I am not wedded to any specific solution.  I just want the
> obvious and abundant routing problem(s) solved.  Any port in a storm.

I want the problem solved, too. But asking ARIN to solve it is a little bit
like asking the guy that drives the ice cream truck to stop people from
speeding in your neighborhood.

He may know who all the kids are, but he has no law enforcement powers.

Owen
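
Added example, not part of the original message: a minimal Python sketch of RPKI route origin validation as specified in RFC 6811, showing which fields of an announcement the check reads (prefix, length, origin AS) and that the rest of the AS path does not affect the result. The VRP entries, prefixes and AS numbers are constructed from documentation ranges, and `validate_origin` is a name chosen here.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a relying party extracts from a signed ROA."""
    prefix: str
    max_length: int
    origin_as: int

# Constructed sample data (documentation prefixes and documentation ASNs).
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64501),
]

def validate_origin(route_prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a route (RFC 6811).

    Only the final AS in as_path (the origin) is compared against the VRPs;
    every AS before it is ignored by this check.
    """
    route = ipaddress.ip_network(route_prefix)
    origin = as_path[-1]
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route is equal to or more specific than it.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if route.prefixlen <= vrp.max_length and origin == vrp.origin_as:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", [64510, 64500]),     # authorized origin
        ("192.0.2.0/24", [64510, 64511]),     # wrong origin AS
        ("192.0.2.0/25", [64510, 64500]),     # longer than maxLength
        ("198.51.100.0/24", [64510, 64500]),  # no covering VRP
        ("192.0.2.0/24", [64511, 64500]),     # different upstream, same origin
    ]
    for prefix, path in samples:
        print(prefix, path, validate_origin(prefix, path))
```

The first and last samples return the same state because origin validation has no input describing who is adjacent to the origin; detecting that difference requires path validation or monitoring outside this check.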
