[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Owen DeLong owen at delong.com
Mon May 6 15:03:59 EDT 2019



> On May 6, 2019, at 11:49 AM, Jimmy Hess <mysidia at gmail.com> wrote:
> 
> On Mon, May 6, 2019 at 1:45 AM Owen DeLong <owen at delong.com> wrote:
> 
>> Well, this might pose one small problem… ARIN doesn’t approve (or disapprove)
>> any other RIR’s RPKI, nor does it have any authority or basis for doing so.
> 
> Perhaps this represents a design issue in the RPKI that would likely be addressed
> in due time, then, before promulgating the protocol any further…?

It’s mostly a political problem. In general, seeking technical solutions to
political problems tends to work only slightly better than seeking political
solutions to technical problems.

> That the individual RIRs should not each have their own separate instance of
> a root of the resource PKI in the first place (which each router
> would then need to load).

There are five of them, so it’s really not that big of a problem.

To reduce this to one, you first need to identify an organization that can be
trusted with that authority, literally the ability to revoke the valid status of
every route on the internet (or at least every route that has a corresponding
ROA in the RPKI system).

Who do you nominate for that function?

Hint: A US not for profit in Southern California was deemed unacceptable
by most of the regions outside of North America.

> There should instead be a single root authority; much like what exists for
> the DNS root signing key for DNSSEC.

The difference is that if the DNSSEC signing authority goes rogue, it’s
relatively easy to simply turn off DNSSEC in your own zone file and get
back online with an unsigned zone.

With RPKI, cert revocation by the upstream authority makes your route
Invalid until you get a new cert approved by them.

The risk profile is radically different.

> And the root CA certificate's signing key used to sign an intermediate root CA,
> from which each RIR receives a certificate signed by the intermediary that grants
> CA authority for signing only certificates that are limited to signing only
> certificates that can only validate for IP Number resources contained in the
> list of IPv4 and IPv6 blocks and AS number ranges, which are from the list of
> the blocks that have been allocated by IANA to the respective parent RIR.

The PKI 101 course notwithstanding, it’s the risk model associated with this
and the single point of potential failure in that system that has people on
edge about doing it that way.

> Instead of referring to "an ARIN Approved RPKI"; one would mention
> "A particular global RPKI"

Or several particular global RPKIs. Or…

Owen
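The revocation point made in the message above, as an added example that is not part of the thread: a toy model of the chain Jimmy describes (root TA, RIR CA, LIR CA, ISP CA, each limited to its issuer's resources), with RFC 6811 origin validation run before and after an upstream issuer revokes a certificate. All names, AS numbers and addresses are constructed; it only shows how an Invalid versus NotFound result arises from the chain, not any real RIR's RPKI.

```python
import ipaddress
# Constructed toy model: root TA -> RIR CA -> LIR CA -> ISP CA, each cert limited
# (RFC 3779 style) to resources held by its issuer, with ROAs signed under those
# CAs. Hypothetical names, private AS numbers and RFC 5737 addresses throughout.
class Cert:
    def __init__(self, name, prefixes, parent=None):
        self.name, self.parent, self.revoked = name, parent, False
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
    def covers(self, net):
        return any(net.subnet_of(p) for p in self.prefixes)
    def valid(self):
        # Valid only if unrevoked, the chain above it is valid, and its
        # resources sit inside its issuer's (RFC 3779 containment).
        if self.revoked:
            return False
        if self.parent is None:
            return True  # trust anchor
        return self.parent.valid() and all(self.parent.covers(p) for p in self.prefixes)

class ROA:
    def __init__(self, prefix, maxlen, asn, issuer):
        self.prefix = ipaddress.ip_network(prefix)
        self.maxlen, self.asn, self.issuer = maxlen, asn, issuer
    def valid(self):
        return self.issuer.valid() and self.issuer.covers(self.prefix)

def rov(route, origin_as, roas):
    """RFC 6811 route origin validation against the currently valid ROAs."""
    net = ipaddress.ip_network(route)
    covering = [r for r in roas if r.valid() and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    if any(r.asn == origin_as and net.prefixlen <= r.maxlen for r in covering):
        return "Valid"
    return "Invalid"

def revocation_scenario():
    root = Cert("global-root-TA", ["0.0.0.0/0"])
    rir = Cert("RIR-CA", ["192.0.2.0/24", "198.51.100.0/24"], parent=root)
    lir = Cert("LIR-CA", ["192.0.2.0/24"], parent=rir)
    isp = Cert("ISP-CA", ["192.0.2.0/25"], parent=lir)
    roas = [ROA("192.0.2.0/24", 24, 64500, lir), ROA("192.0.2.0/25", 25, 64496, isp)]
    steps = {"before": rov("192.0.2.0/25", 64496, roas),   # ISP's own ROA matches
             "hijack": rov("192.0.2.0/25", 64497, roas)}   # wrong origin AS
    isp.revoked = True   # the LIR, as upstream issuer, revokes the ISP's CA cert
    steps["isp_revoked"] = rov("192.0.2.0/25", 64496, roas)  # Invalid: LIR ROA still covers
    rir.revoked = True   # the root revokes the RIR: every ROA beneath it disappears
    steps["rir_revoked"] = rov("192.0.2.0/25", 64496, roas)  # NotFound
    return steps
```

The two revocation steps show the asymmetry the message points at: while any valid ROA still covers the prefix, the revoked party's announcement is Invalid (and droppable) until a new certificate is issued; only when the whole subtree is gone does the route fall back to NotFound.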
