[arin-ppml] implementing RPKI prefix validation actually increases risk

Heather Schiller heather.skanks at gmail.com
Wed Jun 7 11:09:06 EDT 2023

ARIN is relatively neutral on such things.  They take their mandate from
the community.  The *community* wants RPKI deployed.  The *community*
pushed and begged for ARIN to participate.  ARIN held several consultations
and public discussions on whether or not they should participate and then
what types of service to offer.  That's a fundamental thing folks should
understand about ARIN's mission.

There are several technical forums, NANOG, MANRS, SIDR Ops in IETF, that
are better fit for implementation discussion and assistance.  It is not
ARIN's mission to dictate to vendors how something should work -- chat up
the helpful folks on the SIDR Ops, that is *their* mandate.  It is
occasionally ARIN's mission to raise awareness and educate the public on
how something works -- when the community requests it and it aligns with
their mission -- see ARIN's years of IPv6 outreach as an example.  Even
then, ARIN facilitated discussions, pulling AC members and folks from the
community to do the presentations.

The use case of having large content providers, banks, communications
providers, and other critical infrastructure unavailable to significant
portions of the internet because someone leaked a /24 they were hijacking
to prevent their citizens accessing a service, is a bit more important to
the overall security and stability of the internet than a few devices
responding to some leaky vpn traffic.

What I say to orgs who give a lot of money to Spamhaus... You are doing
security wrong.  There are enormous business critical institutions and
governments that want to see RPKI deployed, to prevent both outages and
interception.  Those use cases far outweigh "I don't want anything on my
network to respond to packets from an arbitrary list."  Spamhaus pricey lists
are designed to be applied to your email service, not your entire routing
infrastructure.  Use of RPKI should reduce or eliminate the need for
CYMRU's (free!) bogon service and Spamhaus (free!) DROP service. CYMRU's
(free!) UTRS list provides a very limited set of prefixes to discard
traffic to, to mitigate a DoS attack -- it is not designed to make *your*
network any more secure, but rather protect *others* from *your* network.
Spamhaus (free!) EDROP service *could*, rightly, break against RPKI -- I
haven't gone to see how many prefixes on the EDROP list have ROAs, and
there are workarounds.  Overall, you really aren't in a worse
security position for deploying RPKI.

Shout it from the rooftops, deploy RPKI everywhere.


On Wed, Jun 7, 2023 at 1:13 AM Michel Py via ARIN-PPML <arin-ppml at arin.net> wrote:

> In private...
> > Can you articulate something ARIN could do which would improve the basic
> fact that configuring and maintaining cryptographic validation systems is
> technically challenging?
> Private shame on Cisco to do something better than a half-baked
> implementation that breaks things ?
> If ARIN wants RPKI deployed, ARIN needs to understand that RPKI does not
> have much of a business case that executives can see, and that if it breaks
> even slightly security it's going to end nowhere.
> What do you say to orgs who give a lot of money to SpamHaus and other
> pricey feeds and suddenly see them ineffective because of a cheezy RPKI
> implementation? They won't touch it again for years and tell everyone to
> stay away from it.
> Michel
> -----Original Message-----
> From: William Herrin <bill at herrin.us>
> Sent: Tuesday, June 6, 2023 1:58 PM
> To: Michel Py <michel at arneill-py.sacramento.ca.us>
> Cc: PPML <arin-ppml at arin.net>
> Subject: Re: [arin-ppml] implementing RPKI prefix validation actually
> increases risk
> On Tue, Jun 6, 2023 at 10:38 AM Michel Py <
> michel at arneill-py.sacramento.ca.us> wrote:
> > the point I was trying to make was about why protocols are not being
> > adopted. I have some concern that RPKI may eventually die from a
> > thousand cuts; none of the issues are fatal, but the accumulation of
> > them sure is annoying.
> Hi Michel,
> Unless ARIN did something or failed to do something which contributed to
> the problem you described, it's not obvious that such information is useful
> here. Can you articulate something ARIN could do which would improve the
> basic fact that configuring and maintaining cryptographic validation
> systems is technically challenging?
> There are certainly things ARIN could do to improve RPKI uptake, but I'm
> not aware of any that are responsive to the specific concern you raised.
> Regards,
> Bill Herrin
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
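The check Heather says she has not run (how many prefixes on a DROP-style list are covered by ROAs), alongside RFC 6811 route origin validation, as an added example that is not part of the list post. The ROAs, origin ASNs and blocklist entries are constructed from documentation ranges; the validation states it returns (valid / invalid / notfound) are the RFC 6811 ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # ROA prefix, e.g. "192.0.2.0/24"
    max_length: int  # maxLength: longest prefix the holder may announce
    asn: int         # authorised origin AS


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation for one announced route.

    A ROA 'covers' the route when the announced prefix lies inside the ROA
    prefix.  The route is 'valid' if some covering ROA matches the origin AS
    and the announced length does not exceed maxLength; 'invalid' if ROAs
    cover it but none match; 'notfound' if no ROA covers it at all.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def audit_blocklist(entries, roas):
    """Map each blocklist prefix to the ASNs of ROAs overlapping it.

    An entry with ROAs is address space whose legitimate routes pass ROV
    while traffic to it is still discarded by the list; an empty list means
    ROV says nothing about that space and the blocklist is the only control.
    """
    report = {}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        hits = []
        for roa in roas:
            roa_net = ipaddress.ip_network(roa.prefix, strict=False)
            if net.version == roa_net.version and (
                    net.subnet_of(roa_net) or net.supernet_of(roa_net)):
                hits.append(roa.asn)
        report[entry] = sorted(hits)
    return report


# Constructed sample data (documentation prefixes and private-use ASNs).
ROAS = [Roa("192.0.2.0/24", 24, 64500),
        Roa("198.51.100.0/22", 24, 64501),
        Roa("2001:db8::/32", 48, 64502)]
BLOCKLIST = ["192.0.2.0/24", "203.0.113.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for entry, asns in audit_blocklist(BLOCKLIST, ROAS).items():
        print(entry, "ROA origins:", asns or "none")
```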