[arin-ppml] implementing RPKI prefix validation actually increases risk

Martin Hannigan hannigan at gmail.com
Wed Jun 7 15:15:52 EDT 2023


Don't usually feel the need to +1, but I doubt anyone can add much more to
this than "well said".

Warm regards,

-M<



On Wed, Jun 7, 2023 at 11:09 AM Heather Schiller <heather.skanks at gmail.com>
wrote:

> ARIN is relatively neutral on such things.  They take their mandate from
> the community.  The *community* wants RPKI deployed.  The *community*
> pushed and begged for ARIN to participate.  ARIN held several consultations
> and public discussions on whether or not they should participate and then
> what types of service to offer.  That's a fundamental thing folks should
> understand about ARIN's mission.
>
> There are several technical forums, NANOG, MANRS, SIDR Ops in IETF, that
> are better fit for implementation discussion and assistance.  It is not
> ARIN's mission to dictate to vendors how something should work -- chat up
> the helpful folks on the SIDR Ops, that is *their* mandate.  It is
> occasionally ARIN's mission to raise awareness and educate the public on
> how something works -- when the community requests it and it aligns with
> their mission -- see ARIN's years of IPv6 outreach as an example.  Even
> then, ARIN facilitated discussions, pulling AC members and folks from the
> community to do the presentations.
>
> The use case of having large content providers, banks, communications
> providers, and other critical infrastructure unavailable to significant
> portions of the internet because someone leaked a /24 they were hijacking
> to prevent their citizens accessing a service, is a bit more important to
> the overall security and stability of the internet than a few devices
> responding to some leaky vpn traffic.
>
> What I say to orgs who give a lot of money to Spamhaus... You are doing
> security wrong.  There are enormous business critical institutions and
> governments that want to see RPKI deployed, to prevent both outages and
> interception.  Those use cases far outweigh "I don't want anything on my
> network to respond to packets from an arbitrary list". Spamhaus pricey lists
> are designed to be applied to your email service, not your entire routing
> infrastructure.  Use of RPKI should reduce or eliminate the need for
> CYMRU's (free!) bogon service and Spamhaus (free!) DROP service. CYMRU's
> (free!) UTRS list provides a very limited set of prefixes to discard
> traffic to, to mitigate a DoS attack -- it is not designed to make *your*
> network any more secure, but rather protect *others* from *your*
> network.  Spamhaus (free!) EDROP service *could*, rightly, break against
> RPKI -- I haven't gone to see how many prefixes on the EDROP list have
> ROAs and there are workarounds.  Overall, you really aren't in a
> worse security position for deploying RPKI.
>
> Shout it from the rooftops, deploy RPKI everywhere.
>
>  --Heather
>
>
> On Wed, Jun 7, 2023 at 1:13 AM Michel Py via ARIN-PPML <arin-ppml at arin.net>
> wrote:
>
>> In private...
>>
>> > Can you articulate something ARIN could do which would improve the
>> basic fact that configuring and maintaining cryptographic validation
>> systems is technically challenging?
>>
>> Private shame on Cisco to do something better than a half-baked
>> implementation that breaks things?
>> If ARIN wants RPKI deployed, ARIN needs to understand that RPKI does not
>> have much of a business case that executives can see, and that if it breaks
>> security even slightly it's going to end nowhere.
>>
>> What do you say to orgs who give a lot of money to SpamHaus and other
>> pricey feeds and suddenly see them ineffective because of a cheesy RPKI
>> implementation? They won't touch it again for years and tell everyone to
>> stay away from it.
>>
>> Michel
>>
>>
>> -----Original Message-----
>> From: William Herrin <bill at herrin.us>
>> Sent: Tuesday, June 6, 2023 1:58 PM
>> To: Michel Py <michel at arneill-py.sacramento.ca.us>
>> Cc: PPML <arin-ppml at arin.net>
>> Subject: Re: [arin-ppml] implementing RPKI prefix validation actually
>> increases risk
>>
>> On Tue, Jun 6, 2023 at 10:38 AM Michel Py <
>> michel at arneill-py.sacramento.ca.us> wrote:
>> > the point I was trying to make was about why protocols are not being
>> > adopted. I have some concern that RPKI may eventually die from a
>> > thousand cuts; none of the issues are fatal, but the accumulation of
>> > them sure is annoying.
>>
>> Hi Michel,
>>
>> Unless ARIN did something or failed to do something which contributed to
>> the problem you described, it's not obvious that such information is useful
>> here. Can you articulate something ARIN could do which would improve the
>> basic fact that configuring and maintaining cryptographic validation
>> systems is technically challenging?
>>
>> There are certainly things ARIN could do to improve RPKI uptake, but I'm
>> not aware of any that are responsive to the specific concern you raised.
>>
>> Regards,
>> Bill Herrin
>>
>>
>>
>> --
>> William Herrin
>> bill at herrin.us
>> https://bill.herrin.us/
>> _______________________________________________
>> ARIN-PPML
>> You are receiving this message because you are subscribed to
>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-ppml
>> Please contact info at arin.net if you experience any issues.
>>
>
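Heather's open question above is how many discard-list (EDROP-style) prefixes are covered by a ROA, and whether a route is valid, invalid or not found under RPKI origin validation. The script below is an added example, not code from any poster or from ARIN; the ROAs and the discard-list entries are constructed from documentation address ranges, and the validation logic follows RFC 6811 (covering ROA, origin ASN match, maxLength check).

```python
import ipaddress

# Constructed sample ROAs (not real RPKI data): (prefix, maxLength, origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

# Constructed stand-in for a discard feed such as DROP/EDROP (not real feed data)
DISCARD_LIST = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48"]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers (equals or contains) the given prefix."""
    net = ipaddress.ip_network(prefix)
    result = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed address families, so check the version first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            result.append((roa_prefix, max_len, asn))
    return result


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 route origin validation: 'notfound', 'valid' or 'invalid'.

    notfound: no ROA covers the prefix.
    valid:    some covering ROA has the same origin ASN and the announced
              prefix length does not exceed that ROA's maxLength.
    invalid:  covering ROAs exist, but none matches origin and length.
    """
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "notfound"
    for _roa_prefix, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def discard_entries_with_roas(discard_list, roas):
    """Map each discard-list prefix that has a covering ROA to those ROAs.

    These are the entries an operator should review before applying the
    feed to routing, since the holder has authorised an origin for them.
    """
    return {p: covering_roas(p, roas) for p in discard_list if covering_roas(p, roas)}
```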