[arin-ppml] implementing RPKI prefix validation actually increases risk

John W. O'Brien obrienjw at upenn.edu
Wed Jun 7 11:19:15 EDT 2023


Very well said. Seconded on all points.


On 6/7/23 11:09, Heather Schiller wrote:
> ARIN is relatively neutral on such things.  They take their mandate from 
> the community.  The /community/ wants RPKI deployed.  The /community/ 
> pushed and begged for ARIN to participate.  ARIN held several 
> consultations and public discussions on whether or not they should 
> participate and then what types of service to offer.  That's a 
> fundamental thing folks should understand about ARIN's mission.
> 
> There are several technical forums, NANOG, MANRS, SIDR Ops in IETF, that 
> are better fit for implementation discussion and assistance.  It is not 
> ARIN's mission to dictate to vendors how something should work -- chat 
> up the helpful folks on the SIDR Ops, that is /their/ mandate.  It is 
> occasionally ARIN's mission to raise awareness and educate the public on 
> how something works -- when the community requests it and it aligns with 
> their mission -- see ARIN's years of IPv6 outreach as an example.  Even 
> then, ARIN facilitated discussions, pulling AC members and folks from 
> the community to do the presentations.
> 
> The use case of having large content providers, banks, communications 
> providers, and other critical infrastructure unavailable to significant 
> portions of the internet because someone leaked a /24 they were 
> hijacking to prevent their citizens accessing a service, is a bit more 
> important to the overall security and stability of the internet than a 
> few devices responding to some leaky vpn traffic.
> 
> What I say to orgs who give a lot of money to Spamhaus... You are doing 
> security wrong.  There are enormous business critical institutions and 
> governments that want to see RPKI deployed, to prevent both outages and 
> interception.  Those use cases far outweigh "I don't want anything on my 
> network to respond to packets from an arbitrary list".  Spamhaus pricey 
> lists are designed to be applied to your email service, not your entire 
> routing infrastructure.  Use of RPKI should reduce or eliminate the need 
> for CYMRU's (free!) bogon service and Spamhaus (free!) DROP service. 
> CYMRU's (free!) UTRS list provides a very limited set of prefixes to 
> discard traffic to, to mitigate a DoS attack -- it is not designed to 
> make /your/ network any more secure, but rather protect /others/ from 
> /your/ network.  Spamhaus (free!) EDROP service /could/, rightly, break 
> against RPKI -- I haven't gone to see how many prefixes on the EDROP 
> list have ROAs and there are workarounds.  Overall, you aren't really 
> in a worse security position for deploying RPKI.
> 
> Shout it from the rooftops, deploy RPKI everywhere.
> 
>   --Heather
> 
> 
> On Wed, Jun 7, 2023 at 1:13 AM Michel Py via ARIN-PPML 
> <arin-ppml at arin.net> wrote:
> 
>     In private...
> 
>      > Can you articulate something ARIN could do which would improve
>     the basic fact that configuring and maintaining cryptographic
>     validation systems is technically challenging?
> 
>     Private shame on Cisco to do something better than a half-baked
>     implementation that breaks things?
>     If ARIN wants RPKI deployed, ARIN needs to understand that RPKI does
>     not have much of a business case that executives can see, and that
>     if it breaks security even slightly, it's going to end nowhere.
> 
>     What do you say to orgs who give a lot of money to SpamHaus and
>     other pricey feeds and suddenly see them ineffective because of a
>     cheesy RPKI implementation? They won't touch it again for years and
>     tell everyone to stay away from it.
> 
>     Michel
> 
> 
>     -----Original Message-----
>     From: William Herrin <bill at herrin.us>
>     Sent: Tuesday, June 6, 2023 1:58 PM
>     To: Michel Py <michel at arneill-py.sacramento.ca.us>
>     Cc: PPML <arin-ppml at arin.net>
>     Subject: Re: [arin-ppml] implementing RPKI prefix validation
>     actually increases risk
> 
>     On Tue, Jun 6, 2023 at 10:38 AM Michel Py
>     <michel at arneill-py.sacramento.ca.us> wrote:
>      > the point I was trying to make was about why protocols are not being
>      > adopted. I have some concern that RPKI may eventually die from a
>      > thousand cuts; none of the issues are fatal, but the accumulation of
>      > them sure is annoying.
> 
>     Hi Michel,
> 
>     Unless ARIN did something or failed to do something which
>     contributed to the problem you described, it's not obvious that such
>     information is useful here. Can you articulate something ARIN could
>     do which would improve the basic fact that configuring and
>     maintaining cryptographic validation systems is technically challenging?
> 
>     There are certainly things ARIN could do to improve RPKI uptake, but
>     I'm not aware of any that are responsive to the specific concern you
>     raised.
> 
>     Regards,
>     Bill Herrin
> 
> 
> 
>     --
>     William Herrin
>     bill at herrin.us
>     https://bill.herrin.us/
>     _______________________________________________
>     ARIN-PPML
>     You are receiving this message because you are subscribed to
>     the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>     Unsubscribe or manage your mailing list subscription at:
>     https://lists.arin.net/mailman/listinfo/arin-ppml
>     Please contact info at arin.net if you
>     experience any issues.
> 
> 

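The thread above contrasts RPKI route origin validation with the Spamhaus DROP/EDROP and Team Cymru bogon/UTRS feeds, and Heather notes that EDROP "could break against RPKI" depending on how many of its prefixes have ROAs. The following is an added example, not code from the thread or from any of its posters or from ARIN, Spamhaus or Cymru: it implements the RFC 6811 origin validation outcomes (Valid, Invalid, NotFound) over a constructed ROA set and a few constructed routes, then checks which entries of a constructed drop list have any ROA relationship at all. All prefixes are RFC 5737/RFC 3849 documentation space, all ASNs are RFC 5398 documentation ASNs, and the drop list is made up; the class and function names are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, List, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength and the authorized origin AS."""
    prefix: Net
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Route:
    """A BGP route as seen by a validating router: prefix plus origin AS."""
    prefix: Net
    origin_asn: int


def covering_roas(roas: List[ROA], prefix: Net) -> List[ROA]:
    """ROAs whose prefix equals or contains the given prefix (same address family only)."""
    return [r for r in roas
            if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]


def rov_state(route: Route, roas: List[ROA]) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    covering = covering_roas(roas, route.prefix)
    if not covering:
        return "not-found"        # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_asn == route.origin_asn and route.prefix.prefixlen <= roa.max_length:
            return "valid"        # origin AS and prefix length both authorized
    return "invalid"              # covered, but no ROA authorizes this origin/length


def drop_entry_status(prefix: Net, roas: List[ROA]) -> str:
    """Whether a drop-list prefix has any ROA covering it or inside it."""
    related = [r for r in roas
               if r.prefix.version == prefix.version
               and (prefix.subnet_of(r.prefix) or r.prefix.subnet_of(prefix))]
    return "roa-covered" if related else "no-roa"


# Constructed sample data (documentation prefixes and ASNs); not real ROAs,
# routes or drop-list entries.
SAMPLE_ROAS = [
    ROA(ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ip_network("2001:db8::/32"), 48, 64497),
]

SAMPLE_ROUTES = {
    "legit origin":  Route(ip_network("192.0.2.0/24"), 64496),    # matches ROA
    "wrong origin":  Route(ip_network("192.0.2.0/24"), 64511),    # hijack from another AS
    "too specific":  Route(ip_network("2001:db8:1::/49"), 64497), # exceeds maxLength 48
    "no roa at all": Route(ip_network("198.51.100.0/24"), 64498), # unsigned space
}

# Constructed drop list: one entry that has a ROA, one that does not.
SAMPLE_DROP_LIST = [ip_network("192.0.2.0/24"), ip_network("203.0.113.0/24")]


def evaluate_routes(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS) -> Dict[str, str]:
    """Validation state of every sample route."""
    return {name: rov_state(r, roas) for name, r in routes.items()}


def evaluate_drop_list(drop_list=SAMPLE_DROP_LIST, roas=SAMPLE_ROAS) -> Dict[str, str]:
    """ROA relationship of every drop-list entry."""
    return {str(p): drop_entry_status(p, roas) for p in drop_list}


if __name__ == "__main__":
    for name, state in evaluate_routes().items():
        print(f"route {name:14} -> {state}")
    for prefix, status in evaluate_drop_list().items():
        print(f"drop  {prefix:14} -> {status}")
```

The two outcomes worth reading together are "wrong origin" and "too specific", which ROV marks Invalid without any feed at all (the part of the drop-list job that RPKI takes over), against "no roa at all", which is NotFound and is not rejected by ROV unless the operator chooses to drop NotFound routes. A drop-list entry that is ROA-covered will be announced as Valid by its authorized origin, so whatever filtering that entry was meant to provide has to keep coming from the list rather than from ROV; that is the interaction the post flags for EDROP.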