On Mon, May 9, 2011 at 4:21 PM, Alex Band <alexb@ripe.net> wrote:
> On 9 May 2011, at 22:06, Sascha Luck wrote:
>> On Mon, May 09, 2011 at 10:01:14PM +0200, Sander Steffann wrote:
>>> I fully agree. Mind you, they could just as well just make a law that says "You may not route any packets to/from addresses that appear on list X" and we would have exactly the situation everyone seems to be afraid of, and it doesn't need RPKI. As soon as laws don't allow 'your network, your rules' anymore then anything can happen... But that is something that we'll have to steer through voting, not address policy :)
>>>
>>> - Sander
>>
>> Right now, this does *not* work effectively because the internet routes around such censorship attempts and there is no LEA that can reach *everyone* in the world. This policy proposal changes that.
>
> Again, it doesn't change that.
>
> Yes, it could potentially change that in some future where laws are changed, but right now revoking a certificate has no effect on routing whatsoever. In the way the system is designed, everything revolves around preferences. At the end of the day, it is up to the network operator to base a decision on the information that is available to him/her. Accepting an invalid prefix because of a revoked certificate is always an option, unless the law is changed in *every* country where this system is used.
>
>> Yeah, new laws, and regarding the Internet, has that ever happened? Oh wait. See block-lists in various countries.
>
> Reread Randy's post from just now where draft-ietf-sidr-origin-ops-07 is quoted.
>
> -Alex
RIPE NCC re-assigns resource R from ISP A to LEA L, and issues it a new resource certificate. A does not use RPKI. LEA L creates a ROA and starts announcing R. In accordance with Randy's post, this means the *minimum* RPKI policy will impose the DDoS.

Kind Regards,
Martin
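The two claims in this exchange, Alex's point that a ROA (or a revoked certificate) reaches the routing table only through the operator's own preference policy, and Martin's re-assignment scenario, modelled as an added example that is not code from the thread or from any RPKI implementation. It computes the origin-validation outcome (Valid / Invalid / NotFound, RFC 6483 semantics) for an announcement against a set of ROAs and then applies two assumed local policies: one that discards Invalid routes, which is how this example models the "minimum policy" Martin refers to, and one that keeps every route and only lowers its local preference. The prefix 192.0.2.0/24 and the AS numbers 64500 (ISP A) and 64501 (LEA L) are constructed placeholders, not values from the thread.

```python
"""Model of RPKI route-origin validation and two local policies.

Added illustration for the mailing-list discussion above; it is not
code from the thread, from RIPE NCC, or from any router vendor.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not_found"


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/24"
    asn: int         # authorised origin AS
    max_length: int  # longest prefix length the ROA authorises


@dataclass(frozen=True)
class Route:
    prefix: str      # announced prefix
    origin_asn: int  # origin AS seen in the AS_PATH


def validate(route: Route, roas: list[ROA]) -> State:
    """RFC 6483 outcome: NotFound if no ROA covers the prefix, Valid if a
    covering ROA names the origin AS and permits the length, else Invalid."""
    net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return State.NOT_FOUND
    for roa in covering:
        if roa.asn == route.origin_asn and net.prefixlen <= roa.max_length:
            return State.VALID
    return State.INVALID


# Assumed preference ladder: any operator-chosen numbers work, the point is
# that validation state is only an input to local policy.
LOCAL_PREF = {State.VALID: 110, State.NOT_FOUND: 100, State.INVALID: 90}


def apply_policy(routes: list[Route], roas: list[ROA], drop_invalid: bool):
    """Return (route, local_pref) for every route the policy installs.
    drop_invalid=True models a policy that discards Invalid announcements;
    False models 'prefer Valid, but keep everything'."""
    installed = []
    for rt in routes:
        state = validate(rt, roas)
        if drop_invalid and state is State.INVALID:
            continue
        installed.append((rt, LOCAL_PREF[state]))
    return installed


def best_path(routes: list[Route], roas: list[ROA], drop_invalid: bool):
    """Simplified BGP decision: highest local preference wins; None means
    no route for the prefix survived the policy (traffic is dropped)."""
    installed = apply_policy(routes, roas, drop_invalid)
    if not installed:
        return None
    return max(installed, key=lambda pair: pair[1])[0]


# Constructed placeholders for Martin's scenario (not values from the thread).
R = "192.0.2.0/24"   # resource R, re-assigned from ISP A to LEA L
ISP_A = 64500        # ISP A, which does not use RPKI
LEA_L = 64501        # LEA L, which publishes a ROA and announces R


def scenario() -> dict:
    """Walk through the re-assignment under both assumed policies."""
    route_a = Route(R, ISP_A)
    route_l = Route(R, LEA_L)
    before = []                  # A never created a ROA: nothing covers R
    after = [ROA(R, LEA_L, 24)]  # L now holds the certificate and issues a ROA
    return {
        "a_before": validate(route_a, before),          # NotFound
        "a_after": validate(route_a, after),            # Invalid
        "l_after": validate(route_l, after),            # Valid
        # both announce R: either policy installs L's route
        "drop_both": best_path([route_a, route_l], after, drop_invalid=True),
        "prefer_both": best_path([route_a, route_l], after, drop_invalid=False),
        # only A still announces R (L withdrew): the policies now differ
        "drop_only_a": best_path([route_a], after, drop_invalid=True),
        "prefer_only_a": best_path([route_a], after, drop_invalid=False),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>14}: {value}")
```

The last two entries are the crux of the thread: with the drop-Invalid policy, the moment L's ROA exists and L is not announcing, nobody running that policy has any path to R at all, while a preference-only policy still forwards to A's announcement. The ROA itself changed nothing on the wire; what differed was the operator's choice of what to do with the Invalid state.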