Sander,

On Mon, May 20, 2013 at 03:57:47PM +0200, Sander Steffann wrote:
i) whether these concerns are at least potentially valid (I am convinced they are);
The concerns are based on:
a) the majority of network operators using rPKI and dropping unsigned or invalid routes
If this is not the case, rpki serves no useful (security) purpose and its implementation is pointless.
b) legislators giving power to law enforcement so that they can force a Dutch entity (the RIPE NCC) to withdraw resources from its members
Wrong. The NCC must (and will, see Axel's recent message) comply with a court order or injunction. Possibly any court order from an EU member state, these are enforceable across borders, TTBOMK. Neither legislation nor law enforcement need be involved, it could be anyone (BREIN, GEMA, a pissed-off individual with money and lawyers) and the right judge. This does not even consider an attack from a non-legal actor, such as a compromised CA.
c) legislators forcing network operators all over the world to keep doing (a) even in the event of abuse by law enforcement
Nobody needs to *force* operators to do anything, they will probably not even notice a route missing from a few hundred thousand or, indeed, care that TPB is no longer reachable unless someone complains loudly.
show how to adjust local-pref based on rPKI while still accepting all routes. This is the network operator's choice!
True, but the security gain is nil to low if routes with invalid/non-existing ROAs aren't dropped. While some operators may use ROAs to adjust localpref, IMO the "lazy default" and most widely used implementation will be "drop invalid/missing" and this is the case I base my argument on.
The RIPE NCC will only comply with such requests if a Dutch Court order is served by a Dutch LEA, as well as a binding order from law-enforcement or regulatory authorities that are operating as required under Dutch criminal and administrative law (such as the Public Prosecution Department, the Police, the Fiscal Intelligence and Investigation Service).
The NCC will comply with a valid court order as prescribed by law, or the officers will go to jail for contempt until it does.
If the Dutch legal system gets so bad that they require disproportional measures to be taken by the RIPE NCC then I think we have bigger issues and should move the RIPE NCC to a different country.
It already is (not just in .nl), please remember the various TPB-blocking orders served to ISPs in .nl, .ie, .uk and so on. Moving the NCC would have little effect unless it'd be to a non-EU jurisdiction. The only way to solve this would be to have a distributed trust-anchor in multiple jurisdictions, so that a single point of failure/attack does not exist. I've already indicated that I would support a RPKI policy if this requirement was met, but not until then.
I see no need at this point to take other steps, as I don't see (a), (b) and (c) happen simultaneously. If your concerns should approach reality (laws enabling remote control of the RIPE NCC, laws enforcing a very specific usage of rPKI, etc) then we should take steps. Until there is evidence that those concerns are more than fear, uncertainty and doubt we should not act on them.
And unless you deign to take these concerns seriously and even *consider* steps to mitigate them, I will remain, in opposition,
yours,
Sascha Luck
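
Added example, not part of the original message or of any participant's code: the two operator policies debated above ("drop invalid/missing" versus adjusting local-pref while accepting all routes), applied to the origin validation states defined in RFC 6811. The ROAs, prefixes, AS numbers, local-pref values and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample ROAs (prefix, max_length, origin AS); documentation
# prefixes and private-use AS numbers, not real registry data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),
]

def validate(prefix, origin_as, roas):
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        net = ipaddress.ip_network(roa_prefix)
        if route.version != net.version or not route.subnet_of(net):
            continue  # this ROA does not cover the route
        covered = True
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

# Local-pref values are assumptions chosen for illustration.
def policy_drop(state):
    """'Drop invalid/missing': only valid routes are accepted."""
    return 100 if state == "valid" else None  # None = route rejected

def policy_localpref(state):
    """Accept every route; the validation state only ranks it."""
    return {"valid": 200, "not-found": 100, "invalid": 50}[state]

def outcome(prefix, origin_as, roas):
    """Return (state, local-pref under drop policy, local-pref under ranking policy)."""
    state = validate(prefix, origin_as, roas)
    return state, policy_drop(state), policy_localpref(state)

if __name__ == "__main__":
    withdrawn = [r for r in ROAS if r[0] != "192.0.2.0/24"]  # ROA removed
    for label, roas in (("ROA published", ROAS), ("ROA withdrawn", withdrawn)):
        print(label, outcome("192.0.2.0/24", 64500, roas))
    print("more specific", outcome("203.0.113.128/25", 64501, ROAS))
    print("wrong origin ", outcome("203.0.113.0/24", 64500, ROAS))
```

With no other covering ROA, withdrawing a ROA moves the route from valid to not-found rather than invalid, so the route is lost only where not-found routes are dropped as well.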