14 Nov
2014
14 Nov
'14
7:21 p.m.
I think that it is wrong to exclude use of the RPKI signed assertion of authority over a resource to drive admission of foreign records. I do not speak to RPSL per se or ROA, but the fact is that maintainer status is not visible in routing and is irrelevant. Databases need ACL and admission control but we all know the RIPE code has (and always has had) a privileged channel which can effect change in the contents of the schema without first class use of the authorization primitives: heck you can type SQL commands directly and make objects So I like much of what Wilfred said in terms of its intent and outcome. I do not agree that ab initio we should reject use of RPKI signed objects to permit import and export of external information. If I sign an authorization to somebody to include my resources in their IRR, and my resources are in the certificate which signed that authorization what can be stronger? -G On 14 November 2014 06:59, Elvis Daniel Velea <elvis@velea.eu> wrote: > Hi Wilfried, > > finally someone responding to the problem presented. I was about to > think that nobody cares anymore. > > On 14/11/14 16:18, Wilfried Woeber wrote: > > Michael Horn wrote: (to anti-abuse-wg@ripe.net) > > > > [...] > > > >> will result in significant workload. Holy dingus, is this database a > mess... > > And not just "this" one. The whole "Routing Registry" stuff is an > incredible > > mess, and since years, actually. Not really a Numbers Registry failure > or a > > negligence, but rather a multi-faceted mesh of FUD, History and Trade > Secrets > > claimed. > > > > Let me try to collect some facts, at least according to my memory. > > Please correct me where I'm wrong... > > > > - not all 5 RIRs actually do support an IRR functionality. > > > > - the RPSL doc.set, back in the good old days, had some ideas and > provisions > > for integrating the 5 (or then, rather 3, iirc) pieces of Numbers > Registries > > into a single, global, consistent structure. > > As Gert put it: it didn't fly. > > Since then, we were putting band-aid over patch over whatever to deal > with > > that. The result is what we have before us, right now. > > > > - the whole system of creating objects, at least in the RIPE Region, has > become > > totally inconsistent. For an address block, where the RIPE DB is > authoritative, > > and an AS number, you need the credentials from both parties to > register a route: > > or route6: object. > > > > for out-of-region authoritative entries, the dreaded maintainer was > created, in > > order to provide the (useless) 2nd auth: token. > > > > For the RPKI stuff, again, there isn't a requirment for a second > authentication > > token, iirc not even a *notification* to the AS ref.d, when an RoA is > created. > > Anyone of you still thinks RPKI is going to be helpful here? > > Bah, it's just going to give another false impression of credibility > + new vectors > > for errors and attacks. > > > >> -mh > > The only way(s) forward I can see are: > > > > - require manual approval of route: objects for the case of > out-of-region registrations > sounds like an other patch, one that I would welcome as a temporary > solution. > > > > - get the RPSL flaws fixed, the RFCs updated and then implemented > this will probably take years.. > > > > - integrate the 5 Number Registries into a homogenous, distributed DB > with consistent > > authentication mechanisms > > > > - come up with a viable proposal for 1 (one!!) global routing registry > that is > > authoritative, up-todate and complete, used by all operators (yes, I > know, it is > > the wrong type of year /w a XMAS) > I've been asking myself for years why the RIRs can not, under the NRO, > ASO, IANA, (?) umbrellas to come up with a unique registry (resource + > routing).. It's not like the communities do not want/need it... Do we > need to pass a global policy to ask the RIRs to work together? :-) > > A single source of information is, at this moment, a dream. > > - try to do any or all of the above and do so without RPKI requirements. > Please! > > > > Wilfried. > > > regards, > elvis > >