I think there are two qualities to the problem:

1) what kind of authentication takes place to admit out-of-region data into a system which demands self-referential integrity and can't be made to do cross-system references

2) what time limits do we place on the data to require re-validation, so that it doesn't last forever and go stale.

Designing this demands both sender and receiver agree. The prior art, RPSS and RPS-Auth, did not achieve agreement on both sides: we didn't all agree to run a single cohesive framework.

RPKI (noting Sander's concerns it scares some people) has the huge benefit: all the RIRs are doing it, and all the RIRs respect each other's root/signing trust chains.

And, as I said before, it has time limits built in: signed objects have a lifetime by definition. Do nothing, and data ages out at some point.

That's why I like it: it's commonly implemented, and it behaves the ways we need, for this function.

-G

On 9 November 2014 11:59, Gert Doering <gert@space.net> wrote:
Hi,

On Sun, Nov 09, 2014 at 11:48:36AM -0800, Ronald F. Guilmette wrote:
> P.S.  I'm still a bit befuddled by what happened in this case.  Would it
> be a fair characterization to say that what AS201640 has done in this
> case is to exploit a kind of loophole which is uniquely present only
> when the hijacker/squatter AS is registered in one RiR and the IP blocks
> that are being hijacked/squatted are registered in a different RiR?

Yes.

> Also, could this scenario have been replicated if the origin AS had
> been registered in/by ARIN, APNIC, LACNIC, or AFRINIC, rather than
> RIPE?

I'm not sure how the access control in other regions' IRR DBs works - but
at least ARIN's database is based on RIPE code, so "it might be".

> If so, then a proper sort of fix will necessarily involve all
> five RiRs, no?

Correct.  George Michaelson is from APNIC, so "they are aware", and I'm
fairly sure the other RIRs are being informed.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279