by sneak 2827 days ago
So this means that the national governments/militaries of the countries in which those entities are located would then have the practical ability to force a revocation that causes someone’s routes to become invalid? This seems like a giant legal SPoF for censorship.

ISTM if these entities were a threat of that sort, they would have already caused problems? Besides ARIN, none of them are really under the control of any one nation, are they?
Nothing the RIRs do right now immediately affects routing on the internet. There is a patchwork of systems, some automatic, some manual, that eventually converge their authority onto the routers that actually do the routing.

This proposal turns that system (which mostly works well) into a system that has somewhat centralized algorithmic control. If routers enforce valid signed records for routing, suddenly the RIRs have an instant, practical power they did not have before.

First of all, BGP routing doesn't work that well at all. There are thousands of BGP hijacks per year [1]; the ones you read about in the news are just the most noteworthy. There are tons of smaller and larger outages because of fat-fingering and misconfigurations that RPKI can help protect against.

Secondly, the RIRs also have the ability to revoke IP address allocations and AS numbers, as well as whois database objects and IRR route objects. An RPKI resource certificate is just a different representation of an RIR resource registration; it's not going to make the difference you claim.

Then, it would also be fairly stupid of a government to abuse a system that is designed to protect the internet from hijacking of critical infrastructure for censorship purposes. The RIRs have done extensive outreach to make this clear to their respective governments. Still, as soon as a government would try a stunt like this, the networking community would simply walk away from this technology in an instant.

Most importantly though, a revoked or expired certificate would result in a BGP announcement with the status 'unknown', as if the operator doesn't participate in the system and the route were never signed in the first place. The route would never become invalid, and thus unreachable.

[1] https://www.internetsociety.org/blog/2018/01/14000-incidents...
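The three validation states the comment above relies on (valid, invalid, and the "unknown"/NotFound state a revoked or expired ROA falls back to) are the RFC 6811 route origin validation algorithm. The following is an added example, not code from the thread or from any RPKI implementation: it implements that algorithm over a constructed ROA set (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs) and classifies a signed announcement, a hijack, a prefix with no covering ROA, and a more-specific whose own ROA has been revoked while a less-specific ROA from another holder still covers it.

```python
"""RFC 6811 route origin validation over a constructed ROA set (added example)."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    # RFC 6811 names; many router CLIs display NOT_FOUND as "unknown".
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not found"


@dataclass(frozen=True)
class ROA:
    prefix: str        # e.g. "192.0.2.0/24"
    max_length: int    # longest prefix length the holder permits to be announced
    origin_as: int


def validate(route_prefix: str, origin_as: int, roas: list[ROA]) -> State:
    """Classify one announcement (prefix, origin AS) against validated ROAs."""
    route = ipaddress.ip_network(route_prefix)
    # A ROA "covers" the route when the route lies inside the ROA prefix.
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return State.NOT_FOUND   # never signed, or the only ROA was revoked/expired
    for roa in covering:
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return State.VALID
    return State.INVALID         # covered, but origin AS or length does not match


def rov_action(state: State, drop_invalid: bool = True) -> str:
    """Typical ROV policy: only INVALID is rejected; NOT_FOUND is still accepted."""
    if state is State.INVALID and drop_invalid:
        return "reject"
    return "accept"


def scenarios() -> dict[str, State]:
    """Constructed ROA set: provider holds a /24, customer holds a /25 inside it."""
    provider_roa = ROA("192.0.2.0/24", 24, 64496)
    customer_roa = ROA("192.0.2.128/25", 25, 64500)
    all_roas = [provider_roa, customer_roa]
    return {
        # Holder announces its own signed prefix.
        "signed": validate("192.0.2.0/24", 64496, all_roas),
        # Another AS originates the prefix: the hijack RPKI is meant to catch.
        "hijack": validate("192.0.2.0/24", 64511, all_roas),
        # No ROA covers this prefix at all (unsigned, or sole ROA revoked/expired).
        "no_covering_roa": validate("198.51.100.0/24", 64496, all_roas),
        # Customer's more-specific with its own ROA in place.
        "customer_signed": validate("192.0.2.128/25", 64500, all_roas),
        # Customer ROA revoked/expired, but the provider's /24 ROA still covers
        # the /25: the route becomes INVALID, not NOT_FOUND.
        "customer_roa_revoked": validate("192.0.2.128/25", 64500, [provider_roa]),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:22s} {state.value:10s} -> {rov_action(state)}")
```

The first three scenarios match the comment: a route only drops from valid to NotFound, and a NotFound route is still accepted under the usual ROV policy. The last scenario is the check to run before letting a ROA lapse: if any other ROA still covers the prefix (here a less-specific from the provider, with a maxLength that does not reach the /25), the announcement is classified Invalid and is dropped by every ROV-enforcing network, so "revoked means unknown" holds only when nothing else covers the prefix.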

Revoking an IP or AS allocation doesn’t actually immediately stop anyone from using it in practice, though, until their peers stop treating them as valid (which is not instantaneous upon RIR fiat).

The networking community would not walk away from abuse in a literal instant, though. It would take days at a minimum, while censorship would occur instantly. It may be a single use weapon but it is still a weapon.

I am not sure that BGP is broken enough to warrant the signing of allocations (or, more specifically, to fail-closed on unsigned/expired allocations).

I'd argue that BGP works really well given how large the Internet has grown over the past 25 years, and how little BGP has changed in that time.