by sneak
2832 days ago
Nothing the RIRs do right now immediately affects routing on the internet. There is a patchwork of systems, some automatic, some manual, that eventually converge their authority onto the routers that actually do the routing. This proposal turns that system (which mostly works well) into a system that has somewhat centralized algorithmic control. If routers enforce valid signed records for routing, suddenly the RIRs have an instant, practical power they did not have before.
Secondly, the RIRs also have the ability to revoke IP address allocations and AS numbers, as well as whois database objects and IRR route objects. An RPKI resource certificate is just a different representation of an RIR resource registration; it's not going to make the difference you claim.
Then, it would also be fairly stupid of a government to abuse a system that is designed to protect the internet from hijacking of critical infrastructure for censorship purposes. The RIRs have done extensive outreach to make this clear to their respective governments. Still, as soon as a government would try a stunt like this, the networking community would simply walk away from this technology in an instant.
Most importantly though, a revoked or expired certificate would result in a BGP announcement with the status 'unknown', as if the operator doesn't participate in the system and the route were never signed in the first place. The route would never become invalid, and thus unreachable.
[1] https://www.internetsociety.org/blog/2018/01/14000-incidents...
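
Added example, not part of either comment above: a minimal Python model of the three route origin validation states discussed in the thread, following the RFC 6811 rules, that shows what a route's state becomes once its ROA drops out of the validated set. The prefixes, AS numbers and function names are constructed for illustration (documentation ranges only), and the last case covers a prefix that is still covered by a less specific ROA.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, max_length, origin AS).
# Documentation prefixes and documentation AS numbers only.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 32, 64501),      # less specific ROA held by a parent
    ("2001:db8:1::/48", 48, 64502),    # the more specific holder's own ROA
]

def validate(prefix, origin_as, vrps):
    """Return 'valid', 'invalid' or 'unknown' (RFC 6811 names the last 'NotFound')."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue                   # this VRP does not cover the route
        covered = True
        if route.prefixlen <= max_len and vrp_as == origin_as:
            return "valid"             # a covering VRP matches origin and length
    # Covered but unmatched is invalid; no covering VRP at all is unknown.
    return "invalid" if covered else "unknown"

def without_roa(vrps, prefix):
    """Model a revoked or expired certificate: its ROA leaves the VRP set."""
    return [v for v in vrps if v[0] != prefix]

def scenario():
    """Run the cases from the thread and return each resulting state."""
    revoked_v4 = without_roa(VRPS, "192.0.2.0/24")
    revoked_v6 = without_roa(VRPS, "2001:db8:1::/48")
    return {
        "signed": validate("192.0.2.0/24", 64500, VRPS),
        "wrong_origin": validate("192.0.2.0/24", 64511, VRPS),
        "revoked": validate("192.0.2.0/24", 64500, revoked_v4),
        "revoked_wrong_origin": validate("192.0.2.0/24", 64511, revoked_v4),
        "revoked_but_covered": validate("2001:db8:1::/48", 64502, revoked_v6),
    }

if __name__ == "__main__":
    for case, state in scenario().items():
        print(f"{case:22} {state}")
```
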