RE: Implementing Decentralized RPKI with Blockchain Technology

[Vasilenko Eduard via NANOG <nanog () nanog org>]

++

From: NANOG <nanog-bounces+vasilenko.eduard=huawei.com () nanog org> On Behalf Of Alex
Sent: Friday, November 15, 2024 03:46
To: nanog () nanog org
Subject: Re: Implementing Decentralized RPKI with Blockchain Technology


Haven't we seen this pattern enough times?

1. some organization maintains some database with some data
2. someone asks what if the government forces it to falsify/censor data
3. someone says it would ruin trust and nobody would use the database any more
4. government forces organization to falsify/censor data
5. everyone keeps using that database because it's the low friction path
6. amount of false/censored data increases

Governments already censor everything they can physically get their hands on:

* IP ranges
* DNS (ISP/open resolvers, registries *and* registrars)
* messaging apps
* social media
* end device software and data (only when the vendor already controls it, by pressuring the vendor)

If a little birdie told a censor that if they force *this* organization to publish this data block, *that* organization 
would automatically block *that* resource they don't like, they would go for it. There's absolutely no reason to think 
they would not.

And no, the 1st Amendment won't prevent it, even in the USA.




On 14/11/24 23:44, Tom Beecher wrote:
William-

Yes, you're correct on that point.

Fundamentally though, if an RIR actually did that, it's effectively the end of RPKI, and seismic damage to the internet 
at large. The entire foundation of this system is that everything must trust that the RIRs are the source of truth over 
what IPs are allocated and to whom. RPKI just provides a way to cryptographically verify it. If an RIR was forced to 
pull an allocation by an external party for "non-normal" reasons, then trust in that RIR is irrevocably broken, and we 
have much larger issues to deal with.

On Thu, Nov 14, 2024 at 5:28 PM Brandon Z. <Brandon () huize asia<mailto:Brandon () huize asia>> wrote:
Yeah ,that's what I meant. They can remove the certificate for the resource holder and sign a new certificate for these 
resources and set ROA for as0 only. Technically speaking.

Brandon Z.
HUIZE LTD
www.huize.asia <https://huize.asia/> | www.ixp.su<https://www.ixp.su/> | Twitter
[https://ci3.googleusercontent.com/mail-sig/AIorK4w5mVhfW4gNpNNG4wjzSr6YXLPGstLI3_79RkgqnXaG2nuFEB1nkGeXOqUOO3ma96TcEVR3iaA]
This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use 
of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.


On Fri, Nov 15, 2024 at 01:21 William Herrin <bill () herrin us<mailto:bill () herrin us>> wrote:
On Thu, Nov 14, 2024 at 9:03 AM Tom Beecher <beecher () beecher cc<mailto:beecher () beecher cc>> wrote:
> As explained earlier,  RIRs cannot "create" INVALIDs.

Hi Tom,

Wouldn't they just withdraw the delegation and issue an AS0 ROA
covering the address block? Does that not cause the associated route
advertisements to become RPKI invalid?

Regards,
Bill Herrin


--
William Herrin
bill () herrin us<mailto:bill () herrin us>
https://bill.herrin.us/