nanog mailing list archives

Re: Implementing Decentralized RPKI with Blockchain Technology


From: Matt Corallo <nanog () as397444 net>
Date: Mon, 18 Nov 2024 07:57:03 -0500



On Nov 18, 2024, at 00:02, Tom Beecher <beecher () beecher cc> wrote:

>> That said, the reality today is that RPKI trust anchors are perfectly
>> capable of (through malice or cybersecurity incidents) AS0-routing as much IP space as they want,
>> taking entire swaths of the internet offline for a day or more at a time. So even if there was a ton
>> of hand-wringing about it prior to deployment, that didn't translate into any best practices which
>> actually reduce the trust the RPKI system has.
>
> I mean, I'm still confused about what best practices people think should exist.
>
> The entire point of RPKI is to validate the announcement instructions in the ROA were created by the authorized assignee
> of the IP space. The authoritative party as to who the assignee of the IP space is is the RIR. This means the RIR
> is inherently the root of trust.
>
> What proposals are out there that can perform the same function without that RIR being at the root of it?

I didn’t suggest changing the root of trust. Indeed, the RIR is ultimately responsible for its IP space, and there’s no 
reason to suggest changing that.

RPKI did, however, materially change the process for revoking IP space - instead of removing IP space from Whois and 
then needing to email various networks to get it removed from filters, RIRs can simply AS0-ROA the space and it’s gone 
overnight.

Forcing some human timescale (via software changes in validators) onto that process pulls us one step in between the 
two cases.

Matt
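The two mechanisms discussed in this exchange, an AS0 ROA making every announcement of the covered space Invalid under route origin validation, and a validator-side delay that would force a "human timescale" onto such revocations, are illustrated below in a small Python model. This is an added example, not code from either poster or from any RPKI validator; the ROA set, the route table and the 24-hour grace window are constructed values, and the hold-back policy in `effective_roas` is one assumed reading of Matt's suggestion, not a standard or a deployed feature.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix this ROA authorises
    asn: int          # 0 means "nobody may originate this space" (AS0 ROA)


def covers(roa, route_prefix):
    """RFC 6811 covering ROA: same address family and the route lies inside the ROA prefix."""
    r, p = ip_network(roa.prefix), ip_network(route_prefix)
    return p.version == r.version and p.subnet_of(r)


def matches(roa, route_prefix, origin_asn):
    """A ROA matches when it covers the route, the route is not longer than maxLength,
    and the origin AS equals the ROA's AS. AS0 can never match a real origin."""
    return (covers(roa, route_prefix)
            and ip_network(route_prefix).prefixlen <= roa.max_length
            and roa.asn == origin_asn and roa.asn != 0)


def validate(route_prefix, origin_asn, roas):
    """Route Origin Validation outcome: NotFound, Valid or Invalid."""
    if not any(covers(r, route_prefix) for r in roas):
        return "NotFound"
    if any(matches(r, route_prefix, origin_asn) for r in roas):
        return "Valid"
    # Covered by at least one ROA but matched by none: the AS0-only case lands here.
    return "Invalid"


def as0_revocations(routes, old_roas, new_roas):
    """Routes that flip Valid -> Invalid between two ROA snapshots while an AS0 ROA
    covers them in the new snapshot, i.e. the overnight AS0 revocation described in the mail."""
    flipped = []
    for prefix, asn in routes:
        if validate(prefix, asn, old_roas) != "Valid" or validate(prefix, asn, new_roas) != "Invalid":
            continue
        if any(r.asn == 0 and covers(r, prefix) for r in new_roas):
            flipped.append((prefix, asn))
    return flipped


def effective_roas(routes, old_roas, new_roas, change_seen_at, now, grace):
    """Hypothetical 'human timescale' policy (an assumption for this example, not a standard):
    an AS0 revocation younger than `grace` is not applied yet. The validator keeps the previously
    matching ROAs for the affected routes, so they stay Valid, and returns the held revocations
    so an operator can review them. Once `grace` has elapsed the new snapshot applies as-is."""
    pending = as0_revocations(routes, old_roas, new_roas)
    if not pending or now - change_seen_at >= grace:
        return list(new_roas), []
    held = [r for r in old_roas if any(covers(r, p) for p, _ in pending)]
    return list(new_roas) + held, pending


# Constructed sample data: one holder ROA replaced overnight by an RIR AS0 ROA.
ROUTES = [("203.0.113.0/24", 64496), ("198.51.100.0/24", 64497)]
OLD_ROAS = [Roa("203.0.113.0/24", 24, 64496)]
NEW_ROAS = [Roa("203.0.113.0/24", 24, 0)]
NOW = datetime(2024, 11, 18, 12, 0, tzinfo=timezone.utc)
GRACE = timedelta(hours=24)

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        print(prefix, asn, "old:", validate(prefix, asn, OLD_ROAS), "new:", validate(prefix, asn, NEW_ROAS))
    eff, held = effective_roas(ROUTES, OLD_ROAS, NEW_ROAS, NOW - timedelta(hours=2), NOW, GRACE)
    print("within grace, held revocations:", held, "->", validate("203.0.113.0/24", 64496, eff))
    eff, held = effective_roas(ROUTES, OLD_ROAS, NEW_ROAS, NOW - timedelta(hours=30), NOW, GRACE)
    print("after grace, held revocations:", held, "->", validate("203.0.113.0/24", 64496, eff))
```

The delay applies only to the Valid-to-Invalid flips caused by an AS0 ROA; an AS0 ROA on space that had no matching ROA before (the ordinary "do not announce this" use) still takes effect immediately, and a route with no covering ROA at all stays NotFound in both snapshots.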
