Re: Implementing Decentralized RPKI with Blockchain Technology

[Tom Beecher <beecher () beecher cc>]

> In all the rush to deploy RPKI I fear these issues are not talked
> about enough.


The first RPKI deployments started happening in the early 2010s, after many
many years of being talked about.

I'm sure you didn't mean it, but it's pretty insulting to the people who
have spent countless hours working on these issues to say 'it wasn't talked
about enough'.

On Wed, Nov 13, 2024 at 10:05 PM Matt Corallo <nanog () as397444 net> wrote:

> On 11/13/24 9:39 AM, Brandon Z. wrote:
> > Hi there,
> >
> > Currently, due to political factors, some countries are not particularly
> proactive in deploying
> > RPKI. Imagine if the RIR of a region were forced to revoke all IP
> resources of a particular country
> > from RPKI, effectively isolating that country from the global internet.
>
> Thanks for raising this topic. In all the rush to deploy RPKI I fear these
> issues are not talked
> about enough.
>
> > To address this, one approach is for autonomous networks within a region
> to establish two trusted
> > RPKI CA servers: one from the major RIRs and another locally managed.
> The locally managed CA would
> > take precedence, allowing autonomous networks to submit their IP
> resources to the RPKI server of
> > their peers (and potentially backed by a national mandate to trust this
> CA). This setup could
> > prevent a scenario where an entire country’s IP resources are revoked,
> leading to all IPs being
> > marked as invalid.
>
> A variant of this could make some sense, the issue is that it doesn't do
> you a whole lot of good to
> have a local RPKI anchor that you and your local community look to if the
> global internet community
> isn't looking at it - sure, your IPs are routable to a few of your
> friends, but they can't reach
> Google...oops.
>
> Another variant I've suggested before relies on timeouts for removal - for
> networks that have RPKI
> anchors deployed, if their RIR wants to remove their anchors the RIR must
> publish an intent to
> remove the anchor a week (or some other N) prior to the removal, with
> validators ignoring immediate
> removal. This takes the issue from "I woke up one morning and my IPs
> weren't routable" to "I spent a
> week arguing on *NOG and the internet community added a new temporary
> workaround to avoid my ISP
> losing all its resources due to a runaway RIR".
>
> > Another concept is to use blockchain technology. While cryptocurrencies
> use computational power to
> > verify ownership, BGP could use peer count. If an IP resource is marked
> as valid by a majority of
> > high-influence networks (with many peers), it could be trusted by the
> entire internet.
>
> I see where you're going - blockchains are an audit log (eg Certificate
> Transparency) and
> cryptocurrencies generally use something expensive to perform anti-sybil
> to gate appending to the
> audit log, but allowing the largest ISPs to randomly assign or re-assign
> resources doesn't solve the
> problem, it only makes it worse (and we can't do the thing
> cryptocurrencies do where resource
> holders have keys which are required to move the resources, because its
> legitimate for a RIR to
> reclaim resources for non-payment).
>
> Having a cryptographic audit log of RPKI changes (published by the RIRs,
> presumably) isn't the worst
> idea in the world, but it doesn't really buy us a lot so its just kinda
> added complexity.
>
> Matt