Re: Need for historical prefix blacklist (`rogue' prefixes)

2021-10-31 Thread Jakob Heitz (jheitz) via NANOG
It may be possible to create a fake certificate for a fake ROA.
However, to do that requires a lot of steps to go right.

First, the RSA private key needs to be derived from the public key.
The quantum computer physics exists to do it.
However, the known technology is massively behind and may never materialize.
OTOH, it is a wide open field and someone may find a way to create enough
qubits and entangle them all and keep them stable long enough to
perform the calculation tomorrow.
People have been trying for several years, so this is extremely unlikely.

Second, relying parties need to be convinced/tricked into downloading
the fake certificates. Since each certificate contains the publication points
of its child certificates, the certs are chained together.
The route to a publication point needs to be hacked to cause relying parties
to access the fake publication point.

A point was made that encrypted data can be captured and stored and then
be decrypted later once the technology becomes available. This possibility
is not useful for creating fake ROA certs.

Therefore quantum resistant certificates will not be needed in advance of
the development of quantum certificate crackers.

Regards,
Jakob.

-Original Message-
Date: Sat, 30 Oct 2021 19:57:25 -0500
From: "J. Hellenthal" 

He answered it completely. "You" worried about interception of RPKI exchange 
over the wire are failing to see that there is nothing there important to 
decrypt because the encryption in the transmission is not there!

And yet you've failed to even follow up to his question... "What's your point 
regarding your message? ROV does not use (nor needs) encryption."

So maybe you could give some context on that so someone can steer you out of 
the wrong direction.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Oct 30, 2021, at 10:31, A Crisan  wrote:
> 
> Hi Matthew, 
> 
> Quantum computing exists as POCs, IBM being one of those advertising them and 
> announced to extend their project. There are others on the market, Amazon 
> advertised quantum computing as a service back in 2019: 
> https://www.theverge.com/2019/12/2/20992602/amazon-is-now-offering-quantum-computing-as-a-service.
> The bottleneck of the current technology is scalability: we will not see QC 
> at personal computing level just yet (to go in more detail, current 
> technologies work at cryogenic temperatures, thus they are hyper expensive 
> and not really scalable), but they exist and one could imagine they 
> are/will be used for various tasks.
> 
> On the other hand, you've actually commented every word of my mail, minus the 
> stated question. Thanks. 
> 
> Best Regards, 
> Dora Crisan 
> 
>> On Fri, Oct 29, 2021 at 8:10 PM Matthew Walster  wrote:
>> 
>> 
>>> On Fri, 29 Oct 2021, 15:55 A Crisan,  wrote:
>>> Hi Matthew,
>>> I was reading the above exchange, and I do have a question linked to your 
>>> last affirmation. To give you some context, the last 2021 ENISA report seems 
>>> to suggest that internet traffic is "casually registered" by X actors to 
>>> apply post Retrospective decryption (excerpt below). This would be at odds 
>>> with your (deescalating) affirmation that hijacks are non-malicious and 
>>> they are de-peered quickly, unless you pinpoint complete flux arrest only. 
>>> Are there any reportings/indicators... that look into internet flux 
>>> constant monitoring capabilities/capacities? Thanks.
>> 
>> 
>> RPKI uses authentication not confidentiality. There is no encryption taking 
>> place, other than the signatures on the certificates etc.
>> 
>>> Excerpt from the introduction: "What makes matters worse is that any cipher 
>>> text intercepted by an attacker today can be decrypted by the attacker as 
>>> soon as he has access to a large quantum computer (Retrospective 
>>> decryption).
>> 
>> 
>> Which do not exist (yet).
>> 
>>> Analysis of Advanced Persistent Threats (APT) and Nation State capabilities,
>> 
>> 
>> Buzzwords.
>> 
>>> along with whistleblowers' revelations
>> 
>>>  have shown that threat actors can and are casually recording all Internet 
>>> traffic in their data centers
>> 
>> 
>> No they're not. It's just not possible or indeed necessary to duplicate 
>> everything at large scale. Perhaps with a large amount of filtering, certain 
>> flows would be captured, but in the days of pervasive TLS, this seems less 
>> and less worthwhile.
>> 
>>>  and that they select encrypted traffic as interesting and worth 
>>> storing. This means that any data encrypted using any of the standard 
>>> public-key systems today will need to be considered compromised once a 
>>> quantum computer exists and there is no way to protect it retroactively, 
>>> because a copy of the ciphertexts in the hands of the attacker. This means 
>>> that data that needs to remain confidential after the arrival of quantum 
>>> computers need to
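
As an added illustration of the point made above (this is not code from any of the posts): a relying party doing Route Origin Validation only needs the ROA-derived payloads (prefix, maxLength, origin ASN); nothing in the exchange is confidential, so capturing it gains nothing, and a hijack is caught by the origin/maxLength comparison below. The VRPs, prefixes and ASNs are constructed sample data (documentation and private-use ranges), and the decision rules follow RFC 6811.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload as a relying party exports it to routers."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample VRPs; these are not real ROAs. The AS0 entry is the
# conventional way to declare that a prefix must never be originated at all.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 26, 64497),
    VRP("2001:db8::/32", 48, 64496),
    VRP("203.0.113.0/24", 24, 0),
]


def covers(vrp, route):
    """A VRP covers a route when the announced prefix lies inside the VRP
    prefix (equal or more specific). Address families never match each other."""
    r = ipaddress.ip_network(route, strict=False)
    p = ipaddress.ip_network(vrp.prefix, strict=False)
    return r.version == p.version and r.subnet_of(p)


def rov_state(route, origin_asn, vrps=SAMPLE_VRPS):
    """Return the RFC 6811 validation state of one BGP announcement.

    notfound: no VRP covers the prefix (ROV cannot say anything).
    valid:    a covering VRP matches the origin AS and the announced length
              does not exceed that VRP's maxLength.
    invalid:  covered, but no VRP matches; this is what a hijacked or
              over-specific announcement looks like to a validating router.
    """
    r = ipaddress.ip_network(route, strict=False)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "notfound"
    for v in covering:
        if v.asn == origin_asn and r.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def validate_table(announcements, vrps=SAMPLE_VRPS):
    """Validate a list of (prefix, origin_asn) pairs; returns a dict per route."""
    return {f"{p} AS{a}": rov_state(p, a, vrps) for p, a in announcements}
```

A more-specific announcement such as 192.0.2.0/25 from the legitimate origin still comes back invalid because the VRP's maxLength is 24, which is exactly the case a forged ROA would have to change to make a rogue prefix look valid.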

Re: PCH Peering Survey 2021

2021-10-31 Thread Adam Thompson
Question: if I have a written contract with a peer that covers the link and IP 
service in general, but that contract does not specifically discuss BGP or 
peering, is that a Yes or No?
Also, how should I indicate "unknown", particularly for the Written Contract 
field?
-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athomp...@merlin.mb.ca
www.merlin.mb.ca


From: NANOG on behalf of Bill Woodcock
Sent: Friday, October 29, 2021 06:47
To: NANOG
Subject: PCH Peering Survey 2021

Background:

Five and ten years ago PCH conducted comprehensive global surveys 
characterizing Internet peering agreements. They are the only ones of their 
kind, and are relied upon by legislators and regulators throughout the world to 
understand the Internet interconnection landscape.

Our write-ups of the prior surveys can be found here:

https://www.pch.net/resources/Papers/peering-survey/PCH-Peering-Survey-2011.pdf

https://www.pch.net/resources/Papers/peering-survey/PCH-Peering-Survey-2016/PCH-Peering-Survey-2016.pdf

…and video of the NANOG presentation of the 2016 results is here:

https://www.youtube.com/watch?v=lPuoBmxyXMc

At the time of the 2011 survey, we committed to repeating the survey every five 
years, to provide time-series data about the direction peering trends take. 
We’re now conducting the third iteration of the survey.

Among other things, the surveys have helped establish a better understanding of 
trends in:

• The increasingly uniform global norms of interconnection
• National preferences within the network operator community for country of 
governing law
• The long tail of small networks which don’t yet support IPv6 routing
• The significance of multilateral peering agreements in the density of the 
interconnection mesh

These findings, particularly the first, have been invaluable in giving 
regulators in the vast majority of the world’s countries a data-driven basis 
for refraining from prescriptively regulating Internet interconnection. They 
have demonstrated in objective terms that the Internet self-regulates in a way 
that’s more globally uniform and closely harmonized than any coordination of 
national regulatory bodies could accomplish.

Participation:

The survey is global in scope, and our goal is to reflect the diversity of 
peering agreements in the world. Your participation ensures that your norms and 
ways of doing business are represented accurately and proportionately in the 
dataset. If you don’t participate, the way you do business will be less 
well-represented in the data, and will seem less normal to regulators and 
policy-makers. We’re interested in large ISPs and small ISPs, ISPs in 
Afghanistan and in Zimbabwe, bilateral agreements and multilateral, private and 
public. Our intent is to be as comprehensive as possible. In 2011, the 
responses we received represented 4,331 networks in 96 countries, or 86% of the 
world’s ISPs at that time. In 2016, responses represented 10,794 networks in 
148 countries, or 60% of the world’s ISPs in 2016. Our aim is to be equally 
inclusive this year.

Since our principal method of soliciting participation is via NOG mailing 
lists, I’m afraid many of you will see this message several times, on different 
lists, for which we apologize.

Privacy:

In 2011 and 2016, we promised to collect the smallest set of data necessary to 
answer the questions, to perform the analysis immediately, and not to retain 
the data after the analysis was accomplished. In that way, we ensured that the 
privacy of respondents was fully protected. We did as we said, no data was 
leaked, and the whole community benefited from the trust that was extended to 
us. We ask for your trust again now as we make the same commitment to protect 
the privacy of all respondents, using the same process as was successfully 
employed the last two times. We are asking for no more data than is absolutely 
necessary. We will perform the analysis immediately upon receiving all of the 
data. We will delete the data once the analysis has been performed.

The Survey:

We would like to know your Autonomous System Number, and the following five 
pieces of information relative to each other AS you peer with:

• Your peer’s ASN (peers only, not upstream transit providers or downstream 
customers)
• Whether a written and signed peering agreement exists (the alternative being 
a less formal arrangement, such as a "handshake agreement")
• Whether the terms are roughly symmetric (the alternative being that they 
describe an agreement with different terms for each of the two parties, such as 
one compensating the other, or one receiving more or fewer than full customer 
routes)
• Whether a jurisdiction of governing law is defined
• Whether IPv6 routes are being exchanged (this year, we’ll still assume t