Re: AS4788 Telecom Malaysia major route leak?
On Fri, 2015-06-12 at 10:43 +0100, Marty Strong via NANOG wrote:
> It *looks* like GBLX stopped accepting the leak.

Nope. Churn is ongoing, nothing has been fixed. Global outage began 08:44 UTC and is still ongoing. It's been so long people have now had time to come up with things like 33.333%.

Also, possible explanation for why nobody's fixing it: https://twitter.com/TMCorp/status/609167065300271104 :)

/M
Open letter to Level3 concerning the global routing issues on June 12th
Dear Level3,

The Internet is a cooperative effort, and it works well only when its participants take constructive actions to address errors and remedy problems. Your position as a major Internet Carrier bestows upon you a certain degree of responsibility for the correct operation of the Internet all across (and beyond) the planet.

You have many customers. Customers will always occasionally make mistakes. You as a major Internet Carrier have a responsibility to limit, not amplify, your customers' mistakes. Other major carriers implement technical measures that severely limit the damage from customer mistakes, preventing them from having global impact. Other major carriers also implement operational procedures in addition to technical measures. In combination, these measures drastically reduce the outage-hours resulting from customer configuration errors.

At 08:44 UTC on Friday 12th of June, one of your transit customers, Telekom Malaysia (AS4788), began announcing the full Internet table back to you, which you accepted and propagated to your peers and customers, causing global outages for close to 3 hours. [ https://twitter.com/DynResearch/status/609340592036970496 ]

During this 3 hour window, it appears (from your own service outage reports) that you did nothing to stop the global Internet outage, but that Telekom Malaysia themselves eventually resolved it. This lack of action on your end, and your disregard for the correct operation of the global Internet, is astonishing.

These mistakes do not need to happen. AS4788 under normal circumstances announces ~1900 IPv4 prefixes to the Internet. You accepted multiple hundred thousand prefixes from them - a max prefix setting would have severely limited the damage. We expect that these are your practices as well, but they failed. When they do, it should not take ~3 hours to shut down the session(s).

Many operators, in despair, turned down their peering sessions with you once it was clear you were causing the outages and no immediate fix was in sight. This improved the situation for some - but not all did. Had you deployed proper IRR-filtering to filter the bad announcements the impact would've been far less critical.

As a direct consequence of your ~3 hours of inaction, as a local example, Swedish payment terminals were experiencing problems all over the country. The Swedish economy was directly affected by your inaction. There were queues when I was buying lunch! Imagine the food rage. The situation was probably similar at other places around the globe where people were awake.

Operators around the planet are curious:
- Did Level3 not detect or understand that it was causing global Internet outages for ~3 hours?
- If Level3 did in fact detect or understand it was causing global Internet outages, why did it not properly and immediately remedy the situation?
- What is Level3 going to do to address these questions and begin work on restoring its credibility as a carrier?

We all understand that mistakes do happen (in applying customer interface templates, etc.). However, the Internet is all too pervasive in everyday life today for anything but swift action by carriers to remedy breakage after the fact. It is absolutely not sufficient to let a customer spend 3 hours to detect and fix a situation like this one. It is unacceptable that no swift action was taken on your end to limit the global routing issues you caused.

Sincerely,
Martin Millnert
Member of Internet Community - no carrier / ISP affiliation.
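The letter names two inbound guards a transit provider can put on a customer session: an IRR-derived prefix filter, and a maximum-prefix limit that tears the session down when the customer announces far more than it is registered for. The simulation below is an added illustration written for this archive page; it is not any carrier's or router vendor's code, and the route objects, announcements and limit are constructed stand-ins (the real limit would sit comfortably above the ~1900 prefixes the letter cites and far below a full table). It assumes the limit counts prefixes received before filtering; platforms differ on whether they count received or accepted prefixes.

```python
"""Simulation of an IRR-derived prefix filter plus a maximum-prefix limit
on a customer BGP session. Constructed example for this page, not the
configuration or code of any carrier or router vendor; all prefixes and
limits below are made up for illustration."""
import ipaddress

# Constructed stand-in for the customer's IRR route objects: each entry is
# a registered prefix and the longest more-specific length we will accept.
CUSTOMER_ROUTE_OBJECTS = [
    ("192.0.2.0/24", 24),
    ("198.51.100.0/22", 24),
]

# Constructed limit, kept tiny so the leak below trips it quickly.
MAX_PREFIX = 5


def build_filter(route_objects):
    """Parse (prefix, max_length) pairs into network objects once."""
    return [(ipaddress.ip_network(p), max_len) for p, max_len in route_objects]


ALLOWED = build_filter(CUSTOMER_ROUTE_OBJECTS)


def prefix_permitted(prefix, allowed=ALLOWED):
    """True if the prefix lies inside a registered route object of the same
    address family and is no longer than that object's permitted length."""
    net = ipaddress.ip_network(prefix, strict=False)
    for registered, max_len in allowed:
        if (net.version == registered.version
                and net.subnet_of(registered)
                and net.prefixlen <= max_len):
            return True
    return False


def evaluate_session(announcements, allowed=ALLOWED, max_prefix=MAX_PREFIX):
    """Walk the received prefixes in order, filter each one, and tear the
    session down the moment the received count exceeds max_prefix.
    Assumption: the limit counts prefixes received, before filtering."""
    accepted, rejected = [], []
    for received, prefix in enumerate(announcements, start=1):
        if received > max_prefix:
            # A real router drops the session and withdraws everything it
            # learned from it; we report what had been seen up to then.
            return {"state": "torn_down", "received": received,
                    "accepted": accepted, "rejected": rejected}
        if prefix_permitted(prefix, allowed):
            accepted.append(prefix)
        else:
            rejected.append(prefix)
    return {"state": "established", "received": len(announcements),
            "accepted": accepted, "rejected": rejected}


# Constructed announcements: the customer's own space, then a leak that
# adds prefixes outside its route objects and a stray IPv6 prefix.
NORMAL_ANNOUNCEMENTS = ["192.0.2.0/24", "198.51.100.0/23", "198.51.102.0/24"]
LEAKED_ANNOUNCEMENTS = NORMAL_ANNOUNCEMENTS + [
    "203.0.113.0/24", "203.0.113.128/25", "2001:db8::/32",
]

if __name__ == "__main__":
    for label, announced in (("normal", NORMAL_ANNOUNCEMENTS),
                             ("leak", LEAKED_ANNOUNCEMENTS)):
        result = evaluate_session(announced)
        print(f"{label}: session {result['state']}, "
              f"{len(result['accepted'])} accepted, "
              f"{len(result['rejected'])} rejected by IRR filter")
```

The two guards fail independently: the filter alone still lets the router chew through every leaked prefix before dropping it, and the limit alone still accepts the first few thousand leaked routes, which is why operators deploy both.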
RIPE in final /8 of IPv4
Hi list,

in the interest of really running down also the final /8 of RIPE, which was entered today, let me point out that the cost to set up a new LIR is a meager application + application fee (2000 EUR) + ~1500 EUR or so for the first year. You can obviously transfer the resource as long as the requirement for the minimum allocation remains the same (which is a couple of web servers or so :) ), and then discontinue the LIR if you feel so inclined.

This stands in contrast with the cost of fixing your documentation to justify 80% used space of the current allocations. Also, each LIR can just get 1 /22 from the final /8 pool. So if you're getting space for customers, the new-LIR approach with option to transfer back in is pretty reasonable.

Happy Friday!

Best,
Martin (IPv6, where are you?)

- http://www.ripe.net/ripe/mail/archives/ncc-announce/2012-September/000615.html
- https://www.ripe.net/internet-coordination/news/ripe-ncc-begins-to-allocate-ipv4-address-space-from-the-last-8
Re: rpki vs. secure dns?
On Sun, 2012-04-29 at 21:50 +0100, Nick Hilliard wrote:
> - the RIPE NCC is now funding a project for which there is no consensus policy supported by the RIPE community, and is doing this on the basis of a hair's breadth majority vote amongst its membership.

Not only was the vote extremely narrow, a whopping ~97% of the voters did not vote at all. If we incorporate the no-shows, the vote statistics become something like:

120 Yes
114 No
26 Abstain
~7400 No-shows

The membership got a chance to speak on the topic and largely didn't.

Best,
Martin
Re: [outages] News item: Blackberry services down worldwide
Jared,

On Thu, Oct 13, 2011 at 5:56 PM, Jared Mauch ja...@puck.nether.net wrote:
> Rebuilding this trust can take some time. I do expect that with the iMessage stuff that was released yesterday (SMS/MMSoIP to email/phone#) many more companies will shift to using that instead as the value of BBM is decreased.

With iMessage, Apple is following the lead of multi-platform apps such as Viber (integrated voice over ip) and whatsapp (integrated rich texting over ip). Integrated meaning the unique name/key registered in the system's name lookup service is your phone number, so you automagically discover who of all your address book entries have the application. Turning on whatsapp on my 360 contact address book yielded me 10% of my contact list *online* using it. :)

Not being multi-vendor/platform, I wonder if iMessage on iPhone is going to reach similar uptake. Being installed from start certainly helps though, but not piggy backing on the phone numbers is a clear strategic error in my opinion (apple IDs are obviously a long long way from being as universal as phone numbers).

I tried out whatsapp yesterday on an old Symbian S60 Nokia (N97) and it works great. Only thing I regret is not trying it out sooner.

Now, if mobile devices only had ... globally unique and *reachable* IP addresses, you could even envision sending messages/pictures/video directly from your own device to a peer, with no need for bouncing through overloaded centralized bottlenecks, such as is the case with whatsapp (and certainly iMessage as well). There's certainly a business case in there for a legacy-free, bandwidth-optimized, IP only, LTE-network... (read: no [stupid] tunnels)

> I also wonder what the impact of iMessage and others will be on places like hotel networks as the devices camp out longer/more often on the wifi, etc. We observed the impact to a hotel of the NANOG crowd this week (i wonder if there will be lessons learned on the part of lodgenet, etc?)
>
> I know personally I've observed the attwifi ssid expanding to more places (including hilton branded properties) in the past 6 months to offload cellular data.

Offloading is wise, indeed.

Cheers,
Martin
Re: Botnets buying up IPv4 address space
On Sat, Oct 8, 2011 at 6:14 PM, Florian Weimer f...@deneb.enyo.de wrote:
> IPv4 addresses will never run out in a strict sense of the word, it will just become increasingly more difficult to reassign IPv4 address space to those who need it.

If by difficult you mean expensive, then I agree.

Regards,
Martin
Re: Botnets buying up IPv4 address space
Arturo,

On Fri, Oct 7, 2011 at 8:59 PM, Arturo Servin arturo.ser...@gmail.com wrote:
> ARIN and APNIC allow it, LACNIC will when it reaches the last /12 (so now it is not possible). RIPE NCC and Afrinic do not have a policy yet AFAIK.

RIPE's LIR IPv4 listing service has 1x /20 listed, *right now*. https://www.ripe.net/lir-services/resource-management/listing

Regards,
Martin
Re: DPI deployment use case
Hi,

On Wed, Oct 5, 2011 at 1:11 PM, Claudio Lapidus clapi...@gmail.com wrote:
> what actual use cases have you seen in the field (if any) for DPI'ing user sessions, considering we are mostly a DSL shop.

I've seen tyrannical governments use Bluecoat's to crack down on their own population(*). Was this the sort of use-case you were looking for? :)

Best,
Martin

(*) http://tcxsyria.ceops.eu/95191b161149135ba7bf6936e01bc3bb
Re: F.ROOT-SERVERS.NET moved to Beijing?
Leo,

On Mon, Oct 3, 2011 at 7:34 PM, Leo Bicknell bickn...@ufp.org wrote:
> The only way to make sure a route was correct, everywhere, would be to have 39,000+ probes, one on every ASN, and check the path to the root server. Even if you had that, how do you define when any of the changes in 1-4 are legitimate? You could DNSSEC verify to rule out #1, but #2-4 are local decisions made by the ASN (or one of its upstreams).
>
> I suppose, if someone had all 39,000+ probes, we could attempt to write algorithms that determined if too much change was happening at once; but I'm reminded of events like the earthquake that took out many asian cables a few years back. There's a very real danger in such a system shutting down a large number of nodes during such an event due to the magnitude of changes, which I'd suggest is the exact opposite of what the Internet needs to have happen in that event.

This sounds an awful lot like the notary concept:
- http://perspectives-project.org/
- http://convergence.io/

Furthermore, changing network paths used to reach information probably should not be reason to shut down a service, in general. More interesting than which path is used, I suppose, is whether or not the data being returned has been changed in some unexpected/undesired way.

Regards,
Martin
Re: Nxdomain redirect revenue
Jimmy,

On Tue, Sep 27, 2011 at 1:50 PM, Jimmy Hess mysi...@gmail.com wrote:
> The name for an ISP intercepting traffic from its own users is not interference or DoS, because they're breaking the operation of (er) only their own network.

This statement somehow assumes that users of said network were only intending to communicate within that same network. I think this applies to so few networks it can be ignored in the discussion.

If I have a partner/customer/supplier/$foo in [common carrier/public carrier] network X, and there is no D/DoS or other form of abuse ongoing, and the operator of X willfully denies our communication, the operator of X should have pretty darn good reasons for doing so (on the order of having been ordered by the proper judicial system (which should be well-functional, but that's a bit out of scope for the discussion I guess)).

Operators should take great care to not break communication, including tampering with internet architectures such as DNS, and it must be possible to hold those who do responsible for their actions.

Regards,
Martin
Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Mike,

On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones m...@mikejones.in wrote:
> It will take a while to get updated browsers rolled out to enough users for it to be practical to start using DNS based self-signed certificates instead of CA-Signed certificates, so why don't any browsers have support yet? Are any of them working on it?

Chrome v14 works with DNS stapled certificates, sort of a hack. ( http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )

There are other proposals/ideas out there, completely different to DANE / DNSSEC, like http://perspectives-project.org/ / http://convergence.io/ .

Regards,
Martin
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
Steinar,

On Sun, Sep 11, 2011 at 8:12 PM, sth...@nethelp.no wrote:
> To pop up the stack a bit it's the fact that an organization willing to behave in that fashion was in my list of CA certs in the first place. Yes they're blackballed now, better late than never I suppose. What does that say about the potential for other CAs to behave in such a fashion?
>
> I'd say we have every reason to believe that something similar *will* happen again :-(

Something similar, including use of purchased (not only limited to stolen certs), is ongoing already, all of the time. (I had a fellow IRC-chat-friend report from a certain very western-allied middle eastern country that there's ISP/state-scale SSL-MITM ongoing there, for all https traffic.)

The comment on starting out with an empty /etc/ssl is valid. Most of the normally included CA's you almost never run into on the wild web anyway. There were some blog postings about this last time a CA was busted. Shave off 90% of them and you have at least come a bit on the way (goal 100%).

The absence of proof is *not* proof of absence, and in this particular case it's pretty safe to assume some abuse is ongoing somewhere, 24/7.

Cheers,
Martin
Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas m...@mtcc.com wrote:
> And how long would it be before browsers allowed self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?

As previously mentioned, Chrome >= v14 already does.

Regards,
Martin
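The "self-signed but OK'ed via DNSSEC-protected cert hashes" idea discussed in the two posts above is what DANE standardised as a usage-3 TLSA record: the DNS publishes a hash of the certificate (or just of its public key), and the client compares that hash with what the server presents, with no CA in the loop. The block below is an added example written for this archive page, not Chrome's stapling hack or any library's code. It assumes the TLSA record came through a DNSSEC-validating resolver (that lookup is out of scope), and the certificate it checks is a constructed DER skeleton with the real field order but placeholder contents and a dummy signature.

```python
"""Check a presented certificate against a DANE TLSA record (RFC 6698).
Added example for this page, not Chrome's or any library's code. Assumes
the record was fetched through a DNSSEC-validating resolver. The
certificate is a constructed DER skeleton, not a real signed certificate."""
import hashlib


def der(tag, payload):
    """Encode one DER TLV, using the long length form where needed."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_children(buf):
    """Walk consecutive DER TLVs in buf: (tag, whole_tlv, payload) each."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                      # long form: N length bytes follow
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
            hdr += nbytes
        end = pos + hdr + length
        out.append((tag, buf[pos:end], buf[pos + hdr:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV from a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tbs_payload = der_children(der_children(cert_der)[0][2])[0][2]
    fields = der_children(tbs_payload)
    skip = 1 if fields[0][0] == 0xA0 else 0   # explicit version tag present?
    return fields[skip + 5][1]


def tlsa_data(cert_der, selector, matching_type):
    """Publisher side: the association data for a record with the given
    selector (0 = full certificate, 1 = SPKI) and matching type
    (0 = exact bytes, 1 = SHA-256, 2 = SHA-512)."""
    subject = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    if matching_type == 0:
        return subject
    algo = {1: "sha256", 2: "sha512"}[matching_type]
    return hashlib.new(algo, subject).digest()


def tlsa_matches(cert_der, selector, matching_type, association_data):
    """Client side: does the presented certificate match this record?"""
    return tlsa_data(cert_der, selector, matching_type) == association_data


def dane_ee_accepts(cert_der, tlsa_records):
    """Usage 3 (DANE-EE): accept the end-entity certificate if any usage-3
    record matches, regardless of any CA chain. Records are
    (usage, selector, matching_type, association_data) tuples."""
    return any(tlsa_matches(cert_der, sel, mt, data)
               for usage, sel, mt, data in tlsa_records if usage == 3)


def build_fake_certificate(public_key_bits):
    """Constructed DER skeleton (not a real, signed certificate)."""
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, rsa + der(0x03, b"\x00" + public_key_bits))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, b"")                                   # empty Name placeholder
    validity = der(0x30, der(0x17, b"110101000000Z") * 2)  # two UTCTime values
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sha256_rsa + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33)), spki


# Constructed server certificate and the "3 1 1" record an operator would publish for it.
CERT_DER, CERT_SPKI = build_fake_certificate(b"\x42" * 200)
TLSA_3_1_1 = (3, 1, 1, tlsa_data(CERT_DER, 1, 1))

if __name__ == "__main__":
    print("_443._tcp TLSA 3 1 1", TLSA_3_1_1[3].hex())
    print("accepted:", dane_ee_accepts(CERT_DER, [TLSA_3_1_1]))
```

Selector 1 (SPKI) is the usual choice because the operator can then renew the certificate without touching DNS as long as the key stays the same; the whole scheme only holds if the resolver path to the TLSA record is itself DNSSEC-validated, which is the part the page's posters point out browsers still had to grow.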
Re: vyatta for bgp
Brent,

On Mon, Sep 12, 2011 at 11:13 PM, Brent Jones br...@servuhome.net wrote:
> Lots of devices can have trouble if you direct high PPS to the control plane, and will exhibit performance degradation, leading up to a DoS eventually. That isn't limited to software based routers at all, it will impact dedicated ASICs. Vendors put together solutions for this, to protect the router itself/control plane, whether it's a software based router or ASICs. Now if this was a Mikrotik with a 1Ghz Intel Atom CPU, sure, lots of things could take that thing offline, even funny looks. But a modern, multi-core/multi-thread system with multi-queued NICs will handle hundreds of thousands of PPS directed to the router itself before having issues, of nearly any packet size. A high end ASIC can handle millions/tens of millions PPS, but directed to the control plane (which is often a general purpose CPU as well, Intel or PowerPC), probably not in most scenarios. I think it's very fair for a small/medium sized organization to run software based routers, Vyatta included.

Speaking of Mikrotik there, I recently pushed 350kpps small packets through an x86 routeros image running under kvm (using vt-d for nic) on my desktop machine (which is a number i seem to run into more than once when it comes to linux/linux-derivative forwarding on a single queue core). I saw a release note claiming their next sw release will do 15-20% more on both mips and x86. Unsurprisingly, open source software forwarding is still very far from 10G linerate of small pps through a single cpu core. 350kpps of 64B packets is of course merely 180 Mbps (notably, actually sufficient for handling incoming small packets on a 100 Mbps uplink).

Re adversaries or random scum filling your uplinks with useless bits, I think I hear the largest DDoS'es now have filled 100G links, so.. don't make yourself a packeting target if you happen to run smaller links than that? :)

Generally on staying alive through DDoS by anything else than some degree of luck, I guess having more bandwidth between your network and your peers than what your peers all have to their peers is advised (the statement could possibly be improved upon using some minimum cut graph theory language).

Best,
Martin
Re: Quick comparison of LSNs and NAT64
Hi,

On Thu, Jun 9, 2011 at 10:39 AM, Cameron Byrne cb.li...@gmail.com wrote:
> In message 4df053aa.50...@axu.tm, Aleksi Suhonen writes:
>> Some people were talking about Large Scale NATs (LSN) or Carrier Grade NATs (CGN) yesterday. Comments included that DS-Lite and NAT64 are basically LSNs and they suffer from all the same problems. I don't think that NAT64 is as bad as other LSNs and here's why:

My statement is that a *pure* ipv6-only network, in the sense you have 0 NAT:ed reachability to the IPv4 Internet, will only attract people like me. :)

> All good and accurate info. I would just restate that nat64, unlike nat444, does not need to be on path; this is what drives its improved scaling over nat444. Also, unlike ds-lite, nat64 works without any special client, such as the b4 function in the ds-lite architecture. Any fully functional ipv6 system such as win7 can work out of the box (ipv4 only apps being the exception). Finally, ds-lite and nat444 are just crutches for ipv4. Nat64 pushes ipv6 by making ipv6 end to end and forcing applications to be AF agnostic, whereas the others enable ipv4 without any backpressure.

You are absolutely correct here. The proper solution is indeed to backtrack from the end-goal, which is to have only one stack in the network.

Thanks,
Martin
Re: Cogent HE
On Wed, Jun 8, 2011 at 4:10 PM, Ken Chase k...@sizone.org wrote:
> So we have to buy from BOTH HE and Cogent?! Sounds like market fixing to me! :/ Guess if we do we can advertise that on our webpage... now with BOTH halves of the ipv6 internets!

Or just buy from someone who has sessions with both, who IOW can offer a full IPv6 Internet.

Regards,
Martin
Re: World IPv6 Only Day.
Iljitsch,

On Thu, Jun 9, 2011 at 12:49 PM, Iljitsch van Beijnum iljit...@muada.com wrote:
> Are there any switches out there that do MLDP snooping to avoid flooding IPv6 multicasts?

Something as enterprisey as even HP Procurve (!) has been doing this for years.

Regards,
Martin
Re: Microsoft's participation in World IPv6 day
Cameron,

On Wed, Jun 8, 2011 at 8:48 AM, Cameron Byrne cb.li...@gmail.com wrote:
> On Wed, Jun 8, 2011 at 5:47 AM, Cameron Byrne cb.li...@gmail.com wrote:
>> On Wed, Jun 8, 2011 at 12:09 AM, Owen DeLong o...@delong.com wrote:
>>> On Jun 7, 2011, at 9:59 PM, Martin Millnert wrote:
>>>> Owen,
>>>>
>>>> On Tue, Jun 7, 2011 at 11:47 PM, Owen DeLong o...@delong.com wrote:
>>>>> LSN is required when access providers come across the following two combined constraints:
>>>>> 1. No more IPv4 addresses to give to customers.
>>>>> 2. No ability to deploy those customers on IPv6.
>>>>
>>>> 2 has little bearing on need of LSN to access v4. Insufficient amount of IPv4 addresses = LSN required.
>>>>
>>>> Regards,
>>>> Martin
>>>
>>> No, if you have the option of deploying the customers on IPv6, you don't need LSN. The problem is that until the vast majority of content is dual-stack, you can't deploy customers on IPv6 without IPv4.
>>
>> cough cough NAT64/DNS64 ... cough DS-lite.
>>
>> Cameron

AF translators are in the same class of technology as LSN -- to me they are the same (_NAT_64). Someone who thinks you will be successful in selling an Internet with pure ipv6 only access today to consumers must be living on a different planet.

Cheers,
Martin
Re: Cogent IPv6
Nick,

On Wed, Jun 8, 2011 at 9:51 AM, Nick Olsen n...@flhsi.com wrote:
> I'm sure someone here is doing IPv6 peering with cogent.
> (snip)
> Any things to be aware of before pulling the trigger on it? (Other than them not having connectivity to HE's IPv6 side of things, Wish they would fix that already...)

Not just HE's prefixes you miss with Cogent. Lack of full table means they can't be considered a full transit, ie, you need something like minimum 2 full transits + cogent to do v6 properly. They're more like a private peering.

Cheers,
Martin
Re: Microsoft's participation in World IPv6 day
Owen,

On Tue, Jun 7, 2011 at 11:47 PM, Owen DeLong o...@delong.com wrote:
> LSN is required when access providers come across the following two combined constraints:
> 1. No more IPv4 addresses to give to customers.
> 2. No ability to deploy those customers on IPv6.

2 has little bearing on need of LSN to access v4. Insufficient amount of IPv4 addresses = LSN required.

Regards,
Martin
Re: IPv6 foot-dragging
George,

On Thu, May 12, 2011 at 11:41 AM, George Bonser gbon...@seven.com wrote:
>> A lot. I see /48 breakouts from /32 PA blocks for instance, announced by a customer AS of the PA holder AS.
>>
>> --
>> Mikael Abrahamsson email: swm...@swm.pp.se
>
> Which is kinda sad. It's reality. If those customer AS are multihomed or plan to be multihomed, they can get their own allocation out of PI space. If they are not multihomed outside of the provider AS, there is no need for the provider to leak that /48 out of their AS to their peers.

In the RIPE region, being multihomed or planning to be it is not a sufficient condition for getting a PI prefix. And even if it was, the hit on DFZ is the same as from getting allocation from LIR. Even if they get their own /32, the hit would be the same (modulo individual FIB/RIB implementations).

Consequently, there's work in progress to modernize RIPE IPv6 address policy. http://ripe62.ripe.net/presentations/148-wg.pdf p. 19 and forward.

Cheers,
Martin
Re: Yahoo and IPv6
Owen,

On Mon, May 9, 2011 at 8:40 PM, Owen DeLong o...@delong.com wrote:
> RIPE-NCC is probably next and I expect they will likely run out next month.

Seems a bit improbable to me, considering: http://www.ripe.net/internet-coordination/ipv4-exhaustion/ipv4-available-pool-graph

Regards,
Martin
Re: How do you put a TV station on the Mbone?
Daniel,

On Fri, Apr 29, 2011 at 7:44 PM, Daniel Roesen d...@cluenet.de wrote:
> On Fri, Apr 29, 2011 at 05:51:25PM -0400, Jay Ashworth wrote:
>> Imagine: multicast internet radio! Awesome!
>>
>> That would, indeed, be awesome; when everyone in my office was listening to the royal wedding, there would be a *much* higher chance of them all being in sync.
>
> That reminds me of 9/11. When the tragic event unfolded, we sat in the office. News made the rounds verbally, and people started looking for streaming services at their personal desks (no TVs around). People pretty quickly gave up trying to find streams and news portals which were actually working fine and the crowd gathering behind me watching over my shoulder became bigger and bigger. Why? Because I was in the fortunate position of being able to watch an Mbone multicast stream of some news TV broadcaster... cannot remember whether it was CNN or BBC or someone else entirely. Back then, a colleague was playing around with IP multicast and my desktop machine had connectivity to his Mbone-connected playground. :)
>
> IP multicast was the only way for us to see what happened, live. Unicast failed miserably.

+10

I've been meaning to write something similar. Multicast infrastructure in place absolutely and certainly has a role to play in humanity-wide events. Also, having a 'free' distribution channel for those moving images carrying such licensing that it does not matter how many eyeballs see them could be valuable as well. I made sure to get this capability in the network I worked on last.

Cheers,
Martin
Re: New IPv6 survey released on labs.ripe.net
Mobile v6 folks,

On Wed, Apr 27, 2011 at 12:56 PM, Kevin Day toa...@dragondata.com wrote:
> T-Mobile: Nokia N900 works great thanks to you (admittedly a dead-end from Nokia, but it works with the same level of shell script and kernel hacking that all N900 users expect)

Add the Nokia N97 to this list, with cellular/wifi support but no tethering, etc.

Also I don't think IPv6 support on WiFi is as significant by at least two orders of magnitude as IPv6 support on the cellular interfaces is. A survey would be useful though: Firmware, IPv6 support ( WiFi / cellular ), v4/v6 tethering / hot spot operations, etc. I don't see how it can hurt to provide the middle ground between manufacturers and operators by having such a survey in this regard. Cameron probably has more to add (and some that he can't even if he wanted to, I guess).

Marco H, understanding your reasons for wanting to keep CPE survey separate from what Cameron suggested, what's your opinion on doing a clone of the survey? (At some level, having not one but two of these surveys should attract you :) )

Best,
Martin
Re: Voice Peering?
On Thu, Apr 21, 2011 at 1:00 PM, Scott Berkman sc...@sberkman.net wrote:
> It's not specific for mobile, but this is one of the most well known VOIP exchanges:

And here I thought IP exchanges would cover the IP in VOIP. When do we get HTTP exchanges? :)

Regards,
Martin
Re: Bandwidth growth
On Wed, Apr 20, 2011 at 9:55 PM, Patrick W. Gilmore patr...@ianai.net wrote:
> On Apr 20, 2011, at 9:35 PM, Curran, David wrote:
>> I'm interested in any evidence (even anecdotal) that general Internet usage (and more importantly, link utilization) has increased at higher rates in the last 6-12 months than in previous periods. Any graphs or otherwise would be greatly appreciated. The purpose is for an internal research project and this data will only be used internally and will not be shared, nor will the sources.
>
> https://stats.linx.net/aggregate.html
> http://www.ams-ix.net/historical-traffic-data/
> http://de-cix.net/content/network.html
> http://www.seattleix.net/agg.htm
> http://www.torix.net/stats.php

Growth unsurprisingly also varies by region: http://www.msk-ix.ru/eng/traffic.html It has seen plenty of growth recently. If any MSK-IX staff reads this, a 3-, 5- or all-year graph would be an interesting add!

> I don't know if that proves your theory. And one could argue public IX stats are actually not representative of growth, since many networks move peers to private connections as they grow. But it is data, and it is available.

Aggregate IX statistics also fail to identify what part of the growth is due to people moving traffic onto IX:es, from private connections (transits). It is certainly data, aggregate data. I wouldn't hang my heart-lung machine off of its accuracy in predicting individual networks' short-term traffic developments though, so to speak. :)

Regards,
Martin
Re: Comcast's 6to4 Relays
John,

On Tue, Apr 19, 2011 at 4:44 PM, Brzozowski, John john_brzozow...@cable.comcast.com wrote:
> Folks,
>
> Since deploying our 6to4 relays, Comcast has observed a substantial reduction in the latency associated with the use of 6to4. As such we are contemplating further opening our relays for use by others. The availability of our 6to4 relays should improve the experience of others using 6to4 as a means to access content and services over IPv6.

I think it is a correct and welcome move on the north american internet market and that it will improve 6to4 performance there as 6to4 is phased out.

Regards,
Martin
Re: Comcast's 6to4 Relays
Butch,

On Tue, Apr 19, 2011 at 8:52 PM, Butch Evans but...@butchevans.com wrote:
> The drafts I saw posted earlier were discussing what is essentially Teredo services (anycast tunnel) at least.

6to4 is significantly different from Teredo, since it:
a) it does not hurt web deployments using DNS records for their resources (src/dst addr selection, and more)
b) it works from behind a NAT

> If this is on by default, then that is only bad (in my opinion) IF there is no native IPv6 support on the LAN side of these networks. Maybe I am missing something, but this is my take.

In the case of 6to4, this is only true if your source/destination address selection works properly. Teredo adds extra safety to really make it an ipv4-ipv6 connection mechanism of last resort.

> Either way, there certainly IS a place in networks for Teredo services, since SO MANY devices for the CPE end of the connectivity equation still have zero support for IPv6.

I must point you to Geoff Huston's most recent ISP posting: http://www.potaroo.net/ispcol/2011-04/teredo.html

It gives a very good picture of the Teredo support out in the wild. It also makes it abundantly clear that Teredo is not a reliable auto-tunneling mechanism (if such a mechanism ever can exist): 6to4 looks like flawlessness in comparison with Teredo when it comes to connection success ratios. Yet, virtually nobody has so far been complaining over issues caused by Teredo being active on their hosts. And there are some situations where it is OK that only 2 out of 3 connections succeed, if it means your system can work better: Notably, peer-to-peer applications can make use of this to establish connections in a cloud, using DHT instead of DNS for peer propagation, and Teredo relays as the rendezvous mechanism. I would, however, not want to rely on this for calls in Skype, for example.

My (current) personal opinion on the situation is that application developers who do not want to use the last-resort NAT-trespassing method of establishing connectivity that Teredo supplies must decide in their code not to use it. Some peer-to-peer applications have been known for years to come with an "Enable IPv6" button, because it improved the application's performance to do so. So, in a world where some applications will enable it, other applications will have to *not use it*, else the applications will end up in a race condition on whether the protocol is enabled or not.

> It's not the best solution for sure, but the fact remains that most networks will be dual-stacked at least initially at the core, but the endpoints (customer networks) are outside of our administrative control and often are behind devices that we do not control/own. Maybe I'm missing something...

AFAIK, there's ongoing work in IETF to address this. I think one of the wg's is softwire, http://tools.ietf.org/wg/softwire/ , but I have not followed this at all.

Regards,
Martin
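The NAT64 thread earlier on this page and the 6to4/Teredo exchange above both turn on address formats that embed an IPv4 address inside an IPv6 one, and an operator looking at flow logs wants to tell native traffic from tunnelled or translated traffic. The decoder below is an added example written for this page from the published formats (RFC 3056 for 6to4, RFC 4380 for Teredo, RFC 6052 for the NAT64 well-known prefix); it is not code from any poster or product, and the sample addresses are constructed from documentation ranges. It also shows why 6to4 cannot work from behind a NAT: the site prefix must embed a publicly routable IPv4 address, so the function refuses private and shared-space addresses.

```python
"""Decode the IPv4 address embedded in IPv6 transition addresses.
Formats follow RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 6052 (NAT64
well-known prefix). Added example written for this page from those RFCs;
not code from any poster or vendor. Sample addresses are constructed."""
import ipaddress
from collections import Counter

SIXTOFOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")

# IPv4 ranges never reachable from the public Internet: a host numbered
# from them cannot be a 6to4 site, because its 2002: prefix would embed an
# address nobody can route the encapsulated packets back to.
NOT_6TO4_CAPABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGN shared space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def sixtofour_prefix(v4_text):
    """Return the 2002:WWXX:YYZZ::/48 site prefix for a public IPv4
    address, or None when the address sits behind NAT and 6to4 cannot work."""
    v4 = ipaddress.IPv4Address(v4_text)
    if any(v4 in net for net in NOT_6TO4_CAPABLE):
        return None
    hi, lo = divmod(int(v4), 1 << 16)
    return ipaddress.ip_network(f"2002:{hi:x}:{lo:x}::/48")


def classify(v6_text):
    """Return (mechanism, embedded IPv4 as text or None, details dict)."""
    v6 = ipaddress.IPv6Address(v6_text)
    raw = int(v6)
    if v6 in SIXTOFOUR:
        # 2002:V4ADDR::/48 -- bits 16..47 hold the site's public IPv4
        return "6to4", str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)), {}
    if v6 in TEREDO:
        # 2001:0000:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC (server, flags, port, client);
        # port and client are XOR-obfuscated so NATs do not rewrite them
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        flags = (raw >> 48) & 0xFFFF
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return "teredo", str(client), {"server": str(server),
                                       "mapped_port": port,
                                       "cone_nat": bool(flags & 0x8000)}
    if v6 in NAT64_WKP:
        # 64:ff9b::/96 -- the IPv4 destination is the low 32 bits
        return "nat64", str(ipaddress.IPv4Address(raw & 0xFFFFFFFF)), {}
    return "native", None, {}


def tally_mechanisms(addresses):
    """Count how much of an address list (e.g. a flow log's source column)
    arrives over each mechanism; returns a plain dict."""
    return dict(Counter(classify(a)[0] for a in addresses))


# Constructed sample: the kind of source-address column a flow log yields.
SAMPLE_SOURCES = [
    "2001:db8::1",                          # native
    "2002:cb00:7105::1",                    # 6to4 site 203.0.113.5
    "2001:0:c000:22d:8000:63bf:39cc:9bf8",  # Teredo client 198.51.100.7 via server 192.0.2.45
    "64:ff9b::cb00:7105",                   # NAT64-translated flow towards 203.0.113.5
    "2001:db8:1::42",                       # native
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", classify(src))
    print(tally_mechanisms(SAMPLE_SOURCES))
```

The Teredo decode is the one worth remembering for address selection: the client's NAT-mapped public address and port are right there in the address, which is why a host with a Teredo address and no native IPv6 is exactly the host whose connection attempts Huston's measurements show failing so often.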
Re: The state-level attack on the SSL CA security model
On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A b...@pnl.gov wrote:
> One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)

Indeed not very unreasonable at all, except a) it would be kind of unfortunate if Facebook would not make the data available under adequate conditions, b) Facebook can already infer level of relationships between people based on a whole lot of their other data (it's kind of what makes them spin). I agree in seeing it coming though: Web-of-trust 2.0.

soBGP takes on a similar approach to securing BGP. Not a bad idea at all at first sight, IMHO. Anyone know why it died out and why other (perhaps poorer) ideas are floating around now? http://tools.ietf.org/html/draft-white-sobgp-architecture-02

Regards,
Martin

> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Friday, March 25, 2011 9:05 AM
> To: Akyol, Bora A
> Cc: Dobbins, Roland; nanog group
> Subject: Re: The state-level attack on the SSL CA security model
>
> On Fri, 25 Mar 2011 08:36:12 PDT, Akyol, Bora A said:
>> Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before.
>
> That would be great, if you could ensure the following:
>
> 1) That Joe Sixpack actually knows enough somebodies who are trustable to sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the same old CA).
>
> 2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion scrape unknown signatures off my PGP key on the keyservers, when people I've never heard of before have signed my key just because somebody they recognized signed it).
>
> The PGP model doesn't work for users who are used to clicking everything they see, whether or not they really should...
Re: The growth of municipal broadband networks
Paul,

On Fri, Mar 25, 2011 at 2:31 PM, Paul Graydon p...@paulgraydon.co.uk wrote:
> http://arstechnica.com/tech-policy/news/2011/03/133-us-cities-now-run-their-own-broadband-networks.ars
>
> Ars Technica has a short article up about the growth of municipal networks, but principally a nice little 'hey check out this website' (http://www.muninetworks.org/communitymap)
> (snip)
> I'm curious how the feeling is on NANOG about shifting such provision towards municipal instead of corporations? I guess a rough summary of the competing views I've heard so far are:
> (snip)

With experience from Sweden, which has seen many varying incarnations of these sorts of networks, I have this hopefully useful bit to share: It's OK for tax-payer money to build layer-1 infrastructure if it decides so, that non-tax payer money can sell services on, but fail starts to happen the very moment they decide to go higher than that.

That's... all.

Regards,
Martin
Re: The growth of municipal broadband networks
Jay,

On Fri, Mar 25, 2011 at 9:46 PM, Jay Ashworth j...@baylink.com wrote:

> ----- Original Message -----
> From: Leo Bicknell bickn...@ufp.org
>> Having looked around the world I personally believe most communities would be best served if the government provided layer-1 distribution, possibly with some layer 2 switching, but then allowed any commercial entity to come in and offer layer 3 services.
> +5

I've seen several cases of these types of networks rolling out the MPLS cloud, oversubscribing ad infinitum, with lots of active network equipment, which all in all in the end doesn't add *anything* more to the end-user than hundredths or thousandths or even less of their end-to-end link capacity, between them and the service-offering ISPs.

I'm very wary of doing more L2 than essentially required, and believe it is much more sane to invest a bit extra in the L1, and skip investments at this level in L2 entirely. Handing off L1 to providers works perfectly fine, and adds no over-subscription.

The only issue with what I describe above is that it complicates the multiple-vendors-over-the-same-pipe a little bit. Voice and video work pretty fine over IP, though, last I checked. With a few new L1 network devices, the above should become even more feasible.

Convincing people they can build a network infrastructure without switches is nearly fated for complete doom, though... (Perhaps giving them some LED panels with high-power fans will satisfy their need for blinkenlights?)

Regards,
Martin
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
List,

since there are IRR databases operated by non-RIRs, does one need to register a prefix in any RIR-DB at all, to see it reachable on the Internet? Have there been any presentations/research done on reachability of RIR-registered vs non-RIR-registered vs completely unregistered announcements?

( When I say RPKI below I mean the entire secure BGP routing infrastructure developments. )

I think it is pretty clear what the greatest motivation from RIRs on RPKI is: (Unregistered) legacy v4-space (i.e., reaching a critical mass so that the network effect starts to apply positively for the reachability of non-RIR-registered space).

John Curran has written on RPKI = certification of RIR-DB contents on this list before, but that could in all seriousness be equally accomplished simply by having a usable and trusted API-connection to query the DB itself. And that I think hardly anyone would oppose. (AFAIK ARIN has already deployed this by now; and as soon as their services have some sort of authentication (DNSSEC'ed DNS with SSL cert in it, for example? It's ~trivial to program a client for this!) a lot will have been accomplished already!)

What's different and unique with the RPKI effort is that it integrates this information directly into BGP itself, in an effort to claim control on what's being announced on the Internet. The former I welcome warmly, while for the latter I think it remains to be seen how successful it will be.

Regards,
Martin

On Thu, Mar 24, 2011 at 11:35 AM, John Curran jcur...@arin.net wrote:

> On Mar 24, 2011, at 8:57 AM, Eugen Leitl wrote:
>> http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html
>
> Read the comment at the end (attached here for reference).
>
> /John
>
> John Curran
> President and CEO
> ARIN
>
> Re: Nortel, in bankruptcy, Requests Approval of Sale of IPv4 address blocks
> by John Curran on Thu 24 Mar 2011 11:31 AM EDT
>
> Milton -
>
> Did you have an opportunity to review the actual docket materials, or is your coverage based just on your review of the referenced article?
>
> The parties have requested approval of a sale order from the Bankruptcy judge. There is a timeline for making filings and a hearing date. There is not an approved sale order at this time, contrary to your blog entry title.
>
> ARIN has a responsibility to make clear the community-developed policies by which we maintain the ARIN Whois database, and any actual transfer of number resources in compliance with such policies will be reflected in the database.
>
> FYI,
> /John
The state-level attack on the SSL CA security model
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.

Essentially a state somewhere between Iraq and Pakistan snatched valid certs for:

- mail.google.com
- www.google.com
- login.yahoo.com
- login.skype.com
- addons.mozilla.org
- login.live.com
- global trustee

https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
http://www.imperialviolet.org/2011/03/18/revocation.html (on epic failure of cert revocation list implementations in browsers, failing open (!))
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/
http://www.microsoft.com/technet/security/advisory/2524375.mspx

For over a week users of browsers, and the internet at large, were not informed by COMODO that their security was compromised. Why not is beyond many of us. Announcing this high and loud even before fixes were available would not have exposed more users to threats, but fewer.

Conclusion: protecting people must not be a priority in the SSL CA model.

In some places, failure of internet security means people die, and it is high time to start serious work to replace this time-and-time-again proven flawed model with something that, at the very least, does not fail this tragically. DNSSEC is a good but insufficient start in this particular case.

Regards,
Martin
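The "failing open" point in the message above refers to browsers treating an unreachable OCSP responder or CRL distribution point as "not revoked". The following is an added example, not code from the post or from any browser: it models that acceptance policy in Python with a constructed stand-in for the responder, so the soft-fail and hard-fail outcomes can be compared for a revoked certificate whose revocation check the attacker blocks. Serial numbers and the responder contents are constructed; real OCSP responses are signed and must be verified, which is left out here.

```python
"""Soft-fail vs hard-fail revocation checking.

Added example (not from the post). query_responder() is a constructed
stand-in for an OCSP responder / CRL fetch: it returns a status for a
serial number, or raises when the client gets no answer.
"""
from enum import Enum


class RevocationStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder has no record of this serial


class ResponderUnreachable(Exception):
    """Timeout, connection refused, blocked port, DNS failure, etc."""


# Constructed data: serials of certificates a CA has issued, keyed to the
# status the responder would return for each one.
CONSTRUCTED_RESPONDER_DB = {
    "2b:4f:01": RevocationStatus.GOOD,
    "2b:4f:02": RevocationStatus.REVOKED,  # e.g. a mis-issued cert
}


def query_responder(serial, reachable=True):
    """Constructed OCSP/CRL lookup. reachable=False simulates an attacker
    (or merely a flaky network) preventing the client from getting an answer."""
    if not reachable:
        raise ResponderUnreachable("no revocation answer within timeout")
    return CONSTRUCTED_RESPONDER_DB.get(serial, RevocationStatus.UNKNOWN)


def accept_certificate(serial, hard_fail, reachable=True):
    """Decide whether a client should accept the certificate with `serial`.

    hard_fail=False is the soft-fail behaviour: no answer is treated as
    'not revoked'. Anyone who can block the revocation check, which is the
    same network position needed to intercept the TLS connection, thereby
    also neutralises the revocation of a stolen or mis-issued certificate.
    hard_fail=True refuses the connection unless a GOOD answer was obtained.
    """
    try:
        status = query_responder(serial, reachable=reachable)
    except ResponderUnreachable:
        return not hard_fail
    if status is RevocationStatus.GOOD:
        return True
    if status is RevocationStatus.REVOKED:
        return False
    # UNKNOWN: the responder does not vouch for this serial at all.
    return not hard_fail


def mitm_with_revoked_cert(serial, hard_fail):
    """Outcome of the attack scenario: the attacker presents a revoked cert
    and blocks the client's path to the responder. True means the attack
    succeeds (the client accepts the certificate)."""
    return accept_certificate(serial, hard_fail=hard_fail, reachable=False)
```

The price of hard-fail is availability: a responder outage breaks every site whose certificates point at it, which is why browsers chose to soft-fail. Having the server staple the responder's signed answer into the TLS handshake removes the separate fetch and makes hard-fail a more realistic policy.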
Re: CSI New York fake IPv6
On Sun, Mar 20, 2011 at 6:35 PM, Patrick W. Gilmore patr...@ianai.net wrote:

> Is 127.0.0.1 / ::1 the Internet version of 555?

Not according to the RFCs. Given the use of 555 in the (North American) TV world, and the regularity with which IETF defines specific example resources of various sorts, one would almost expect there'd be 555-equivalent address spaces defined by the IETF already. I assume it has been discussed and rejected. Can anyone enlighten us on why?

Regards,
Martin

PS. It's quite obvious that it would be announced and point to HTTP servers serving responses containing various evil things, I guess?

PPS. Didn't know Adobe made web browsers with remote connect clients in them. :)
Re: Libya
On Sat, Feb 19, 2011 at 1:45 AM, Randy Bush ra...@psg.com wrote:

> thanks, craig
> luckily, we have no problems like this
> http://www.boingboing.net/2011/02/17/dhs-erroneously-seiz.html

mm what would we do without these well-functioning blacklists ( http://boingboing.net/2010/09/30/only-17-of-sites-blo.html - 1.7% accuracy, few minutes' work emailing - few hours' resolution time - clearly the blacklists are doing the job well)

Regards,
Martin
Re: NYTimes: Egypt Leaders Found ‘Off’ Switch for Internet
Mounir,

On Wed, Feb 16, 2011 at 6:58 PM, Mounir Mohamed mounir.moha...@gmail.com wrote:

> No the BGP and the physical links were down.

Did you have any domestic BGP sessions up?

Regards,
Martin
Re: US Warships jamming Lebanon Internet
On Sun, Feb 6, 2011 at 12:00 AM, Joly MacFie j...@punkcast.com wrote:

> Lebanon's Telecom minister is claiming that US Navy radar is blocking the country's Internet..
> http://www.naharnet.com/domino/tn/NewsDesk.nsf/0/93A95CA1A4E42178C225782E007371AF
> "The problem, however, is due to a coordination error related to waves," Nahhas told OTV, adding that an investigation was underway to find out whether this act is intentional or not.
> also at http://www.naharnet.com/domino/tn/NewsDesk.nsf/Lebanon/EFCEF203B3C315A5C225782E0020C75F

Well-known problem with radars and wifi (used to live next to a (military) radar research site):

http://en.wikipedia.org/wiki/Radar#Frequency_bands -- Check who uses S and C
http://en.wikipedia.org/wiki/S_band

Another reason to not rely on radio for your LAN/WAN in times of Aegis cruisers passing by... ;)

Regards,
Martin
Re: Weekend Gedankenexperiment - The Kill Switch
Paul,

a key piece in the article is on the second page:

> In fact, a lot of what the bill provides for are very good ideas. The bill sets out the concept that cyberspace is a strategic asset for the United States and needs to be protected like any other strategic asset. This is good. The bill also acknowledges that we're likely to come under severe attack and need to have a way to respond. We also need to have a single point of authority to make sure we respond in a coordinated way, instead of having all of America's security forces working at cross-purposes. That single point of authority is the President. This makes sense.

In all seriousness here, I wonder how the Egyptian law was worded, that allowed them to legally (let's assume so) send out propaganda text messages through all mobile operators (force operators to comply), and even shut down the Internet (force operators to comply). It is fully possible that the law says something very similar to that above, that when the state is under stress or attack (by its own storm troopers...), the state is allowed to step in to take protective measures, all in the good interest of the state, authorized by their single point of authority.

This is a dangerous design, specifically as it assumes that the state under all circumstances is good, which, most observers will note, especially now, states cannot be assumed to be, forever and always. Essentially, I'm not seeing the upside in assuming any state will always be good, forever and always.

And it boils down to what's been discussed earlier: centralizing control of the Internet, whether political or technical, makes it less robust to failures and more prone to abuse/attack, as the value of a single point or target increases.

This sub-thread is a bit off-topic, and to the thread starter I only suggest you look into the Egypt situation/operations a bit, but I guess that's where you got your inspiration for the question anyway. :)

Cheers,
Martin

On Fri, Feb 4, 2011 at 12:32 AM, Paul Ferguson fergdawgs...@gmail.com wrote:

> On Thu, Feb 3, 2011 at 9:27 PM, Mark Newton new...@internode.com.au wrote:
>> On 04/02/2011, at 3:43 PM, Paul Ferguson wrote:
>>> On Thu, Feb 3, 2011 at 9:09 PM, Mark Newton new...@internode.com.au wrote:
>>>> On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:
>>>>> An armed FBI special agent shows up at your facility and tells your ranking manager to shut down the Internet.
>>>> Turn off the room lights, salute, and shout, "Mission Accomplished." The FBI dude with the gun won't know the difference.
>>> No. The correct answer is that in the U.S., if the Agent in question has a valid subpoena or N.S.L., you must comply.
>> Subpoenas and NSLs are used to gather information, not to shut down telcos. They're just an enforceable request for records.
>> Considering that politicians in the US have suggested that they need kill switch legislation passed before they can do it, and further considering that kill switch legislation doesn't currently exist, what lawful means do you anticipate an FBI special agent to rely on in making such a request?
>> I'm not actually in the US. In a question arising from the Egypt demonstrations earlier this week, Australia's Communications Minister said he didn't think the law as written at the moment provided the government with the lawful ability to shut down telecommunications services.
>> http://delimiter.com.au/2011/02/03/no-internet-kill-switch-for-australia-says-conroy/
>
> I share your sentiment. One of the best commentaries I have read lately on this issue was earlier today:
> http://www.zdnet.com/blog/government/ive-changed-my-mind-america-must-never-allow-an-internet-kill-switch-heres-why/9982
> Worth a quick read.
>
> -- ferg
>
> --
> Fergie, a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawgster(at)gmail.com
> ferg's tech blog: http://fergdawg.blogspot.com/
Re: quietly....
On Tue, Feb 1, 2011 at 3:32 PM, Majdi S. Abbas m...@latt.net wrote:

> If your business requires connectivity, you're not going to have a choice, so you might as well get with the program. It's less about making a business case for v6, and more about risk management at this point.

+1

Regards,
Martin
Re: A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)
On Tue, Feb 1, 2011 at 5:15 PM, Carlos M. Martinez carlosm3...@gmail.com wrote:

> Although I support RPKI as a technology, there are legitimate concerns that it could be abused. I now believe that RPKI needs work in this area at IETF level so the concerns are addressed. I imagine some form of secret sharing among different parties or some form of key escrow. I am sure that it is not an easy problem, but maybe some progress can be made in this direction.

Right. To preserve the integrity of the system it is rather necessary that multiple parties must agree to do some changes to it. This is in many ways of course a very hard thing to do, but there are a lot of good people out there with a much better understanding of cryptography and real information security than I, who definitely should look into this. Unless there already is a problem statement covering this problem, perhaps we should make one.

Perhaps it is impossible to combine an easily managed system with a totally secure and robust routing infrastructure. At any rate, I consider censorship a failure of information routing. Any secure and robust routing infrastructure will not invite more censorship.

Regards,
Martin
Re: A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)
Alex,

On Tue, Feb 1, 2011 at 4:57 PM, Alex Band al...@ripe.net wrote:

> On 1 Feb 2011, at 22:20, Owen DeLong wrote:
>> RPKI is a big knob governments might be tempted to turn.
>
> Of course we looked into this, because we're running our service from Amsterdam, the Netherlands. The possibilities for law enforcement agencies to take measures against the Resource Certification service run by the RIPE NCC are extremely limited. Under Dutch law, the process of certification, as well as resource certificates themselves, do not qualify as goods that are capable of being confiscated.
>
> Then of course, the decision making process always lies in the hands of the network operator. Only if a government would mandate an ISP to respect an invalid ROA and drop the route would it be effective. So *both* these things would have to happen before there is an operational issue.
>
> Like you've seen in Egypt, pulling the plug is easier...
>
> YMMV on your side of the pond.
>
> Alex Band
> Product Manager, RIPE NCC

As others pointed out, and as we especially have seen the past 10 and a half years, laws can easily change.

I too believe it is somewhat necessary to have 'control' over the IPv4 prefix distribution in order for the RIRs to continue being Registries. I understand and share the RIRs' concern regarding this.

I also do believe we can expend at least two years (just to put a number out there) more to make a system that is robust also against censorship, that everybody can feel comfortable to trust. Operational impact and cost, I believe, will be quite minor during this time. In fact, I believe it is an investment that apart from being necessary (IMO), will actually pay off, because only with a system that people trust will most network operators enable it by their free will, which ought to be the goal for *everybody* involved. (Lest the dystopian future take hold, of course.)

Once a reliable system exists, I would be the first one to enable it on my routers, and wouldn't shed a tear if illegitimately acquired or traded routing information was lost at that time.

And to be extremely clear, nobody is suggesting that they do not trust the people working at RIPE or any other RIR to do a good job here, but at the same time, we are all human. We have a, in my opinion, very big responsibility towards future generations in (re-)designing the Internet in a way that continues to keep it open and robust towards failures of various sorts. Even that of a single RIR.

Regards,
Martin
Re: quietly....
Jeremy,

I have not heard of any IP stack that is built to accept 240/4. Neither Linux 2.6.37 nor Windows 7 accepts it, and let's not think about all routers, including CPEs, out there.

The logic goes: You are many orders of magnitude more likely to get v6 off the ground than 240/4 or 224/4 as unicast IPv4. 224/3 will never be very usable as public v4 space since every non-upgraded host on the Internet will be unable to send packets to them, i.e., for every additional host you introduce with these addresses the worse the reachability situation becomes for the v4 Internet. Notably, this is the inverse of what happens when you introduce more hosts with native, proper IPv6, in the IPv6-Internet.

Cheers,
Martin

On Mon, Jan 31, 2011 at 11:31 PM, Jeremy jba...@gmail.com wrote:

> Has there been any discussion about allocating the Class E blocks? If this doesn't count as future use what does? (Yes, I realize this doesn't *fix* the problem here)
>
> -Jeremy
>
> On Mon, Jan 31, 2011 at 10:15 PM, Jack Carrozzo j...@crepinc.com wrote:
>> On Mon, Jan 31, 2011 at 9:55 PM, Jimmy Hess mysi...@gmail.com wrote:
>>> IPv4's not dead yet; even the first RIR exhaustion probable in 3 - 6 months doesn't end the IPv4 ride. There is some hope more IPv4 organizations will start thinking about their plans for establishing connectivity with IPv6; so they can communicate with IPv6-only hosts that will begin to emerge later.
>> What organizations (eye networks) will do is layer NAT till the cows come home for some years to come. Buckle up!
>> -Jack Carrozzo
Re: quietly....
On Tue, Feb 1, 2011 at 12:00 AM, Martin Millnert milln...@gmail.com wrote:

> Neither Linux 2.6.37 nor Windows 7 accepts it

Oops, I was clumsy there, apologies. When I was testing this, I messed up one of my hosts :/ It seems 240/4 *does* work as unicast v4 in Linux 2.6.37. Then it's easy, just convert everything to Linux. ;)

/M
Re: Wikileaks, Friend or Foe?
On Sun, Jan 30, 2011 at 3:52 AM, Joseph Prasad joseph.pra...@gmail.com wrote:

> A very good interview with John Young on Russia Today.
> http://www.youtube.com/watch?v=oMRUiB_8tTc
> One thing that Mr Young mentions in this interview is the threat secret governance poses for any free and democratic society and how there should be more debate on this with regards to the internet...

There was a /very/ good debate on this at the Churchill Club in San Francisco two weeks ago, with many top tier Bay Area people in the audience:
http://www.churchillclub.org/eventDetail.jsp?EVT_ID=892

Watch it at:
http://fora.tv/2011/01/19/WikiLeaks_Why_It_Matters_Why_It_Doesnt

Anyone interested in this topic will do well to watch this piece (1h 48m in total). If you feel hesitant to watch all of it, start with chapters 9 and 10. This piece contains plenty of food for thought.

Cheers,
Martin
A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)
Here be dragons,

On Sun, Jan 30, 2011 at 12:39 PM, Carlos Martinez-Cagnazzo carlosm3...@gmail.com wrote:

> The solution to this problem (theoretical at least) already exists in the form of RPKI.

Any top-down RPKI model is intrinsically flawed. Deploying an overlay of single-point(s) of failure on top of a well-functioning distributed system such as the Internet does not seem like a solution to much. The Internet works reasonably well only because it is reasonably distributed.

I acknowledge that:
1) there are occasionally routing problems,
2) that IPv4 will deteriorate further very rapidly as it runs out and second-hand markets pick up,
3) that spammers run BGP and abuse, seemingly primarily, the non-RIR IRR-dbs.

The answer to these issues is not by default RPKI IMO. For example, how about:
1, fix them - are there any problems that haven't been fixed or were seriously hard to fix? Enumerate and let's go specific; let's not deploy a tank to push in a screw.
2, IPv6?
3, improve/remove non-RIR IRR-dbs

It should be fairly obvious, by most recently what's going on in Egypt, why allowing a government to control the Internet is a Really Bad Idea. While it is true that governments are more or less in control of the *geographic area* they govern, as is evident in Egypt, there is a serious and big difference between the ease of removing a prefix from the Internet today in a country and how easy it will be in the fully network-deployed RPKI case, because of the hierarchical model (send your tanks to the RIR office(s) instead of every single country). Yes, governments exploit capabilities given to them by technological means ("we do it just because we can" is a standing motto).

A top-down RPKI model would be a severely negative development of the resilience of the Internet, especially for freedom-aspiring people (approximately equal to humankind?), who need to avert government suppression.

If we are to go down this path, at the very least it must stay architecturally/technologically *impossible* for an entity from country A to via-the-hierarchical-trust-model block a prefix assigned to some entity in country B, that is assigned by B's RIR and in full accordance with the RIR policies and in no breach of any contract. If not, we're doing humanity a disservice. One that I have no doubt would simply spawn/grow further overlay-networks to counter the problem.

Cheers,
Martin

> On Sun, Jan 30, 2011 at 6:23 AM, Andrew Alston a...@tenet.ac.za wrote:
>> Hi All,
>>
>> I've just noticed that Level 3 is allowing people to register space in its IRR database that A.) is not assigned to the people registering it and B.) is not assigned via/to Level 3.
>>
>> So, I have two queries
>> A.) Are only customers of Level 3 allowed to use this database
>> B.) Can someone from Level 3 please clarify if there are any plans to lock this down slightly
>>
>> At this point, it would seem that if you are a customer of level 3's, you can register any space you feel like in there, and announce anything you feel like once the filters propagate, which in my opinion completely nullifies the point of IRR in the first place.
>>
>> Though I think this also raises the question about IRR databases in general. Would it not be far more sane to have each RIR run a single instance each which talk to each other, which can be verified against IP address assignments, and scrap the distributed IRR systems that allow for issues like this to occur?
>>
>> (In the mean time I've emailed the relevant people to try and get the entries falsely registered in that database removed, and will wait and see if I get a response).
>>
>> Andrew Alston
>> TENET - Chief Technology Officer
>> Phone: +27 21 763 7181
>
> --
> Carlos M. Martinez-Cagnazzo
> http://www.labs.lacnic.net
Re: Level 3's IRR Database
On Sun, Jan 30, 2011 at 5:08 PM, Jack Bates jba...@brightok.net wrote:

> Just a simple, if route invalidly signed, drop it.

What constitutes an invalidly signed route more exactly? Would a signed route by a signer (ISP) whose status has been revoked by an entity in the RPKI-hierarchy-of-trust above (for whatever reason), be considered invalid?

For example, if the Egyptian government orders an entity situated somewhere in the verification trust-chain to revoke the trust-chain for some prefixes below, because it prefers these prefixes to not be reachable by anyone, that wouldn't be very good, would it?

Not seeing the upside of that model at all. Why would anyone want that?

Cheers,
Martin
Re: Level 3's IRR Database
Carlos,

On Sun, Jan 30, 2011 at 9:22 PM, Carlos Martinez-Cagnazzo carlosm3...@gmail.com wrote:

> Hi, this is the second mention I see of RPKI and Egypt in the same context. I sincerely fail to see the connection between both situations.

It is quite simple actually.

1. Governments (eventually) want to take pieces of the Internet offline, and Egypt is only the latest abundantly clear proof of this desire.
2. RPKI might make this easier to accomplish than before, effectively leading to more censorship than without it.

My fear is that of the big red DELETE-FROM-THE-INTERNET button: If the system becomes widely deployed, it is an even shorter step to make for various lawmakers in various countries to legislate how RPKI is to be used. There are obviously other ways for your local autocrat to cut the Internet down, but this would undoubtedly add a potential fine-grained mechanism on top of it that I fail to see how it will not be abused.

E.g., it'd be possible to, with the right hand, require that all ISPs treat RPKI in a certain way (abstract away the censorship to all ISPs', even those in other countries(!), own routers, once the technology is in place), and with the left hand cherry-pick what can be on and what can be off, at a much, much lower cost than unplugging everything (Egypt), or buying lots of cool hardware (China). (This is a bad thing, btw.)

I'd happily see an explanation of RPKI that clears these fears from my mind, and I'm fairly sure that I am not crazy for having them... (Meanwhile I will read all of Randy's recommended reading.)

And yes there are a myriad of other ways to shut things down from the Internet, but none of them are as integrated with the Internet as RPKI would be, right? Plus, I don't really see adding another way to shut things down as a positive thing, because of the apparent abuse-vector it represents.

Regards,
Martin

(With tiny, tiny steps, nobody will understand how we ended up where we end up, and by then it's hard to retract.)

> On Sun, Jan 30, 2011 at 7:53 PM, Brandon Butterworth bran...@rd.bbc.co.uk wrote:
>>>> I think it is too early in the deployment process to start dropping routes based on RPKI alone. We'll get there at some point, I guess.
>>> Do we really *want* to get to that point?
>> I thought that was the point and the goal of securing the routing infrastructure is laudable. But the voices in my head say don't trust them with control of your routes, see what happened in Egypt.
>>
>> brandon
>
> --
> Carlos M. Martinez-Cagnazzo
> http://www.labs.lacnic.net
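Two questions run through the thread above: what "invalidly signed" actually means for a route ("What constitutes an invalidly signed route more exactly?"), and whether an entity higher in the hierarchy can turn a route invalid by revoking a ROA beneath it (the "big red DELETE-FROM-THE-INTERNET button"). Both have a precise answer in the RPKI origin validation rules (RFC 6483): a route is valid, invalid or notfound depending on the set of validated ROAs that cover it. The block below is an added example, not code from the thread or from any RPKI validator: a Python implementation of those rules, a "drop invalid" policy as quoted above, and a constructed ROA set using documentation prefixes and AS numbers, so the revocation scenario can be run both with and without a covering ROA from the provider.

```python
"""Route origin validation (RFC 6483) and the revocation scenario from the
thread. Added example, not from the thread or from any RPKI validator.

ROAs below are constructed with documentation prefixes (192.0.2.0/24,
198.51.100.0/24, 2001:db8::/32) and documentation AS numbers (64496-64511).
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A validated ROA: origin_asn may announce `prefix` and any more-specific
    prefix no longer than max_length bits."""
    prefix: str
    max_length: int
    origin_asn: int


def validate(route_prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'notfound' for (route_prefix, origin_asn).

    A ROA covers the route if the route is equal to or more specific than the
    ROA prefix. The route is valid if some covering ROA matches the origin AS
    and permits the route's prefix length; invalid if ROAs cover it but none
    matches; notfound if no ROA covers it at all.
    """
    route = ip_network(route_prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def accept_route(route_prefix, origin_asn, roas, drop_notfound=False):
    """Router policy quoted in the thread: if invalidly signed, drop it.
    Unsigned (notfound) routes are kept unless drop_notfound is set."""
    state = validate(route_prefix, origin_asn, roas)
    if state == "valid":
        return True
    if state == "invalid":
        return False
    return not drop_notfound


# Constructed validated-ROA cache: the provider (AS64500) holds a ROA for its
# whole allocation, the customer (AS64496) one for its /25 assignment.
CONSTRUCTED_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),     # provider, /24 only
    ROA("192.0.2.128/25", 25, 64496),   # customer's own assignment
    ROA("2001:db8::/32", 48, 64500),    # provider IPv6, /48s permitted
]


def revoked(roas, prefix):
    """Simulate a CA above the holder withdrawing (revoking) the ROA for
    `prefix`: validators simply stop seeing it in the validated set."""
    return [r for r in roas if r.prefix != prefix]


def customer_after_revocation(provider_roa_present):
    """What happens to the customer's /25 once its ROA is revoked, with and
    without the provider's covering ROA. Returns (state, accepted)."""
    roas = list(CONSTRUCTED_ROAS)
    if not provider_roa_present:
        roas = revoked(roas, "192.0.2.0/24")
    roas = revoked(roas, "192.0.2.128/25")
    state = validate("192.0.2.128/25", 64496, roas)
    return state, accept_route("192.0.2.128/25", 64496, roas)
```

The two results of customer_after_revocation() are the crux of the thread: with no covering ROA left, revoking the customer's ROA only moves the route to notfound, which a "drop invalid" router still accepts; with the provider's (or any upstream) ROA still covering the block, the same revocation makes the route invalid and it is dropped. Whether an operator also drops notfound routes, and how many ROAs sit above a given prefix, therefore decides how sharp the "button" is.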