Helping to secure internet routing


116 points | by mcbain 113 days ago


  • skynet-9000 113 days ago
    With RPKI, what happens if the RIR (i.e., ARIN, RIPE, etc)'s Certificate Authority decides to revoke the certificate for the netblock?

    Does the netblock "owner" suddenly see all of its traffic dropped?

    If so, this is a far more powerful takedown than simply a domain or CA takedown or revocation and takes immediate effect across the globe.

It's basically a giant "kill switch" and centralizes enormous power in the RIRs, which still have to operate according to the laws of the jurisdiction that they operate in, but span country laws.

Follow-up question. What happens when a judge in (any country) issues legal notice to terminate the certificate to the RIR of a region for a netblock of an entity in another country?

    • lima 113 days ago
      > Does the netblock "owner" suddenly see all of its traffic dropped?

      Assuming everyone implements RPKI validation AND the RIR signs a new valid ROA with a different origin: Yes, eventually. Depends on sync intervals. It's unlikely it would even be legally possible to compel them to do this.

      Individual ASNs can still choose to accept the invalid route anyway.

      The RIR already has the power to revoke assignments, and IRRs would likely remove the route objects which most large networks use to generate filters. It was simply a slower process, and filtering according to IRR data is much more error-prone and open to abuse.

      For example, here's RIPE's policy:

      • apple_innocent 113 days ago
"It's unlikely it would even be legally possible to compel them to do this."

        But then, at a higher level, look at the unilateral/collective censorship ("deplatforming") that is happening right now... and being carried out in part by Amazon. None of the censors have been legally compelled to take any such actions.

        • xenadu02 113 days ago
          What you are calling "censorship" is a free market business transaction. There are many cloud services, colo facilities, etc. If Amazon chooses not to do business with you there are certainly other options.

          This certainly happens at the local level all the time: really toxic customers can get "fired" and banned from all the local movie theaters or all the local grocery stores. It is really no different online - some people just got used to living consequence-free on the internet. Wider society had no idea what the internet was at first then later didn't grasp the seriousness or impact the internet had. Fewer people hold such obviously disprovable beliefs now. The internet is just slowly catching up with how the physical world usually works. Neo-Nazi groups often can't find private venues willing to host their rallies, caterers willing to serve them food, etc. Newspapers refuse to run ads all the time. Broadcast networks don't hand over the microphone to everyone who demands it. If every newspaper in the country refuses to run your political ad that doesn't make it a grand conspiracy to censor you - perhaps you're just an asshole they don't want to do business with.

          RIRs are not regular for-profit businesses and operate under very different policies for many reasons not the least of which is there are no alternatives since the RIR controls your access to the internet within your region via IP assignments.

          • apple_innocent 113 days ago
            If the reason for the decision is objectionable speech then what term do we use.

            Anyway, it does not change the point of the original comment which is that these entities are collectively taking action based on objectionable material without any legal compulsion.

            • redis_mlc 112 days ago
              > Neo-Nazi groups often can't find private venues willing to host their rallies

              But calling people who are not Neo-Nazis "Neo-Nazis" makes you the asshole. It was the DNC that used antifa goons to burn US cities for 2 months, not Neo-Nazis.

              We know this is true because it took Pelosi 2 months to denounce the city riots, while 1 week to impeach Trump.

              • im3w1l 113 days ago
                It's pretty clear what trusting Amazon with internet routing will accomplish. The 73% of Republicans think the election was fraudulent - that basket of deplorable assholes will be routed straight to the nearest landfill.

                Any protocol which lets them do that will surely face a lot of opposition.

                "Only trust Operating Systems signed by us for your own security", "Only trust Apps signed by us for your own security", "Only trust routes signed by us for your own security", yeah I think we all know how that usually goes.

          • tialaramex 113 days ago
            The experience in the Web PKI has been that you can pay lawyers to explain to a judge that they should order the thing they actually want done, rather than accept contorted arguments from other lawyers that a different order will achieve the goals despite not ordering what is actually desired.

            For example the EFF spent effort helping US judges understand that if they want to order that stealmovies.example must go away they need to order the example registry to remove this name, not try to force Let's Encrypt to revoke certificates for it as Hollywood lawyers were advocating.

            That won't magically stop judges from making orders you disagree with but it does force them to be clear eyed about what they're about, and that means you're more likely to prevail with simple just rationales either in court or subsequently in popular opinion.

            • kitteh 113 days ago
              It would revert to not being signed, which routes just fine. You just don't get the additional security benefits. It won't turn it into invalid if I'm following what you are saying.
              • lima 113 days ago
                Yep - simply deleting ROAs would make it "unknown".

                A RIR could, however, purposefully sign a new ROA with a different origin.

            • ancarda 113 days ago
              >We are happy to have over 99% of our IPv4 and IPv6 -Space covered under a Route Origination Authorization, and that we are right now dropping RPKI invalid routes in every single Point-of-Presence for AS16509.

              Does anyone know if AWS is going to push the remaining 1% to implement ROA?

              Also, it sounds like an unsigned route - which I think most BGP announcements are - is still accepted, right? Any idea when we can start to require routes be signed?

              • kitteh 113 days ago
There can be legitimate use cases where a network may have a very small number of prefixes not signed or even invalid: canaries and beacons.

                For example, running tests to a signed, unsigned and invalid prefix can provide insight into how other networks are routing to them.

                One example is a beacon to probe to determine if a network has enabled origin validation. Failure to connect, or a change in the routing path can provide insight into which networks on the internet have enabled origin validation.
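Added example, not code from the thread or from any RIR or AWS: a Route Origin Validation check in the RFC 6811 sense, run over a constructed ROA cache, covering the cases discussed above (ROA deleted gives "unknown", ROA re-signed to another origin gives invalid, and the signed/unsigned/invalid canary prefixes). Prefixes are documentation ranges and ASNs are private; all values are made up.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA set."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def roa(prefix: str, max_length: int, origin_as: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix), max_length, origin_as)


def rov_state(announced: str, origin_as: int, roas: list[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for (announced prefix, origin AS).

    A ROA covers the announcement if the announced prefix lies within the ROA
    prefix.  Any covering ROA whose origin matches and whose maxLength is not
    exceeded makes the route valid; covering ROAs with no match make it
    invalid; no covering ROA at all is not-found (what the thread calls
    "unknown"), which validators still route.
    """
    net = ipaddress.ip_network(announced, strict=False)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept_route(state: str, drop_invalid: bool = True) -> bool:
    """Per-AS policy: valid and not-found are accepted; invalid is dropped
    only if this operator has chosen to drop invalids."""
    return state != "invalid" or not drop_invalid


# Constructed ROA cache: one ROA for a documentation prefix, private-ASN origin.
ROAS = [roa("203.0.113.0/24", 24, 64500)]


def scenarios() -> dict[str, str]:
    """The situations discussed in the thread, plus a maxLength canary."""
    return {
        "signed, correct origin": rov_state("203.0.113.0/24", 64500, ROAS),
        "ROA deleted": rov_state("203.0.113.0/24", 64500, []),
        "ROA re-signed to AS64501": rov_state(
            "203.0.113.0/24", 64500, [roa("203.0.113.0/24", 24, 64501)]),
        "more-specific /25 beyond maxLength": rov_state(
            "203.0.113.0/25", 64500, ROAS),
        "unrelated prefix (no ROA)": rov_state("198.51.100.0/24", 64500, ROAS),
    }
```

A beacon of the kind described above is just these three prefix states announced side by side; a validating network's reachability to them tells you which state it drops.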

                • wmf 113 days ago
                  Making RPKI mandatory is like turning off IPv4 after everyone has adopted IPv6.
                  • tialaramex 113 days ago
                    I believe it is likely that global IPv4 routing goes away before universal adoption of IPv6 at clients.

                    Transitional technologies allow IPv4 holdouts to have "working" Internet despite an increasing proportion of IPv6 nodes, there's some device somewhere which is mapping your connection to some IPv6-only service as an imaginary IPv4 connection. Such things wouldn't scale with 99% of users and usages, but can handle say, five thousand IPv4 users on your ten million customer ISP who mostly visit Facebook and check email.

                    Eventually the long distance traffic for IPv4 is tiny, because there's a transition device nearer almost all remaining IPv4 users and that's turning their traffic into IPv6 for the long haul anyway.

                    At that point if you're a backbone provider, IPv4 is a sizeable cost (the routing tables for it are horrendous) for negligible benefit (hardly any of your traffic) and its future only looks more dismal. So you start deprecating this service for your customers, and they don't bother to buy a replacement because they have a transition device to help any residual IPv4 users.

                    And so one day, without a fanfare, there just isn't really an IPv4 Internet any more, and the RIRs will just deprecate their management of the numbering for that network because it's obsolete.

                    Ideally this is an obscure nerd event, like a leap second, which your friends at first don't understand, and then when you explain it they realise it's boring and they don't care.

                    I hope to live to see it.

                    • p1mrx 113 days ago
                      > a transition device nearer almost all remaining IPv4 users and that's turning their traffic into IPv6 for the long haul anyway.

                      This is mostly impossible, because an IPv4 packet doesn't have room for an IPv6 destination. The opposite direction (NAT64) is common, but that's for IPv6 clients talking to IPv4 servers.

                      • tialaramex 113 days ago
So, what you do goes like this: You provide DNS service, offering A answers even where (if you were to ask the public Internet) there are none. When you're asked for you do an AAAA query, and you track for a while a mapping from the answer to a (RFC1918 or assigned for this purpose) IPv4 address, recording it, then you reply to the A? query with your temporary address as the answer and a chosen timeout (maybe you plan to have this work for one hour, so you give a 3600 second timeout). You then act as a NAT gateway that translates between IPv6 and IPv4 for that address mapping.

                        This doesn't work great, it breaks protocols which assume they're transparent (e.g. some FTP modes), it is slower and clunkier than "just" having IPv4 as we do today, and as I said it isn't viable with huge numbers of users (you run out of address space) but it's good enough that a lot of common application software remains usable this way.

                        This is about the gentle slope down, so it doesn't need to be perfect or even have the potential to be perfect, it just needs to work well enough to reduce the amount of tech support phone calls.

                        Think of it like the way pulse dialling was deprecated. Nobody needed to figure out a way to have pulse dialling be as good as tone dialling, let alone a truly out-of-band system (as is used by your mobile phone, and most other modern systems), they just needed to minimise the situation where lots of customers discover that they were using pulse dialling only because now it doesn't work.
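Added example, not the commenter's code: the address-mapping DNS front end and NAT table described above, with a temporary IPv4 pool, mapping lifetime, and the pool-exhaustion failure mode mentioned in the comment. The upstream AAAA lookup is a constructed table standing in for a real resolver; names and addresses are documentation values.

```python
"""Synthesised A answers backed by a temporary IPv4 -> IPv6 mapping table."""
from __future__ import annotations
import ipaddress
import time

# Constructed stand-in for the public DNS: names that only have AAAA records.
UPSTREAM_AAAA = {
    "v6only.example": "2001:db8::1",
    "other.example": "2001:db8::2",
    "third.example": "2001:db8::3",
}


class MappingTable:
    def __init__(self, pool: str, ttl: int = 3600, clock=time.monotonic):
        # Small RFC 1918 pool on purpose: running out is the expected limit.
        self.free = list(ipaddress.ip_network(pool).hosts())
        self.ttl, self.clock = ttl, clock
        self.v4_to_v6 = {}    # temp IPv4 -> (IPv6 target, expiry time)
        self.name_to_v4 = {}  # reuse a live mapping instead of a new address

    def _expire(self) -> float:
        """Return expired addresses to the pool; returns the current time."""
        now = self.clock()
        for v4, (_, exp) in list(self.v4_to_v6.items()):
            if exp <= now:
                del self.v4_to_v6[v4]
                self.free.append(v4)
        self.name_to_v4 = {n: v4 for n, v4 in self.name_to_v4.items()
                           if v4 in self.v4_to_v6}
        return now

    def answer_a(self, name: str):
        """Synthesise an A answer as (address, ttl), or None if impossible."""
        now = self._expire()
        v4 = self.name_to_v4.get(name)
        if v4 is not None:
            _, exp = self.v4_to_v6[v4]
            # Hand out the remaining lifetime, not a fresh TTL, so clients do
            # not cache the address past the point where the NAT forgets it.
            return str(v4), max(1, int(exp - now))
        v6 = UPSTREAM_AAAA.get(name)
        if v6 is None or not self.free:
            return None  # no AAAA upstream, or the IPv4 pool is exhausted
        v4 = self.free.pop(0)
        self.v4_to_v6[v4] = (ipaddress.ip_address(v6), now + self.ttl)
        self.name_to_v4[name] = v4
        return str(v4), self.ttl

    def translate(self, dst_v4: str):
        """NAT step: IPv6 destination for a packet sent to a temporary IPv4."""
        self._expire()
        entry = self.v4_to_v6.get(ipaddress.ip_address(dst_v4))
        return str(entry[0]) if entry else None
```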

                      • lmm 113 days ago
                        If you're using DS-Lite then the traffic is IPv4 from the user's device to their local router, v6 from there to... somewhere, and then v4 between that somewhere and the endpoint. Initially that "somewhere" is the user's ISP, but we can imagine it getting outsourced further and further upstream until eventually "the IPv4 internet" is a single datacenter that every ISP outsources to.
                • jgrahamc 113 days ago
                  • ericpauley 113 days ago
                    • godzillabrennus 113 days ago
                      I’m happy to see this get addressed yet simultaneously disappointed that Pirate Bay can’t knock North Korea off the Internet anymore.
                      • dangerboysteve 113 days ago
                        listened to a good podcast about this a while back


                        • jharohit 113 days ago
                          We need to get to a fully trustless routing mechanism on global networks
                          • hossbeast 113 days ago
                            Fully trustless is where we started.
                            • kornbattery 113 days ago
If you have to trust everyone's routing to be correct to have a working internet, it doesn't seem trustless
                          • jtdev 113 days ago
                            Does this give AWS any ability to block/censor or influence access to segments of the internet that they might not politically "approve" of?
                            • advisedwang 113 days ago
                              No. If anything this makes it harder for anyone to block segments of the internet, by ensuring the integrity of routing to any given netblock.
                              • icedchai 113 days ago
                                Not really. ISPs can still send your traffic to null0. They can still filter routes. On top of that, it will be years, likely decades, before the majority even bother to validate routes with RPKI.
                                • jtdev 113 days ago
                                  Who is the authority on the integrity of routing?
                                  • superkuh 113 days ago
                                    The certificate authority that signs the routes. So yeah, this will centralize control of routing and expose it to things like government censorship and corporation exploitation. Sometimes the wild west is better than an authoritarian government.

                                    Like DNSSEC this is only good for megacorps and nationstates. If anything it will expose human people to more abuse and exploitation.

                                    • ancarda 113 days ago
                                      Has this happened as HTTPS adoption has increased? Do you believe BGP RPKI will be different?

                                      A lot of threads about rising use of encryption seem to have this fear - that it will be used against us at some point, and I'd really like to understand where this fear comes from

                                      Even taking a recent example of Parler; as far as I know it had HTTPS support and the corresponding X.509 cert was never revoked - instead hosting and I think the domain was terminated

                                      • superkuh 113 days ago
Let's put it another way. Do you think the Arab spring and Libyan civil war would've taken place if DNSSEC had been in place and Gaddafi had control of's TLS keys? I don't. Now think of that kind of thing happening with routes. Yikes.

At least with the way things are now there's no ground truth. Every AS has its own perception of the routing table and the ability to act on it. That's the way it should be. Securing BGP means less security because there is no global consensus even implied in the protocol. Securing BGP means centralizing BGP, not security.

                                        • dane-pgp 113 days ago
                                          > if DNSSEC had been in place and Gaddafi had control of's TLS keys?

                                          But Gaddafi was already in control of all Libyan ISPs and the .ly ccTLD. Why would DNSSEC have made his job any easier?

                                          Also, surely Facebook was more instrumental in the Arab Spring than was.[0] If anything, the lack of DNSSEC made it easier for Gaddafi to spoof DNS results for and other sites.


                                          • tptacek 113 days ago
                                            Gaddafi was not, to my knowledge, in control of any WebPKI CA=True certificates.
                                            • dane-pgp 113 days ago
                                              Obviously for he would only be able to serve an unencrypted HTTP version (and HSTS-preloading would prevent that working in most cases), but by controlling the .ly ccTLD he could acquire TLS certificates for any "national" site. I'm not sure if any of that is relevant, though.
                                              • tialaramex 113 days ago
                                                For what it's worth this Gaddafi -> Libya -> connection has to be one of the weirdest beliefs you've exhibited over a long period.

                                                At first I thought it was just an extended bit, like the whole Cody Johnston "teleporting boars" thing [0]

                                                But I don't think it can be, I think you're serious and er, that's not great basically. Maybe take a few minutes to think about it more clearly, discuss it with somebody you trust, and see if you can't figure out where you went wrong.


                                                • superkuh 113 days ago
                                                  Um, okay. Who do you think I am?
                                                  • tialaramex 112 days ago
                                                    You're superkuh, but I was replying to tptacek which is to say Thomas Ptacek, who has made this very strange argument multiple times.
                                            • zaarn 113 days ago
                                              Anyone can still accept routes that don't have the stamp of authority.

I would also point out that the big authorities handing out the certification for this can also just revoke your IP block instead. You could still announce the block but since you're no longer in legitimate ownership of the IP block, it's likely that you'll quickly be blocked from announcing it.

                                            • jtdev 113 days ago
                                              It seems like we should be more focused on the possibility of this being abused rather than asking if it’s been abused yet.
                                              • skynet-9000 113 days ago
                                                In this case, certificate revocation being so broken probably saved Parler from having it being done to them.
                                                • im3w1l 113 days ago
                                                  > Has this happened as HTTPS adoption has increased?

                                                  This is such a naive way of looking at things. First a trap is built. Then you wait. Years. Only when the trap is filled to the brim does it snap shut. Many examples of that pattern.

                                                • simonjgreen 113 days ago
Actually, it's a level playing field for all ISPs. So if you want safety, support your smaller ISPs rather than the big names who are often under the surveillance radar and will still be using RPKI.
                                                • colde 113 days ago
                                                  The owner of the netblock.
                                            • bawolff 113 days ago
                                              Amazon at any point can create a firewall (it would be business suicide however to do so for geopolitical reasons). This however has nothing to do with that.
                                              • freedomben 113 days ago
                                                Why the downvotes for this question? Given recent events, this seems like an incredibly important consideration. No matter your perspective, this seems like something to think about.

                                                If you think Amazon did the right thing, then you would probably want them to be able to refuse routes from networks that are too dangerous.

                                                If you think Amazon did the wrong thing, then you may be afraid that this gives them even more power to de-platform.

                                                Either way, this seems relevant to me. Thanks OP for asking the question.

                                                • kodah 113 days ago
                                                  FYI, asking about downvotes usually yields downvotes.

                                                  That said, votes usually come in waves. It'll end up where it needs to.

                                              • ed25519FUUU 113 days ago
                                                ISPs need this big time.
                                                • rossdavidh 113 days ago
                                                  Well, I feel so much more secure about that, now.
                                                  • asdfsfkwqe 113 days ago
Given recent AWS activities, one can foresee AWS dropping routing requests for sites they don't like.