[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RPKI (was: Re: Cogent sales reps who actually respond)

In message <MN2PR17MB402947F79FD83ABB9BBF429B9E8F0 at MN2PR17MB4029.namprd17.prod.outlook.com>,
Martijn Schmidt <martijnschmidt at i3d.net> wrote:

>Hi Elad,
>If you were to create RPKI ROAs for the IPs in question...

Thanks Martijn, for reminding me of a follow-up point that I had intended
to make regarding my recent post about the (Athenix) block.

RPKI is the best we have and I cannot wait for the day when it will see
universal deployment.  But it isn't actually the 100% solution that
everyone has been hoping it would be.

As the case of the block illustrates, if the RIR has itself
been snookered into believing that party X actually owns party Y's block,
then that's it.  Game over, and RPKI doesn't help, because if the
RIR believes that you own the block, and if you are insisting on
driving it off the lot, right now, today, then they *are* going to give
you the keys, even if the "keys", in future, will include some additional
RPKI mumbo jumbo, along with WHOIS records reflecting your desired public
persona, and reverse DNS delegation, etc.

In short, it appears to me that RPKI only secures resources from the RIR
outwards, and if there is a problem of either competency or trust within
the RIR, then RPKI can't and won't solve that...

... but I feel sure that someone will correct me if I'm wrong.