On Sun, Feb 14, 2010 at 4:54 AM, SM <sm(_at_)resistor(_dot_)net> wrote:
At 02:55 12-02-10, IAB Chair wrote:
IAB statement on the RPKI.
= RPKI as a prerequisite for improving the security of the global
It would be preposterous of me to disagree with the opinion of the learned
members of the IAB.
I don't think that any member of the IAB would claim that their
expertise in the PKI field precluded debate.
This is not a technical issue, it is a political issue. IANA and ICANN
have a really, really bad record when it comes to setting up root
authorities. Any plan that requires their involvement is going to take
considerably more time and effort than one where their involvement is
The substantive statements being issued in the PKI are going to
consist of a RIR issuing an assertion of the form 'The holder of the
key X has the authority to assign AS numbers to the IP address space Y
There are five RIRs, this number is not going to increase in the short
term. Participation of the RIRs is critical for an authoritative
system. Participation of ICANN is not.
The risk of including ICANN is that misguided or not, there are lots
of people who have concerns as to the power that the US exercises over
the Internet through their defacto control of ICANN. One common
concern is that the US could use such control to ensure that US ISPs
were favored in the distribution of the remaining IPv4 blocks.
The people who hold these views are not stupid, they just hold a
completely different world view. A world view that is not going to be
overturned by rational arguments based on the world view largely
shared by the IAB. And some of those people hold positions of
authority that can pretty much ensure that any ICANN sponsored root
In the diplomatic world, you do not accept a position based on 'trust
me'. The original DNS emerged by accident because nobody was looking.
X.500 died because everyone was watching and there was a sufficiently
large number of parties who prefered no system to an unacceptable
As most people here are aware, the Internet has become a forum for
proxy-warfare and symbolic warfare. There will be considerable
opposition even with the changes I propose: certain parties do not
want this system to be secure.
A better alternative to a single root structure would be for each RIR
to cross certify with the other RIRs. This eliminates the objection to
'US dominance', eliminates ICANN as a roadblock and provides for
The security difference between the two scheme is that a single root
system headed by ICANN could in theory prevent 'defection' by a RIR.
In practice this would require a lot more technical mechanism. ICANN
would have to certify each mega-block allocation.
I don't think it is very likely that end entities are going to be
checking the block allocations on every transaction absent an
expectation that the RIRs might defect. But the possibility that they
might will mean that the RIRs will lose authority should they
co-operate with such a scheme.
In conclusion, I strongly recommend that we do not repeat the
disastrous political mistakes of DNSSEC that have blocked deployment
for over a decade and will still continue long after the DNSSEC root
Deployment of infrastructure on this scale requires that we make a
commitment to deployment a higher priority than the realization of a
specific technical architecture.
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
Ietf mailing list