Re: [sig-policy] Article of possible interest to the community
On 22/08/2011, at 6:45 PM, Jay Daley wrote:
>
> I understand this intent but I see that as the product of much the same set of participants as the RIR policy process and so RPKI and the policy around it are all of the same nature.
>
That is not surprising, the people who are cognisant of security concerns regarding the routing protocol are the ones who understand the routing system and also how to apply a layer of infrastructure security to it. Idealistically one would say that in the creation of the RPKI the technical concerns were the initial driver, not the political concerns. (noting that 'keeping people in line with RPKI' is a political concern from my PoV.)
It may be arguable that the latter now holds more importance and could well signal a structural change to the former - but if the sentiment seen from stakeholders in another region is anything to go by the application in effort will be for a more relaxed, less controlled incarnation.
Although there are some parallels between RPKI and DNSSEC. Is the domain industry mandating DNSSEC to keep people in line? ;)
>
> Ultimately an RIR is allocating resources that provide access and with that comes responsibility for the policies under which those resources are allocated.
I think what you are trying to assert is that the RIRs have more of a role in routing than they actually do. Granted it is a fuzzy line, but the system has always attempted to state that RIRs cannot guarantee the routability of any address block. As it is already, there are prefixes that are simply not satisfactory and operators pop up on mailing lists from time to time lamenting their allocated address block they cannot return/replace due to filtering by organisations all over the world outside of their control or the RIR's control.
It's an imperfect system, I fear that more centralisation and control will make it even more so. Any implementation of RPKI, or indeed anything else including the trading market that others suggest and have faith in, will need to work perfectly well in a decentralised manner.
> The key word here is responsibility. It is an intrinsic attribute of resource allocation and cannot be avoided or ignored or the system fails. Every outsider I know that has looked in on the RIR policy process in the last couple of years has seen this responsibility gap clearly and was astonished by it.
>
Can you specifically call out this responsibility gap?
>> I dare say that the vast amount of operators out there would also rather not see a RIR given such reaching controls.
>
> In .nz we are also acutely concerned to prevent too much power being vested with one entity and the need for appropriate checks and balances. Consequently the ccTLD role is split across two entities - the registry that operates the DNS and registration systems, which it does according to the policy set by the other entity, the regulator, who manages an open and consultative policy process. As the guardian of the policy it is the regulator that takes action if someone breaches the policy by instructing the registry on what action to take.
>
It's true that in the APNIC region the one organisation is both the ultimate approval point for policy (the APNIC EC approves the policies before implementation) and the operator of the registry. The question that I have is if there was a separation of policy and operation, would that make the mooted trading market easier to migrate to? Or for the RIR system to have a softer ride over speed bumps and potholes?
It may well.. I just don't have an unblemished crystal ball.. nor a mental model that fits the scenario at this stage, and as much as Tom in the past has argued the banking/monetary structure to me I still don't buy that either.
Cheers