On Wed, Mar 04, 2020 at 11:36:55AM +0000, Nick Hilliard wrote:
> Carlos Friaças via routing-wg wrote on 04/03/2020 07:23:
> > Unfortunately, you will only "run AS0" over non-distributed APNIC space.
> > 
> > If you were able to do it for the full problem space, those who will
> > continue to explore this weakness in the global routing system would not
> > have an excellent alternative by simply choosing to abuse
> > non-distributed space by the other RIRs...
> 
> are you seriously suggesting that APNIC or any other RIR should use a TAL
> for 0/0 to claim authority over unallocated space from other RIRs?
> 
> This would be an extraordinary breach of trust in the RIR community.

Should any RIR start interfering with potentially unassigned or
unallocated resources from another RIR in such a manner, I'd consider
the RIR CA akin to compromised and suggest to remove the associated TAL
from our RPKI Cache Validators. Thus the outlined approach would result
in negative impact for the NIRs and LIRs under that RIR CA in the
affected region, but probably outweighs the complications of one RIR
claiming space is Unassigned/Unallocated while the actual managing RIR
might think otherwise.

In short, this would be a misuse of the current certificate structure
that implemented 0.0.0.0/0 + ::/0 to facilitate inter-RIR
transfers. That mechanism was not intended to help RIRs step on each
other's toes.

Let's continue to focus on deploying RPKI Origin Validation as-is on all
Internet EBGP sessions first. At best it seems premature to overload the
functionality of the RPKI in this way.

Kind regards,

Job
