Implementing Decentralized RPKI with Blockchain Technology

Hi there,

Currently, due to political factors, some countries are not particularly proactive in deploying RPKI. Imagine if the RIR of a region were forced to revoke all IP resources of a particular country from RPKI, effectively isolating that country from the global internet.

To address this, one approach is for autonomous networks within a region to establish two trusted RPKI CA servers: one from the major RIRs and another locally managed. The locally managed CA would take precedence, allowing autonomous networks to submit their IP resources to the RPKI server of their peers (and potentially backed by a national mandate to trust this CA). This setup could prevent a scenario where an entire country’s IP resources are revoked, leading to all IPs being marked as invalid.

Another concept is to use blockchain technology. While cryptocurrencies use computational power to verify ownership, BGP could use peer count. If an IP resource is marked as valid by a majority of high-influence networks (with many peers), it could be trusted by the entire internet.

Could this approach work? Perhaps there’s existing research on similar methods?

Brandon Z.
HUIZE LTD
www.huize.asia | www.ixp.su
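The "locally managed CA takes precedence" idea from the message above, as an added example that is not part of the original post: RFC 6811 route origin validation run over two sets of validated ROA payloads (VRPs). The precedence rule (a local answer other than not-found is final), the function names, and the sample prefixes and AS numbers are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    prefix: str   # prefix from the ROA
    max_len: int  # longest announcement the ROA allows
    asn: int      # authorised origin AS; 0 means "no AS may originate this"

def rov(vrps, route_prefix, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        roa = ipaddress.ip_network(v.prefix)
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def rov_local_first(local_vrps, rir_vrps, route_prefix, origin_asn):
    """Assumed precedence rule: a local answer other than 'not-found' is final."""
    state = rov(local_vrps, route_prefix, origin_asn)
    if state != "not-found":
        return state, "local"
    return rov(rir_vrps, route_prefix, origin_asn), "rir"

# Constructed sample data (documentation prefixes and AS numbers).
# The RIR tree has replaced the ROA for 192.0.2.0/24 with an AS0 ROA.
RIR_VRPS = [VRP("192.0.2.0/24", 24, 0), VRP("198.51.100.0/24", 24, 64497)]
LOCAL_VRPS = [VRP("192.0.2.0/24", 24, 64496)]

if __name__ == "__main__":
    cases = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64499),
             ("198.51.100.0/24", 64497), ("203.0.113.0/24", 64500)]
    for prefix, asn in cases:
        print(prefix, asn, "rir-only:", rov(RIR_VRPS, prefix, asn),
              "local-first:", rov_local_first(LOCAL_VRPS, RIR_VRPS, prefix, asn))
    # Withdrawing every ROA gives 'not-found', not 'invalid'.
    print("no ROAs:", rov([], "192.0.2.0/24", 64496))
```

Under this rule the local CA's answer also overrides the RIR for every prefix it covers, so the trust question moves to whoever operates the local CA.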

I think at least manrs.org should do something. Set up a certification node. To help those who are not LIRs but have IP addresses to easily deploy and update RPKI. Deploying RPKI should be easier and that is what we need to work towards. In addition, RIRs should be encouraged to open RPKI deployment to all those who own and manage IP for free.

Hi,

On Wed, Nov 13, 2024 at 11:07:50PM +0800, xiaoyu.net via Manrs-community wrote:
> In addition, RIRs should be encouraged to open RPKI deployment to all those who own and manage IP for free.

Why? If an entity thinks their IP space is important enough everyone else needs to bear the costs of carrying it in the global routing system, they can very well take part of the costs the RIRs have.

If something on the Internet is "free" it just means someone else is paying.

Gert Doering -- NetMaster
-- have you enabled IPv6 on something today...?
SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (0)89/32356-444
Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen), USt-IdNr.: DE813185279

Hi,

On Wed, Nov 13, 2024 at 09:39:03AM -0500, Brandon Z. wrote:
> Another concept is to use blockchain technology.

Everything that was blockchain last year is now AI.

Gert Doering -- NetMaster

Hi guys,

In technical terms, RIRs can indeed configure IPs to become RPKI invalid. However, my point is not to remove RPKI but to make it invalid. This could happen; for example, RIPE was required to remove all IRRs related to Russia (I'm glad RIPE has not done this).

> Everything that was blockchain last year is now AI.

Decentralization can address this issue; it's not just a hype concept.

Best,
Brandon Z.

Hi,

On Wed, Nov 13, 2024 at 11:16:26AM -0500, Brandon Z. wrote:
> In technical terms, RIRs can indeed configure IPs to become RPKI invalid. However, my point is not to remove RPKI but to make it invalid.
> This could happen; for example, RIPE was required to remove all IRRs related to Russia (I'm glad RIPE has not done this).

The RIR system builds on trust, so if the RIPE NCC would do something like this "because they can" that would be the end of such trust, and chaos would ensue.

Now, if the people with the guns force the NCC to do so, these can also force others to not route Russian networks - in that case, it does not matter.

(RIPE can not do anything, and can not be required to do anything. The RIPE NCC might)

> > Everything that was blockchain last year is now AI.
> Decentralization can address this issue; it's not just a hype concept.

There is no decentralization in address distribution.

Also, blockchain was hyped last year, really. Now it's all AI.

Gert Doering -- NetMaster

Hi,

AFAIK, works in IETF regarding BGP security using blockchain:
- https://datatracker.ietf.org/doc/draft-paillisse-sidrops-blockchain/ First attempt but finally without conclusion.
- https://datatracker.ietf.org/doc/draft-mcbride-rtgwg-bgp-blockchain/ New attempt.

Now, FWIW, blockchain security can be also impacted by BGP security (cf. https://btc-hijack.ethz.ch/files/btc_hijack.pdf, this paper won IRTF ANR prize during IETF 104): "chicken and egg" issue?

Hope that helps.

Best regards,
JMC.

Hi JMC,

Thank you for helping to summarize these drafts and papers. That is exactly what I wanted!

Best,
Brandon Z.

participants (4)
- Brandon Z.
- Gert Doering
- jeanmichel.combes@orange.com
- xiaoyu.net