Helping to secure internet routing (amazon.com)
114 points by mcbain 2 days ago | hide | past | favorite | 48 comments

With RPKI, what happens if the RIR (i.e., ARIN, RIPE, etc)'s Certificate Authority decides to revoke the certificate for the netblock?

Does the netblock "owner" suddenly see all of its traffic dropped?

If so, this is a far more powerful takedown than simply a domain or CA takedown or revocation and takes immediate effect across the globe.

It's basically a giant "kill switch" and centralizes enormous power in the RIRs, which still have to operate according to the laws of the jurisdiction that they operate in, but span country laws.

Follow up question. What happens when a judge in (any country) issues legal notice to terminate the certificate to the RIR of a region for a netblock of an entity in another country?

> Does the netblock "owner" suddenly see all of its traffic dropped?

Assuming everyone implements RPKI validation AND the RIR signs a new valid ROA with a different origin: Yes, eventually. Depends on sync intervals. It's unlikely it would even be legally possible to compel them to do this.

Individual ASNs can still choose to accept the invalid route anyway.

The RIR already has the power to revoke assignments, and IRRs would likely remove the route objects which most large networks use to generate filters. It was simply a slower process, and filtering according to IRR data is much more error-prone and open to abuse.

For example, here's RIPE's policy: https://www.ripe.net/publications/docs/ripe-541

"It's unlikely it would even be legally possible to compel them to do this."

But then, at a higher level, look at the unilateral/collective censorship ("deplatforming") that is happening right now... and being carried out in part by Amazon. None of the censors have been legally compelled to take any such actions.

What you are calling "censorship" is a free market business transaction. There are many cloud services, colo facilities, etc. If Amazon chooses not to do business with you there are certainly other options.

This certainly happens at the local level all the time: really toxic customers can get "fired" and banned from all the local movie theaters or all the local grocery stores. It is really no different online - some people just got used to living consequence-free on the internet. Wider society had no idea what the internet was at first then later didn't grasp the seriousness or impact the internet had. Fewer people hold such obviously disprovable beliefs now. The internet is just slowly catching up with how the physical world usually works. Neo-Nazi groups often can't find private venues willing to host their rallies, caterers willing to serve them food, etc. Newspapers refuse to run ads all the time. Broadcast networks don't hand over the microphone to everyone who demands it. If every newspaper in the country refuses to run your political ad that doesn't make it a grand conspiracy to censor you - perhaps you're just an asshole they don't want to do business with.

RIRs are not regular for-profit businesses and operate under very different policies for many reasons not the least of which is there are no alternatives since the RIR controls your access to the internet within your region via IP assignments.

If the reason for the decision is objectionable speech then what term do we use.

Anyway, it does not change the point of the original comment which is that these entities are collectively taking action based on objectionable material without any legal compulsion.

It's pretty clear what trusting Amazon with internet routing will accomplish. The 73% of Republicans think the election was fraudulent - that basket of deplorable assholes will be routed straight to the nearest landfill.

Any protocol which lets them do that will surely face a lot of opposition.

"Only trust Operating Systems signed by us for your own security", "Only trust Apps signed by us for your own security", "Only trust routes signed by us for your own security", yeah I think we all know how that usually goes.

The experience in the Web PKI has been that you can pay lawyers to explain to a judge that they should order the thing they actually want done, rather than accept contorted arguments from other lawyers that a different order will achieve the goals despite not ordering what is actually desired.

For example the EFF spent effort helping US judges understand that if they want to order that stealmovies.example must go away they need to order the example registry to remove this name, not try to force Let's Encrypt to revoke certificates for it as Hollywood lawyers were advocating.

That won't magically stop judges from making orders you disagree with but it does force them to be clear eyed about what they're about, and that means you're more likely to prevail with simple just rationales either in court or subsequently in popular opinion.

It would revert to not being signed, which routes just fine. You just don't get the additional security benefits. It won't turn it into invalid if I'm following what you are saying.

Yep - simply deleting ROAs would make it "unknown".

A RIR could, however, purposefully sign a new ROA with a different origin.
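As an added illustration of the three outcomes discussed in this subthread (not code from any commenter), here is Route Origin Validation per RFC 6811 against a constructed ROA set: no covering ROA gives "not-found" (what deleting ROAs produces), a covering ROA with the wrong origin or too long a prefix gives "invalid", and a local policy knob shows that an AS can still choose to accept invalids.

```python
from ipaddress import ip_network

# Constructed ROA set for illustration (documentation prefixes and private ASNs,
# not real RPKI data). Each ROA: (prefix, maxLength, origin ASN).
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
]


def rov_state(prefix, origin_asn, roas):
    """Route Origin Validation (RFC 6811) for one BGP announcement.

    Returns 'valid', 'invalid' or 'not-found':
      - not-found: no ROA covers the prefix (e.g. after the ROAs were deleted)
      - valid:     a covering ROA lists this origin and permits this prefix length
      - invalid:   covering ROAs exist but none matches (wrong origin or too specific)
    """
    route = ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_length, roa_asn in roas:
        roa = ip_network(roa_prefix, strict=False)
        if roa.version != route.version or not route.subnet_of(roa):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa_asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def route_decision(prefix, origin_asn, roas, accept_invalid=False):
    """Local policy: drop invalids unless the operator chooses to accept them.
    Unknown (not-found) routes are accepted, as the thread notes."""
    state = rov_state(prefix, origin_asn, roas)
    accepted = state != "invalid" or accept_invalid
    return state, accepted


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64497), ("198.51.100.0/24", 64496)]:
        print(prefix, asn, route_decision(prefix, asn, SAMPLE_ROAS))
```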

>We are happy to have over 99% of our IPv4 and IPv6 -Space covered under a Route Origination Authorization, and that we are right now dropping RPKI invalid routes in every single Point-of-Presence for AS16509.

Does anyone know if AWS is going to push the remaining 1% to implement ROA?

Also, it sounds like an unsigned route - which I think most BGP announcements are - is still accepted, right? Any idea when we can start to require routes be signed?

There can be legitimate use cases where a network may have a very few prefixes not signed or even invalid: canaries and beacons.

For example, running tests to a signed, unsigned and invalid prefix can provide insight into how other networks are routing to them.

One example is a beacon to probe to determine if a network has enabled origin validation. Failure to connect, or a change in the routing path can provide insight into which networks on the internet have enabled origin validation.

Making RPKI mandatory is like turning off IPv4 after everyone has adopted IPv6.

I believe it is likely that global IPv4 routing goes away before universal adoption of IPv6 at clients.

Transitional technologies allow IPv4 holdouts to have "working" Internet despite an increasing proportion of IPv6 nodes, there's some device somewhere which is mapping your connection to some IPv6-only service as an imaginary IPv4 connection. Such things wouldn't scale with 99% of users and usages, but can handle say, five thousand IPv4 users on your ten million customer ISP who mostly visit Facebook and check email.

Eventually the long distance traffic for IPv4 is tiny, because there's a transition device nearer almost all remaining IPv4 users and that's turning their traffic into IPv6 for the long haul anyway.

At that point if you're a backbone provider, IPv4 is a sizeable cost (the routing tables for it are horrendous) for negligible benefit (hardly any of your traffic) and its future only looks more dismal. So you start deprecating this service for your customers, and they don't bother to buy a replacement because they have a transition device to help any residual IPv4 users.

And so one day, without a fanfare, there just isn't really an IPv4 Internet any more, and the RIRs will just deprecate their management of the numbering for that network because it's obsolete.

Ideally this is an obscure nerd event, like a leap second, which your friends at first don't understand, and then when you explain it they realise it's boring and they don't care.

I hope to live to see it.

> a transition device nearer almost all remaining IPv4 users and that's turning their traffic into IPv6 for the long haul anyway.

This is mostly impossible, because an IPv4 packet doesn't have room for an IPv6 destination. The opposite direction (NAT64) is common, but that's for IPv6 clients talking to IPv4 servers.

So, what you do goes like this: You provide DNS service, offering A answers even where (if you were to ask the public Internet) there are none. When you're asked for foo.bar.example you do an AAAA query, and you track for a while a mapping from the answer to a (RFC1918 or assigned for this purpose) IPv4 address, recording it, then you reply to the A? query with your temporary address as the answer and a chosen timeout (maybe you plan to have this work for one hour, so you give a 3600 second timeout). You then act as a NAT gateway that translates between IPv6 and IPv4 for that address mapping.

This doesn't work great, it breaks protocols which assume they're transparent (e.g. some FTP modes), it is slower and clunkier than "just" having IPv4 as we do today, and as I said it isn't viable with huge numbers of users (you run out of address space) but it's good enough that a lot of common application software remains usable this way.

This is about the gentle slope down, so it doesn't need to be perfect or even have the potential to be perfect, it just needs to work well enough to reduce the amount of tech support phone calls.

Think of it like the way pulse dialling was deprecated. Nobody needed to figure out a way to have pulse dialling be as good as tone dialling, let alone a truly out-of-band system (as is used by your mobile phone, and most other modern systems), they just needed to minimise the situation where lots of customers discover that they were using pulse dialling only because now it doesn't work.
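The DNS-side bookkeeping of the scheme sketched in that comment, as an added example (not the commenter's code): AAAA answers are mapped to temporary IPv4 addresses from a private pool with a lease timeout, the translator looks the mapping up per packet, and pool exhaustion (the scaling limit the comment mentions) is surfaced rather than hidden. The pool block, TTL and injectable clock are assumptions for the example.

```python
import time
from ipaddress import IPv4Address, IPv4Network, IPv6Address


class DnsAlgMapper:
    """DNS-side half of the NAT-PT style scheme described above: hand out a
    temporary IPv4 address for an IPv6-only destination, keep the mapping for a
    chosen timeout, and let the translator look it up per packet.

    Assumptions (constructed, not from the thread): the pool is an RFC 1918
    block reserved for this purpose; `clock` is injectable so lease expiry can
    be exercised without waiting.
    """

    def __init__(self, pool="10.255.0.0/24", ttl=3600, clock=time.monotonic):
        self.free = list(IPv4Network(pool).hosts())  # unused temporary addresses
        self.ttl = ttl
        self.clock = clock
        self.v6_to_v4 = {}  # IPv6Address -> (IPv4Address, lease expiry)
        self.v4_to_v6 = {}  # IPv4Address -> IPv6Address

    def _expire_leases(self):
        now = self.clock()
        for v6, (v4, expiry) in list(self.v6_to_v4.items()):
            if expiry <= now:
                del self.v6_to_v4[v6]
                del self.v4_to_v6[v4]
                self.free.append(v4)  # address goes back to the pool

    def synthesize_a(self, aaaa_answer):
        """Given the AAAA answer, return (ipv4, ttl) for the synthesized A record,
        or None when the pool is exhausted."""
        self._expire_leases()
        v6 = IPv6Address(aaaa_answer)
        expiry = self.clock() + self.ttl
        if v6 in self.v6_to_v4:
            v4, _ = self.v6_to_v4[v6]
            self.v6_to_v4[v6] = (v4, expiry)  # renew the lease on a repeat query
            return str(v4), self.ttl
        if not self.free:
            return None
        v4 = self.free.pop(0)
        self.v6_to_v4[v6] = (v4, expiry)
        self.v4_to_v6[v4] = v6
        return str(v4), self.ttl

    def translate(self, dst_ipv4):
        """Translator side: map a packet's IPv4 destination back to the IPv6 host."""
        self._expire_leases()
        v6 = self.v4_to_v6.get(IPv4Address(dst_ipv4))
        return str(v6) if v6 is not None else None
```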

You're describing NAT-PT, which the IETF moved to "historic status" in 2007: https://tools.ietf.org/html/rfc4966

Recent developments like DNS over HTTPS make it even less viable.

If you're using DS-Lite then the traffic is IPv4 from the user's device to their local router, v6 from there to... somewhere, and then v4 between that somewhere and the endpoint. Initially that "somewhere" is the user's ISP, but we can imagine it getting outsourced further and further upstream until eventually "the IPv4 internet" is a single datacenter that every ISP outsources to.

I’m happy to see this get addressed yet simultaneously disappointed that Pirate Bay can’t knock North Korea off the Internet anymore.

listened to a good podcast about this a while back

We need to get to a fully trustless routing mechanism on global networks

Fully trustless is where we started.

If you have to trust everyone's routing to be correct to have a working internet, it doesn't seem trustless

Does this give AWS any ability to block/censor or influence access to segments of the internet that they might not politically "approve" of?

No. If anything this makes it harder for anyone to block segments of the internet, by ensuring the integrity of routing to any given netblock.

Not really. ISPs can still send your traffic to null0. They can still filter routes. On top of that, it will be years, likely decades, before the majority even bother to validate routes with RPKI.

Who is the authority on the integrity of routing?

The certificate authority that signs the routes. So yeah, this will centralize control of routing and expose it to things like government censorship and corporation exploitation. Sometimes the wild west is better than an authoritarian government.

Like DNSSEC this is only good for megacorps and nationstates. If anything it will expose human people to more abuse and exploitation.

Has this happened as HTTPS adoption has increased? Do you believe BGP RPKI will be different?

A lot of threads about rising use of encryption seem to have this fear - that it will be used against us at some point, and I'd really like to understand where this fear comes from

Even taking a recent example of Parler; as far as I know it had HTTPS support and the corresponding X.509 cert was never revoked - instead hosting and I think the domain was terminated

Let's put it another way. Do you think the Arab spring and Libyan civil war would've taken place if DNSSEC had been in place and Gaddafi had control of bit.ly's TLS keys? I don't. Now think of that kind of thing happening with routes. Yikes.

At least with the way things are now there's no ground truth. Every AS has its own perception of the routing table and the ability to act on it. That's the way it should be. Securing BGP means less security because there is no global consensus even implied in the protocol. Securing BGP means centralizing BGP, not security.

> if DNSSEC had been in place and Gaddafi had control of bit.ly's TLS keys?

But Gaddafi was already in control of all Libyan ISPs and the .ly ccTLD. Why would DNSSEC have made his job any easier?

Also, surely Facebook was more instrumental in the Arab Spring than bit.ly was.[0] If anything, the lack of DNSSEC made it easier for Gaddafi to spoof DNS results for facebook.com and other sites.

[0] https://en.wikipedia.org/wiki/Social_media_and_the_Arab_Spri...

Gaddafi was not, to my knowledge, in control of any WebPKI CA=True certificates.

Obviously for facebook.com he would only be able to serve an unencrypted HTTP version (and HSTS-preloading would prevent that working in most cases), but by controlling the .ly ccTLD he could acquire TLS certificates for any "national" site. I'm not sure if any of that is relevant, though.

For what it's worth this Gaddafi -> Libya -> bit.ly connection has to be one of the weirdest beliefs you've exhibited over a long period.

At first I thought it was just an extended bit, like the whole Cody Johnston "teleporting boars" thing [0]

But I don't think it can be, I think you're serious and er, that's not great basically. Maybe take a few minutes to think about it more clearly, discuss it with somebody you trust, and see if you can't figure out where you went wrong.

[0] https://twitter.com/drmistercody/status/1046558632878399489

Um, okay. Who do you think I am?

You're superkuh, but I was replying to tptacek which is to say Thomas Ptacek, who has made this very strange argument multiple times.

Anyone can still accept routes that don't have the stamp of authority.

I would also point out that the big authorities handing out the certification for this can also just revoke your IP block instead. You could still announce the block but since you're no longer in legitimate ownership of the IP block, it's likely that you'll quickly be blocked from announcing it.

In this case, certificate revocation being so broken probably saved Parler from having it done to them.

> Has this happened as HTTPS adoption has increased?

This is such a naive way of looking at things. First a trap is built. Then you wait. Years. Only when the trap is filled to the brim does it snap shut. Many examples of that pattern.

It seems like we should be more focused on the possibility of this being abused rather than asking if it’s been abused yet.

Actually, it's a level playing field for all ISPs. So if you want safety, support your smaller ISPs rather than the big names who are often under the surveillance radar and will still be using RPKI.

The owner of the netblock.

Amazon at any point can create a firewall (it would be business suicide however to do so for geopolitical reasons). This however has nothing to do with that.

Why the downvotes for this question? Given recent events, this seems like an incredibly important consideration. No matter your perspective, this seems like something to think about.

If you think Amazon did the right thing, then you would probably want them to be able to refuse routes from networks that are too dangerous.

If you think Amazon did the wrong thing, then you may be afraid that this gives them even more power to de-platform.

Either way, this seems relevant to me. Thanks OP for asking the question.

FYI, asking about downvotes usually yields downvotes.

That said, votes usually come in waves. It'll end up where it needs to.

ISPs need this big time.

Well, I feel so much more secure about that, now.
