With RPKI, what happens if the RIR (i.e., ARIN, RIPE, etc.)'s Certificate Authority decides to revoke the certificate for the netblock?<p>Does the netblock "owner" suddenly see all of its traffic dropped?<p>If so, this is a far more powerful takedown than simply a domain or CA takedown or revocation and takes immediate effect across the globe.<p>It's basically a giant "kill switch" and centralizes enormous power in the RIRs, which still have to operate according to the laws of the jurisdiction that they operate in, but span country laws.<p>Follow-up question. What happens when a judge in (any country) issues legal notice to terminate the certificate to the RIR of a region for a netblock of an entity <i>in another country</i>?
>We are happy to have over 99% of our IPv4 and IPv6-Space covered under a Route Origination Authorization, and that we are right now dropping RPKI invalid routes in every single Point-of-Presence for AS16509.<p>Does anyone know if AWS is going to push the remaining 1% to implement ROA?<p>Also, it sounds like an unsigned route - which I think most BGP announcements are - is still accepted, right? Any idea when we can start to require routes be signed?
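Route origin validation as defined in RFC 6811, which is the check behind "dropping RPKI invalid routes" in the quote above and behind the question about routes with no ROA. This is an added example, not part of the thread and not AWS's code. The function names and the sample ROA data are constructed for illustration, using documentation prefixes and ASNs.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Documentation prefixes and documentation ASNs only; none of this is real data.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 0),      # AS0 ROA: "nobody may originate this"
    ("2001:db8::/32", 48, 64500),
]


def load_vrps(rows):
    """Parse (prefix, max_length, asn) rows into network objects."""
    return [(ipaddress.ip_network(p), ml, asn) for p, ml, asn in rows]


def validate_origin(prefix, origin_asn, vrps):
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_asn in vrps:
        # A VRP covers the route when the route is equal to, or more
        # specific than, the VRP prefix (same address family).
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the same origin AS and a prefix length within
        # maxLength. AS0 in a ROA never matches any announcement.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched is invalid; no covering VRP is not-found.
    return "invalid" if covered else "not-found"


def accept(prefix, origin_asn, vrps):
    """Drop-invalid policy: only 'invalid' is rejected, 'not-found' passes."""
    return validate_origin(prefix, origin_asn, vrps) != "invalid"


if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_VRPS)
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64510),
                     ("192.0.2.0/25", 64500), ("203.0.113.0/24", 64502)]:
        print(pfx, asn, validate_origin(pfx, asn, vrps), accept(pfx, asn, vrps))
```

Under a drop-invalid policy a prefix with no covering ROA evaluates to not-found and is still accepted; only announcements that contradict an existing ROA are rejected.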
See also <a href="https://isbgpsafeyet.com/" rel="nofollow">https://isbgpsafeyet.com/</a> and <a href="https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-security-initiative/" rel="nofollow">https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-sec...</a>
Listened to a good podcast about this a while back.<p><a href="https://softwareengineeringdaily.com/2020/12/02/bgp-with-andree-toonk/" rel="nofollow">https://softwareengineeringdaily.com/2020/12/02/bgp-with-and...</a>
Does this give AWS any ability to block/censor or influence access to segments of the internet that they might not politically "approve" of?