[arin-ppml] ULA-C and RPKI

Michael Richardson mcr at sandelman.ca
Mon Apr 12 20:46:14 EDT 2010



>>>>> "David" == David Farmer <farmer at umn.edu> writes:
    >> RPKI) I don't see why RPKI certificates would be issued for ULA-C space.
    >> If they were, it would be for completeness, and would specify a
    >> non-existent/reserved/invalid ASN.  This itself would provide an
    >> additional hurdle against leakage.
    >> If RPKI was legitimately issued, it would be issued, in my
    >> opinion, from a different CA. Most likely anyone that needed RPKI
    >> for their ULA-C would be running their own CA.  My opinion (as a
    >> security geek), is that running your own CA exceeds the cost of
    >> getting PI space!!

    David> I don't want to derail things with a discussion of RPKI for
    David> ULA-C, there are many different ways to deal with it I'm not
    David> sure what the right answers are. But just like I think those
    David> that want Authoritative Reverse DNS for ULA-C should be able
    David> to get it, if someone wants an RPKI certificate from ARIN for
    David> their ULA-C assignment, why not?  And it is yet another
    David> reason to have the RIRs do ULA-C assignment.  ULA-C is just
    David> more of the same of what the RIRs do now.

Why not?  Well because a full-validity, primary AA binding of ULA-C to
an ASN makes no operational sense.  

If we agree that the only routing of ULA-C is private small-i internets
(COINs), then those organizations that want to do this need to run their
own RPKI AA's. (AA = Authorization Authority)

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
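
Added example, not part of the message above and not code from any poster or from ARIN: a sketch of route origin validation (RFC 6811 rules) showing how a ROA that binds ULA-C space to a reserved ASN turns a leaked announcement from "not-found" into "invalid", while a private (COIN) authority can bind the same prefix to a real origin for its own members. The use of AS 0 as the reserved ASN, the prefix fc00:1234:5678::/48 and all ASNs are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: prefix, maximum length, authorized origin ASN."""
    prefix: object
    max_length: int
    asn: int


def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def validate(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if route.version != v.prefix.version or not route.subnet_of(v.prefix):
            continue
        covered = True  # at least one VRP covers this route
        # AS 0 never matches an origin, so an AS 0 VRP can only invalidate.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample data (assumptions, not real assignments).
ULA_C = "fc00:1234:5678::/48"
PUBLIC_VRPS = [vrp("2001:db8::/32", 48, 64500)]           # no ULA-C ROA at all
PUBLIC_WITH_AS0 = PUBLIC_VRPS + [vrp(ULA_C, 128, 0)]      # ROA naming a reserved ASN
COIN_VRPS = [vrp(ULA_C, 48, 64512)]                       # private trust anchor


def demo():
    return {
        "leak, no ROA": validate(ULA_C, 64512, PUBLIC_VRPS),
        "leak, AS0 ROA": validate(ULA_C, 64512, PUBLIC_WITH_AS0),
        "inside COIN": validate(ULA_C, 64512, COIN_VRPS),
        "wrong origin inside COIN": validate(ULA_C, 64513, COIN_VRPS),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```
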


