[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Jimmy Hess mysidia at gmail.com
Mon May 6 14:49:41 EDT 2019


On Mon, May 6, 2019 at 1:45 AM Owen DeLong <owen at delong.com> wrote:

> Well, this might pose one small problem… ARIN doesn’t approve (or disprove)
> any other RIR’s RPKI, nor does it have any authority or basis for doing so.

Perhaps this represents a design issue in the RPKI that would likely be
addressed in due time, then, before promulgating the protocol any
further...? That the individual RIRs should not each have their own
separate instance of a root of the resource PKI in the first place
(which each router would then need to load).

There should instead be a single root authority; much like what exists
for the DNS root signing key for DNSSEC.

And the root CA certificate's signing key used to sign an intermediate
root CA, from which each RIR receives a certificate signed by the
intermediary that grants CA authority for signing only certificates
that are limited to signing only certificates that can only validate
for IP Number resources contained in the list of IPv4 and IPv6 blocks
and AS number ranges, which are from the list of the blocks that have
been allocated by IANA to the respective parent RIR.

Instead of referring to "an ARIN Approved RPKI"; one would mention
"A particular global RPKI"

> Some of us prefer the global internet rather than dividing it up into 5 regional internets.

> Owen
--
-JH
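
The constrained hierarchy proposed in the message above can be checked mechanically: each certificate's IP and AS resources must fall inside those of its issuer. The following is an added example, not part of the original message and not code from any RPKI validator; the certificate names, the dictionary layout and the resource lists are hypothetical, and the prefixes and AS numbers come from the ranges reserved for documentation.

```python
import ipaddress

def _collapse(prefixes, version):
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == version))

def prefixes_within(child, parent):
    """True if every child prefix lies inside the union of the parent's prefixes."""
    for c in map(ipaddress.ip_network, child):
        if not any(c.subnet_of(p) for p in _collapse(parent, c.version)):
            return False
    return True

def _merge(ranges):
    merged = []  # sorted, non-overlapping (low, high) AS number ranges
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    return merged

def asns_within(child, parent):
    """True if every child AS range lies inside the merged parent ranges."""
    merged = _merge(parent)
    return all(any(lo >= plo and hi <= phi for plo, phi in merged) for lo, hi in child)

def first_overclaim(chain):
    """Walk issuer -> subject pairs; return the first subject that claims
    resources outside its issuer's, or None if the whole chain is consistent."""
    for issuer, subject in zip(chain, chain[1:]):
        ok = prefixes_within(subject["ip"], issuer["ip"]) and asns_within(subject["asn"], issuer["asn"])
        if not ok:
            return subject["name"]
    return None

# Constructed sample hierarchy (assumption): single root, one intermediate,
# one RIR limited to "its" blocks, and two certificates issued by that RIR.
ROOT = {"name": "root", "ip": ["0.0.0.0/0", "::/0"], "asn": [(0, 4294967295)]}
INTERMEDIATE = {"name": "intermediate", "ip": ["0.0.0.0/0", "::/0"], "asn": [(0, 4294967295)]}
RIR_A = {"name": "rir-a", "ip": ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"],
         "asn": [(64496, 64511)]}
GOOD_MEMBER = {"name": "member-1", "ip": ["192.0.2.128/25", "2001:db8:1::/48"], "asn": [(64500, 64500)]}
BAD_MEMBER = {"name": "member-2", "ip": ["203.0.113.0/24"], "asn": [(64500, 64500)]}

if __name__ == "__main__":
    print(first_overclaim([ROOT, INTERMEDIATE, RIR_A, GOOD_MEMBER]))
    print(first_overclaim([ROOT, INTERMEDIATE, RIR_A, BAD_MEMBER]))
```

In this sketch member-2 fails because 203.0.113.0/24 is outside the blocks listed for rir-a, which is the situation the constrained RIR certificate in the message is meant to prevent.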