[arin-ppml] RPKI for Reallocations

August Yang ayang at august.tw
Fri Jun 23 13:03:17 EDT 2023

Current hosted RPKI implementations across all RIRs follow a 
hierarchical structure, where access to manage ROAs terminates at the 
party directly allocated corresponding resources. IPv6 reverse DNS is 
another example. If you've received a small IPv6 subnet through 
reallocation, you may face similar restrictions in managing name servers 
through ARIN Online, necessitating contact with the LIR/ISP responsible.

To address the limitation, one solution is to implement a delegated RPKI 
setup at the LIR/ISP level. This allows the chain of trust to be extended to 
end users, granting more control over the specific IP resources 
reallocated. See https://www.arin.net/resources/manage/rpki/delegated/

It's worth noting that this issue primarily stems from technical 
constraints of the hosted RPKI implementation, rather than being a 
direct policy matter related to NRPM. There's an opportunity for ARIN to 
consider adapting its hosted setup to align with the allocation 
structure in the whois database. This integration could facilitate better 
RPKI adoption.

On 2023-06-23 12:20 p.m., Richard Laager wrote:
> It is my understanding that the downstream Org cannot create RPKI ROAs 
> for Reallocated IP Networks. For example, is reallocated 
> to me (OrgID WIKSTR-1), but I cannot make a ROA for it.
> This is obviously suboptimal for adopting RPKI.
> Is this something that we could fix with Policy development, or do I 
> need to bark up some other tree?
> -- 
> Richard
Best regards
August Yang
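
The resource-containment rule behind the hosted versus delegated distinction discussed in this message, as an added example that is not part of the original post and not ARIN's software: a simplified Python model in which a ROA is accepted only when its signer holds a certificate chain reaching the trust anchor and covering the prefix. The class, function names, holders and prefixes are assumptions (documentation address space), and real RPKI objects (EE certificates, manifests, CRLs, validity periods) are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class ResourceCert:
    """Simplified RPKI CA certificate: a holder plus the prefixes certified to it."""
    holder: str
    resources: list
    issuer: Optional["ResourceCert"] = None  # None marks the trust anchor

def covered(prefix, resources):
    """True if prefix lies inside one of the certified resources."""
    p = ip_network(prefix)
    return any(p.version == r.version and p.subnet_of(r)
               for r in map(ip_network, resources))

def chain_valid(cert):
    """Walk up to the trust anchor; each cert's resources must sit inside its issuer's."""
    while cert.issuer is not None:
        if not all(covered(r, cert.issuer.resources) for r in cert.resources):
            return False
        cert = cert.issuer
    return True

def can_issue_roa(signer, prefix):
    """A ROA validates only if the signer holds a valid cert covering the prefix."""
    return signer is not None and chain_valid(signer) and covered(prefix, signer.resources)

# Constructed data using documentation prefixes (RFC 3849 / RFC 5737).
rir = ResourceCert("RIR trust anchor", ["2001:db8::/32", "198.51.100.0/24"])
isp = ResourceCert("ISP (direct allocation)", ["2001:db8::/32"], issuer=rir)

# Hosted model: the hierarchy stops at the ISP; the downstream holds no certificate.
hosted_downstream = None
# Delegated model: the ISP's CA certifies the reallocated block to the downstream.
delegated_downstream = ResourceCert("Downstream org", ["2001:db8:1000::/36"], issuer=isp)
# A child claiming space its issuer does not hold breaks the chain.
overclaiming = ResourceCert("Overclaiming child", ["198.51.100.0/24"], issuer=isp)
```
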