[arin-ppml] RPKI for Reallocations
August Yang
ayang at august.tw
Fri Jun 23 13:03:17 EDT 2023
Current hosted RPKI implementations across all RIRs follow a
hierarchical structure, where access to manage ROAs terminates at the
party directly allocated corresponding resources. IPv6 reverse DNS is
another example. If you've received a small IPv6 subnet through
reallocation, you may face similar restrictions in managing name servers
through ARIN Online, necessitating contact with the LIR/ISP responsible.
To address the limitation, one solution is to implement a delegated RPKI
setup at LIR/ISP level. This allows the chain of trust to be extended to
end users, granting more control over the specific IP resources
reallocated. See https://www.arin.net/resources/manage/rpki/delegated/
It's worth noting that this issue primarily stems from technical
constraints of the hosted RPKI implementation, rather than being a
direct policy matter related to NRPM. There's an opportunity for ARIN to
consider adapting its hosted setup to align with the allocation
structure in whois database. This integration could facilitate better
RPKI adoption.
On 2023-06-23 12:20 p.m., Richard Laager wrote:
> It is my understanding that the downstream Org cannot create RPKI ROAs
> for Reallocated IP Networks. For example, 206.9.80.0/24 is reallocated
> to me (OrgID WIKSTR-1), but I cannot make a ROA for it.
>
> This is obviously suboptimal for adopting RPKI.
>
> Is this something that we could fix with Policy development, or do I
> need to bark up some other tree?
>
> --
> Richard
--
Best regards
August Yang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x9C1B40F09053AE75.asc
Type: application/pgp-keys
Size: 1574 bytes
Desc: OpenPGP public key
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20230623/eaad3e5e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20230623/eaad3e5e/attachment.sig>
More information about the ARIN-PPML
mailing list