[arin-ppml] RPKI for Reallocations
Mark Andrews
marka at isc.org
Sat Jun 24 00:41:01 EDT 2023
ROAs are supposed to turtle down. In the end ISPs will end up signing ROAs on individual DHCP leases, allowing packets from these addresses to be permitted through other ISPs’ BCP39 filters when customers are multi-homed. We aren’t at this stage yet, but that is the future we all should be working toward.
--
Mark Andrews
> On 24 Jun 2023, at 13:07, Fernando Frediani <fhfrediani at gmail.com> wrote:
>
>
> I would imagine you would defend this Owen. But I didn't misunderstand.
>
> ROAs should be signed by organizations who receive IP space from the RIR. They are the ones responsible for that IP space. If you let these organizations re-assign to other Autonomous Systems you start to void the RIR function. This has nothing to do with ISPs assigning IP resources to their customers so that they can connect to the Internet, as it has always been. Of course some will defend an ISP assigning resources to another ISP which is an ASN, as it doesn't need to pass through the RIR policies directly.
> If an organization that is an Autonomous System gets its IP space directly from the RIR, then it can freely and easily sign whatever ROAs it should.
>
> Fernando
>
>> On 23/06/2023 15:38, Delong.com wrote:
>> You fundamentally misunderstand the situation, then.
>>
>> ROAs must be delegated according to the way networks are delegated. Lots of ISPs get addresses from upstream ISPs who get them from upstream ISPs who get them from ARIN.
>>
>> In the case where IP addresses are delegated ARIN->ISP A->ISP B->ISP C, for RPKI to function, it has to be possible for ISP B to get a ROA from ISP A and for ISP C to get a ROA from ISP B.
>>
>> ROAs have to be representative of the ORIGINATOR of the route in BGP or they are useless.
>>
>> Owen
>>
>>
>>> On Jun 23, 2023, at 11:24, Fernando Frediani <fhfrediani at gmail.com> wrote:
>>>
>>> I don't think this should be allowed to happen. ROAs are to be created by organizations who receive the allocation from the RIR, as ultimately they remain responsible for that IP space. If they have allocated a block to a customer they should be the ones responsible for creating any ROAs they need for that IP space (in fact ideally they should create for the whole IP space anyway).
>>>
>>> Fernando
>>>
>>> On 23/06/2023 13:20, Richard Laager wrote:
>>>> It is my understanding that the downstream Org cannot create RPKI ROAs for Reallocated IP Networks. For example, 206.9.80.0/24 is reallocated to me (OrgID WIKSTR-1), but I cannot make a ROA for it.
>>>>
>>>> This is obviously suboptimal for adopting RPKI.
>>>>
>>>> Is this something that we could fix with Policy development, or do I need to bark up some other tree?
>>>>
>>> _______________________________________________
>>> ARIN-PPML
>>> You are receiving this message because you are subscribed to
>>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> https://lists.arin.net/mailman/listinfo/arin-ppml
>>> Please contact info at arin.net if you experience any issues.
>>
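
Added example (not part of any message in this thread): RFC 6811 route origin validation applied to the ARIN->ISP A->ISP B->ISP C chain discussed above, showing that a covering ROA held only by the upstream makes the downstream's own announcement Invalid rather than merely unsigned. The prefixes, AS numbers and function names are constructed for illustration (documentation ranges), not taken from any real registry data.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA payload: prefix, maximum length, authorized origin AS."""
    prefix: Network
    max_length: int
    asn: int

def make_vrp(prefix: str, asn: int, max_length: int = None) -> VRP:
    net = ipaddress.ip_network(prefix)
    # RFC 6482: when maxLength is omitted, only the exact prefix length is authorized.
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route: str, origin_asn: int, vrps) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        if announced.version != v.prefix.version:
            continue
        if not announced.subnet_of(v.prefix):
            continue  # this VRP does not cover the announced route
        covered = True
        # AS 0 in a ROA authorizes no origin at all (RFC 6483).
        if v.asn == origin_asn and v.asn != 0 and announced.prefixlen <= v.max_length:
            return "valid"
    # Covered by some VRP but matched by none: Invalid, and typically dropped.
    return "invalid" if covered else "not-found"

# Constructed sample data: documentation prefix (RFC 3849) and ASNs (RFC 5398).
ISP_A, ISP_B, ISP_C = 64496, 64497, 64498
ROA_A = make_vrp("2001:db8::/32", ISP_A)      # direct allocation from the RIR
ROA_B = make_vrp("2001:db8:100::/40", ISP_B)  # block reallocated by ISP A
ROA_C = make_vrp("2001:db8:1c0::/48", ISP_C)  # block reallocated by ISP B
ROUTE_C = "2001:db8:1c0::/48"                 # what ISP C originates in BGP

if __name__ == "__main__":
    print("only ISP A signed:", validate(ROUTE_C, ISP_C, [ROA_A]))
    print("A and B signed:   ", validate(ROUTE_C, ISP_C, [ROA_A, ROA_B]))
    print("C has its own ROA:", validate(ROUTE_C, ISP_C, [ROA_A, ROA_B, ROA_C]))
```
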