[arin-ppml] RPKI for Reallocations

Brian Knight ml at knight-networks.com
Sun Jun 25 14:06:47 EDT 2023 

Hi Owen,

If I understand the below right, the assigner / upstream may delegate 
authority (create ROAs) to originate the route, but may not delegate 
management of that authority to the assignee.

I'm saying it may be helpful to have delegation of management as well. 
If I, the assigner, could perhaps issue a cryptographic delegation of 
management to an assignee for specific prefixes A, B, ..., N, I no 
longer have to manage the delegation of authority (the ROAs) on behalf 
of my customer; my customer can just create & manage it themselves.

Perhaps combined with that cryptographic object from the assigner, an 
assignee's ROAs for those prefixes could be validated. The assigner is 
still attesting to the validity of the assignment, just indirectly. The 
cryptographic object I'm imagining would state that the assigner 
delegates management of a set of prefixes to an assignee, establishing a 
chain of trust between the two.

Managing ROAs isn't an onerous workload for me in particular. But it may 
be for others. It would also more closely match what is possible in IRR.


-Brian


On 2023-06-23 16:31, Delong.com wrote:
> An assignee can’t create their own ROA, just as an ISP that gets a
> block from ARIN needs ARIN to create their ROA (or at least to sign
> it).
> 
> The upstream must sign the ROA for it to be valid. That’s the whole
> point. The upstream is delegating authority to originate the route.
> 
> Owen
> 
> 
>> On Jun 23, 2023, at 12:40, Brian Knight via ARIN-PPML 
>> <arin-ppml at arin.net> wrote:
>> 
>> Fernando,
>> 
>> It is possible today for an org to create a route entry in the IRR for 
>> a network reassigned to them by an LIR/ISP. The assignee has the 
>> control over the route record, not the assigner.
>> 
>> Recognizing that the goals and mechanisms of IRR are similar but not 
>> identical to RPKI, it would be helpful to have an RPKI mechanism in 
>> ARIN Online for an assignee to create their own ROAs, as Owen said.
>> 
>> If that were to be added, there should also be a mechanism for the 
>> assigner to cryptographically revoke that authorization should the 
>> need arise.
>> 
>> -Brian
>> 
>> 
>> On 2023-06-23 13:24, Fernando Frediani wrote:
>> 
>>> I don't think this should be allowed to happen. ROAs are to be 
>>> created by organizations who receive the allocation from the RIR as 
>>> ultimatelly they remain responsible for that IP space. If they have 
>>> allocated a block to a customer they should be the ones responsible 
>>> for creating any ROAs they need for that IP space (in fact ideally 
>>> they should create for the whole IP space anyway).
>>> Fernando

More information about the ARIN-PPML mailing list