[arin-ppml] RPKI for Reallocations

Owen DeLong owen at delong.com
Sun Jun 25 15:10:16 EDT 2023



> On Jun 25, 2023, at 11:06, Brian Knight <ml at knight-networks.com> wrote:
> 
> Hi Owen,
> 
> If I understand the below right, the assigner / upstream may delegate authority (create ROAs) to originate the route, but may not delegate management of that authority to the assignee.

They must be able to delegate the management also (delegated RPKI) or RPKI doesn’t work.

I believe this limitation may exist in Hosted RPKI (which is admittedly way more popular than it should be).

> I'm saying it may be helpful to have delegation of management as well. If I, the assigner, could perhaps issue a cryptographic delegation of management to an assignee for specific prefixes A, B, ..., N, I no longer have to manage the delegation of authority (the ROAs) on behalf of my customer; my customer can just create & manage it themselves.

I’m agreeing with you. Fernando is the one who thinks that shouldn’t happen.

> Perhaps combined with that cryptographic object from the assigner, an assignee's ROAs for those prefixes could be validated. The assigner is still attesting to the validity of the assignment, just indirectly. The cryptographic object I'm imagining would state that the assigner delegates management of a set of prefixes to an assignee, establishing a chain of trust between the two.

It’s basically the same as an X.509 Certificate chain. No CA signs their customer certificates directly with their root certificate. There are always intermediate certificates.

> Managing ROAs isn't an onerous workload for me in particular. But it may be for others. It would also more closely match what is possible in IRR.

The upstream still needs to sign the resulting ROAs for the system to maintain integrity. Not sure you can work around that.

Owen

> 
> 
> -Brian
> 
> 
> On 2023-06-23 16:31, Delong.com wrote:
>> An assignee can’t create their own ROA, just as an ISP that gets a
>> block from ARIN needs ARIN to create their ROA (or at least to sign
>> it).
>> The upstream must sign the ROA for it to be valid. That’s the whole
>> point. The upstream is delegating authority to originate the route.
>> Owen
>>> On Jun 23, 2023, at 12:40, Brian Knight via ARIN-PPML <arin-ppml at arin.net> wrote:
>>> Fernando,
>>> It is possible today for an org to create a route entry in the IRR for a network reassigned to them by an LIR/ISP. The assignee has the control over the route record, not the assigner.
>>> Recognizing that the goals and mechanisms of IRR are similar but not identical to RPKI, it would be helpful to have an RPKI mechanism in ARIN Online for an assignee to create their own ROAs, as Owen said.
>>> If that were to be added, there should also be a mechanism for the assigner to cryptographically revoke that authorization should the need arise.
>>> -Brian
>>> On 2023-06-23 13:24, Fernando Frediani wrote:
>>>> I don't think this should be allowed to happen. ROAs are to be created by organizations who receive the allocation from the RIR as ultimately they remain responsible for that IP space. If they have allocated a block to a customer they should be the ones responsible for creating any ROAs they need for that IP space (in fact ideally they should create for the whole IP space anyway).
>>>> Fernando



