[arin-ppml] RPKI for Reallocations
    Brian Knight 
    ml at knight-networks.com
       
    Mon Jun 26 16:38:18 EDT 2023
    
    
  
On 2023-06-25 14:10, Owen DeLong wrote:
>> On Jun 25, 2023, at 11:06, Brian Knight <ml at knight-networks.com> 
>> wrote:
>> 
>> Hi Owen,
>> 
>> If I understand the below right, the assigner / upstream may delegate 
>> authority (create ROAs) to originate the route, but may not delegate 
>> management of that authority to the assignee.
> 
> They must be able to delegate the management also (delegated RPKI) or
> RPKI doesn’t work.
> 
> I believe this limitation may exist in Hosted RPKI (which is
> admittedly way more popular than it should be).

Understood. I'm writing in the context of hosted RPKI. Sorry if that
wasn't clear.

[snip]

>> Managing ROAs isn't an onerous workload for me in particular. But it 
>> may be for others. It would also more closely match what is possible 
>> in IRR.
> 
> The upstream still needs to sign the resulting ROAs for the system to
> maintain integrity. Not sure you can work around that.

If there were a workflow where an assignee could create an ROA and then
send it to the assigner for signing before publishing, I could see that
working for this use case.

Thanks!

-Brian
    
    