[arin-ppml] RPKI for Reallocations

Brian Knight ml at knight-networks.com
Mon Jun 26 16:38:18 EDT 2023

On 2023-06-25 14:10, Owen DeLong wrote:
>> On Jun 25, 2023, at 11:06, Brian Knight <ml at knight-networks.com> 
>> wrote:
>> Hi Owen,
>> If I understand the below right, the assigner / upstream may delegate 
>> authority (create ROAs) to originate the route, but may not delegate 
>> management of that authority to the assignee.
> They must be able to delegate the management also (delegated RPKI) or
> RPKI doesn’t work.
> I believe this limitation may existing in Hosted RPKI (which is
> admittedly way more popular than it should be).

Understood. I'm writing in the context of hosted RPKI. Sorry if that 
wasn't clear.


>> Managing ROAs isn't an onerous workload for me in particular. But it 
>> may be for others. It would also more closely match what is possible 
>> in IRR.
> The upstream still needs to sign the resulting ROAs for the system to
> maintain integrity. Not sure you can work around that.

If there were a workflow where an assignee could create an ROA and then 
send it to the assigner for signing before publishing, I could see that 
working for this use case.



More information about the ARIN-PPML mailing list