[arin-ppml] RPKI for Reallocations

Brad Gorman bgorman at arin.net
Tue Jun 27 15:02:25 EDT 2023

Job, and others,

We (ARIN) did receive the request in our suggestions portal late last week.  We will be reviewing the submission and posting updates on the ARIN public website.   A few contributors to this thread have used this vehicle to make their own submissions for new features or product enhancements, some of which have led to being developed and delivered to the ARIN community.  Anyone interested in participating in the Consultations and Suggestions process can do so by proceeding to the following link (https://www.arin.net/participate/community/acsp/) to learn more about the program. 

Best regards, 

Brad Gorman 
Sr Product Owner, Routing Security 
American Registry for Internet Numbers 

On 6/27/23, 10:44 AM, "ARIN-PPML on behalf of Job Snijders via ARIN-PPML" <arin-ppml-bounces at arin.net <mailto:arin-ppml-bounces at arin.net> on behalf of arin-ppml at arin.net <mailto:arin-ppml at arin.net>> wrote:

Hi all,

On Sun, Jun 25, 2023 at 01:06:47PM -0500, Brian Knight via ARIN-PPML wrote:
> If I understand the below right, the assigner / upstream may delegate
> authority (create ROAs) to originate the route, but may not delegate
> management of that authority to the assignee.
> I'm saying it may be helpful to have delegation of management as well. If I,
> the assigner, could perhaps issue a cryptographic delegation of management
> to an assignee for specific prefixes A, B, ..., N, I no longer have to
> manage the delegation of authority (the ROAs) on behalf of my customer; my
> customer can just create & manage it themselves.
> Perhaps combined with that cryptographic object from the assigner, an
> assignee's ROAs for those prefixes could be validated. The assigner is still
> attesting to the validity of the assignment, just indirectly. The
> cryptographic object I'm imagining would state that the assigner delegates
> management of a set of prefixes to an assignee, establishing a chain of
> trust between the two.
> Managing ROAs isn't an onerous workload for me in particular. But it may be
> for others. It would also more closely match what is possible in IRR.

It seems a reasonable enhancement request to ask ARIN to enable folks to
delegate full RPKI authority to the receipient of SWIPed space.

For some parties it would be a time-saver: "go create/maintain your ROAs
yourself!", but it wouldn't be for everyone. I can also imagine that as
part of the SWIP agreement the receipient may only originate from a
specific ASN for a specific purpose and is not authorized to change

I'd like to encourage ARIN to investigate possible enhancements to the
delegation of RPKI management in the Hosted environment (rpki.arin.net).

Kind regards,

You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-PPML at arin.net <mailto:ARIN-PPML at arin.net>).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml <https://lists.arin.net/mailman/listinfo/arin-ppml>
Please contact info at arin.net <mailto:info at arin.net> if you experience any issues.

More information about the ARIN-PPML mailing list