[arin-ppml] RPKI for Reallocations
owen at delong.com
Fri Jun 23 17:31:44 EDT 2023
An assignee can’t create their own ROA, just as an ISP that gets a block from ARIN needs ARIN to create their ROA (or at least to sign it).
The upstream must sign the ROA for it to be valid. That’s the whole point. The upstream is delegating authority to originate the route.
> On Jun 23, 2023, at 12:40, Brian Knight via ARIN-PPML <arin-ppml at arin.net> wrote:
> It is possible today for an org to create a route entry in the IRR for a network reassigned to them by an LIR/ISP. The assignee has the control over the route record, not the assigner.
> Recognizing that the goals and mechanisms of IRR are similar but not identical to RPKI, it would be helpful to have an RPKI mechanism in ARIN Online for an assignee to create their own ROAs, as Owen said.
> If that were to be added, there should also be a mechanism for the assigner to cryptographically revoke that authorization should the need arise.
> On 2023-06-23 13:24, Fernando Frediani wrote:
>> I don't think this should be allowed to happen. ROAs are to be created by organizations who receive the allocation from the RIR as ultimately they remain responsible for that IP space. If they have allocated a block to a customer they should be the ones responsible for creating any ROAs they need for that IP space (in fact ideally they should create for the whole IP space anyway).
>> On 23/06/2023 13:20, Richard Laager wrote:
>>> It is my understanding that the downstream Org cannot create RPKI ROAs for Reallocated IP Networks. For example, 220.127.116.11/24 is reallocated to me (OrgID WIKSTR-1), but I cannot make a ROA for it.
>>> This is obviously suboptimal for adopting RPKI.
>>> Is this something that we could fix with Policy development, or do I need to bark up some other tree?
>> You are receiving this message because you are subscribed to
>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> Please contact info at arin.net if you experience any issues.
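Added example, not part of any message in this thread: a minimal RFC 6811 route origin validation check showing what a relying party concludes about an assignee's announcement of a reallocated prefix before and after the upstream signs a ROA naming the assignee's AS. The prefixes and AS numbers are constructed from documentation ranges (the same logic applies to an IPv4 /24), and `VRP`, `validate_origin` and `scenario` are hypothetical names.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload a relying party extracts from a signed ROA."""
    prefix: ipaddress.IPv6Network | ipaddress.IPv4Network
    max_length: int
    asn: int

def validate_origin(route: str, origin_asn: int, vrps: list[VRP]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "not-found"   # no ROA speaks for this address space
    if any(v.asn == origin_asn and net.prefixlen <= v.max_length for v in covering):
        return "valid"
    return "invalid"         # covered, but no ROA authorizes this origin/length

# Constructed sample data: documentation prefix and documentation AS numbers.
UPSTREAM_AS, ASSIGNEE_AS = 64496, 64511
BLOCK = ipaddress.ip_network("2001:db8::/32")   # held by the upstream
REALLOCATED = "2001:db8:100::/48"               # reallocated to the assignee

def scenario() -> dict[str, str]:
    """Validation state of the assignee's announcement at each step."""
    whole_block = VRP(BLOCK, 32, UPSTREAM_AS)
    delegation = VRP(ipaddress.ip_network(REALLOCATED), 48, ASSIGNEE_AS)
    announce = lambda vrps: validate_origin(REALLOCATED, ASSIGNEE_AS, vrps)
    return {
        "no_roas": announce([]),
        # Upstream publishes a ROA for its whole block with its own AS only.
        "upstream_covers_whole_block": announce([whole_block]),
        # Upstream also signs a ROA authorizing the assignee's AS.
        "upstream_signs_for_assignee": announce([whole_block, delegation]),
        # Upstream withdraws that ROA again.
        "authorization_withdrawn": announce([whole_block]),
        # Assignee announces a more specific than the ROA's maxLength allows.
        "assignee_deaggregates": validate_origin(
            "2001:db8:100:8000::/49", ASSIGNEE_AS, [whole_block, delegation]),
    }

if __name__ == "__main__":
    for step, state in scenario().items():
        print(f"{step:30} {state}")
```

Once the upstream publishes a ROA covering its whole block, the assignee's announcement moves from not-found to invalid until a ROA naming the assignee's AS exists.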