[arin-ppml] RPKI for Reallocations
owen at delong.com
Mon Jun 26 18:11:54 EDT 2023
> On Jun 26, 2023, at 13:38, Brian Knight <ml at knight-networks.com> wrote:
> On 2023-06-25 14:10, Owen DeLong wrote:
>>> On Jun 25, 2023, at 11:06, Brian Knight <ml at knight-networks.com> wrote:
>>> Hi Owen,
>>> If I understand the below right, the assigner / upstream may delegate authority (create ROAs) to originate the route, but may not delegate management of that authority to the assignee.
>> They must be able to delegate the management also (delegated RPKI) or
>> RPKI doesn’t work.
>> I believe this limitation may existing in Hosted RPKI (which is
>> admittedly way more popular than it should be).
> Understood. I'm writing in the context of hosted RPKI. Sorry if that wasn't clear.
IMHO, from both a security perspective _AND_ a service provider perspective, hosted RPKI is a bad idea.
>>> Managing ROAs isn't an onerous workload for me in particular. But it may be for others. It would also more closely match what is possible in IRR.
>> The upstream still needs to sign the resulting ROAs for the system to
>> maintain integrity. Not sure you can work around that.
> If there were a workflow where an assignee could create an ROA and then send it to the assigner for signing before publishing, I could see that working for this use case.
It would have to be something like that to be functional. Unfortunately, I think that’s a non-trivial implementation by each RIR for their particular brand of hosted RPKI. All of this is a lot easier with delegated RPKI.
More information about the ARIN-PPML