[arin-ppml] RPKI for Reallocations
job at fastly.com
Tue Jun 27 10:44:29 EDT 2023
On Sun, Jun 25, 2023 at 01:06:47PM -0500, Brian Knight via ARIN-PPML wrote:
> If I understand the below right, the assigner / upstream may delegate
> authority (create ROAs) to originate the route, but may not delegate
> management of that authority to the assignee.
> I'm saying it may be helpful to have delegation of management as well. If I,
> the assigner, could perhaps issue a cryptographic delegation of management
> to an assignee for specific prefixes A, B, ..., N, I no longer have to
> manage the delegation of authority (the ROAs) on behalf of my customer; my
> customer can just create & manage it themselves.
> Perhaps combined with that cryptographic object from the assigner, an
> assignee's ROAs for those prefixes could be validated. The assigner is still
> attesting to the validity of the assignment, just indirectly. The
> cryptographic object I'm imagining would state that the assigner delegates
> management of a set of prefixes to an assignee, establishing a chain of
> trust between the two.
> Managing ROAs isn't an onerous workload for me in particular. But it may be
> for others. It would also more closely match what is possible in IRR.
It seems a reasonable enhancement request to ask ARIN to enable folks to
delegate full RPKI authority to the recipient of SWIPed space.
For some parties it would be a time-saver: "go create/maintain your ROAs
yourself!", but it wouldn't be for everyone. I can also imagine that as
part of the SWIP agreement the recipient may only originate from a
specific ASN for a specific purpose and is not authorized to change
I'd like to encourage ARIN to investigate possible enhancements to the
delegation of RPKI management in the Hosted environment (rpki.arin.net).