[arin-tech-discuss] Who can generate ROAs when a holder reassigns or reallocations address space?

Brad Gorman bgorman at arin.net
Thu Jun 27 17:56:38 EDT 2024


Andrew,

I responded to you from the perspective of a Hosted RPKI user.

For delegated RPKI it works as follows:

  *   A direct resource holder can sign up to use delegated RPKI, obtain a resource certificate, and set up a CA (i.e. Krill).
  *   Within Krill the direct resource holder creates customer accounts for the recipients of detailed reassignments or reallocations.
  *   The direct resource holder configures Krill to permit these customer accounts to generate ROAs for the specific IP resources handed to them.


Brad Gorman
Sr. Product Owner, Routing Security
ARIN

On 6/24/24, 13:57, "Andrew Gallo" <akg1330 at gmail.com> wrote:
This is helpful.  Thank you for the explanation.


On 6/24/2024 11:08 AM, Brad Gorman wrote:
> Hello Andrew,
>
> Thanks for your question.
>
>
>    *   Only holders of resources received directly from ARIN are able to create ROAs for those resources.
>    *   Organizations who are recipients of reallocated or detailed reassignments can create IRR objects, not RPKI ROAs for those resources.
>    *   Organizations who are recipients of simple reassignments may not use IRR or RPKI services.
>
> Best regards,
>
> Brad Gorman
> Sr Product Owner, Routing Security
> ARIN
>
> From: arin-tech-discuss <arin-tech-discuss-bounces at arin.net> on behalf of Andrew Gallo <akg1330 at gmail.com>
> Date: Monday, June 24, 2024 at 10:52
> To: David Farmer <farmer at umn.edu>
> Cc: arin-tech-discuss at arin.net
> Subject: Re: [arin-tech-discuss] Who can generate ROAs when a holder reassigns or reallocations address space?
> I like that idea.  I was thinking along the same lines.
>
> When a prefix is delegated, associate a Routing POC with the prefix
> which would be allowed to generate ROAs and IRR objects. If no
> association is made, only the parent can take these actions.
>
> Question- do you think the delegating/parent holder should be allowed to
> generate ROAs if there is a downstream Routing POC?
>
> On 6/24/2024 10:08 AM, David Farmer wrote:
>> I wonder if a tactic to address this issue is expanding the use of the
>> Router POC. Maybe a Router POC could be created at the resource level or
>> with a Detailed Reassignment instead of a Router POC at the Organization
>> Level, providing a fine-grained mechanism to delegate control of ROA and
>> IRR.
>>
>> Just a thought.
>>
>> On Mon, Jun 24, 2024 at 8:34 AM Andrew Gallo <akg1330 at gmail.com> wrote:
>>
>>> If a holder of address resources reassigns or reallocates a portion of
>>> that space, who can create an RPKI ROA?  The original holder (parent),
>>> the downstream org that has the delegated portion of the space?
>>>
>>> The three options for reassignment/reallocation are
>>>        Simple Reassignment
>>>        Detailed Reassignment
>>>        Reallocation
>>> (definitions below)
>>>
>>> Based on my reading, Simple Reassignment allows only the 'parent' (or
>>> delegating) org to create ROAs.  But what about Detailed?  The
>>> downstream org can have POCs and maintain reverse nameserver records.
>>> Can they also generate ROAs or IRR objects?
>>>
>>> What about Reallocation?
>>>
>>> Thank you.
>>>
>>>
>>>
>>>> Simple Reassignment
>>>>       Use this option if you will manage abuse and network contacts for
>>>> your customer.
>>>>
>>>> Detailed Reassignment
>>>>       Use this for a downstream organization that needs to maintain its
>>>> own reverse nameservers and/or separate Point of Contact (POC)
>>>> information.
>>>>
>>>> Reallocation
>>>>       Use this for a downstream organization that needs to maintain its
>>>> own reverse nameservers and/or separate Point of Contact (POC)
>>>> information and make reassignments of IP addresses to its own customers.
>>>>
