[arin-tech-discuss] Who can generate ROAs when a holder reassigns or reallocations address space?

Andrew Gallo akg1330 at gmail.com
Thu Jun 27 21:11:41 EDT 2024


Thank you, Brad.  The scenario makes sense.

On 6/27/2024 5:56 PM, Brad Gorman wrote:
> Andrew,
>
> I responded to you from the perspective of a Hosted RPKI user.
>
> For delegated RPKI it works as follows:
>
>    *   A direct resource holder can sign up to use delegated RPKI, obtain a resource certificate, and set up a CA (i.e., Krill).
>    *   Within Krill the direct resource holder creates customer accounts for the recipients of detailed reassignments or reallocations.
>    *   The direct resource holder configures Krill to permit these customer accounts to generate ROAs for the specific IP resources handed to them.
>
>
> Brad Gorman
> Sr. Product Owner, Routing Security
> ARIN
>
> On 6/24/24, 13:57, "Andrew Gallo" <akg1330 at gmail.com> wrote:
> This is helpful.  Thank you for the explanation.
>
>
> On 6/24/2024 11:08 AM, Brad Gorman wrote:
>> Hello Andrew,
>>
>> Thanks for your question.
>>
>>
>>     *   Only holders of resources received directly from ARIN are able to create ROAs for those resources.
>>     *   Organizations who are recipients of reallocated or detailed reassignments can create IRR objects, not RPKI ROAs for those resources.
>>     *   Organizations who are recipients of simple reassignments may not use IRR or RPKI services.
>>
>> Best regards,
>>
>> Brad Gorman
>> Sr Product Owner, Routing Security
>> ARIN
>>
>> From: arin-tech-discuss <arin-tech-discuss-bounces at arin.net> on behalf of Andrew Gallo <akg1330 at gmail.com>
>> Date: Monday, June 24, 2024 at 10:52
>> To: David Farmer <farmer at umn.edu>
>> Cc: arin-tech-discuss at arin.net <arin-tech-discuss at arin.net>
>> Subject: Re: [arin-tech-discuss] Who can generate ROAs when a holder reassigns or reallocations address space?
>> I like that idea.  I was thinking along the same lines.
>>
>> When a prefix is delegated, associate a Routing POC with the prefix
>> which would be allowed to generate ROAs and IRR objects. If no
>> association is made, only the parent can take these actions.
>>
>> Question- do you think the delegating/parent holder should be allowed to
>> generate ROAs if there is a downstream Routing POC?
>>
>> On 6/24/2024 10:08 AM, David Farmer wrote:
>>> I wonder if a tactic to address this issue is expanding the use of the
>>> Router POC. Maybe a Router POC could be created at the resource level or
>>> with a Detailed Reassignment instead of a Router POC at the Organization
>>> Level, providing a fine-grained mechanism to delegate control of ROA and
>>> IRR.
>>>
>>> Just a thought.
>>>
>>> On Mon, Jun 24, 2024 at 8:34 AM Andrew Gallo <akg1330 at gmail.com> wrote:
>>>
>>>> If a holder of address resources reassigns or reallocates a portion of
>>>> that space, who can create an RPKI ROA?  The original holder (parent),
>>>> the downstream org that has the delegated portion of the space?
>>>>
>>>> The three options for reassignment/reallocation are
>>>>         Simple Reassignment
>>>>         Detailed Reassignment
>>>>         Reallocation
>>>> (definitions below)
>>>>
>>>> Based on my reading, Simple Reassignment allows only the 'parent' (or
>>>> delegating) org to create ROAs.  But what about Detailed?  The
>>>> downstream org can have POCs and maintain reverse nameserver records.
>>>> Can they also generate ROAs or IRR objects?
>>>>
>>>> What about Reallocation?
>>>>
>>>> Thank you.
>>>>
>>>>
>>>>
>>>>> Simple Reassignment
>>>>>        Use this option if you will manage abuse and network contacts for
>>>>> your customer.
>>>>>
>>>>> Detailed Reassignment
>>>>>        Use this for a downstream organization that needs to maintain its
>>>>> own reverse nameservers and/or separate Point of Contact (POC)
>>>>> information.
>>>>>
>>>>> Reallocation
>>>>>        Use this for a downstream organization that needs to maintain its
>>>>> own reverse nameservers and/or separate Point of Contact (POC)
>>>>> information and make reassignments of IP addresses to its own customers.
>>>>>
>>>> _______________________________________________
>>>> arin-tech-discuss mailing list
>>>> arin-tech-discuss at arin.net
>>>> https://lists.arin.net/mailman/listinfo/arin-tech-discuss
>>>>
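
Added example, not part of the thread and not ARIN's or Krill's code: a sketch of the containment rule behind the delegated RPKI setup described above, where a customer account may only issue ROAs for prefixes inside the resources handed to it, and those resources must themselves sit inside the direct holder's certificate. The account names and prefixes are constructed (documentation ranges), and each prefix is assumed to fall within a single resource entry.

```python
import ipaddress

# Constructed sample data using documentation prefixes; names are hypothetical.
PARENT_CERT = ["192.0.2.0/24", "2001:db8::/32"]   # direct holder's resource certificate
CHILD_RESOURCES = {                                # resources handed to each customer CA
    "customer-a": ["192.0.2.0/25"],
    "customer-b": ["2001:db8:100::/40"],
}

def covered(prefix, resources):
    """True if prefix lies inside a single entry of resources (same address family)."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == r.version and net.subnet_of(r)
               for r in map(ipaddress.ip_network, resources))

def may_issue_roa(child, prefix, max_length=None):
    """Return (allowed, reason) for a ROA request from a customer account."""
    resources = CHILD_RESOURCES.get(child)
    if resources is None:
        return False, "unknown customer account"
    # The parent cannot hand down more than its own certificate lists.
    if not all(covered(r, PARENT_CERT) for r in resources):
        return False, "delegation exceeds parent certificate"
    if not covered(prefix, resources):
        return False, "prefix outside resources handed to this customer"
    net = ipaddress.ip_network(prefix)
    if max_length is None:
        max_length = net.prefixlen          # default: exact-length announcement only
    # maxLength must be at least the prefix length and at most 32 (IPv4) or 128 (IPv6).
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        return False, "maxLength out of range"
    return True, "ok"

if __name__ == "__main__":
    for req in [("customer-a", "192.0.2.0/26", 28),
                ("customer-a", "192.0.2.128/25", None),
                ("customer-b", "2001:db8:100::/48", 48)]:
        print(req, may_issue_roa(*req))
```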