<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:767628302;
mso-list-template-ids:91676014;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Andrew, <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I responded to you from the perspective of a Hosted RPKI user.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">For delegated RPKI it works as follows;</span><span style="font-family:"Arial",sans-serif;color:#777777"><o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:#777777;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt">A direct resource holder can sign up to use delegated RPKI, obtain a resource certificate, and set up a CA (i.e Krill).</span><o:p></o:p></li><li class="MsoNormal" style="color:#777777;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt">Within Krill the direct resource holder creates customer accounts for the recipients of detailed reassignments or relocations. </span><o:p></o:p></li><li class="MsoNormal" style="color:#777777;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt">The direct resource holder configures Krill to permit these customer accounts to generate ROAs for the specific IP resources handed to them.</span><o:p></o:p></li></ul>
<p class="MsoNormal"><span style="color:#777777"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#777777"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#777777">Brad Gorman<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Sr. Product Owner, Routing Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">ARIN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
On 6/24/24, 13:57, "Andrew Gallo" <akg1330@gmail.com> wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">This is helpful. Thank you for the explanation.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 6/24/2024 11:08 AM, Brad Gorman wrote:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Hello Andrew,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Thanks for your question.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> * Only holders of resources received directly from ARIN are able to create ROAs for those resources.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> * Organizations who are recipients of reallocated or detailed reassignments can create IRR objects, not RPKI ROAs for those resources.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> * Organizations who are recipients of simple reassignments may not user IRR or RPKI services.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Best regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Brad Gorman<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Sr Product Owner, Routing Security<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> ARIN<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> From: arin-tech-discuss <<a href="mailto:arin-tech-discuss-bounces@arin.net">arin-tech-discuss-bounces@arin.net</a>> on behalf of Andrew Gallo <<a href="mailto:akg1330@gmail.com">akg1330@gmail.com</a>><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Date: Monday, June 24, 2024 at 10:52<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> To: David Farmer <<a href="mailto:farmer@umn.edu">farmer@umn.edu</a>><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Cc: <a href="mailto:arin-tech-discuss@arin.net">
arin-tech-discuss@arin.net</a> <<a href="mailto:arin-tech-discuss@arin.net">arin-tech-discuss@arin.net</a>><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Subject: Re: [arin-tech-discuss] Who can generate ROAs when a holder reassigns or reallocations address space?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> I like that idea. I was thinking along the same lines.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> When a prefix is delegated, associate a Routing POC with the prefix<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> which would be allowed to generate ROAs and IRR objects. If no<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> association is made, only the parent can take these actions.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> Question- do you think the delegating/parent holder should be allowed to<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> generate ROAs if there is a downstream Routing POC?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">> On 6/24/2024 10:08 AM, David Farmer wrote:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>> I wonder if a tactic to address this issue is expanding the use of the<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>> Router POC. Maybe a Router POC could be created at the resource level or<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>> with a Detailed Reassignment instead of a Router POC at the Organization<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>> Level, providing a fine-grained mechanism to delegate control of ROA and<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>> IRR.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>> Just a thought.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>> On Mon, Jun 24, 2024 at 8:34<span style="font-family:"Arial",sans-serif"> </span>AM Andrew Gallo <<a href="mailto:akg1330@gmail.com">akg1330@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> If a holder of address resources reassigns or reallocates a portion of<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> that space, who can create an RPKI ROA? The original holder (parent),<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> the downstream org that has the delegated portion of the space?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> The three options for reassignment/reallocation are<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> Simple Reassignment<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> Detailed Reassignment<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> Reallocation<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> (definitions below)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> Based on my reading, Simple Reassignment allows only the 'parent' (or<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> delegating) org allowed to create ROAs. But what about Detailed? The<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> downstream org can have POCs and maintain reverse nameserver records.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> Can they also generate ROAs or IRR objects?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> What about Reallocation?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> Thank you.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> Simple Reassignment<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> Use this option if you will manage abuse and network contacts for<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> your customer.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> Detailed Reassignment<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> Use this for a downstream organization that needs to maintain its<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> own reverse nameservers and/or separate Point of Contact (POC)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> information.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> Reallocation<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> Use this for a downstream organization that needs to maintain its<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> own reverse nameservers and/or separate Point of Contact (POC)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>> information and make reassignments of IP addresses to its own customers.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> _______________________________________________<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> arin-tech-discuss mailing list<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> <a href="mailto:arin-tech-discuss@arin.net">
arin-tech-discuss@arin.net</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>> <a href="https://lists.arin.net/mailman/listinfo/arin-tech-discuss">
https://lists.arin.net/mailman/listinfo/arin-tech-discuss</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">>>><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
</div>
</body>
</html>