Hi Owen,
If I understand the below right, the assigner / upstream may delegate
authority (create ROAs) to originate the route, but may not delegate
management of that authority to the assignee.
I'm saying it may be helpful to have delegation of management as well.
If I, the assigner, could perhaps issue a cryptographic delegation of
management to an assignee for specific prefixes A, B, ..., N, I no
longer have to manage the delegation of authority (the ROAs) on behalf
of my customer; my customer can just create & manage it themselves.
Perhaps combined with that cryptographic object from the assigner, an
assignee's ROAs for those prefixes could be validated. The assigner is
still attesting to the validity of the assignment, just indirectly. The
cryptographic object I'm imagining would state that the assigner
delegates management of a set of prefixes to an assignee, establishing a
chain of trust between the two.
Managing ROAs isn't an onerous workload for me in particular. But it may
be for others. It would also more closely match what is possible in IRR.
-Brian
On 2023-06-23 16:31, Delong.com wrote:
An assignee can’t create their own ROA, just as an ISP that gets a
block from ARIN needs ARIN to create their ROA (or at least to sign
it).
The upstream must sign the ROA for it to be valid. That’s the whole
point. The upstream is delegating authority to originate the route.
Owen
On Jun 23, 2023, at 12:40, Brian Knight via ARIN-PPML
<arin-ppml@arin.net> wrote:
Fernando,
It is possible today for an org to create a route entry in the IRR for
a network reassigned to them by an LIR/ISP. The assignee has the
control over the route record, not the assigner.
Recognizing that the goals and mechanisms of IRR are similar but not
identical to RPKI, it would be helpful to have an RPKI mechanism in
ARIN Online for an assignee to create their own ROAs, as Owen said.
If that were to be added, there should also be a mechanism for the
assigner to cryptographically revoke that authorization should the
need arise.
-Brian
On 2023-06-23 13:24, Fernando Frediani wrote:
I don't think this should be allowed to happen. ROAs are to be
created by organizations who receive the allocation from the RIR as
ultimately they remain responsible for that IP space. If they have
allocated a block to a customer they should be the ones responsible
for creating any ROAs they need for that IP space (in fact ideally
they should create for the whole IP space anyway).
Fernando