> On Jun 26, 2023, at 13:38, Brian Knight <m...@knight-networks.com> wrote:
> 
> On 2023-06-25 14:10, Owen DeLong wrote:
>>> On Jun 25, 2023, at 11:06, Brian Knight <m...@knight-networks.com> wrote:
>>> Hi Owen,
>>> If I understand the below right, the assigner / upstream may delegate 
>>> authority (create ROAs) to originate the route, but may not delegate 
>>> management of that authority to the assignee.
>> They must be able to delegate the management also (delegated RPKI) or
>> RPKI doesn’t work.
>> I believe this limitation may exist in Hosted RPKI (which is
>> admittedly way more popular than it should be).
> 
> Understood. I'm writing in the context of hosted RPKI. Sorry if that wasn't 
> clear.
> 
IMHO, from both a security perspective _AND_ a service provider perspective, 
hosted RPKI is a bad idea.

>>> Managing ROAs isn't an onerous workload for me in particular. But it may be 
>>> for others. It would also more closely match what is possible in IRR.
>> The upstream still needs to sign the resulting ROAs for the system to
>> maintain integrity. Not sure you can work around that.
> 
> If there were a workflow where an assignee could create an ROA and then send 
> it to the assigner for signing before publishing, I could see that working 
> for this use case.

It would have to be something like that to be functional. Unfortunately, I 
think that’s a non-trivial implementation by each RIR for their particular 
brand of hosted RPKI. All of this is a lot easier with delegated RPKI.

Owen

_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-PPML@arin.net).