Thank you, Brad. The scenario makes sense.

On 6/27/2024 5:56 PM, Brad Gorman wrote:

Andrew,

I responded to you from the perspective of a Hosted RPKI user. For delegated RPKI it works as follows:

* A direct resource holder can sign up to use delegated RPKI, obtain a resource certificate, and set up a CA (i.e. Krill).
* Within Krill the direct resource holder creates customer accounts for the recipients of detailed reassignments or relocations.
* The direct resource holder configures Krill to permit these customer accounts to generate ROAs for the specific IP resources handed to them.

Brad Gorman
Sr. Product Owner, Routing Security
ARIN

On 6/24/24, 13:57, "Andrew Gallo" <[email protected]> wrote:

This is helpful. Thank you for the explanation.

On 6/24/2024 11:08 AM, Brad Gorman wrote:

Hello Andrew,

Thanks for your question.

* Only holders of resources received directly from ARIN are able to create ROAs for those resources.
* Organizations who are recipients of reallocated or detailed reassignments can create IRR objects, not RPKI ROAs for those resources.
* Organizations who are recipients of simple reassignments may not use IRR or RPKI services.

Best regards,

Brad Gorman
Sr Product Owner, Routing Security
ARIN

From: arin-tech-discuss <[email protected]> on behalf of Andrew Gallo <[email protected]>
Date: Monday, June 24, 2024 at 10:52
To: David Farmer <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [arin-tech-discuss] Who can generate ROAs when a holder reassigns or reallocations address space?

I like that idea. I was thinking along the same lines. When a prefix is delegated, associate a Routing POC with the prefix which would be allowed to generate ROAs and IRR objects. If no association is made, only the parent can take these actions.

Question: do you think the delegating/parent holder should be allowed to generate ROAs if there is a downstream Routing POC?

On 6/24/2024 10:08 AM, David Farmer wrote:

I wonder if a tactic to address this issue is expanding the use of the Router POC. Maybe a Router POC could be created at the resource level or with a Detailed Reassignment instead of a Router POC at the Organization Level, providing a fine-grained mechanism to delegate control of ROA and IRR.

Just a thought.

On Mon, Jun 24, 2024 at 8:34 AM Andrew Gallo <[email protected]> wrote:

If a holder of address resources reassigns or reallocates a portion of that space, who can create an RPKI ROA? The original holder (parent), or the downstream org that has the delegated portion of the space?

The three options for reassignment/reallocation are

Simple Reassignment
Detailed Reassignment
Reallocation

(definitions below)

Based on my reading, Simple Reassignment allows only the 'parent' (or delegating) org to create ROAs.

But what about Detailed? The downstream org can have POCs and maintain reverse nameserver records. Can they also generate ROAs or IRR objects?

What about Reallocation?

Thank you.

Simple Reassignment
Use this option if you will manage abuse and network contacts for your customer.

Detailed Reassignment
Use this for a downstream organization that needs to maintain its own reverse nameservers and/or separate Point of Contact (POC) information.

Reallocation
Use this for a downstream organization that needs to maintain its own reverse nameservers and/or separate Point of Contact (POC) information and make reassignments of IP addresses to its own customers.

_______________________________________________
arin-tech-discuss mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-tech-discuss
