Oleg,

...
I agree that an LIR could behave the way you indicated, but in so doing it needs to track which other LIRs provide service to the customer in question, in order to generate ROAs for each of them. If it fails to do so, any connections to other LIRs may be ignored, as the NLRI in question will be represented by a valid ROA pointing to another AS#. That might create a liability for the LIR. That's why Section 7.3.2 of RFC 6480 cites this as the least desirable option.
If I understand correctly, you refer to multi-homed end-users here.
yes, but not PI space holders.
In our region such users normally receive a provider-independent (PI) address space from RIPE NCC directly, so they will have their own CA and will have to maintain it.
I don't know if that is the most common practice, vs. a PA-space user moving from being single-homed to multi-homed. This is what the cited text refers to.
However, there are also many end-users with provider-aggregatable address space that they received from LIRs. And this is where I find it quite difficult to continue with estimations, because
- these end-users could still be multi-homed
if they are not multi-homed, they are invisible to BGP and thus do not need RPKI credentials. So, let's assume that the entities in question are multi-homed, with a PA space allocation.
- or they might need to have own CAs for some other reason
The preferred approach, as noted, is for multi-homed subscribers to be represented by a CA.
- their LIRs might prefer to give them responsibility for their CA
agreed.
- or prefer to not give them that responsibility
also an option.
From my perspective I do not know any source of data to collect/guess the number of end-users who will need their own CA, or the number of LIRs who would prefer to delegate CAs to their clients. I think LIRs / operators might know better. This is what I said in my previous email.
As best I know, so far we have no LIRs who have gotten this far in the RPKI space, so I too look forward to hearing from those who are considering this next step.

But, irrespective of this detail, isn't it reasonable to use the number of (live) ASes as the basis for the number of pub points (CAs)? To first order, any entity that needs to be explicitly represented in the RPKI is associated with an AS#, whether they are an LIR, a PI space holder, or a multi-homed holder of PA space (from an LIR).

Steve
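
The failure mode described at the top of this message (an LIR issuing ROAs on behalf of a multi-homed PA customer but missing one of the other providers) can be reproduced with RFC 6811 route origin validation. This is an added example, not part of the original message; the prefix and AS numbers are constructed documentation values, and it assumes each LIR originates the customer's prefix from its own AS.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: prefix, maximum length, authorized origin AS."""
    prefix: str
    max_len: int
    asn: int

def origin_validation(route_prefix: str, origin_asn: int, vrps: list) -> str:
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route's prefix lies inside the VRP prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It matches only if the length is permitted and the origin AS agrees.
        if route.prefixlen <= vrp.max_len and vrp.asn == origin_asn:
            return "valid"
    # Covered by at least one VRP but matched by none: the route is invalid.
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefix and AS numbers).
CUSTOMER_PREFIX = "203.0.113.0/25"   # PA space assigned to the customer by LIR A
LIR_A_AS, LIR_B_AS = 64500, 64501    # the customer's two providers

def scenario() -> dict:
    # LIR A issues a ROA for the customer but does not track LIR B.
    incomplete = [VRP(CUSTOMER_PREFIX, 25, LIR_A_AS)]
    # LIR A tracks the second provider and issues a ROA for it as well.
    complete = incomplete + [VRP(CUSTOMER_PREFIX, 25, LIR_B_AS)]
    return {
        "via_A_incomplete": origin_validation(CUSTOMER_PREFIX, LIR_A_AS, incomplete),
        "via_B_incomplete": origin_validation(CUSTOMER_PREFIX, LIR_B_AS, incomplete),
        "via_B_complete": origin_validation(CUSTOMER_PREFIX, LIR_B_AS, complete),
        "uncovered_prefix": origin_validation("198.51.100.0/24", LIR_B_AS, incomplete),
    }

if __name__ == "__main__":
    for name, state in scenario().items():
        print(f"{name}: {state}")
```

The path through LIR B is rejected by validating routers only because a ROA for the same NLRI exists with a different AS#; with no ROA at all the same announcement would be not-found rather than invalid.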
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr