how the rpki works
Randy Bush
randy at psg.com
Sat Jan 8 21:22:01 UTC 2011
<pedantry but technically critical pedantry>
[ and 06:00 here so i am probably also making critical errors ]
> I don't think rr.arin.net and RPKI have anything to do with each
> other. I think the direction the RPKI should/is taking is to have the
> RIR sign a ROA to the ORG that they allocate the address space to...
s/ROA/resource certificate/
> Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the
> ORG that they assign address space to.
idem
it is only when you get down to someone who has [a piece of] that
allocation they wish to announce into bgp that they acually cause a ROA
to be issued which may be validated using the cert chain.
> The parts of the puzzle here that ARIN (or really any RIR) is
> responsible for are the 'signing roas to allocatees' (the "up/down
> protocol" as it's referred to in the drafts
s/roas/certificates/
> I believe the 'up/down protocol' part here is critical, the "web
> server" part ... I'm not sure is so critical, maybe a third party
> makes that happen outside of the ARIN management chain?
this is easily done with the rpki, up/down, publication, ...
architecture.
> Using someone not yourself (ARIN or another third party) to manage
> your ROA data means you probably have (in the most simple case) given
> the ability to that third party to sign objects for you, that means
> they have your private key(s) and can break you by
> mistake/malfeasance/oversight/etc. For this reason some folks may be
> ok with using a third party, many will choose to hold their fate in
> their own hands.
exactly. but only if the parent runs the up/down ('provisioning')
protocol, does the child have that choice.
randy
More information about the NANOG
mailing list