how the rpki works

Randy Bush randy at
Sat Jan 8 15:22:01 CST 2011

<pedantry but technically critical pedantry>
[ and 06:00 here so i am probably also making critical errors ]

> I don't think and RPKI have anything to do with each
> other. I think the direction the RPKI should/is taking is to have the
> RIR sign a ROA to the ORG that they allocate the address space to...

s/ROA/resource certificate/

> Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the
> ORG that they assign address space to.


it is only when you get down to someone who has [a piece of] that
allocation they wish to announce into bgp that they acually cause a ROA
to be issued which may be validated using the cert chain.

> The parts of the puzzle here that ARIN (or really any RIR) is
> responsible for are the 'signing roas to allocatees' (the "up/down
> protocol" as it's referred to in the drafts


> I believe the 'up/down protocol' part here is critical, the "web
> server" part ... I'm not sure is so critical, maybe a third party
> makes that happen outside of the ARIN management chain?

this is easily done with the rpki, up/down, publication, ...

> Using someone not yourself (ARIN or another third party) to manage
> your ROA data means you probably have (in the most simple case) given
> the ability to that third party to sign objects for you, that means
> they have your private key(s) and can break you by
> mistake/malfeasance/oversight/etc. For this reason some folks may be
> ok with using a third party, many will choose to hold their fate in
> their own hands.

exactly.  but only if the parent runs the up/down ('provisioning')
protocol, does the child have that choice.


More information about the NANOG mailing list