LOAs for Cross Connects - Something like PeeringDB for XC

George Michaelson ggm at algebras.org
Mon Feb 22 23:39:25 UTC 2021

The LOA type model is one of the ones we showed on slideware when we
presented RTA in IETF, and at the CloudFlare RPKI workshop years ago.

The detached signature model inherent in RTA and RSC goes to "you
define the business logic" It's not proscriptive. I saw nothing
proposed here which I thought wasn't a rational thing to try and
certify in this manner. The key point is, the "action" you want to
approve has to vest in "who controls the stated internet number
resources" -If they have no bearing, then its not rational to propose
using (R)PKI to do it. some other PKI? sure.

Randy is correct that the processes are baroque, not well defined,
come with all kinds of corner cases: what does a more specific command
(regarding some IP address) if its not signed and the parent is? or,
if the more specific is, and the parent isn't?)

Randy is also correct that RPKI certificates by design, do not permit
their use in ways which go directly to things like identity proofs.
detached signatures open the door to doing some things here, because
you can sign over something which ways "the person identified by the
following public key is to be permitted to ..." And in like sense, we
removed the uses which go to message encryption, sender or receiver.
You can't directly use an RPKI certificate to do "for your eyes only"
-it can only say "the person controlling these numbers, says the

Obviously, I think this detached signature model is good :-)

On Tue, Feb 23, 2021 at 6:31 AM Randy Bush <randy at psg.com> wrote:
> >> What if PeeringDB would be the CA for the Facilities?
> >> Supposedly this solves the CA problem of the "Colo Folks".
> >
> > I think pushing your security identification out (as the notional
> > equinix) to a third party where you can't revoke/change/etc is asking
> > for dangerous things to happen.
> there are a few examples of industry associations with simple, strong,
> and formal ties sufficient to allow forms of trust automation.  folk
> such as karen o'donoghue, lucy lynch, and heather flanagan would be able
> to speak vastly more knowledgeably in this space than i.
> > again, that draft is a... draft still and I"m sure we'll have a bunch
> > of chatter/discussion/changes before done, but it smells like it might
> > help.
> you might notice that we use it in draft-ietf-opsawg-finding-geofeeds.
> but that application is specifically to use rpki data to attest to ip
> address ownership.  the problem there is that the draft is a cool proof
> of concept, but is not operationally easy to use.
> randy
> ---
> randy at psg.com
> `gpg --locate-external-keys --auto-key-locate wkd randy at psg.com`
> signatures are back, thanks to dmarc header mangling

More information about the NANOG mailing list