I assume this could be done, but it would still have to be set up
through ARIN first - just as in the case of hosted RPKI.
Regards,
Erik
KE5SAI
On Wed, Jun 10, 2020 at 11:26 AM Erik Seidel <erik(a)znsl.us> wrote:
Tom,
It sounds like you're referring to delegated RPKI:
https://www.arin.net/resources/manage/rpki/delegated/
I assume this could be done, but it would still have to be set up
through ARIN first - just as in the case of hosted RPKI.
Regards,
Erik
KE5SAI
On Wed, Jun 10, 2020 at 11:21 AM Tom Cardinal via 44Net
<44net(a)mailman.ampr.org> wrote:
>
> Cynthia,
>
> I only listed them as an example, my point was having our own CA
> signed by a signing org that is trusted by RIRs. If that be ARIN then
> so be it. More importantly though, as you know, we have a legacy
> allocation. In my opinion we are equal to an RIR but with the ability
> to make global allocations from the 44.0/9 and 44.128/10 space.
>
> --ton/n2xu 44.98.63.0/29.
>
>
> On 6/10/20 7:38 AM, Cynthia Revström via 44Net wrote:
> > Tom,
> >
> > As Q already mentioned, Thawte or Comodo (now called Sectigo) are for Web
> > PKI, not RPKI, they have nothing to do with this.
> > And not to mention the huge requirements something like that would have,
> > and enormous fees.
> >
> > Not entirely sure what you mean by "act as an IR"?
> >
> >> They would have to accept it much like ARIN and RIPE trust each other
> > In the context of RPKI, ARIN and RIPE NCC do not trust each other, they
> > have their own Root CAs (TALs), which are independent of each other.
> > An RPKI validator has to use both of them.
> >
> > - Cynthia
> >
> >
> > On Wed, Jun 10, 2020 at 2:33 PM Q Misell via 44Net
> > <44net(a)mailman.ampr.org> wrote:
> >
> >> CAs like Thawte or Comodo won't work for this, they're for web
> >> PKI not resource PKI.
> >> The 44.0.0.0/9 cert would have to be signed by one of the RIRs' trust
> >> anchors (probably ARIN since they have 44.0.0.0/8 assigned to them)
> >>
> >> Thanks,
> >> Q
> >>
> >>
> >> On Wed, 10 Jun 2020 at 13:28, Tom Cardinal via 44Net
> >> <44net(a)mailman.ampr.org> wrote:
> >>
> >>> I've been monitoring this discussion. Since our space was
> >>> allocated by Jon Postel, initially around 1981 (ish), why can't we
> >>> create our own trust model (CA signed by a CA signing agency like
> >>> Thawte or Comodo as examples) and act as an IR for the 44.0/9 and
> >>> 22.128/10 space ourselves and publish that trust model to the RIRs?
> >>> They would have to accept it much like ARIN and RIPE trust each
> >>> other. Then RPKI would work for AMPRNet and AMPRNet would control
> >>> its own destiny.
> >>>
> >>> --tom/n2xu 44.98.62.0/29
> >>>
> >>>
> >>> On 6/2/20 2:34 PM, Jonathan Lassoff via 44Net wrote:
> >>>> I can sympathize with the sentiment that RPKI and widespread RPKI
> >>>> adoption in its current form will really lock out and disenfranchise
> >>>> smaller network operators.
> >>>>
> >>>> Now, *more than ever*, we need to enable an Internet that any
> >>>> organization (a natural person, a registered entity, a hackerspace,
> >>>> etc.) can connect to, uniquely address itself, and begin exchanging
> >>>> traffic.
> >>>>
> >>>> In order to enable such an open system to function, we also need ways
> >>>> of ensuring that unicast addresses are unique and that there is some
> >>>> public, verifiable way of claiming ownership of IP space. Without
> >>>> this, the entire network is open to disruption and abuse by almost any
> >>>> operator. It's amazing we have gotten so far on the good will of most
> >>>> operators.
> >>>>
> >>>> The RIR model of lawyers, paperwork, and public databases works for a
> >>>> lot of people and organizations. IRR was the first step, but it was
> >>>> complex and a bit clunky to use. I see RPKI for Origin Validation as
> >>>> just the first/next step of extending this model of trust and
> >>>> numbering resource ownership into the routing protocol space more
> >>>> directly.
> >>>> From a technical standpoint, this logical extension of systems makes a
> >>>> lot of sense and I don't have a problem with it.
> >>>>
> >>>> For commercial network operators, a RIR registration is just the cost
> >>>> of doing business.
> >>>> But for many small nonprofits, regional amateur radio/network
> >>>> operators, or individuals, a few thousand dollars/euros a year is a
> >>>> lot of money that makes Internet independence out of reach.
> >>>> They end up having to resort to the hegemony of their local incumbent
> >>>> monopoly and chain themselves to the whims of their upstreams and
> >>>> regulators.
> >>>>
> >>>> I suspect many legacy resource holders find themselves in a similar
> >>>> limbo-state of not wanting to participate in the RIR model and pay
> >>>> money for essentially nothing.
> >>>>
> >>>> Echoing some similar earlier sentiments to want to create a CA for
> >>>> legacy address holders: How feasible would it be to create something
> >>>> RIR-like, but noncommercial?
> >>>> A place for legacy address holders to coordinate and register
> >>>> resources seems like a natural fit. If we're going to operate a
> >>>> database of ROAs, we're going to need some database of address space
> >>>> ownership.
> >>>> For 44net use cases, this seems really straightforward, since we have
> >>>> the Portal to draw from. But for other organizations, it gets a bit
> >>>> more complicated to do properly. Given some random email
> >>>> address/account in some hypothetical legacy RIR, how can we really
> >>>> validate that they're authorized to take actions on behalf of some
> >>>> organization?
> >>>> To take some random examples from the IANA IPv4 list: DISA, USPS,
> >>>> AT&T, Apple, etc. Doing this right is going to take some process,
> >>>> record keeping, and well.... work.
> >>>> With this context, I can see how a lot of RIRs go commercial. However,
> >>>> with a bit of automation, good documentation and records, and some
> >>>> dedicated volunteers, this seems like a really doable/achievable thing
> >>>> in the netops community.
> >>>>
> >>>> I would be curious to know if anyone else shares these views/dreams
> >>>> and would like to chat about it.
> >>>>
> >>>> Stay safe and sane out there.
> >>>>
> >>>> Cheers,
> >>>> jof
> >>>>
> >>>> On Tue, 2 Jun 2020 at 08:18, Job Snijders via 44Net
> >>>> <44net(a)mailman.ampr.org> wrote:
> >>>>> Thomas,
> >>>>>
> >>>>> You say
> >>>>>
> >>>>> On Tue, Jun 2, 2020, at 04:17, Thomas Jones - KG5ZI /8 via 44Net
> >>>>> wrote:
> >>>>>> DO NOT participate in RPKI!
> >>>>> And ...
> >>>>>
> >>>>>> We should be protecting our Internet!! Just saying...
> >>>>> What are you really saying? These statements seem at odds with
> >>>>> each other.
> >>>>> How do you protect your internet? Maybe I can learn some tricks
> >>>>> from you?
> >>>>> Kind regards,
> >>>>>
> >>>>> Job
> >>>>> _________________________________________
> >>>>> 44Net mailing list
> >>>>> 44Net(a)mailman.ampr.org
> >>>>> https://mailman.ampr.org/mailman/listinfo/44net
> >>>
> >>>
> >>
>
>
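The thread above turns on two mechanics of RPKI origin validation that are easy to get backwards: a validator builds one validated-ROA cache from every trust anchor (TAL) it has configured, as Cynthia notes, and a ROA only matches a route whose prefix length stays within the ROA's maxLength. The following Python is an added example, not code from the thread or from any participant, implementing the RFC 6811 decision (Valid / Invalid / NotFound) over a small cache. The sample ROAs, the private-use AS numbers and the "ARIN"/"RIPE" labels on them are constructed assumptions for illustration and say nothing about the real RPKI state of 44/8 or any other prefix.

```python
"""Route origin validation (RFC 6811) over a validated-ROA cache that is
assembled from several trust anchors. Added example; the sample ROAs are
constructed and do not reflect the real RPKI state of any prefix."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: prefix, maxLength, origin AS, and the TAL it chained to."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int
    tal: str


# Constructed sample records. The AS numbers are private-use ASNs and the TAL
# attributions are assumptions made for the example, not real ROAs.
SAMPLE_VRP_RECORDS = [
    ("44.0.0.0/9",      24, 64512, "ARIN"),
    ("44.128.0.0/10",   24, 64513, "ARIN"),
    ("198.51.100.0/24", 24, 64514, "RIPE"),
    ("203.0.113.0/24",  24, 0,     "RIPE"),   # AS0 ROA: no AS may originate this
]


def build_cache(records, loaded_tals=None):
    """Build the validated cache from (prefix, maxLength, asn, tal) tuples.

    A validator only sees ROAs that chain to a TAL it has configured, so a
    ROA under a TAL missing from loaded_tals never enters the cache at all."""
    cache = []
    for prefix, max_length, asn, tal in records:
        if loaded_tals is not None and tal not in loaded_tals:
            continue
        net = ipaddress.ip_network(prefix, strict=True)
        # RFC 6482: maxLength must lie between the ROA prefix length and the
        # address family's maximum; anything else is a malformed payload.
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"maxLength {max_length} out of range for {net}")
        cache.append(VRP(net, max_length, asn, tal))
    return cache


def origin_validate(cache, announced_prefix, origin_asn):
    """Return "Valid", "Invalid" or "NotFound" for one (prefix, origin AS) pair.

    RFC 6811 section 2: a VRP *covers* the route when the announced prefix
    lies inside the VRP prefix; it *matches* when, in addition, the origin AS
    is equal and the announced length is not longer than maxLength.
    No covering VRP -> NotFound; a matching one -> Valid; otherwise Invalid."""
    prefix = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [v for v in cache
                if v.prefix.version == prefix.version and prefix.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"
    # RFC 7607: AS 0 is never a legitimate origin, so an AS0 ROA can only
    # ever make the routes it covers Invalid.
    if origin_asn != 0:
        for v in covering:
            if v.asn == origin_asn and prefix.prefixlen <= v.max_length:
                return "Valid"
    return "Invalid"


if __name__ == "__main__":
    full = build_cache(SAMPLE_VRP_RECORDS)
    checks = [
        ("44.10.0.0/16", 64512),     # inside 44.0/9, right AS, /16 <= maxLength 24
        ("44.10.0.0/16", 64999),     # covered, wrong origin
        ("44.98.62.0/29", 64512),    # right AS but /29 exceeds maxLength 24
        ("192.0.2.0/24", 64512),     # nothing covers it
        ("203.0.113.0/24", 64514),   # AS0 ROA
    ]
    for p, a in checks:
        print(f"{p:18} AS{a:<6} {origin_validate(full, p, a)}")
    # Drop a TAL and a Valid route becomes NotFound, not Invalid: the ROA is
    # simply unknown to this validator.
    ripe_only = build_cache(SAMPLE_VRP_RECORDS, loaded_tals={"RIPE"})
    print("44.10.0.0/16 with only the RIPE TAL loaded:",
          origin_validate(ripe_only, "44.10.0.0/16", 64512))
```

Two things worth noticing when running it. A validator that has not loaded the TAL a ROA chains to does not reject the route; it reports NotFound, exactly as if no ROA existed, which is why a ROA is only useful once the relevant trust anchor is in every validator's configuration. And a more-specific announcement (the /29 in Tom's signature under a hypothetical /9 ROA with maxLength 24) is Invalid even with the right origin AS, so whoever publishes ROAs for a large block has to decide up front how far down the block will be deaggregated.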