25 May
2020
25 May
'20
1:40 p.m.
Yeah ARIN does support delegation to your own RPKI servers, this is what
I run for my company - internal ROKI system based on Krill
(https://github.com/NLnetLabs/krill) and then ARIN and RIPE sign my CA
and delegate my resources.
Krill also supports self-signing, so it would be possible to host
something completely independent of the RIRs, however, as has been
mentioned before, the ARDC trust anchor would have to be manually
included by all networks that implement RPKI filtering.
Chris
VE7ALB
On 25/05/2020 10:29, Quan Zhou via 44Net wrote:
It looks like ARIN supports delegation[0], the model
seems like what
the relationship between 44net and ARIN now?
If that works, maybe It's like this: ARIN delegates [44/9,
44.128.0.0/10] to AMPRNet/ARDC, and they run a subordinate CA to issue
RV records. Configure and keep running a compliant CA can be a real
challenging though.
--
[0]:
https://rpki.readthedocs.io/en/latest/rpki/implementation-models.html#funct…
On A2020/05/25 PM0:38, Nate Sales via 44Net wrote:
I would certainly be interested in RPKI
implementation, and a few
questions come to mind.
First, I'm curious is it possible to use the ARIN hosted TA even
though it's legacy space?
Also, I'm wondering how the ROA creation and signing process would be
handled. It wont work to have the entirety of AMPRNet signed for
AS7377 AMPRGW announcement, so we would have to come up with a way to
create ROAs for the other networks authorized to announce smaller
allocations.
Nate
Nate
On Sun, May 24, 2020 at 9:06 PM Bryan Fields via 44Net
<44net(a)mailman.ampr.org> wrote:
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net On 5/24/20 11:26 PM, Scott Nicholas via 44Net
wrote:
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net I think we could run our own RPKI but the ARIN
won't sign us.
Therefore we would just have to publish our trust anchor for others to
include in their validators if they must use it..
I would be interested in doing
this. I had a pretty long talk about
it at a
hotel bar about this very thing last year. It wouldn't be that hard
IMHO.
This does beg the question, is ARDC trustworthy/open enough to be
the anchor
of this?
--
Bryan Fields
727-409-1194 - Voice
http://bryanfields.net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net