Yeah, ARIN does support delegation to your own RPKI servers; this is what I run for my company: an internal RPKI system based on Krill (https://github.com/NLnetLabs/krill), and then ARIN and RIPE sign my CA and delegate my resources.
Krill also supports self-signing, so it would be possible to host something completely independent of the RIRs, however, as has been mentioned before, the ARDC trust anchor would have to be manually included by all networks that implement RPKI filtering.
Chris VE7ALB
On 25/05/2020 10:29, Quan Zhou via 44Net wrote:
It looks like ARIN supports delegation[0]; the model seems like what the relationship between 44net and ARIN is now?
If that works, maybe it's like this: ARIN delegates [44/9, 44.128.0.0/10] to AMPRNet/ARDC, and they run a subordinate CA to issue RV records. Configuring and keeping a compliant CA running can be really challenging, though.
--
On A2020/05/25 PM0:38, Nate Sales via 44Net wrote:
I would certainly be interested in RPKI implementation, and a few questions come to mind.
First, I'm curious: is it possible to use the ARIN hosted TA even though it's legacy space?
Also, I'm wondering how the ROA creation and signing process would be handled. It won't work to have the entirety of AMPRNet signed for the AS7377 AMPRGW announcement, so we would have to come up with a way to create ROAs for the other networks authorized to announce smaller allocations.
Nate
On Sun, May 24, 2020 at 9:06 PM Bryan Fields via 44Net 44net@mailman.ampr.org wrote:
On 5/24/20 11:26 PM, Scott Nicholas via 44Net wrote:
I think we could run our own RPKI but ARIN won't sign us. Therefore we would just have to publish our trust anchor for others to include in their validators if they must use it.
I would be interested in doing this. I had a pretty long talk about it at a hotel bar about this very thing last year. It wouldn't be that hard IMHO.
This does beg the question, is ARDC trustworthy/open enough to be the anchor of this?
-- Bryan Fields
727-409-1194 - Voice http://bryanfields.net
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
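The ROA question raised in the thread, as an added example that is not part of the original messages: RFC 6811 route origin validation in Python, showing why ROAs covering only the aggregates for AS7377 would make a more-specific announcement from another network invalid until that network gets its own ROA. The member prefix 44.10.20.0/24, AS64500 and the maxLength values are constructed for illustration.

```python
import ipaddress

def validate(prefix, origin_asn, vrps):
    """RFC 6811 origin validation.

    vrps is a list of (prefix, max_length, asn) tuples, i.e. the validated
    ROA payloads a relying party would feed to its routers.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP "covers" the route if the route is equal to or inside it.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A covering VRP "matches" if the origin AS agrees and the route is
        # not more specific than maxLength. AS0 VRPs never match.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed sample data: ROAs for the two aggregates named in the thread,
# both authorizing only AS7377, with maxLength equal to the prefix length.
VRPS_AGGREGATE_ONLY = [
    ("44.0.0.0/9", 9, 7377),
    ("44.128.0.0/10", 10, 7377),
]

# Constructed: a member network announcing a /24 from its own AS
# (AS64500 is a documentation ASN, the /24 is hypothetical).
MEMBER_PREFIX, MEMBER_ASN = "44.10.20.0/24", 64500

# Same table plus a ROA issued for the member's allocation.
VRPS_WITH_MEMBER = VRPS_AGGREGATE_ONLY + [(MEMBER_PREFIX, 24, MEMBER_ASN)]

if __name__ == "__main__":
    for label, table in (("aggregate ROAs only", VRPS_AGGREGATE_ONLY),
                         ("plus member ROA", VRPS_WITH_MEMBER)):
        print(label, "->", validate(MEMBER_PREFIX, MEMBER_ASN, table))
```

With only the aggregate ROAs published, networks that drop RPKI-invalid routes would reject the member's /24, which is a worse outcome than having no ROA at all (not-found).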