Tom,
It sounds like you're referring to delegated RPKI:
https://www.arin.net/resources/manage/rpki/delegated/
I assume this could be done, but it would still have to be set up
through ARIN first - just as in the case of hosted RPKI.
Regards,
Erik
KE5SAI
On Wed, Jun 10, 2020 at 11:26 AM Erik Seidel <erik(a)znsl.us> wrote:
Tom,
It sounds like you're referring to delegated RPKI:
https://www.arin.net/resources/manage/rpki/delegated/
I assume this could be done, but it would still have to be set up
through ARIN first - just as in the case of hosted RPKI.
Regards,
Erik
KE5SAI
On Wed, Jun 10, 2020 at 11:21 AM Tom Cardinal via 44Net
<44net(a)mailman.ampr.org> wrote:
> Cynthia,
>
> I only listed them as an example, my point was a having our own CA
> signed by a signing org that is trusted by RIRs. If that be ARIN then
> so be it. More importantly though, as you know, we have a legacy
> allocation. In my opinion we are equal to an RIR but with the ability
> to make global allocations from the 44.0/9 and 44.128/10 space.
>
> --ton/n2xu 44.98.63.0/29.
>
>
> On 6/10/20 7:38 AM, Cynthia Revström via 44Net wrote:
>> Tom,
>>
>> As Q already mentioned, Thawte or Comodo (now called Sectigo) are
for Web
>> PKI, not RPKI, they have nothing to do
with this.
>> And not to mention the huge requirements something like that would
have,
>> and enormous fees.
>>
>> Not entirely sure what you mean by "act as an IR"?
>>
>>> They would have to accept it much like ARIN and RIPE trust each
other
>> In the context of RPKI, ARIN and RIPE NCC
do not trust each other,
they
>> have their own Root CAs (TALs), which are
independent of each other.
>> An RPKI validator has to use both of them.
>>
>> - Cynthia
>>
>>
>> On Wed, Jun 10, 2020 at 2:33 PM Q Misell via 44Net <
44net(a)mailman.ampr.org>
>> wrote:
>>
>>> CA's like Thawte or Comodo won't work for this, they're for web
PKI
not
>>> resource PKI.
>>> The 44.0.0.0/9 cert would have to be signed by one of the RIR's
trust
>>> anchors (probably ARIN since they
have 44.0.0.0/8 assigned to them)
>>>
>>> Thanks,
>>> Q
>>>
>>>
>>> On Wed, 10 Jun 2020 at 13:28, Tom Cardinal via 44Net <
>>> 44net(a)mailman.ampr.org>
>>> wrote:
>>>
>>>> I've been monitoring this discussion. Since our space was
allocated by
>>>> Jon Postel, initially around 1981
(ish), why can't we create our
own
>>>> trust model (CA signed by a CA
signing agency like Thawte or
Comodo as
>>>> examples) and act as an IR for
the 44.0/9 and 22.128/10 space
ourselves
>>>> and publish that trust model to
the RIRs? They would have to
accept it
>>>> much like ARIN and RIPE trust
each other. Then RPKI would work for
>>>> AMPRNet and AMPRNet would control it's own destiny.
>>>>
>>>> --tom/n2xu 44.98.62.0/29
>>>>
>>>>
>>>> On 6/2/20 2:34 PM, Jonathan Lassoff via 44Net wrote:
>>>>> I can sympathize with the sentiment that RPKI and widespread RPKI
>>>>> adoption in its current form will really lock out and
disenfranchise
>>>>> smaller network operators.
>>>>>
>>>>> Now, *more than ever*, we need to enable an Internet that any
>>>>> organization (a natural person, a registered entity, a
hackerspace,
>>>>> etc.) can connect to,
uniquely address itself, and begin
exchanging
>>>>> traffic.
>>>>>
>>>>> In order to enable such an open system to function, we also need
ways
>>>>> of ensuring that unicast
addresses are unique and that there is
some
>>>>> public, verifiable way of
claiming ownership of IP space. Without
>>>>> this, the entire network is open to disruption and abuse by
almost any
>>>>> operator. It's amazing we
have gotten so far on the good will of
most
>>>>> operators.
>>>>>
>>>>> The RIR model of lawyers, paperwork, and public databases works
for a
>>>>> lot of people and
organizations. IRR was the first step, but it
was
>>>>> complex and a bit clunky to
use. I see RPKI for Origin Validation
as
>>>>> just the first/next step of
extending this model of trust and
>>>>> numbering resource ownership into the routing protocol space more
>>>>> directly.
>>>>> From a technical standpoint, this logical extension of systems
makes a
>>>>> lot of sense and I don't
have a problem with it.
>>>>>
>>>>> For commercial network operators, a RIR registration is just the
cost
>>>>> of doing business.
>>>>> But for many small nonprofits, regional amataur radio/network
>>>>> operators, or individuals, a few thousand dollars/euros a year is
a
>>>>> lot of money that makes
Internet independence out of reach.
>>>>> They end up having to resort to the hegemony of their local
incumbent
>>>>> monopoly and chain themselves
to the whims of their upstreams and
>>>>> regulators.
>>>>>
>>>>> I suspect many legacy resource holders find themselves in a
similar
>>>>> limbo-state of not wanting to
participate in the RIR model and pay
>>>>> money for essentially nothing.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Echoing some similar earlier sentiments to want to create a CA for
>>>>> legacy address holders: How feasible would it be to create
something
>>>>> RIR-like, but noncommercial?
>>>>> A place for legacy address holders to coordinate and register
>>>>> resources seems like a natural fit. If we're going to operate a
>>>>> database of ROAs, we're going to need some database of address
space
>>>>> ownership.
>>>>> For 44net use cases, this seems really straightforward, since we
have
>>>>> the Portal to draw from. But
for other organizations, it gets a
bit
>>>>> more complicated to do
properly. Given some random email
>>>>> address/account in some hypothetical legacy RIR, how can we really
>>>>> validate that they're authorized to take actions on behalf of
some
>>>>> organization?
>>>>> To take some random examples from the IANA IPv4 list: DISA, USPS,
>>>>> AT&T, Apple, etc. Doing this right is going to take some
process,
>>>>> record keeping, and well.... work.
>>>>> With this context, I can see how a lot of RIRs go commercial.
However,
>>>>> with a bit of automation,
good documentation and records, and some
>>>>> dedicated volunteers, this seems like a really doable/achievable
thing
>>>>> in the netops community.
>>>>>
>>>>> I would be curious to know if anyone else shares these
views/dreams
>>>>> and would like to chat about
it.
>>>>>
>>>>> Stay safe and sane out there.
>>>>>
>>>>> Cheers,
>>>>> jof
>>>>>
>>>>> On Tue, 2 Jun 2020 at 08:18, Job Snijders via 44Net
>>>>> <44net(a)mailman.ampr.org> wrote:
>>>>>> Thomas,
>>>>>>
>>>>>> You say
>>>>>>
>>>>>> On Tue, Jun 2, 2020, at 04:17, Thomas Jones - KG5ZI /8 via 44Net
>>> wrote:
>>>>>>> DO NOT participate in RPKI!
>>>>>> And ...
>>>>>>
>>>>>>> We should be protecting our Internet!! Just saying...
>>>>>> What are you really saying? These statements seem at odds with
each
>>>> other.
>>>>>> How do you protect your internet? Maybe I can learn some tricks
from
>>>> you?
>>>>>> Kind regards,
>>>>>>
>>>>>> Job
>>>>>> _________________________________________
>>>>>> 44Net mailing list
>>>>>> 44Net(a)mailman.ampr.org
>>>>>>
https://mailman.ampr.org/mailman/listinfo/44net
>>>>> _________________________________________
>>>>> 44Net mailing list
>>>>> 44Net(a)mailman.ampr.org
>>>>>
https://mailman.ampr.org/mailman/listinfo/44net
>>>> _________________________________________
>>>> 44Net mailing list
>>>> 44Net(a)mailman.ampr.org
>>>>
https://mailman.ampr.org/mailman/listinfo/44net
>>>>
>>> _________________________________________
>>> 44Net mailing list
>>> 44Net(a)mailman.ampr.org
>>>
https://mailman.ampr.org/mailman/listinfo/44net
>>>
>> _________________________________________
>> 44Net mailing list
>> 44Net(a)mailman.ampr.org
>>
https://mailman.ampr.org/mailman/listinfo/44net
>
> _________________________________________
> 44Net mailing list
> 44Net(a)mailman.ampr.org
>
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org