Re: [44net] NSP bugging me to use RPKI for my /24 grant

Tom, It sounds like you're referring to delegated RPKI: https://www.arin.net/resources/manage/rpki/delegated/ I assume this could be done, but it would still have to be set up through ARIN first - just as in the case of hosted RPKI. Regards, Erik KE5SAI On Wed, Jun 10, 2020 at 11:21 AM Tom Cardinal via 44Net <44net(a)mailman.ampr.org> wrote: > > Cynthia, > > I only listed them as an example, my point was a having our own CA > signed by a signing org that is trusted by RIRs. If that be ARIN then > so be it. More importantly though, as you know, we have a legacy > allocation. In my opinion we are equal to an RIR but with the ability > to make global allocations from the 44.0/9 and 44.128/10 space. > > --ton/n2xu 44.98.63.0/29. > > > On 6/10/20 7:38 AM, Cynthia Revström via 44Net wrote: > > Tom, > > > > As Q already mentioned, Thawte or Comodo (now called Sectigo) are

> > PKI, not RPKI, they have nothing to do with this. > > And not to mention the huge requirements something like that would

> > and enormous fees. > > > > Not entirely sure what you mean by "act as an IR"? > > > >> They would have to accept it much like ARIN and RIPE trust each

> > In the context of RPKI, ARIN and RIPE NCC do not trust each other,

> > have their own Root CAs (TALs), which are independent of each other. > > An RPKI validator has to use both of them. > > > > - Cynthia > > > > > > On Wed, Jun 10, 2020 at 2:33 PM Q Misell via 44Net <

> > wrote: > > > >> CA's like Thawte or Comodo won't work for this, they're for web PKI

> >> resource PKI. > >> The 44.0.0.0/9 cert would have to be signed by one of the RIR's

> >> anchors (probably ARIN since they have 44.0.0.0/8 assigned to them) > >> > >> Thanks, > >> Q > >> > >> > >> On Wed, 10 Jun 2020 at 13:28, Tom Cardinal via 44Net < > >> 44net(a)mailman.ampr.org&gt; > >> wrote: > >> > >>> I've been monitoring this discussion. Since our space was

> >>> Jon Postel, initially around 1981 (ish), why can't we create our

> >>> trust model (CA signed by a CA signing agency like Thawte or

> >>> examples) and act as an IR for the 44.0/9 and 22.128/10 space

> >>> and publish that trust model to the RIRs? They would have to

> >>> much like ARIN and RIPE trust each other. Then RPKI would work for > >>> AMPRNet and AMPRNet would control it's own destiny. > >>> > >>> --tom/n2xu 44.98.62.0/29 > >>> > >>> > >>> On 6/2/20 2:34 PM, Jonathan Lassoff via 44Net wrote: > >>>> I can sympathize with the sentiment that RPKI and widespread RPKI > >>>> adoption in its current form will really lock out and

> >>>> smaller network operators. > >>>> > >>>> Now, *more than ever*, we need to enable an Internet that any > >>>> organization (a natural person, a registered entity, a

> >>>> etc.) can connect to, uniquely address itself, and begin

> >>>> traffic. > >>>> > >>>> In order to enable such an open system to function, we also need

> >>>> of ensuring that unicast addresses are unique and that there is

> >>>> public, verifiable way of claiming ownership of IP space. Without > >>>> this, the entire network is open to disruption and abuse by

> >>>> operator. It's amazing we have gotten so far on the good will of

> >>>> operators. > >>>> > >>>> The RIR model of lawyers, paperwork, and public databases works

> >>>> lot of people and organizations. IRR was the first step, but it

> >>>> complex and a bit clunky to use. I see RPKI for Origin Validation

> >>>> just the first/next step of extending this model of trust and > >>>> numbering resource ownership into the routing protocol space more > >>>> directly. > >>>> From a technical standpoint, this logical extension of systems

> >>>> lot of sense and I don't have a problem with it. > >>>> > >>>> For commercial network operators, a RIR registration is just the

> >>>> of doing business. > >>>> But for many small nonprofits, regional amataur radio/network > >>>> operators, or individuals, a few thousand dollars/euros a year is

> >>>> lot of money that makes Internet independence out of reach. > >>>> They end up having to resort to the hegemony of their local

> >>>> monopoly and chain themselves to the whims of their upstreams and > >>>> regulators. > >>>> > >>>> I suspect many legacy resource holders find themselves in a

> >>>> limbo-state of not wanting to participate in the RIR model and pay > >>>> money for essentially nothing. > >>>> > >>>> > >>>> > >>>> > >>>> Echoing some similar earlier sentiments to want to create a CA for > >>>> legacy address holders: How feasible would it be to create

> >>>> RIR-like, but noncommercial? > >>>> A place for legacy address holders to coordinate and register > >>>> resources seems like a natural fit. If we're going to operate a > >>>> database of ROAs, we're going to need some database of address

> >>>> ownership. > >>>> For 44net use cases, this seems really straightforward, since we

> >>>> the Portal to draw from. But for other organizations, it gets a

> >>>> more complicated to do properly. Given some random email > >>>> address/account in some hypothetical legacy RIR, how can we really > >>>> validate that they're authorized to take actions on behalf of some > >>>> organization? > >>>> To take some random examples from the IANA IPv4 list: DISA, USPS, > >>>> AT&T, Apple, etc. Doing this right is going to take some process, > >>>> record keeping, and well.... work. > >>>> With this context, I can see how a lot of RIRs go commercial.

> >>>> with a bit of automation, good documentation and records, and some > >>>> dedicated volunteers, this seems like a really doable/achievable

> >>>> in the netops community. > >>>> > >>>> I would be curious to know if anyone else shares these

> >>>> and would like to chat about it. > >>>> > >>>> Stay safe and sane out there. > >>>> > >>>> Cheers, > >>>> jof > >>>> > >>>> On Tue, 2 Jun 2020 at 08:18, Job Snijders via 44Net > >>>> &lt;44net(a)mailman.ampr.org&gt; wrote: > >>>>> Thomas, > >>>>> > >>>>> You say > >>>>> > >>>>> On Tue, Jun 2, 2020, at 04:17, Thomas Jones - KG5ZI /8 via 44Net > >> wrote: > >>>>>> DO NOT participate in RPKI! > >>>>> And ... > >>>>> > >>>>>> We should be protecting our Internet!! Just saying... > >>>>> What are you really saying? These statements seem at odds with

> >>> other. > >>>>> How do you protect your internet? Maybe I can learn some tricks

> >>> you? > >>>>> Kind regards, > >>>>> > >>>>> Job > >>>>> _________________________________________ > >>>>> 44Net mailing list > >>>>> 44Net(a)mailman.ampr.org > >>>>> https://mailman.ampr.org/mailman/listinfo/44net > >>>> _________________________________________ > >>>> 44Net mailing list > >>>> 44Net(a)mailman.ampr.org > >>>> https://mailman.ampr.org/mailman/listinfo/44net > >>> > >>> _________________________________________ > >>> 44Net mailing list > >>> 44Net(a)mailman.ampr.org > >>> https://mailman.ampr.org/mailman/listinfo/44net > >>> > >> _________________________________________ > >> 44Net mailing list > >> 44Net(a)mailman.ampr.org > >> https://mailman.ampr.org/mailman/listinfo/44net > >> > > _________________________________________ > > 44Net mailing list > > 44Net(a)mailman.ampr.org > > https://mailman.ampr.org/mailman/listinfo/44net > > > _________________________________________ > 44Net mailing list > 44Net(a)mailman.ampr.org > https://mailman.ampr.org/mailman/listinfo/44net