[as112-ops] RPKI-signature for AS112-Prefixes
Matthew Pounsett
matt at dns-oarc.net
Fri Jul 27 23:20:55 UTC 2018
> On Jul 27, 2018, at 12:22, Joe Abley <jabley at hopcount.ca> wrote:
>
> Hi Matt,
>
> Presumably the same as any other use of route origin validation:
> defence against accidental origination of the routes from autonomous
> systems other than 112.
This seems like a decent-enough reason to go ahead with it. I had thought the intention was to protect against admins accidentally announcing the block from the wrong AS, which seems like a non-issue to me, but protecting against admins accidentally announcing the block at all is a worthy cause.
> It'd be fairly straightforward for DNS-OARC, as stewards of the
> project's number resources, to publish a ROA I think (and I don't
> think doing so would do any harm).
It looks like it involves either spinning up a certificate authority (and the attendant remote access infrastructure) or figuring out ARIN’s RPKI hosting system. The latter seems like the obvious choice.
I’m going to put this on the “good idea, but not critical” section of the TODO list, and hopefully I can sort out enough time to look into ARIN’s tools before too long.
Matt Pounsett
DNS-OARC Systems Engineering
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.dns-oarc.net/mailman/private/as112-ops/attachments/20180727/63add20d/attachment.sig>
More information about the as112-ops
mailing list