xiaoyu.net via Manrs-community wrote on 14/11/2024 05:21:
I don't know why it's so hard for you to understand this. /40 can be allocated to many /48s. Make full use of the IP space. Any situation is possible. Let everyone manage their own information. Why make each LIR do it? Since you are allowed to manage ROA yourself, why not allow you to manage RPKI yourself?

I'm not clear what you're trying to do here. Maybe you could explain your end goal and that might clarify what sort of options you would have?

The point of RPKI is routing security. If you get an IP address assignment from your LIR from an RIR allocation ("ALLOCATED PA"), the LIR is responsible for the routing security associated with that block. If they're happy for you to handle the routing of a subnet of it, they can choose to sub-delegate that using self-hosted RPKI. But if they don't want to do that, then that's their choice. They have the right to do this because that's matched with the responsibility of managing that block, which includes stewardship of the resource, paying the LIR, managing customer assignments and all that. They're the IP resource holder, not you.

If you want to handle this yourself, then get a direct assignment ("ASSIGNED PI") and you can be responsible for that. You can get your nearest LIR to act as sponsor for this, in which case, you can ask them to set up self-hosted RPKI for you, and you then can run your own authority. If they don't want to do this, you can get another LIR to sponsor your LIR, or you can open your own LIR, or you can get an assignment directly from the RIPE NCC and engage with them directly. The last two options are expensive, so maybe if this is for home / private use then it's probably too expensive.

I.e. if this is for public DFZ inter-domain routing, you'll need to register your own address space and use the existing frameworks for managing RPKI. If this is for a private routing system / home use VPN, then why not run your own private TAL and do whatever you want with that?

Nick