I think that since someone is licensed to use the IP, they should also be allowed to submit their own RPKI to the RIRs. Especially since the number of IPv6 addresses is very huge, it is unreasonable to ask a LIR to submit and update RPKI in RIR for each /48 IPv6 address. For example, if there are hundreds of millions of /48 IPv6 addresses that need to be set up for hundreds of millions of people, how can this be reasonable? Our goal is to make the entire network secure. Security should be easy to implement. Protect everyone. From: "xiaoyu.net via Manrs-community" <manrs-community@elists.manrs.org> To: manrs-community@elists.manrs.org Date: Thu, 14 Nov 2024 01:07:53 +0800 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology I know, I can host RPKI. But it is not suitable. What kind of situation exists? For example, obtaining a /40 ipv6 address may be obtained through 10 people. The person who finally uses the ip is unlikely to find a LIR to set up RPKI. But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who ultimately uses the IP to set up RPKI themselves. From: Arturo Servin <arturo.servin@google.com> To: "xiaoyu.net" <yon@xiaoyu.net> Cc: manrs-community@elists.manrs.org Date: Wed, 13 Nov 2024 17:58:59 +0100 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology I think they could, but the holder of the /40 should have a CA and manage its own RPKI. So, basically the /40 holder would have a hosted RPKI (as RIRs do today) that the customers could use to sign their sub-allocated IP space. Not easy, possibly not today but the technology is there. Regards as On Wed, Nov 13, 2024 at 5:55 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote: I don't agree with this view. For example, a /40 ipv6 address block is assigned to a person who has no connection with the LIR. Submitting RPKI settings to the LIR is difficult and impossible to keep up to date. Because updating and setting up RPKI for a large number of IPv6 prefixes to LIR is a very heavy task. What I mean is that the person who actually manages the use of the IP prefix should be allowed to set up RPKI himself in RIPE. From: Gert Doering <gert@space.net> To: "xiaoyu.net" <yon@xiaoyu.net> Cc: manrs-community@elists.manrs.org Date: Wed, 13 Nov 2024 17:39:51 +0100 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology Hi, On Thu, Nov 14, 2024 at 12:31:01AM +0800, xiaoyu.net via Manrs-community wrote:
For example, RIPE has route6 and inet6num. It can be queried and verified at any time.RIPE now has a large number of people who are not LIRs but actually use IP networks. I mean promoting security should be available to everyone. Since you are assigning IP addresses to non-LIRs for use, you should provide security capabilities to anyone who actually manages the use of the IP addresses.
IP address assigned by the RIPE NCC have a contractual relationship, and money flows. *Of course* they can have RPKI ROAs. Do not confuse "RIPE" (which is the community) and "RIPE NCC" (which is the company that runs the database and the RPKI servers). Otherwise it is very hard to figure out what you are trying to say. Of course "RIPE has a large number of people" (because it's "all of us", no?) but that's not exactly meaningful for the question "who gave them their IP addresses?". This entity can handle RPKI - and it might not be the RIPE NCC. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 ************************************ Our Mail Server Support IPv6 & IPv4 ************************************ -- Manrs-community mailing list Manrs-community@elists.manrs.org https://elists.manrs.org/mailman/listinfo/manrs-community ************************************ Our Mail Server Support IPv6 & IPv4 ************************************ ************************************ Our Mail Server Support IPv6 & IPv4 ************************************