
I don't know why it's so hard for you to understand this. /40 can be allocated to many /48s. Make full use of the IP space. Any situation is possible. Let everyone manage their own information. Why make each LIR do it? Since you are allowed to manage ROA yourself, why not allow you to manage RPKI yourself?

What I mean is to popularize security. For example, SSL certificates were sold at high prices before, but now almost everyone can use SSL certificates for free and they can be automated. Does RPKI have to be manually operated by LIR every time?

This is like you authorize someone to use your house. You must give the key to the guest so that they can manage the security themselves, right? Do you have to ask the landlord to open the door every time? Is this necessary?

From: Gert Doering <gert@space.net>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 21:10:03 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Hi,

On Thu, Nov 14, 2024 at 12:50:54AM +0800, xiaoyu.net via Manrs-community wrote:
I don't agree with this view. For example, a /40 IPv6 address block is assigned to a person who has no connection with the LIR. Submitting RPKI settings to the LIR is difficult and impossible to keep up to date. Because updating and setting up RPKI for a large number of IPv6 prefixes to LIR is a very heavy task. What I mean is that the person who actually manages the use of the IP prefix should be allowed to set up RPKI himself in RIPE.

A /40 IPv6 can be assigned by the RIPE NCC, or by an ISP (acting for the LIR). So the chain of assignment is clear, and if the ISP is permitting independent BGP announcement of said /40, they can do the RPKI ROA just fine ("two clicks in the RIPE LIR portal") - and if not, it's their decision to not allow that.

If the /40 is coming from the RIPE NCC, the NCC will do RPKI.

Normally the ROA setup is a one-time thing - if you have "a large number of prefixes" and RPKI changes all the time (making it a "very heavy task"), it sounds as if you're mostly holding it wrong.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Ingo Lalla,
                                           Karin Schuler, Sebastian Cler
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

************************************
Our Mail Server Support IPv6 & IPv4
************************************