
At least for now, ARIN and RIPE do not allow actual IP users to manage and set up RPKI themselves. So think about what we can do. In addition, I think manrs should provide some technical information and methods to help implement network security.

From: Arturo Servin <arturo.servin@google.com>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 18:50:30 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves.
I think that is a good idea.
I think it would be a good idea for manrs to set up an RPKI hosting service.
That is not a good idea. RIRs should provide the service to sub-allocation holders as they know to whom a sub-allocation has been given (as long as the main holder has recorded it).

Regards
as

On Wed, Nov 13, 2024 at 6:46 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:

But you can do it with the current hosted system, you do not need fancy blockchain.
I didn't say blockchain. I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves. I think it would be a good idea for manrs to set up an RPKI hosting service.

From: Arturo Servin <arturo.servin@google.com>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 18:34:43 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Well, your proposal is also not very suitable.
But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who
Yes, in that we agree. RIRs should let sub-allocation holders generate ROAs, that could help RPKI adoption and reduce work for the ISP re-allocating space to customers. But you can do it with the current hosted system, you do not need fancy blockchain.

Regards
as

On Wed, Nov 13, 2024 at 6:12 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:

I know, I can host RPKI. But it is not suitable. What kind of situation exists? For example, obtaining a /40 IPv6 address may be obtained through 10 people. The person who finally uses the IP is unlikely to find a LIR to set up RPKI. But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who ultimately uses the IP to set up RPKI themselves.

From: Arturo Servin <arturo.servin@google.com>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 17:58:59 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

I think they could, but the holder of the /40 should have a CA and manage its own RPKI. So, basically the /40 holder would have a hosted RPKI (as RIRs do today) that the customers could use to sign their sub-allocated IP space. Not easy, possibly not today but the technology is there.

Regards
as

On Wed, Nov 13, 2024 at 5:55 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:

I don't agree with this view. For example, a /40 IPv6 address block is assigned to a person who has no connection with the LIR. Submitting RPKI settings to the LIR is difficult and impossible to keep up to date. Because updating and setting up RPKI for a large number of IPv6 prefixes to LIR is a very heavy task. What I mean is that the person who actually manages the use of the IP prefix should be allowed to set up RPKI himself in RIPE.

From: Gert Doering <gert@space.net>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 17:39:51 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Hi,

On Thu, Nov 14, 2024 at 12:31:01AM +0800, xiaoyu.net via Manrs-community wrote:

For example, RIPE has route6 and inet6num. It can be queried and verified at any time. RIPE now has a large number of people who are not LIRs but actually use IP networks. I mean promoting security should be available to everyone. Since you are assigning IP addresses to non-LIRs for use, you should provide security capabilities to anyone who actually manages the use of the IP addresses.

IP addresses assigned by the RIPE NCC have a contractual relationship, and money flows. *Of course* they can have RPKI ROAs.

Do not confuse "RIPE" (which is the community) and "RIPE NCC" (which is the company that runs the database and the RPKI servers). Otherwise it is very hard to figure out what you are trying to say.

Of course "RIPE has a large number of people" (because it's "all of us", no?) but that's not exactly meaningful for the question "who gave them their IP addresses?". This entity can handle RPKI - and it might not be the RIPE NCC.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG
Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler
Aufsichtsratsvors.: A. Grundner-Culemann
Joseph-Dollinger-Bogen 14
D-80807 Muenchen
HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444
USt-IdNr.: DE813185279

************************************
Our Mail Server Support IPv6 & IPv4
************************************
--
Manrs-community mailing list
Manrs-community@elists.manrs.org
https://elists.manrs.org/mailman/listinfo/manrs-community