Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

For example, RIPE has route6 and inet6num. It can be queried and verified at any time. RIPE now has a large number of people who are not LIRs but actually use IP networks. I mean promoting security should be available to everyone. Since you are assigning IP addresses to non-LIRs for use, you should provide security capabilities to anyone who actually manages the use of the IP addresses.

From: Arturo Servin <arturolev@google.com>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 16:19:46 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

How do you propose to validate that the IPs that a given holder is claiming as theirs really belong to them?

Regards
as

On Wed, Nov 13, 2024 at 4:15 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:

I think at least manrs.org should do something. Set up a certification node. To help those who are not LIRs but have IP addresses to easily deploy and update RPKI. Deploying RPKI should be easier and that is what we need to work towards. In addition, RIRs should be encouraged to open RPKI deployment to all those who own and manage IP for free.

From: "Brandon Z." <Brandon@huize.asia>
To: Brandon Zhi <Brandon@huize.asia>
Cc: North American Network Operators' Group <nanog@nanog.org>, manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 09:39:03 -0500
Subject: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Hi there,

Currently, due to political factors, some countries are not particularly proactive in deploying RPKI. Imagine if the RIR of a region were forced to revoke all IP resources of a particular country from RPKI, effectively isolating that country from the global internet.

To address this, one approach is for autonomous networks within a region to establish two trusted RPKI CA servers: one from the major RIRs and another locally managed. The locally managed CA would take precedence, allowing autonomous networks to submit their IP resources to the RPKI server of their peers (and potentially backed by a national mandate to trust this CA). This setup could prevent a scenario where an entire country’s IP resources are revoked, leading to all IPs being marked as invalid.

Another concept is to use blockchain technology. While cryptocurrencies use computational power to verify ownership, BGP could use peer count. If an IP resource is marked as valid by a majority of high-influence networks (with many peers), it could be trusted by the entire internet. Could this approach work? Perhaps there’s existing research on similar methods?

Brandon Z.
HUIZE LTD
www.huize.asia | www.ixp.su | Twitter

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.

************************************
Our Mail Server Support IPv6 & IPv4
************************************

--
Manrs-community mailing list
Manrs-community@elists.manrs.org
https://elists.manrs.org/mailman/listinfo/manrs-community

Hi,

On Thu, Nov 14, 2024 at 12:31:01AM +0800, xiaoyu.net via Manrs-community wrote:
> For example, RIPE has route6 and inet6num. It can be queried and verified at any time. RIPE now has a large number of people who are not LIRs but actually use IP networks. I mean promoting security should be available to everyone. Since you are assigning IP addresses to non-LIRs for use, you should provide security capabilities to anyone who actually manages the use of the IP addresses.

IP addresses assigned by the RIPE NCC have a contractual relationship, and money flows. *Of course* they can have RPKI ROAs.

Do not confuse "RIPE" (which is the community) and "RIPE NCC" (which is the company that runs the database and the RPKI servers). Otherwise it is very hard to figure out what you are trying to say.

Of course "RIPE has a large number of people" (because it's "all of us", no?) but that's not exactly meaningful for the question "who gave them their IP addresses?". This entity can handle RPKI - and it might not be the RIPE NCC.

Gert Doering -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444
USt-IdNr.: DE813185279

I don't agree with this view. For example, a /40 IPv6 address block is assigned to a person who has no connection with the LIR. Submitting RPKI settings to the LIR is difficult and impossible to keep up to date. Because updating and setting up RPKI for a large number of IPv6 prefixes to LIR is a very heavy task. What I mean is that the person who actually manages the use of the IP prefix should be allowed to set up RPKI himself in RIPE.

From: Gert Doering <gert@space.net>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 17:39:51 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Hi,

On Thu, Nov 14, 2024 at 12:31:01AM +0800, xiaoyu.net via Manrs-community wrote:
> For example, RIPE has route6 and inet6num. It can be queried and verified at any time. RIPE now has a large number of people who are not LIRs but actually use IP networks. I mean promoting security should be available to everyone. Since you are assigning IP addresses to non-LIRs for use, you should provide security capabilities to anyone who actually manages the use of the IP addresses.

IP addresses assigned by the RIPE NCC have a contractual relationship, and money flows. *Of course* they can have RPKI ROAs.

Do not confuse "RIPE" (which is the community) and "RIPE NCC" (which is the company that runs the database and the RPKI servers). Otherwise it is very hard to figure out what you are trying to say.

Of course "RIPE has a large number of people" (because it's "all of us", no?) but that's not exactly meaningful for the question "who gave them their IP addresses?". This entity can handle RPKI - and it might not be the RIPE NCC.

Gert Doering -- NetMaster

I think they could, but the holder of the /40 should have a CA and manage its own RPKI.

So, basically the /40 holder would have a hosted RPKI (as RIRs do today) that the customers could use to sign their sub-allocated IP space.

Not easy, possibly not today but the technology is there.

Regards
as

On Wed, Nov 13, 2024 at 5:55 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:
> I don't agree with this view. For example, a /40 ipv6 address block is assigned to a person who has no connection with the LIR. Submitting RPKI settings to the LIR is difficult and impossible to keep up to date. Because updating and setting up RPKI for a large number of IPv6 prefixes to LIR is a very heavy task. What I mean is that the person who actually manages the use of the IP prefix should be allowed to set up RPKI himself in RIPE.

I know, I can host RPKI. But it is not suitable. What kind of situation exists? For example, obtaining a /40 IPv6 address may be obtained through 10 people. The person who finally uses the IP is unlikely to find a LIR to set up RPKI. But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who ultimately uses the IP to set up RPKI themselves.

From: Arturo Servin <arturo.servin@google.com>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 17:58:59 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

I think they could, but the holder of the /40 should have a CA and manage its own RPKI.

So, basically the /40 holder would have a hosted RPKI (as RIRs do today) that the customers could use to sign their sub-allocated IP space.

Not easy, possibly not today but the technology is there.

Regards
as

I think that since someone is licensed to use the IP, they should also be allowed to submit their own RPKI to the RIRs. Especially since the number of IPv6 addresses is very huge, it is unreasonable to ask a LIR to submit and update RPKI in RIR for each /48 IPv6 address. For example, if there are hundreds of millions of /48 IPv6 addresses that need to be set up for hundreds of millions of people, how can this be reasonable? Our goal is to make the entire network secure. Security should be easy to implement. Protect everyone.

From: "xiaoyu.net via Manrs-community" <manrs-community@elists.manrs.org>
To: manrs-community@elists.manrs.org
Date: Thu, 14 Nov 2024 01:07:53 +0800
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

I know, I can host RPKI. But it is not suitable. What kind of situation exists? For example, obtaining a /40 ipv6 address may be obtained through 10 people. The person who finally uses the ip is unlikely to find a LIR to set up RPKI. But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who ultimately uses the IP to set up RPKI themselves.

Hi,

On Thu, Nov 14, 2024 at 01:27:21AM +0800, xiaoyu.net via Manrs-community wrote:
> I think that since someone is licensed to use the IP, they should also be allowed to submit their own RPKI to the RIRs. Especially since the number of IPv6 addresses is very huge, it is unreasonable to ask a LIR to submit and update RPKI in RIR for each /48 IPv6 address. For example, if there are hundreds of millions of /48 IPv6 addresses that need to be set up for hundreds of millions of people, how can this be reasonable? Our goal is to make the entire network secure. Security should be easy to implement. Protect everyone.

There is no need to set up RPKI "for each /48".

You can't announce "hundreds of millions of /48" to BGP anyway.

Gert Doering -- NetMaster
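Gert's point above, as an added example that is not from any poster in this thread: route origin validation in the style of RFC 6811 is evaluated per BGP announcement, so ROAs are needed per announced prefix and origin rather than per assigned /48. The prefixes, AS numbers and ROA set are constructed documentation values, and `roas_still_needed` is a hypothetical helper name.

```python
"""Route origin validation (RFC 6811 style) over a constructed ROA set."""
import ipaddress
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: prefix, maximum length, authorised origin AS."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int


def vrp(prefix, asn, max_length=None):
    """Build a VRP; maxLength defaults to the prefix's own length."""
    net = ipaddress.ip_network(prefix)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return VRP(net, max_length, asn)


def validate(route, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        # A VRP covers the route when the route lies inside the VRP prefix.
        if v.prefix.version != net.version or not net.subnet_of(v.prefix):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength.
        # AS0 in a ROA never matches any origin.
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    # Covered but unmatched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"


def roas_still_needed(announcements, vrps):
    """Announcements (prefix, origin AS) that no current VRP makes valid."""
    return [(r, a) for r, a in announcements if validate(r, a, vrps) != "valid"]


# Constructed sample data: documentation prefixes and documentation ASNs.
LIR_AS, USER_A_AS, USER_B_AS, OTHER_AS = 64496, 64500, 64501, 64502

VRPS = [
    vrp("2001:db8:100::/40", LIR_AS),     # one ROA for the whole /40 aggregate
    vrp("2001:db8:1a0::/48", USER_A_AS),  # end user who announces from own AS
]

ANNOUNCEMENTS = [
    ("2001:db8:100::/40", LIR_AS),     # aggregate announced by the /40 holder
    ("2001:db8:1a0::/48", USER_A_AS),  # sub-allocation with its own ROA
    ("2001:db8:1b0::/48", USER_B_AS),  # sub-allocation announced without a ROA
    ("2001:db8:200::/40", OTHER_AS),   # space with no ROA at all
]

if __name__ == "__main__":
    for route, asn in ANNOUNCEMENTS:
        print(f"{route:22} AS{asn}  {validate(route, asn, VRPS)}")
    aggregate = VRPS[0].prefix
    possible_48s = 2 ** (48 - aggregate.prefixlen)
    missing = roas_still_needed(ANNOUNCEMENTS, VRPS)
    print(f"{aggregate} contains {possible_48s} possible /48s; "
          f"{len(missing)} announced routes still lack a matching ROA")
```

The third announcement is the case the thread argues about: a sub-allocation announced from the end user's own AS under a covering ROA is invalid until whoever can sign for that space issues a ROA for it.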

Well, your proposal is also not very suitable.

> But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who

Yes, in that we agree. RIRs should let sub-allocation holders generate ROAs; that could help RPKI adoption and reduce work for the ISP re-allocating space to customers.

But you can do it with the current hosted system, you do not need fancy blockchain.

Regards
as

On Wed, Nov 13, 2024 at 6:12 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:
> I know, I can host RPKI. But it is not suitable. What kind of situation exists? For example, obtaining a /40 ipv6 address may be obtained through 10 people. The person who finally uses the ip is unlikely to find a LIR to set up RPKI. But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who ultimately uses the IP to set up RPKI themselves.

> But you can do it with the current hosted system, you do not need fancy blockchain.

I didn't say blockchain.

I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves.

I think it would be a good idea for manrs to set up an RPKI hosting service.

From: Arturo Servin <arturo.servin@google.com>
To: "xiaoyu.net" <yon@xiaoyu.net>
Cc: manrs-community@elists.manrs.org
Date: Wed, 13 Nov 2024 18:34:43 +0100
Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Well, your proposal is also not very suitable.

> But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who

Yes, in that we agree. RIRs should let sub-allocation holders generate ROAs; that could help RPKI adoption and reduce work for the ISP re-allocating space to customers.

But you can do it with the current hosted system, you do not need fancy blockchain.

Regards
as

> I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves.

I think that is a good idea.

> I think it would be a good idea for manrs to set up an RPKI hosting service.

That is not a good idea. RIRs should provide the service to sub-allocation holders as they know to whom a sub-allocation has been given (as long as the main holder has recorded it).

Regards
as

On Wed, Nov 13, 2024 at 6:46 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:
> > But you can do it with the current hosted system, you do not need fancy blockchain.
>
> I didn't say blockchain.
>
> I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves.
>
> I think it would be a good idea for manrs to set up an RPKI hosting service.

At least for now, ARIN and RIPE do not allow actual IP users to manage and set up RPKI themselves. So think about what we can do. In addition, I think manrs should provide some technical information and methods to help implement network security.
From: Arturo Servin <arturo.servin@google.com> To: "xiaoyu.net" <yon@xiaoyu.net> Cc: manrs-community@elists.manrs.org Date: Wed, 13 Nov 2024 18:50:30 +0100 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology
I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves.
I think that is a good idea.
I think it would be a good idea for manrs to set up an RPKI hosting service.
That is not a good idea. RIRs should provide the service to sub-allocation holders as they know to whom a sub-allocation has been given (as long as the main holder has recorded it).
Regards
as
On Wed, Nov 13, 2024 at 6:46 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:
But you can do it with the current hosted system, you do not need fancy blockchain.
I didn't say blockchain. I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves. I think it would be a good idea for manrs to set up an RPKI hosting service.
From: Arturo Servin <arturo.servin@google.com> To: "xiaoyu.net" <yon@xiaoyu.net> Cc: manrs-community@elists.manrs.org Date: Wed, 13 Nov 2024 18:34:43 +0100 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology
Well, your proposal is also not very suitable.
But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who
Yes, in that we agree. RIRs should let sub-allocation holders generate ROAs, that could help RPKI adoption and reduce work for the ISP re-allocating space to customers. But you can do it with the current hosted system, you do not need fancy blockchain.
Regards
as
On Wed, Nov 13, 2024 at 6:12 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:
I know, I can host RPKI. But it is not suitable. What kind of situation exists? For example, obtaining a /40 ipv6 address may be obtained through 10 people. The person who finally uses the ip is unlikely to find a LIR to set up RPKI. But the person who ultimately uses the IP should have a RIPE account, and RIPE should allow the person who ultimately uses the IP to set up RPKI themselves.
From: Arturo Servin <arturo.servin@google.com> To: "xiaoyu.net" <yon@xiaoyu.net> Cc: manrs-community@elists.manrs.org Date: Wed, 13 Nov 2024 17:58:59 +0100 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology
I think they could, but the holder of the /40 should have a CA and manage its own RPKI. So, basically the /40 holder would have a hosted RPKI (as RIRs do today) that the customers could use to sign their sub-allocated IP space. Not easy, possibly not today but the technology is there.
Regards
as
On Wed, Nov 13, 2024 at 5:55 PM xiaoyu.net via Manrs-community <manrs-community@elists.manrs.org> wrote:
I don't agree with this view. For example, a /40 ipv6 address block is assigned to a person who has no connection with the LIR. Submitting RPKI settings to the LIR is difficult and impossible to keep up to date. Because updating and setting up RPKI for a large number of IPv6 prefixes to LIR is a very heavy task. What I mean is that the person who actually manages the use of the IP prefix should be allowed to set up RPKI himself in RIPE.

xiaoyu.net via Manrs-community wrote on 13/11/2024 17:42:
I mean to allow the person who authorizes the use of the IP to submit and manage the ROA and RPKI settings themselves.
Are you talking about a LIR assignment from an allocated block of LIR addresses? If that's the case, then it's the LIR that authorises the use of the IP address block, and they can manage them as appropriate. The holder of the addresses doesn't change because it's been assigned to a customer of theirs.
If you're talking about a direct assignment from the RIPE NCC (i.e. ASSIGNED PI), then there's a couple of policy items that would be relevant. One would be that assignments can't be sub-assigned, i.e. if you're thinking of sharing this with other people, it's probably not permitted by policy. Another would be that the annual charge for the address space is low because there's a sponsoring LIR who is a RIPE NCC member, who handles the relationship with the RIPE NCC. I.e. you don't have a direct relationship with the RIPE NCC.
If you want a direct relationship with the RIPE NCC, you can become a member and handle your own RPKI. Or if this is a direct assignment you could ask your sponsoring LIR to set you up with hosted RPKI, and run your own service.
I think it would be a good idea for manrs to set up an RPKI hosting service.
How would a third party organisation be able to attest legally that someone was the canonical holder of a block of IP addresses? The only organisation in the RIPE NCC service region that can do that is the RIPE NCC - because they're the address registry and have the canonical list of assignments and allocations.
Nick

I'm mainly talking about the IP obtained from LIR PA. As I said before, there is a situation where the end user's IP address is not obtained directly from the LIR, but may be obtained through 10 people. Therefore, it is unlikely that the end user will directly find the LIR to set it, or it is difficult. In addition, the volume of IPv6 is huge. It is unrealistic to let a LIR manage the RPKI settings of hundreds of millions of IPv6 /48. Once there is any change, it will be a huge task. Therefore, many people simply do not set up RPKI. I think people who end up using it should be given a way to manage it themselves.
From: "Nick Hilliard (INEX)" <nick@inex.ie> To: "xiaoyu.net" <yon@xiaoyu.net> Cc: manrs-community@elists.manrs.org Date: Wed, 13 Nov 2024 18:00:44 +0000 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Hi,
On Thu, Nov 14, 2024 at 02:20:15AM +0800, xiaoyu.net via Manrs-community wrote:
I'm mainly talking about the IP obtained from LIR PA. As I said before, there is a situation where the end user's IP address is not obtained directly from the LIR, but may be obtained through 10 people.
This is a nondesirable scenario, so why should it be made easy?
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Hi,
On Thu, Nov 14, 2024 at 12:50:54AM +0800, xiaoyu.net via Manrs-community wrote:
I don't agree with this view. For example, a /40 ipv6 address block is assigned to a person who has no connection with the LIR. Submitting RPKI settings to the LIR is difficult and impossible to keep up to date. Because updating and setting up RPKI for a large number of IPv6 prefixes to LIR is a very heavy task. What I mean is that the person who actually manages the use of the IP prefix should be allowed to set up RPKI himself in RIPE.
A /40 IPv6 can be assigned by the RIPE NCC, or by an ISP (acting for the LIR). So the chain of assignment is clear, and if the ISP is permitting independent BGP announcement of said /40, they can do the RPKI ROA just fine ("two clicks in the RIPE LIR portal") - and if not, it's their decision to not allow that.
If the /40 is coming from the RIPE NCC, the NCC will do RPKI.
Normally the ROA setup is a one-time thing - if you have "a large number of prefixes" and RPKI changes all the time (making it a "very heavy task"), it sounds as if you're mostly holding it wrong.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

I don't know why it's so hard for you to understand this. /40 can be allocated to many /48s. Make full use of the IP space. Any situation is possible. Let everyone manage their own information. Why make each LIR do it? Since you are allowed to manage ROA yourself, why not allow you to manage RPKI yourself? What I mean is to popularize security. For example, SSL certificates were sold at high prices before, but now almost everyone can use SSL certificates for free and they can be automated. Does RPKI have to be manually operated by LIR every time? This is like you authorize someone to use your house. You must give the key to the guest so that they can manage the security themselves, right? Do you have to ask the landlord to open the door every time? Is this necessary?
From: Gert Doering <gert@space.net> To: "xiaoyu.net" <yon@xiaoyu.net> Cc: manrs-community@elists.manrs.org Date: Wed, 13 Nov 2024 21:10:03 +0100 Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology

Hi,
On Thu, Nov 14, 2024 at 01:21:26PM +0800, xiaoyu.net via Manrs-community wrote:
I don't know why it's so hard for you to understand this. /40 can be allocated to many /48s. Make full use of the IP space. Any situation is possible. Let everyone manage their own information. Why make each LIR do it? Since you are allowed to manage ROA yourself, why not allow you to manage RPKI yourself?
Not sure who of us is not understanding :-) (But I might indeed not be understanding what you are talking about, since most of the things you do complain about are a non-issue really)
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

xiaoyu.net via Manrs-community wrote on 14/11/2024 05:21:
I don't know why it's so hard for you to understand this. /40 can be allocated to many /48s. Make full use of the IP space. Any situation is possible. Let everyone manage their own information. Why make each LIR do it? Since you are allowed to manage ROA yourself, why not allow you to manage RPKI yourself?
I'm not clear what you're trying to do here. Maybe you could explain your end goal and that might clarify what sort of options you would have?
The point of RPKI is routing security. If you get an IP address assignment from your LIR from a RIR allocation ("ALLOCATED PA"), the LIR is responsible for the routing security associated with that block. If they're happy for you to handle the routing of a subnet of it, they can choose to sub-delegate that using self-hosted RPKI. But if they don't want to do that, then that's their choice. They have the right to do this because that's matched with the responsibility of managing that block, which includes stewardship of the resource, paying the LIR, managing customer assignments and all that. They're the IP resource holder, not you.
If you want to handle this yourself, then get a direct assignment ("ASSIGNED PI") and you can be responsible for that. You can get your nearest LIR to act as sponsor for this, in which case, you can ask them to set up self-hosted RPKI for you, and you then can run your own authority. If they don't want to do this, you can get another LIR to sponsor your LIR, or you can open your own LIR, or you can get an assignment directly from the RIPE NCC and engage with them directly. The last two options are expensive, so maybe if this is for home / private use then it's probably too expensive.
I.e. if this is for public DFZ inter-domain routing, you'll need to register your own address space and use the existing frameworks for managing RPKI. If this is for a private routing system / home use VPN, then why not run your own private TAL and do whatever you want with that?
Nick

Dear Xiaoyu (by lack of a signature in your messages, I don't know who you are),
First, I think you need to familiarize yourself with the concept of aggregation in BGP and the RIPE policies for Provider Aggregatable address space and why we want to do that.
I think both ideas are stupid. The way it works now is that there is always either a PA allocation to an LIR or a direct PI allocation to an individual that should have a sponsoring LIR that can make changes on his behalf, or give its sponsoring customers access to the hosted RPKI system: https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/resource-c...
RIPE already has the possibility to create ROAs for PI or LEGACY address space, and even lets the assignment holder manage the ROAs. But it is the sponsoring LIR that can give you that authority by giving you your own maintainer object in the RIPE database to manage your PI holder organisation and ROAs. If your current sponsor doesn't give you that authority, choose a different sponsoring LIR: https://www.ripe.net/manage-ips-and-asns/resource-management/number-resource...
I can imagine that sponsoring LIRs are reluctant to give that authorisation, because most of the time the address holders of PI address space have no clue how the RIPE database nor its policies or RPKI work, and that is a security risk by itself. This email thread is a great example that even here on the MANRS mailing list people don't understand how the registry system works. I have the experience, maintaining IRR data and RPKI ROAs for many PI customers, that in the end I always need to help them when changes are necessary. Mostly after a number of years and their sysadmin that had some clue left the company many moons ago because he was underpaid. Give me a prefix, and I will tell you who you need to go to to maintain your RPKI ROA.
I also think it will be a very bad idea to let MANRS or any other organisation like RADB handle RPKI trust anchors. I will certainly not use those trust anchors in my validator as they will be untrustworthy. There is no guarantee the ROAs are created by the legitimate IP holders. Only the RIRs can verify the ROAs are created by the legitimate IP holder since they maintain the allocations to those holders. This is the whole concept of RPKI.
In that same sense, I do not trust any RADB IRR data, as anyone can just create objects in that database. We require address holders to create route objects in an RIR IRR if we need to route their traffic, the non-RIR IRRs are too much a mess to be reliable because of these unauthorised objects. We want to get rid of those IRRs, so people don't get these stupid insecure ideas: https://ripe88.ripe.net/wp-content/uploads/presentations/87-RIPE88_RS_Propos....
/40 can be allocated to many /48s
No they cannot. That would be a BGP nightmare and all routers would die (https://www.youtube.com/watch?v=_y36fG2Oba0). They can be "-ASSIGNED-" to many /48s. Please familiarize yourself with what that means and why.
Kind regards,
Antoin Verschuren
Senior Manager Network Security
IETF REGEXT Co-chair
Liberty Global Technology Services B.V.
Boeing Avenue 53
1119 PE Schiphol-Rijk
The Netherlands
www.libertyglobal.com
From: Manrs-community <manrs-community-bounces@elists.manrs.org> On Behalf Of xiaoyu.net via Manrs-community Sent: Thursday 14 November 2024 06:21 To: manrs-community@elists.manrs.org Subject: Re: [manrs-community] Implementing Decentralized RPKI with Blockchain Technology
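The trust question argued in this thread (a delegated CA for the /40 holder versus a trust anchor run by a third party) comes down to one check a relying party performs: each certificate's resources must lie inside its issuer's, and the chain must end at a trust anchor the validator was configured with. The sketch below is an added example, not code from any participant or from RPKI software; it models only that containment check, omits signature verification, and every certificate name, prefix (documentation range) and AS number in it is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(text):
    return ipaddress.ip_network(text)


@dataclass(frozen=True)
class ResourceCert:
    subject: str
    issuer: Optional[str]   # None marks a self-signed trust anchor
    resources: tuple        # IP prefixes listed in the certificate


@dataclass(frozen=True)
class Roa:
    signer: str             # subject of the CA certificate that issued the ROA
    prefix: object
    asn: int


def within(prefix, resources):
    """True if prefix lies inside one of the listed resource prefixes."""
    return any(prefix.version == r.version and prefix.subnet_of(r)
               for r in resources)


def validate_roa(roa, certs, configured_tas):
    """Walk from the ROA's signer up to a trust anchor.

    Returns (accepted, reason). Strict containment: a certificate that
    claims anything its issuer does not hold invalidates the chain.
    """
    cert = certs.get(roa.signer)
    if cert is None:
        return False, "unknown signer"
    if not within(roa.prefix, cert.resources):
        return False, "ROA prefix not in signer's resources"
    seen = set()
    while cert.issuer is not None:
        if cert.subject in seen:
            return False, "issuer loop"
        seen.add(cert.subject)
        parent = certs.get(cert.issuer)
        if parent is None:
            return False, "broken chain"
        if not all(within(r, parent.resources) for r in cert.resources):
            return False, f"{cert.subject} claims resources its issuer does not hold"
        cert = parent
    if cert.subject not in configured_tas:
        return False, f"chain ends at {cert.subject}, not a configured trust anchor"
    return True, f"chains to {cert.subject}"


# Constructed hierarchy: registry -> LIR -> /40 holder running its own CA,
# plus a CA that overclaims and a self-declared third-party trust anchor.
CERTS = {c.subject: c for c in [
    ResourceCert("rir-ta", None, (net("2001:db8::/32"),)),
    ResourceCert("lir-ca", "rir-ta", (net("2001:db8:a000::/36"),)),
    ResourceCert("customer-ca", "lir-ca", (net("2001:db8:ab00::/40"),)),
    ResourceCert("overclaim-ca", "lir-ca", (net("2001:db8:b000::/40"),)),
    ResourceCert("thirdparty-ta", None, (net("2001:db8:ab00::/40"),)),
]}

DELEGATED = Roa("customer-ca", net("2001:db8:ab12::/48"), 64500)
OVERCLAIMED = Roa("overclaim-ca", net("2001:db8:b000::/48"), 64501)
THIRD_PARTY = Roa("thirdparty-ta", net("2001:db8:ab12::/48"), 64511)

if __name__ == "__main__":
    for name, roa in [("delegated", DELEGATED), ("overclaimed", OVERCLAIMED),
                      ("third-party", THIRD_PARTY)]:
        print(name, validate_roa(roa, CERTS, {"rir-ta"}))
    # Only the relying party's own configuration makes this one pass:
    print("third-party, TA loaded",
          validate_roa(THIRD_PARTY, CERTS, {"rir-ta", "thirdparty-ta"}))
```

The third-party ROA is accepted only once the validator operator adds that trust anchor, and nothing in the chain ties its claim on the /40 back to the registry that issued the space.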
participants (5)
- Arturo Servin
- Gert Doering
- Nick Hilliard (INEX)
- Verschuren, Antoin
- xiaoyu.net