> + There could be cases where prefix that operator wishes to register
> in IRR is different from RPKI data. How would it help in routing for
> such cases?

it is assumed that they will register as they wish. the point here is
that the *relying party* chooses which version to give priority. if the
registrant did not intend the rpki/roa to be used they did not have to
issue/sign it.

> + How can we confirm that ROA is based on authentic RPKI?

see 200kg of documents on how the rpki works. essentially, you have
trust anchor for iana and the roa can validate up to that trust anchor.

> Could we really not change the route object at all?

the route: object in the overlay irr generated from the rpki roa can
only be changed by the prefix owner by changing the roa. the route:
object in the apnic or whichever irr segments can be changed by the
normal means for those irr segments.

> + what are we trying to achieve by strengthening security by overlay
> publication point? ie., trying to make the system work even if
> APNIC's IRR fails, for example? (just trying to understand the
> intention)

giving a relying party the option to prefer a more strongly validatable
binding of prefix to origin asn.

randy
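
An added illustration, not part of the message above or of any registry's code, of a relying party choosing which source of route: objects gets priority when the ROA-derived overlay and an IRR segment disagree. Assumptions: the source names `RPKI-OVERLAY` and `APNIC` are hypothetical labels, ROAs are already validated and reduced to (prefix, origin ASN) pairs, prefixes are matched exactly, and all sample data is constructed.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

class RouteObject(NamedTuple):
    prefix: str   # canonical CIDR string
    origin: int   # origin AS number
    source: str   # IRR segment the object came from

def canon(prefix):
    """Normalise a prefix so equal networks compare equal as strings."""
    return str(ipaddress.ip_network(prefix, strict=True))

def overlay_from_roas(roas, source="RPKI-OVERLAY"):
    """Build overlay route objects from validated (prefix, origin_asn) ROA pairs."""
    return [RouteObject(canon(p), asn, source) for p, asn in roas]

def relying_party_view(objects, priority):
    """For each prefix keep only objects from the highest-priority source present."""
    rank = {src: i for i, src in enumerate(priority)}
    by_prefix = defaultdict(list)
    for obj in objects:
        if obj.source in rank:  # sources the relying party does not list are ignored
            by_prefix[obj.prefix].append(obj)
    view = []
    for prefix in sorted(by_prefix):
        best = min(rank[o.source] for o in by_prefix[prefix])
        view.extend(o for o in by_prefix[prefix] if rank[o.source] == best)
    return view

def render(obj):
    """Render in RPSL style: route: for IPv4, route6: for IPv6."""
    attr = "route6" if ipaddress.ip_network(obj.prefix).version == 6 else "route"
    return f"{attr}: {obj.prefix}\norigin: AS{obj.origin}\nsource: {obj.source}\n"

# Constructed sample data (documentation prefixes and documentation ASNs).
ROAS = [("192.0.2.0/24", 64500), ("2001:db8::/32", 64501)]
IRR = [
    RouteObject(canon("192.0.2.0/24"), 64511, "APNIC"),     # disagrees with the ROA
    RouteObject(canon("198.51.100.0/24"), 64502, "APNIC"),  # no ROA for this prefix
]

if __name__ == "__main__":
    merged = overlay_from_roas(ROAS) + IRR
    for obj in relying_party_view(merged, ["RPKI-OVERLAY", "APNIC"]):
        print(render(obj))
```

Reversing the priority list makes the same relying party prefer the IRR segment's object for 192.0.2.0/24, which is the choice the reply leaves to each relying party.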