<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
Hi David,
<div><br>
</div>
<div>> <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;">Both the AS number and the prefix(es) are resources issued by an RIR. Are you saying both the AS number and the prefix(es) for ROA must be issued by RIPE to
be accepted? I think that would be overly restrictive.</span>
<div class="gmail_quote" style="-webkit-text-size-adjust: auto; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<br>
</div>
<div class="gmail_quote" style="-webkit-text-size-adjust: auto; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
> I could see maybe only accepting ROAs authorizing address resources that RIPE has issued.</div>
<div class="gmail_quote" style="-webkit-text-size-adjust: auto; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<br>
</div>
<div class="gmail_quote" style="-webkit-text-size-adjust: auto; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
That was exactly what I had in mind as well.. as per ROAs, filter to accept only what was allocated / assigned by the RIPE NCC. The AS number could be from any RIR. </div>
<div><br>
</div>
<div>Regards, </div>
<div>Erik </div>
<div><br>
</div>
<div dir="ltr">Sent from my iPhone</div>
<div dir="ltr"><br>
<blockquote type="cite">On 29 Sep 2022, at 21:52, David Farmer <farmer@umn.edu> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Sep 29, 2022 at 2:11 PM Erik Bais <<a href="mailto:ebais@a2b-internet.com">ebais@a2b-internet.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi Randy, <br>
<br>
> so, you would exclude CAs which have resources from multiple RIRs?<br>
<br>
<br>
I didn’t say that.. the question from the NCC is .. do we want to run a non-restrictive publication point and support whatever someone uploads to it ..
<br>
or do we need to restrict it to RIPE region resources.. <br>
<br>
If you want to publish self-signed resources from multiple RIR regions.. you are able to do so by setting up an instance per region.. or use software that can manage that by publishing the resources back to where the delegation came from..
<br>
<br>
We worked for years with IRRDBs like RADB that would accept everything from everywhere .. I hoped we learned something from that mess at the design table ..
<br>
<br>
So again, not excluding anyone .. just push the stuff where it belongs … <br>
<br>
Erik Bais<br>
</blockquote>
<div><br>
</div>
A ROA or Route Origin Authorization is an attestation of a BGP route announcement. It attests that the origin AS number is authorized to announce the prefix(es).<br>
<br>
Both the AS number and the prefix(es) are resources issued by an RIR. Are you saying both the AS number and the prefix(es) for ROA must be issued by RIPE to be accepted? I think that would be overly restrictive.</div>
<div class="gmail_quote"><br>
</div>
<div class="gmail_quote">I could see maybe only accepting ROAs authorizing address resources that RIPE has issued. Or am I missing something? I'm admittedly an amateur when it comes to RPKI. <br>
<div> </div>
</div>
<div>Thanks</div>
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">===============================================<br>
David Farmer <a href="mailto:Email%3Afarmer@umn.edu" target="_blank">
Email:farmer@umn.edu</a><br>
Networking & Telecommunication Services<br>
Office of Information Technology<br>
University of Minnesota <br>
2218 University Ave SE Phone: 612-626-0815<br>
Minneapolis, MN 55414-3029 Cell: 612-812-9952<br>
=============================================== </div>
</div>
</div>
</blockquote>
</div>
</body>
</html>