We are working on a PoC with regard to DR with AWS.
We are doing BYOIP and were asked to create an ROA record which I can
easily understand. But AWS also requests an X.509 certificate as per:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
which needs to be added to a new "descr:" tag.
They state in their page:
"When you provision an address range for use with AWS, you are
confirming that you control the address range and are authorizing Amazon
to advertise it. We also verify that you control the address range
through a signed authorization message. This message is signed with the
self-signed X.509 key pair that you used when updating the RDAP record
with the X.509 certificate. AWS requires a cryptographically signed
authorization message that it presents to the RIR. The RIR authenticates
the signature against the certificate that you added to RDAP, and checks
the authorization details against the ROA."
Why isn't creating an ROA proof enough that I control the address range?
Why are 2 forms of authentication needed (ROA & X.509)? What will happen to
the pollution of the descr tag if others like Azure and GCP decide on
something similar? Should the community form a standard rather than let
the descr field become polluted?
Regards,
Hank
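
The signed-authorization check described in the quoted AWS text, as an added example that is not part of the original message or of AWS's documentation: the prefix holder signs a message with the private key, and a verifier holding only the published certificate accepts that exact message and rejects an altered one. The message wording, the RSA-PSS/SHA-256 parameters, the account ID, the prefix and all file and function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: sign an authorization message with a self-signed X.509
# key pair, then verify it using only the public certificate.
# All names and values below are placeholders, not AWS's or the RIR's.

WORK=$(mktemp -d)

# Prefix holder: create the self-signed key pair. cert.pem is the part that
# would be published in the registry record; key.pem never leaves the holder.
make_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=byoip-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Prefix holder: sign the message text ($1) with the private key.
sign_msg() {
    printf '%s' "$1" | openssl dgst -sha256 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -sign "$WORK/key.pem" -out "$WORK/sig.bin"
}

# Verifier: holds only cert.pem, the message ($1) and the signature.
# Returns 0 when the signature matches the message, non-zero otherwise.
verify_msg() {
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
    printf '%s' "$1" | openssl dgst -sha256 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

MSG='authorize account=111122223333 prefix=203.0.113.0/24'    # constructed
OTHER='authorize account=999999999999 prefix=203.0.113.0/24'  # altered account

demo() {
    make_keypair && sign_msg "$MSG" || return 1
    verify_msg "$MSG"   && echo "original message: signature valid"
    verify_msg "$OTHER" || echo "altered message: signature rejected"
}
demo
```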