Hi Stephen, Stephen Kent wrote: > ... >> Ok, then I'll continue with mine line of thinking. >> From the RIR stats files that RIRs publish daily we could get the numbers of >> distinct resource holders. They are: >> >> AFRINIC 1310 >> APNIC 7957 >> ARIN 35380 >> LACNIC 4278 > What is the definition of a "distinct resource holder?" Does this correspond > to an account with the RIR, or is there some other > definition? >> Now, these are only the first level resource holders under RIRs. They all >> *must* have their own CAs in order to participate in >> RPKI. However, many of these first-level resource holders are NIRs > Many are NIRs?
No. You broke the line in the wrong place. I meant "many (NIRs or LIRs)". > There are no many NIRs in the world, and today the ones in APNIC (the region > with the most NIRs) act as RAs, not CAs. So it's not > clear that one should be counting them. >> or LIRs, who distribute resources further down to their clients. They could >> choose to manage their clients' RPKI objects within >> their single CA, but could also give their clients own certificates, >> creating next level of CA hierarchy. > The distinction you cite here is not quite correct. Even if an LIR manages > RPKI objects for folks to whom that have sub-allocated > resources, each of those folks is represented by a CA. Not necessarily. The LIR could create a ROA for client's assignment, using LIR's allocation certificate. I'm not saying they should do it like this, but they could. And I have a feeling that might become a common case. But I think LIRs could say for themselves. For example, how many their clients maintain Whois objects themselves, and for how many LIRs doing it? > The question is who runs that CA, and whether the CA's pub point lives in a > different repository. >> I find it difficult to estimate how many LIRs will do this, and for how many >> of their clients. But for RIPE NCC I could see that >> the number of organisation objects in RIPE DB is 70746, and that should be >> the upper bound of the number of CAs in our region. I >> don't have that number for other regions, and don't know if it's applicable >> in the same way, especially where NIRs are present. >> > NIRs are probably not relevant in this counting approach. My point was that it's quite difficult to estimate the upper bound of possible CAs. NIR or LIR does not matter, I agree. -- Oleg Muravskiy RIPE NCC _______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr