Stephen Kent wrote:
> Oleg,
>
>> ...
>>> I agree that an LIR could behave the way you indicated, but in so doing it needs to track which other LIRs provide service to the customer in question, in order to generate ROAs for each of them. If it fails to do so, any connections to other LIRs may be ignored, as the NLRI in question will be represented by a valid ROA pointing to another AS#. That might create a liability for the LIR. That's why Section 7.3.2 of RFC 6480 cites this as the least desirable option.
>> If I understand correctly, you refer to multi-homed end-users here.
> yes, but not PI space holders.
>> In our region such users normally receive a provider-independent (PI) address space from RIPE NCC directly, so they will have their own CA and will have to maintain it.
> I don't know if that is the most common practice, vs. a PA-space user moving from being single-homed to multi-homed. This is what the cited text refers to.
>> However, there are also many end-users with provider-aggregatable address space that they received from LIRs. And this is where I find it quite difficult to continue with estimations, because
>> - these end-users could still be multi-homed
> if they are not multi-homed, they are invisible to BGP and thus do not need RPKI credentials. So, let's assume that the entities in question are multi-homed, with a PA space allocation.
>> - or they might need to have own CAs for some other reason
> The preferred approach, as noted, is for multi-homed subscribers to be represented by a CA.
>> - their LIRs might prefer to give them responsibility for their CA
> agreed.
>> - or prefer to not give them that responsibility
> also an option.
>> From my perspective I do not know any source of data to collect/guess the number of end-users who will need their own CA, or the number of LIRs who would prefer to delegate CAs to their clients. I think LIRs / operators might know better. This is what I said in my previous email.
> As best I know, so far we have no LIRs who have gotten this far in the RPKI space, so I too look forward to hearing from those who are considering this next step.
>
> But, irrespective of this detail, isn't it reasonable to use the number of (live) ASes as the basis for the number of pub points (CAs)? To first order, any entity that needs to be explicitly represented in the RPKI is associated with an AS#, whether they are an LIR, a PI space holder, or a multi-homed holder of PA space (from an LIR).
I don't know. I see that 1 AS = 1 CA is often referred to as reasonable. But I do not see why an AS operator, using a single AS#, cannot serve multiple organisations that got their address space from somewhere else. So all these organisations will have CAs, will create ROAs, but would not operate their own ASes.

--
Oleg Muravskiy
RIPE NCC
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr