Stephen Kent wrote:
Oleg,
...
I'm not opposed to the 1AS = 1CA idea. It's just that in my mind RPKI associates with IP space holders, not AS operators,
because this is how we do RPKI on RIR level. And on this level we already have more distinct IP space holders than the number of
active AS. I don't know much about LIR to end user level, maybe the number of CAs there will be insignificant.
The RPKI is about who holds both sets of resources: addresses and AS#s. So, yes, as an RIR issuing certs for address space, the focus is on address space holders. When we discuss using AS#'s to estimate the number of CAs it is just because that seems like a reasonable estimator, not because it is the basis for the management of address space.
But RIRs will issue certificates to IP numbers holders, no matter how many AS# they have. This is a fact, not an estimator.
And it already makes the number of CAs created by RIRs bigger than the number of ASes. So I do not see why you still insist that the
total number of CAs is reasonably equal to the number of ASes.
But the difference is not that big, so maybe we should mention in the requirements document all different estimations and stop this
discussion.
I am curious, though. When RIPE acts as a CA on behalf of 1300+ entities with address space, have you included the AS#s in the CA certs you issued, when the address space holders have AS#'s from RIPE?
No, we do not include AS# in our certificates.
--
Oleg Muravskiy
RIPE NCC