Mailing List Archive

Your Input Needed: Can ROA Replace LOA? - Short Survey (7 mins)
Hello everyone,

Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement for LOAs. Separate to this (and unaware of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.

An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to its transit provider, confirming its custodianship or ownership of the resources.

RPKI ROA, which stands for "Resource Public Key Infrastructure Route Origin Authorization," is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.

Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.

Survey Link: https://www.surveymonkey.com/r/JCHLWBB

Thanks,
Christopher Hawker
Re: Your Input Needed: Can ROA Replace LOA? - Short Survey (7 mins)
There is IPv4 exhaustion and many ISPs lease IPv4 space from other
entities, such as brokers and other providers. One of the biggest IPv4
lessors is Cogent. By Cogent having legacy IP space from IANA which it
inherited when it acquired PSInet, Cogent was not required to sign a
contract when RIR ARIN was created.

Therefore, Cogent currently does not have and is not a member of ARIN. It
refuses to sign a contract with ARIN and currently Cogent is not bound by
this RUD rules and regulations.

There is one downfall to not being an ARIN member, Cogent cannot currently
issue ROAs or RPKIs. They only update RIR in ROADB database for the leased
out IP addresses.

By implicitly requiring ROA or RPKI for IPv4 space leased from Cogent,
about 70% of small ISPs that were created after IPv4 space exhaustion,
would not be able to route their IPv4 traffic, because currently they lease
IPv4 space from Cogent, and as we mentioned, by Cogent refusing to become
an ARIN member, it cannot issue ROAs or RPKIs, and therefore ISPs using this
leased IPv4 space can only use LOAs for validation.
Re: Your Input Needed: Can ROA Replace LOA? - Short Survey (7 mins)
>
> Therefore, Cogent currently does not have and is not a member of ARIN. It
> refuses to sign a contract with ARIN and currently Cogent is not bound by
> this RUD rules and regulations.
>
> There is one downfall to not being an ARIN member, Cogent cannot currently
> issue ROAs or RPKIs. They only update RIR in ROADB database for the leased
> out IP addresses.
>

Not entirely accurate.

Cogent Communications is already a General Member of ARIN. You can see that
for yourself here: https://account.arin.net/public/member-list .
*Membership* is not a prerequisite for anything RPKI.

ARIN requires an RSA or LRSA in place covering a number resource before
they will be the trust anchor for that number resource. In the design of
RPKI, this should make logical sense. Many legacy resource holders have
their own reasons on why they chose not to sign an LRSA for those
resources, so there is a chicken/egg problem here.

Cogent can participate in RPKI with any non-legacy resources without a
problem, as anything non-legacy is covered by an RSA.


On Fri, Nov 17, 2023 at 8:13 AM George Toma <toma@visnetworkrd.com> wrote:

> There is IPv4 exhaustion and many ISPs lease IPv4 space from other
> entities, such as brokers and other providers. One of the biggest IPv4
> lessors is Cogent. By Cogent having legacy IP space from IANA which it
> inherited when it acquired PSInet, Cogent was not required to sign a
> contract when RIR ARIN was created.
>
> Therefore, Cogent currently does not have and is not a member of ARIN. It
> refuses to sign a contract with ARIN and currently Cogent is not bound by
> this RUD rules and regulations.
>
> There is one downfall to not being an ARIN member, Cogent cannot currently
> issue ROAs or RPKIs. They only update RIR in ROADB database for the leased
> out IP addresses.
>
> By implicitly requiring ROA or RPKI for IPv4 space leased from Cogent,
> about 70% of small ISPs that were created after IPv4 space exhaustion,
> would not be able to route their IPv4 traffic, because currently they lease
> IPv4 space from Cogent, and as we mentioned, by Cogent refusing to become
> an ARIN member, it cannot issue ROAs or RPKIs, and therefore ISPs using this
> leased IPv4 space can only use LOAs for validation.
>
Re: Your Input Needed: Can ROA Replace LOA? - Short Survey (7 mins)
> On Nov 17, 2023, at 07:02, Tom Beecher <beecher@beecher.cc> wrote:
>
>> Therefore, Cogent currently does not have and is not a member of ARIN. It refuses to sign a contract with ARIN and currently Cogent is not bound by this RUD rules and regulations.
>>
>> There is one downfall to not being an ARIN member, Cogent cannot currently issue ROAs or RPKIs. They only update RIR in ROADB database for the leased out IP addresses.
>
> Not entirely accurate.
>
> Cogent Communications is already a General Member of ARIN. You can see that for yourself here : https://account.arin.net/public/member-list . *Membership* is not a prerequisite for anything RPKI.

Membership is not, but…

You can’t have ARIN resources under contract without also getting membership along with them any more, so, effectively, you can’t get RPKI without membership.

However, just because you are a member doesn't mean you can get RPKI for all of your resources… Indeed, you can only get RPKI for your resources under ARIN contract.

> ARIN requires an RSA or LRSA in place covering a number resource before they will be the trust anchor for that number resource. In the design of RPKI, this should make logical sense. Many legacy resource holders have their own reasons on why they chose not to sign an LRSA for those resources, so there is a chicken/egg problem here.

Interestingly, RIPE-NCC will issue RPKI for non-contracted resources if they have a sponsoring LIR. Generally this means paying 70-100EU/year/resource to some RIPE member (who ends up passing 50EU of that to RIPE as part of their annual fees). LIR Prices vary greatly, so be prepared to negotiate.

Or just don’t bother with RPKI, you’re not really missing anything.

Owen