Hacker News new | past | comments | ask | show | jobs | submit login

RPKI uses CAs at the RIRs because the RIRs are who make the IP allocations and have a relationship with the IP holders and can (at least in theory) authenticate the holders.

Just as a RIR could issue a certificate for your IPs to someone else, they could change WHOIS, which is how IP delegations are generally cross referenced.

You're welcome to accept (or propagate) someone's advertisements without RPKI in case of some dispute with their RIR, but expect to get called out for it if the routes are bogus if you don't answer your NOC phone or email or twitters.

Actually, I don't think Cloudflare was even calling Verizon out for not doing RPKI, which is fairly new and has costs, it was more for not limiting prefix counts; a small customer should probably be limited to 2n + 4 prefixes where N is the average number of prefixes they've advertised over the past 30 days; or like they have to put their prefixes in a portal or something.

Filtering customer advertisements with IRRs is also pretty normal.

But really, you gotta answer the phone. The steel guys answered the phone.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact