Something I’ve been curious about for some time: since deployment of RPKI is (mostly) hosted by the RIRs and ultimately, the RIRs control the validation chain, what would happen if the RIR creates (or, if you prefer, is directed by court order to create) INVALIDs?
As explained earlier, RIRs cannot "create" INVALIDs. Remember that RIRs role in RPKI is to validate that the organization creating ROAs is the one authorized to do so, because the number resources are assigned to them. That's it. They have no function in saying anything about the ROAs themselves. RIRs could always invalidate the resource certificate if forced, which would invalidate those ROAs too, but that would lead to NOTFOUND from a validator, **NOT INVALID** INVALID means 'a VRP exists that covers this prefix, but does not MATCH it'. On Thu, Nov 14, 2024 at 5:22 AM David Conrad <drc@virtualized.org> wrote:
Tom,
Something I’ve been curious about for some time: since deployment of RPKI is (mostly) hosted by the RIRs and ultimately, the RIRs control the validation chain, what would happen if the RIR creates (or, if you prefer, is directed by court order to create) INVALIDs?
Regards, -drc
On Nov 13, 2024, at 11:59 PM, Tom Beecher <beecher@beecher.cc> wrote:
In technical terms, RIRs can indeed configure IPs to become RPKI invalid.
Incorrect.
If the RIR revokes the resource certificate used to sign the ROA, the ROA is also then revoked. Validator software will then remove the VRPs that had been created from that previously valid ROA. If there are no other VRPs that cover the BGP message parameters, the validator will return NOTFOUND.
If the RIR refused to publish or deleted the ROA, validators will eventually delete them, which also removes the VRP previously created. If there are no other VRPs that cover the BGP message parameters, the validator will return NOTFOUND.