Re: Implementing Decentralized RPKI with Blockchain Technology

[Robert McKay via NANOG <nanog () nanog org>]

Possibly one use of a blockchain RPKI would be to restrict the RIR's 
ability to sign RPKIs to address ranges under their management. The 
blockchain would then be used for inter-RIR transfers, preventing RIRs 
from going rogue and interfering with each other's RPKIs (such as a 
court using it's power over RIRs in it's jurisdiction to censor address 
space under another RIR). Perhaps over time additional RIRs could be 
created or even end user orgs could withdraw their RPKIs from the legacy 
RIR system into the new RIRs or their own custody.

-Rob

On 2024-11-14 10:22, David Conrad via NANOG wrote:
> Tom,
>
> Something I’ve been curious about for some time: since deployment of
> RPKI is (mostly) hosted by the RIRs and ultimately, the RIRs control
> the validation chain, what would happen if the RIR creates (or, if you
> prefer, is directed by court order to create) INVALIDs?
>
> Regards,
> -drc
>
> > On Nov 13, 2024, at 11:59 PM, Tom Beecher <beecher () beecher cc>
> > wrote:
> >
> > > In technical terms, RIRs can indeed configure IPs to become RPKI
> > > invalid.
> >
> > Incorrect.
> >
> > If the RIR revokes the resource certificate used to sign the ROA,
> > the ROA is also then revoked. Validator software will then remove
> > the VRPs that had been created from that previously valid ROA. If
> > there are no other VRPs that cover the BGP message parameters, the
> > validator will return NOTFOUND.
> >
> > If the RIR refused to publish or deleted the ROA, validators will
> > eventually delete them, which also removes the VRP previously
> > created. If there are no other VRPs that cover the BGP message
> > parameters, the validator will return NOTFOUND.