nanog mailing list archives

Re: Implementing Decentralized RPKI with Blockchain Technology


From: Tom Beecher <beecher () beecher cc>
Date: Thu, 14 Nov 2024 12:03:35 -0500


Something I’ve been curious about for some time: since deployment of RPKI
is (mostly) hosted by the RIRs and ultimately, the RIRs control the
validation chain, what would happen if the RIR creates (or, if you prefer,
is directed by court order to create) INVALIDs?


As explained earlier, RIRs cannot "create" INVALIDs.

Remember that the RIRs' role in RPKI is to validate that the organization
creating ROAs is the one authorized to do so, because the number resources
are assigned to them. That's it. They have no function in saying anything
about the ROAs themselves.

RIRs could always invalidate the resource certificate if forced, which
would invalidate those ROAs too, but that would lead to NOTFOUND from a
validator, **NOT INVALID**. INVALID means 'a VRP exists that covers this
prefix, but does not MATCH it'.


On Thu, Nov 14, 2024 at 5:22 AM David Conrad <drc () virtualized org> wrote:

Tom,

Something I’ve been curious about for some time: since deployment of RPKI
is (mostly) hosted by the RIRs and ultimately, the RIRs control the
validation chain, what would happen if the RIR creates (or, if you prefer,
is directed by court order to create) INVALIDs?

Regards,
-drc

On Nov 13, 2024, at 11:59 PM, Tom Beecher <beecher () beecher cc> wrote:

In technical terms, RIRs can indeed configure IPs to become RPKI invalid.


Incorrect.

If the RIR revokes the resource certificate used to sign the ROA, the ROA
is also then revoked. Validator software will then remove the VRPs that had
been created from that previously valid ROA. If there are no other VRPs
that cover the BGP message parameters, the validator will return NOTFOUND.

If the RIR refused to publish or deleted the ROA, validators will
eventually delete them, which also removes the VRP previously created. If
there are no other VRPs that cover the BGP message parameters, the
validator will return NOTFOUND.
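The distinction Tom draws above (a revoked certificate or deleted ROA yields NOTFOUND, while INVALID requires a covering VRP that does not match) is the RFC 6811 origin validation procedure. The following is an added, self-contained illustration, not code from the thread: it implements that procedure over a constructed VRP set and shows that removing the VRPs derived from a revoked certificate can only move a route to NOTFOUND. The `cert_id` label and the documentation prefix/ASN values are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin ASN) triple.
    cert_id is a constructed label for the resource certificate the ROA was signed under."""
    prefix: str
    max_length: int
    asn: int
    cert_id: str


def covers(vrp: VRP, route_prefix: str) -> bool:
    """RFC 6811: a VRP covers a route when the route prefix is equal to or more specific than the VRP prefix."""
    v, r = ip_network(vrp.prefix), ip_network(route_prefix)
    return v.version == r.version and r.subnet_of(v)


def matches(vrp: VRP, route_prefix: str, origin_asn: int) -> bool:
    """A VRP matches when it covers the route, the route length is <= maxLength, and the origin ASN is equal."""
    return (covers(vrp, route_prefix)
            and ip_network(route_prefix).prefixlen <= vrp.max_length
            and vrp.asn == origin_asn)


def validate(vrps, route_prefix: str, origin_asn: int) -> str:
    """Route Origin Validation: VALID if any VRP matches, INVALID if some VRP covers but none matches, else NOTFOUND."""
    covering = [v for v in vrps if covers(v, route_prefix)]
    if not covering:
        return "NOTFOUND"
    if any(matches(v, route_prefix, origin_asn) for v in covering):
        return "VALID"
    return "INVALID"


def revoke_certificate(vrps, cert_id: str):
    """Model the RIR revoking a resource certificate: the validator drops every VRP derived from ROAs signed under it."""
    return frozenset(v for v in vrps if v.cert_id != cert_id)


# Constructed sample: a single ROA for a documentation prefix, signed under a constructed certificate label.
VRPS = frozenset({VRP("192.0.2.0/24", 24, 64496, "cert-holder-A")})

if __name__ == "__main__":
    print(validate(VRPS, "192.0.2.0/24", 64496))   # VALID: a VRP matches
    print(validate(VRPS, "192.0.2.0/24", 64511))   # INVALID: covered, but wrong origin ASN
    print(validate(VRPS, "192.0.2.0/25", 64496))   # INVALID: covered, but more specific than maxLength
    after = revoke_certificate(VRPS, "cert-holder-A")
    print(validate(after, "192.0.2.0/24", 64511))  # NOTFOUND: no covering VRP remains, so no INVALID is possible
```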

