On 27 Feb 2013, at 15:42, Wilfried Woeber <Woeber@CC.UniVie.ac.at> wrote:
Hi Alex,
Alex Band wrote:
[...]
As soon as the Registry is updated and the resources are associated with the new holder, the LIR can optionally request a resource certificate for it. This does mean that a transition is not seamless; there is a gap where there is no certificate and no ROA, which has an effect on the RPKI validity state of the associated BGP announcements. More on that below.
Let's assume that there was a certificate for the full block of the current holder. Part of that space moves to a new holder. While it is "obvious" that there's no certificate for that space, it would also be "obvious" that the encompassing certificate would have to become invalid, e.g. by being revoked by the CA. Correct?
No. If an LIR requested a resource certificate, it will at all times reflect the Registry. So if certain resources are added or removed from an LIR, a new, updated certificate is issued automatically to reflect the new situation, without user interaction required. So this applies for both parties if they had certification enabled. The only thing the receiving party would have to do is create a ROA for the new address space, to authorise the BGP announcement they will be doing with it. Until that time, the announcement will remain with the "unknown" state (so NOT invalid).

-Alex
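
The "unknown" versus "invalid" distinction in the reply above can be seen in a minimal route origin validation routine following RFC 6811. This is an added example, not part of the original message and not RIPE NCC code. The prefixes (documentation ranges), the AS numbers (documentation range) and the assumption that no remaining ROA covers the transferred block during the gap are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: what a relying party extracts from a valid ROA."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(route_prefix, origin_asn, vrps):
    """Classify a BGP announcement as 'valid', 'invalid' or 'unknown' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        # A VRP is relevant only if its prefix contains the announced prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # Match: announced length within maxLength and same origin AS (AS0 never matches).
        if route.prefixlen <= vrp.max_length and vrp.asn == origin_asn and vrp.asn != 0:
            return "valid"
    # Covered but unmatched is 'invalid'; no covering VRP at all is 'unknown'.
    return "invalid" if covered else "unknown"

# Constructed sample data (assumptions, not taken from the thread).
OLD_HOLDER_ROA = VRP("198.51.100.0/24", 24, 64496)  # space the old holder keeps
NEW_HOLDER_ROA = VRP("203.0.113.0/24", 24, 64511)   # ROA the receiving party creates
TRANSFERRED = "203.0.113.0/24"

def transfer_timeline():
    """Validity state of the new holder's announcement before and after its ROA exists."""
    gap = [OLD_HOLDER_ROA]                 # assumed: nothing covers the transferred block
    after_roa = gap + [NEW_HOLDER_ROA]
    return {
        "gap": validate_origin(TRANSFERRED, 64511, gap),
        "after_roa": validate_origin(TRANSFERRED, 64511, after_roa),
        "wrong_origin": validate_origin(TRANSFERRED, 64500, after_roa),
    }

if __name__ == "__main__":
    for stage, state in transfer_timeline().items():
        print(f"{stage}: {state}")
```
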