On Thu, 2019-10-31 at 19:34 +0000, Nick Hilliard wrote:
> Petrit Hasani wrote on 31/10/2019 14:28:
> > A new RIPE Policy proposal, 2019-08, "RPKI ROAs for Unallocated and Unassigned RIPE NCC Address Space" is now available for discussion.
>
> From a political point of view, I'm deeply uncomfortable with the idea of the RIPE NCC setting out to make preemptive declarations of routability for anything other than holders of resource allocations / assignments. This is new and precedents like this could weaken the RIPE NCC's case if it were to argue in court that it was inappropriate for it to create false ROAs for address blocks.

The declaration that is envisioned is more akin to "there is no party authorised to make routing attestations regarding this space". If by "false ROAs" you mean ones that contradict the intentions of the assignee, then this is hardly the same thing.

Perhaps an alternative would be a resource X.509 attribute that says "this CA cert does not issue EE certs", so that any resources that it contains could be implicitly considered bogons unless delegated to a subordinate CA. This is of course a (large) protocol change.

Cheers,
Ben