[ excuse typos; minor hand surgery ]

> Aren't the valid ranges for an AS specified in the RPKI-protected
> routing data feed (where RPKI is available)?

not really, on a number of dimensions

first, have a look at draft-ietf-sidrops-rpki-has-no-identity

i suggest we not drag ASs into this; they are orthogonal to address
space ownership. e.g. someone owns a /24, but creates a ROA to
authorize AS42, their upstream, to actually originate the prefix.
i.e. ASs do not 'own' address space, the RPKI enables, through ROAs,
for address space owners to authorize ASs to announce a (possibly
improper) subset of the owner's address space.

and inetnum:s are quite disjoint from ASs. heck, i have loaned
198.133.206.0/24 to be used by a north macedonian exchange point (not
joking).

also, neither the RPSL nor the RPKI invert to enumerate the address
space announced by an AS. operators and researchers use the current
bgp tables from routers, route views, or ripe/ris if we want today's
map.

> How does a client know that an IP range specified in the geodata feed
> is valid under a given RPKI signature?

the rpki is formally authoritative for ip space ownership. in a
sense, the rpki was created to rigorously fill the gap left by the
lack of authenticity of RPSL.

the signature in the geofeed file can be 3779 validated to the trust
anchor of the RIR (it should be to the IANA, but the RIRs are at war
with the IANA). and the IANA is the ultimate authority for address
space, and through it the RIRs.

> I.e., that the given AS has authority over that IP range?

again, let's not drag ASs in here. they are not ip space owners.

the complexity of this space is embarrassing. sorry. i hope this
helps. willing to chat on zoom or whatever.

randy

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
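
An added example, not part of the original message: a sketch of the address-resource half of the RFC 3779 check mentioned above, where each certificate's IP resources must sit inside its issuer's and every geofeed prefix must sit inside the signing certificate's. The certificate names, the chain contents and the geofeed lines are constructed (only 198.133.206.0/24 comes from the message), signature verification is out of scope, and no AS number is involved anywhere.

```python
import ipaddress

def covered(prefix, resources):
    """True if prefix lies wholly inside one block of the resource set."""
    p = ipaddress.ip_network(prefix)
    return any(p.version == r.version and p.subnet_of(r)
               for r in map(ipaddress.ip_network, resources))

def first_overclaim(chain):
    """chain: [(name, [prefixes])] ordered trust anchor -> signing cert.
    Returns the first cert claiming space its issuer does not hold, else None."""
    for (_, issuer_res), (name, res) in zip(chain, chain[1:]):
        if not all(covered(p, issuer_res) for p in res):
            return name
    return None

def check_geofeed(lines, chain):
    """Map each geofeed prefix to whether the signing cert's resources cover it."""
    bad = first_overclaim(chain)
    if bad is not None:
        raise ValueError(f"{bad} claims resources outside its issuer's")
    signer_res = chain[-1][1]
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments (the signature lives in comments)
        prefix = line.split(",")[0]
        result[prefix] = covered(prefix, signer_res)
    return result

# Constructed sample data: hypothetical cert names and resource sets.
CHAIN = [
    ("rir-trust-anchor", ["198.0.0.0/8"]),
    ("holder-ca",        ["198.133.206.0/23"]),
    ("geofeed-signer",   ["198.133.206.0/24"]),
]
GEOFEED = [
    "# constructed geofeed lines",
    "198.133.206.0/24,MK,,,",
    "192.0.2.0/24,US,,,",      # outside the signer's resources
]

if __name__ == "__main__":
    for prefix, ok in check_geofeed(GEOFEED, CHAIN).items():
        print(prefix, "covered" if ok else "NOT covered by signer resources")
```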