Re: [sig-policy] Comments on prop-059-v001: Using the Resource Public Ke
> in IRR is different from RPKI data. How would it help in routing for
> such cases?
it is assumed that they will register as they wish. the point here is
that the *relying party* chooses which version to give priority.
if the registrant did not intend the rpki/roa to be used they did not
have to issue/sign it.
> + How can we confirm that ROA is based on authentic RPKI?
see 200kg of documents on how the rpki works. essentially, you have a
trust anchor for iana and the roa can validate up to that trust anchor.
> Could we really not change the route object at all?
the route: object in the overlay irr generated from the rpki roa can
only be changed by the prefix owner by changing the roa.
the route: object in the apnic or whichever irr segments can be changed
by the normal means for those irr segments.
> + what are we trying to achieve by strengthening security by overlay
> publication point? ie., trying to make the system work even if
> APNIC's IRR fails, for example? (just trying to understand the
> intention)
giving a relying party the option to prefer a more strongly validatable
binding of prefix to origin asn.
randy
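
The relying-party choice described in the message above, sketched as an added example that is not part of the original mail or of the proposal's own tooling. The field names, the "RPKI" source label for the ROA-derived overlay, and all prefixes and ASNs are constructed for illustration; the ROAs are assumed to have already been validated up to the trust anchor.

```python
import ipaddress

# Constructed sample data (documentation prefixes, private-use ASNs).
IRR_ROUTES = [  # route: objects from a conventional IRR segment
    {"route": "192.0.2.0/24", "origin": 64500, "source": "APNIC"},
    {"route": "198.51.100.0/24", "origin": 64501, "source": "APNIC"},
]
VALIDATED_ROAS = [  # assumed already validated up to the trust anchor
    {"prefix": "192.0.2.0/24", "max_length": 24, "asn": 64510},
]

def roa_covers(roa, route):
    """True if the ROA's prefix and maxLength cover the given route."""
    roa_net = ipaddress.ip_network(roa["prefix"])
    net = ipaddress.ip_network(route)
    return (net.version == roa_net.version
            and net.subnet_of(roa_net)
            and net.prefixlen <= roa["max_length"])

def candidate_origins(route, irr_routes, roas):
    """Collect the origin ASNs each source asserts for one route."""
    by_source = {}
    for roa in roas:
        # A covering ROA yields an overlay route: entry under source "RPKI".
        if roa_covers(roa, route):
            by_source.setdefault("RPKI", set()).add(roa["asn"])
    wanted = ipaddress.ip_network(route)
    for obj in irr_routes:
        if ipaddress.ip_network(obj["route"]) == wanted:
            by_source.setdefault(obj["source"], set()).add(obj["origin"])
    return by_source

def preferred_origins(route, irr_routes, roas, preference=("RPKI", "APNIC")):
    """Relying-party policy: take the first source in `preference` with data."""
    by_source = candidate_origins(route, irr_routes, roas)
    for source in preference:
        if source in by_source:
            return source, by_source[source]
    return None, set()

if __name__ == "__main__":
    for r in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"):
        print(r, preferred_origins(r, IRR_ROUTES, VALIDATED_ROAS))
```

Reordering `preference` is the whole policy knob: the same data gives a different answer for 192.0.2.0/24 when the IRR segment is listed first.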