<div dir="ltr">Reading Carlos's first post reminded me of a presentation [1,2] from the Cloudflare team at LACNIC 31 about RPKI.<br>That's why I asked about the difficulties and ease of automation, comparing hosted and delegated modes.<br><br>I remember someone mentioning at that event (perhaps it was hallway chat) how the RPKI up-down protocol would be a solution for this...<br><br>Since then, a lot has changed!<br>- Many RIRs, NIRs, and LIRs have made moves and started offering better support for RPKI definitions in their APIs (some still don't support it).<br>- Delegated mode with up-down has really emerged and grown, and it's working, with both good and bad examples of availability.<br><br>Well, after almost 6 years, I think an analysis of this is in order.<br>The data Job provided is excellent for this. And it would be even more impressive if academics analyzed this data on CA malfunctions in a graph over time.<br>Perhaps comparing it with data from notable events involving routing failures on the internet.<br><br>[1] <a href="https://www.lacnic.net/innovaportal/file/3635/1/lacnic-cloudflares-rpki-validator.pdf">https://www.lacnic.net/innovaportal/file/3635/1/lacnic-cloudflares-rpki-validator.pdf</a><br>[2] <a href="https://youtu.be/bdeZh6kBYkg?t=3729">https://youtu.be/bdeZh6kBYkg?t=3729</a></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, 23 Sep 2025 at 12:53, Carlos Martinez-Cagnazzo <<a href="mailto:carlos@lacnic.net">carlos@lacnic.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p>Hey, </p>
<div>On 23/9/25 12:48 PM, Job Snijders
wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto"><span>On Tue, 23 Sep 2025 at 17:41, Carlos
Martinez-Cagnazzo <<a href="mailto:carlos@lacnic.net" target="_blank">carlos@lacnic.net</a>>
wrote:</span><br>
</div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" dir="auto">Thanks Job,<br>
<br>
I believe there is a sweet spot somewhere. If you run a
really large <br>
org, I believe operationally it makes sense to run your own
CA. You may <br>
run into things like the need to run transfers, move space
from one <br>
service to the other and you will feel more at home running
something <br>
you can deeply integrate with your automation platforms.<br>
<br>
If you run a small org, you are definitely better off on
hosted.</blockquote>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">I disagree with some of what you say. Having
worked for several large orgs, I contend that
the RIR-provided APIs work just as well as poking the APIs of an
internal CA; the RIR's are probably better.</div>
</div>
</div>
</blockquote>
<p>There is a risk-management side of things that we cannot ignore.
But I digress.</p>
<p>I think this is one point where we can agree to disagree :-)</p>
<blockquote type="cite">
<div dir="auto">
<div class="gmail_quote">
<div dir="auto"><br>
</div>
<div dir="auto">The observable experience with “a really large
org running their own CA”, so far has only demonstrated that
the large org repeated all the mistakes that the RIRs made
in the beginning.</div>
<div dir="auto"><br>
</div>
<div dir="auto">“Large” just doesn’t equate “good execution”.</div>
<div dir="auto"><br>
</div>
</div>
</div>
</blockquote>
<p>IMO that's a separate discussion. I agree with you, but I believe
that should be taken care of "out of band", if you will. Be it
policies, MANRS or whatnot. </p>
<p>One thing I believe we would all benefit from is some form of
"RPKI Etiquette" that of course involves properly running delegated
CAs.</p>
<blockquote type="cite">
<div dir="auto">
<div class="gmail_quote">
<div dir="auto">Kind regards,</div>
<div dir="auto"><br>
</div>
<div dir="auto">Job</div>
</div>
</div>
</blockquote>
/Carlos
<blockquote type="cite">
<br>
<fieldset></fieldset>
<pre>_______________________________________________
LACNOG mailing list
<a href="mailto:LACNOG@lacnic.net" target="_blank">LACNOG@lacnic.net</a>
<a href="https://mail.lacnic.net/mailman/listinfo/lacnog" target="_blank">https://mail.lacnic.net/mailman/listinfo/lacnog</a>
Unsubscribe: <a href="https://mail.lacnic.net/mailman/options/lacnog" target="_blank">https://mail.lacnic.net/mailman/options/lacnog</a>
</pre>
</blockquote>
</div>
</blockquote></div><div><br clear="all"></div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">Douglas Fernando Fischer<br>Control and Automation Engineer<br><div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:"courier new",monospace"></div></div></div>
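<p>Editor's added example, not code from any participant in this thread: the "good and bad examples of availability" of delegated CAs that Douglas mentions, and the "CA malfunctions in a graph over time" he would like to see analyzed, become concrete once you replay what a relying party sees when it fetches a CA's RRDP notification file (RFC 8182, section 3.4.3). The script below parses constructed notification files (the <code>rrdp.example.net</code> URIs, session ids and timestamps are placeholders, and the hashes are dummies, since no content is fetched) and classifies each fetch as a normal delta update, a snapshot fetch, or a CA-side anomaly: serial regression, session reset, delta gap, or an unparsable response such as an error page. The resulting event list is the kind of time series one would plot per CA.</p>

```python
"""Replay RRDP notification fetches of one CA repository and flag the
update outcomes an RPKI relying party must derive from them
(RFC 8182 section 3.4.3).  Added example; every notification below is
constructed inline, not fetched from a real CA."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"


@dataclass(frozen=True)
class Notification:
    session_id: str
    serial: int
    snapshot_uri: str
    delta_serials: tuple  # serials of the deltas the CA currently advertises


def parse_notification(xml_text: str) -> Notification:
    """Extract the fields that drive the update decision from a notification file."""
    root = ET.fromstring(xml_text)
    if root.tag != RRDP_NS + "notification" or root.get("version") != "1":
        raise ValueError("not an RRDP v1 notification file")
    snapshot = root.find(RRDP_NS + "snapshot")
    if snapshot is None:
        raise ValueError("notification lacks the mandatory <snapshot> element")
    deltas = tuple(sorted(int(d.get("serial")) for d in root.findall(RRDP_NS + "delta")))
    return Notification(root.get("session_id"), int(root.get("serial")),
                        snapshot.get("uri"), deltas)


def classify_update(local_session: Optional[str], local_serial: Optional[int],
                    notif: Notification) -> str:
    """Decide what a relying party must do after fetching `notif`,
    given the session/serial it last synchronised to (None on first run)."""
    if local_session is None:
        return "snapshot: first sync"
    if notif.session_id != local_session:
        return "snapshot: session reset"          # CA restarted its session: full resync
    if notif.serial == local_serial:
        return "noop: up to date"
    if notif.serial < local_serial:
        return "error: serial regression"         # CA went backwards: do not apply
    needed = set(range(local_serial + 1, notif.serial + 1))
    if needed <= set(notif.delta_serials):
        return f"deltas: {local_serial + 1}..{notif.serial}"
    return "snapshot: delta gap"                  # CA pruned deltas we still needed


def replay(fetches):
    """Walk (timestamp, body) fetches in order and return (timestamp, action) events.
    Local state only advances on outcomes a relying party would actually apply."""
    session, serial, events = None, None, []
    for ts, body in fetches:
        try:
            n = parse_notification(body)
        except (ET.ParseError, ValueError) as exc:
            events.append((ts, f"error: unparsable notification ({exc})"))
            continue
        action = classify_update(session, serial, n)
        if not action.startswith("error"):
            session, serial = n.session_id, n.serial
        events.append((ts, action))
    return events


def malfunctions(events):
    """The CA-side anomalies worth plotting over time."""
    return [(ts, a) for ts, a in events
            if a.startswith("error") or a in ("snapshot: session reset", "snapshot: delta gap")]


def _notif(session, serial, delta_serials):
    """Build a constructed notification file (dummy hashes, placeholder host)."""
    h = "00" * 32
    deltas = "".join(f'<delta serial="{s}" uri="https://rrdp.example.net/{session}/{s}/delta.xml" hash="{h}"/>'
                     for s in delta_serials)
    return (f'<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
            f'session_id="{session}" serial="{serial}">'
            f'<snapshot uri="https://rrdp.example.net/{session}/{serial}/snapshot.xml" hash="{h}"/>'
            f'{deltas}</notification>')


# Constructed fetch history of one repository (timestamps are placeholders).
SAMPLE_FETCHES = [
    ("2025-09-01T00:00Z", _notif("sess-a", 100, [99, 100])),   # first sync
    ("2025-09-01T00:10Z", _notif("sess-a", 102, [100, 101, 102])),  # normal deltas
    ("2025-09-01T00:20Z", _notif("sess-a", 101, [101])),       # serial went backwards
    ("2025-09-01T00:30Z", _notif("sess-a", 102, [102])),       # back to normal, nothing new
    ("2025-09-01T00:40Z", _notif("sess-b", 5, [5])),           # CA reset its session
    ("2025-09-01T00:50Z", _notif("sess-b", 9, [8, 9])),        # deltas 6 and 7 pruned
    ("2025-09-01T01:00Z", "503 Service Unavailable"),          # error page instead of XML
]

if __name__ == "__main__":
    for ts, action in replay(SAMPLE_FETCHES):
        print(ts, action)
```

Hash verification of the fetched snapshot and delta bodies is deliberately left out (it needs the bodies), but in a real relying party a hash mismatch is another event that belongs in the same series.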