[RPKI] On entitlements and communications
Aistis Zenkevičius
aistis at heficed.com
Thu Sep 10 05:46:25 UTC 2020
Hi list
Coule of questions regarding Krill in a context of it being a child for RIR CA:
- is it possible to catch the certificate revocation from RIR end? Simply someone clicks on "Revoke" button in, for example, RIPE NCC's portal. According to Github, Krill used to "Log all RFC8181 and RFC6492 protocol messages. #143", then it started "Only save significant RFC6492 or RFC8181 exchanges #172", and at the moment, I'm not sure whether this is configurable at all. I did find a couple of messages under _data/rfc6492/<uuid>, but to be useful, they would need to be readable.
- is it possible to catch entitlement changes? E.g. resource added/removed? In fact, has anyone experienced/tried entitlement changes with any of RIRs and has it worked properly? I had at least one case where certain IPv6 or ASN resource has been added after RPKI has been set up at ARIN side and it didn't show up in their management until we requested to regenerate certificate via support ticket. So I wonder how this looks with Krill. Unofficially (and without looking at code, since my Rust skills are rusty) I heard Krill follows RFC6492 and contacts parent CA every 10 minutes asking for entitlement changes and other things.
Thanks,
Aistis
More information about the RPKI
mailing list