Hi Randy,

> so, you would exclude CAs which have resources from multiple RIRs?


I didn’t say that..  the question from the NCC is .. do we want to run an non restictive publication point and support whatever someone uploads to it ..
or do we need to restrict it to ripe region resources..

if you want to publish self signed resources from multiple rir regions.. you are able to do so by setting up an instance per region.. or use software that can manage that by publishing the resources  back to where the delegation came from..

We worked for years with irrdb’s like radb that would accept everything from everywhere .. I hoped we learned something from that mess at the design table ..

So again, not excluding anyone .. just push the stuff where it belongs …

Erik Bais

A ROA or Route Origin Authorization is an attestation of a BGP route announcement. It attests that the origin AS number is authorized to announce the prefix(es).

Both the AS number and the prefix(es) are resources issued by an RIR. Are you saying both the AS number and the prefix(es) for ROA must be issued by RIPE to be accepted?  I think that would be overly restrictive.

I could see maybe only accepting ROAs authorizing address resources that RIPE has issued. Or am I missing something? I'm admittedly an amateur when it comes to RPKI.