A measurement of the RPKI adoption of the >3k Tor prefixes
Hi,

since I used your data, API (RIPEstat) and tools (RPKI validator) I figured I send you also my IRR and RPKI measurement results:

https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijackin...

Thanks for making RIPEstat available for everyone.

If anyone can comment on how hard it is to get a ROA for a legacy IP block for a RIPE member without converting it to ALLOCATED PA block first, that would be interesting.

Also: is there any reason why a RIPE member would prefer to retain the LEGACY status? (instead of converting it)

thanks,
nusenu

btw: While collecting the IRR data I stumbled on a problem with RIPEstat where it would say there is no IRR entry but NTTCOM actually had it (Christian is looking into it).

https://stat.ripe.net/data/prefix-routing-consistency/data.json?resource=36....
(if you change it to /17 the expected record will appear)

    "routes": [
      {
        "origin": 10013,
        "irr_sources": [],            <<<<-------------------
        "in_whois": false,            <<<<-------------------
        "asn_name": "FBDC - FreeBit Co.,Ltd.",
        "prefix": "36.55.0.0/16",     <<<<-------------------
        "in_bgp": true
      }

vs

    whois -h rr.ntt.net 36.55.0.0/16

    route:    36.55.0.0/16
    descr:    FreeBit CIDR
    origin:   AS10013
    notify:   noc@FreeBit.NET
    mnt-by:   MAINT-FBDC
    changed:  y.ishizaki@FreeBit.NET 20120821
    source:   NTTCOM

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
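Added example (not part of the original message, and not RIPEstat or NTT code): the cross-check described in the "btw" note above, flagging announced routes that the RIPEstat prefix-routing-consistency data lists with no IRR source although an IRR whois answer holds a matching route object. The sample inputs are rebuilt from the values quoted in the message; the JSON wrapper and the function names are assumptions.

```python
import ipaddress
import json

# Constructed sample: values are those quoted in the message; the JSON wrapper
# is a minimal assumption, and the whois answer is abridged to the fields used.
RIPESTAT_JSON = '''{"routes": [{"origin": 10013, "irr_sources": [],
  "in_whois": false, "asn_name": "FBDC - FreeBit Co.,Ltd.",
  "prefix": "36.55.0.0/16", "in_bgp": true}]}'''
WHOIS_TEXT = """route:   36.55.0.0/16
descr:   FreeBit CIDR
origin:  AS10013
mnt-by:  MAINT-FBDC
source:  NTTCOM
"""

def parse_rpsl(text):
    """Split RPSL whois output into objects: dicts of attribute -> list of values."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last object
        if not line.strip():                   # a blank line ends an object
            if current:
                objects.append(current)
            current = {}
        elif line[0] not in "%# \t+" and ":" in line:   # skip comments/continuations
            key, value = line.split(":", 1)
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return objects

def irr_mismatches(ripestat_routes, rpsl_objects):
    """Routes in BGP that RIPEstat lists with no IRR source although an IRR has them."""
    irr = {}                                   # (network, origin ASN) -> [IRR source, ...]
    for obj in rpsl_objects:
        for prefix in obj.get("route", []) + obj.get("route6", []):
            net = ipaddress.ip_network(prefix, strict=False)
            for origin in obj.get("origin", []):
                asn = int(origin.upper().removeprefix("AS"))
                irr.setdefault((net, asn), []).extend(obj.get("source", ["unknown"]))
    found = []
    for r in ripestat_routes:
        key = (ipaddress.ip_network(r["prefix"], strict=False), int(r["origin"]))
        if r["in_bgp"] and not r["irr_sources"] and key in irr:
            found.extend((r["prefix"], key[1], src) for src in irr[key])
    return found

def demo():
    routes = json.loads(RIPESTAT_JSON)["routes"]
    return irr_mismatches(routes, parse_rpsl(WHOIS_TEXT))

if __name__ == "__main__":
    print(demo())
```

The match is on the exact prefix and origin ASN, so a covering or more-specific route object does not count as a mismatch.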
Hi Nusenu,
If anyone can comment on how hard it is to get a ROA for a legacy IP block for a RIPE member without converting it to ALLOCATED PA block first, that would be interesting. Also: is there any reason why a RIPE member would prefer to retain the LEGACY status? (instead of converting it)
RPKI is a service that should also be available for Legacy resource holders.

A Legacy resource is a resource that was handed out by IANA or prior orgs, before the RIPE NCC was set up. The status of Legacy resources is handed in the name of the actual resource holder, same as that it was decided by the 5 RIRs and IANA at some point, that IANA would only hand down resources through the regional internet registries (RIRs).

The Legacy holders in the RIPE region have a special status as their resources are registered (also in the RIPE DB), but don't fall under the RIPE policy, unless specifically stated by the policy and agreed upon by the community.

The main reason why Legacy holders want to keep their status is because the resource is theirs. With RIPE PA or RIPE PI space, the holdership and right to use is attached to a membership with the RIPE NCC or a contractual relationship. So it is a right of use. Legally there are some differences and for some organizations that is not an issue, but others prefer to keep it to themselves.

Legacy holders can should have a contract with the RIPE NCC in order to be able to use the RPKI service, as it should be documented who is the actual holder of the IP space; otherwise it adds no value to have it signed. But it isn't required to hand over the holdership or ownership into RIPE PA in order to be able to use the RPKI services.

Once the specified contract is decided by the Legacy Holder and it is agreed by the RIPE NCC and a signature is received, the legacy resource holder gets access to a stripped version of the LIR portal where they can sign their resources. The same interface is also used for RIPE PI customers.

Let me know if you have any specific additional questions on that topic.
Regards,
Erik Bais

On 21/08/2018, 00:26, "routing-wg on behalf of nusenu" <routing-wg-bounces@ripe.net on behalf of nusenu-lists@riseup.net> wrote:

Hi,

since I used your data, API (RIPEstat) and tools (RPKI validator) I figured I send you also my IRR and RPKI measurement results:

https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijackin...

Thanks for making RIPEstat available for everyone.

If anyone can comment on how hard it is to get a ROA for a legacy IP block for a RIPE member without converting it to ALLOCATED PA block first, that would be interesting.

Also: is there any reason why a RIPE member would prefer to retain the LEGACY status? (instead of converting it)

thanks,
nusenu

btw: While collecting the IRR data I stumbled on a problem with RIPEstat where it would say there is no IRR entry but NTTCOM actually had it (Christian is looking into it).

https://stat.ripe.net/data/prefix-routing-consistency/data.json?resource=36....
(if you change it to /17 the expected record will appear)

    "routes": [
      {
        "origin": 10013,
        "irr_sources": [],            <<<<-------------------
        "in_whois": false,            <<<<-------------------
        "asn_name": "FBDC - FreeBit Co.,Ltd.",
        "prefix": "36.55.0.0/16",     <<<<-------------------
        "in_bgp": true
      }

vs

    whois -h rr.ntt.net 36.55.0.0/16

    route:    36.55.0.0/16
    descr:    FreeBit CIDR
    origin:   AS10013
    notify:   noc@FreeBit.NET
    mnt-by:   MAINT-FBDC
    changed:  y.ishizaki@FreeBit.NET 20120821
    source:   NTTCOM

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
Hi Erik,

thanks for your reply, it is appreciated.

One of the hosters mentioned in the blogpost with LEGACY/ERX IP blocks, already replied, stating that they are in the process of getting ROAs for these blocks as well.

kind regards,
nusenu

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu