
Re: [sidr] Last Call: <draft-ietf-sidr-origin-ops-21.txt> (RPKI-Based Origin Validation Operation) to Best Current Practice

2013-09-23 15:47:24
take two paragraphs and call back in the morning if you are still in
pain :)

randy


   In order that routers need not perform certificate validation,
   cryptographic operations, etc., the RPKI-Router protocol, [RFC6810],
   does not provide object-based security to the router.  I.e. the
   router may not validate the data cryptographically from well-known
   trust anchor.  The router trusts the cache to provide correct data
   and relies on transport based security for the data received from the
   cache.  Therefore the authenticity and integrity of the data from the
   cache should be well protected, see Section 7 of [RFC6810].

   As RPKI-based origin validation relies on the availability of RPKI
   data, operators SHOULD locate caches close to routers that require
   these data and services.  'Close' is, of course, complex.  One should
   consider trust boundaries, routing bootstrap reachability, latency,
   etc.  E.g. as the router cannot validate the received data using a
   trust anchor, it should only accept data from caches it strongly
   trusts to provide valid data.  And a router should bootstrap from a
   cache which is reachable without relying on other infrastructure
   such as DNS or routing protocols.

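An added illustration of why the two paragraphs above matter, not code from the draft, from Randy, or from any RTR implementation: a parser and encoder for the RFC 6810 IPv4/IPv6 Prefix PDUs that a cache pushes to a router, plus a small check of the cache-selection policy the second paragraph describes. Walking the wire format shows the router receives only prefix, max length and ASN; there is no signature or certificate field, so a single byte changed in transit parses just as happily, which is what makes the transport protection of Section 7 and careful cache placement carry the whole trust. The PDU bytes and the policy function are constructed for this example.

```python
"""RFC 6810 prefix PDU parsing: constructed example, not an RTR implementation."""
import ipaddress
import struct
from dataclasses import dataclass

PDU_IPV4_PREFIX = 4          # RFC 6810 section 5.6
PDU_IPV6_PREFIX = 6          # RFC 6810 section 5.7
FLAG_ANNOUNCE = 0x01         # flags bit 0: 1 = announce, 0 = withdraw


@dataclass(frozen=True)
class PrefixPdu:
    announce: bool
    prefix: str              # e.g. "192.0.2.0/24"
    max_length: int
    asn: int


def parse_prefix_pdu(data: bytes) -> PrefixPdu:
    """Decode one protocol-version-0 IPv4 or IPv6 Prefix PDU.

    Note what is absent: nothing here lets the router verify the
    payload against a trust anchor; it only checks framing.
    """
    if len(data) < 8:
        raise ValueError("short PDU header")
    version, pdu_type, _zero, length = struct.unpack("!BBHI", data[:8])
    if version != 0:
        raise ValueError(f"unexpected protocol version {version}")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes received")
    if pdu_type == PDU_IPV4_PREFIX:
        expected_len, addr_len = 20, 4
    elif pdu_type == PDU_IPV6_PREFIX:
        expected_len, addr_len = 32, 16
    else:
        raise ValueError(f"not a prefix PDU: type {pdu_type}")
    if length != expected_len:
        raise ValueError(f"type {pdu_type} PDU must be {expected_len} bytes")
    flags, plen, maxlen, _zero2 = struct.unpack("!BBBB", data[8:12])
    addr = data[12:12 + addr_len]
    (asn,) = struct.unpack("!I", data[12 + addr_len:16 + addr_len])
    if not plen <= maxlen <= addr_len * 8:
        raise ValueError(f"bad lengths: prefix {plen}, max {maxlen}")
    # strict=True rejects a prefix with host bits set
    network = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{plen}", strict=True)
    return PrefixPdu(bool(flags & FLAG_ANNOUNCE), str(network), maxlen, asn)


def encode_prefix_pdu(p: PrefixPdu) -> bytes:
    """Inverse of parse_prefix_pdu, used here to build sample data."""
    net = ipaddress.ip_network(p.prefix, strict=True)
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    addr = net.network_address.packed
    length = 8 + 4 + len(addr) + 4
    flags = FLAG_ANNOUNCE if p.announce else 0
    return (struct.pack("!BBHI", 0, pdu_type, 0, length)
            + struct.pack("!BBBB", flags, net.prefixlen, p.max_length, 0)
            + addr + struct.pack("!I", p.asn))


# Constructed sample: announce 192.0.2.0/24, maxlen 24, AS 64496 (0xFBF0).
SAMPLE_IPV4_PDU = bytes.fromhex("00040000 00000014 01181800 c0000200 0000fbf0")

# The same PDU with only the last byte of the ASN changed. The router has
# no way to tell this apart from the genuine one: transport security must.
TAMPERED_IPV4_PDU = SAMPLE_IPV4_PDU[:-1] + b"\xf1"


def cache_acceptable(address: str, transport: str) -> bool:
    """Constructed policy after the second paragraph: a bootstrap cache
    must be reachable by IP literal (no DNS dependency) over a transport
    from RFC 6810 section 7 rather than bare TCP."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return False                      # hostname: needs DNS to reach
    return transport.lower() in {"ssh", "tls", "tcp-ao", "ipsec"}


if __name__ == "__main__":
    print(parse_prefix_pdu(SAMPLE_IPV4_PDU))
    print(parse_prefix_pdu(TAMPERED_IPV4_PDU))   # parses fine, wrong ASN
```

Running the block prints the genuine and the tampered record side by side; both pass every check the parser can make, which is the point of the first paragraph.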