RPKI publication

OK, I'm trying to do the responsible thing and further the progress and
deployment of RPKI. I feel like I have a pretty good handle on a path
forward for doing validation and routing-policy based on ROA validation.

However, I also feel like I'm really banging my head against a wall trying
to set up publication of ROAs. $employer has IP space from several RIRs,
and enough space that there is a pretty strong desire to have our own
publication system for this, but I'm really struggling to find extant
software to do this.

Are there people doing their own publication? Or is everyone just using
Hosted ARIN/RIPE/APNIC/etc. systems? My colleagues and I feel like trying
to manage and automate processes against multiple RIRs is not ideal, so
setting up a publication system that can use the Up-Down protocol, or
perhaps publish our own publication points, or whatever is the best way to
handle this would be desired.

Can anyone point me to some facilitating resources on this? Software
packages that are reasonably current and maintained and not a total pain
to deploy?

Hi Jeff,

While I can’t offer you a solution today, I’m happy to tell you we’ve recognised this particular use case and are working on a free, open source solution.

We're building a toolset that allows you to run a CA as a child of one or multiple RIRs transparently and publish using your own or a third party publication server. In addition, we’ll provide validation software.

https://www.nlnetlabs.nl/projects/rpki/project-plan/

For the validation software we have running code that is already used in production in various places:

https://github.com/NLnetLabs/routinator

With development ongoing, we’re still in the process of getting this fully funded as we’re a small non-profit. So far the RIPE NCC Community Projects Fund and Brazilian registry NIC.br are contributing to financing this project. Our goal is to provide something that is on par with our other projects, such as NSD and Unbound.

Happy to keep you updated on the progress.

Cheers,

Alex Band
NLnet Labs

OK, I’m trying to do the responsible thing and further the progress and
deployment of RPKI. I feel like I have a pretty good handle on a path
forward for doing validation and routing-policy based on ROA validation.

hey thanks! :slight_smile:

However, I also feel like I’m really banging my head against a wall trying
to set up publication of ROAs. $employer has IP space from several RIRs,
and enough space that there is a pretty strong desire to have our own
publication system for this, but I’m really struggling to find extant
software to do this.

I think there are 3 options:
ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator
https://github.com/RIPE-NCC/rpki-validator-3
rpki.net validator - https://github.com/dragonresearch/rpki.net
bbn rpstir - https://github.com/bgpsecurity/rpstir

Like I said, validation and caching, "relying party", has several options...several of which are relatively easy to run and manage. It's the CA and publishing for which no really good options (that I've found, at least) are available currently.
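For readers who are not yet at the point Jeff describes on the relying-party side, this is the origin-validation logic (RFC 6811) that a validator's VRP export feeds into routing policy. It is an added example, not code from this thread or from Routinator; the VRP lines, prefixes and ASNs are constructed sample data in the "ASN,IP Prefix,Max Length,Trust Anchor" CSV layout.

```python
"""Route Origin Validation (RFC 6811) against a set of Validated ROA Payloads.

Added illustration; the VRP data below is constructed, not a real export.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample VRPs (documentation prefixes and private ASNs).
SAMPLE_VRPS = """\
ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,example-ta
AS64496,2001:db8::/32,48,example-ta
AS64497,198.51.100.0/24,25,example-ta
"""


def parse_vrps(text: str) -> List[Tuple[int, ipaddress._BaseNetwork, int]]:
    """Parse CSV lines into (asn, prefix, maxLength) tuples, skipping the header."""
    vrps = []
    for line in text.splitlines()[1:]:
        asn, prefix, maxlen, _ta = line.split(",")
        asn_num = int(asn[2:]) if asn.upper().startswith("AS") else int(asn)
        vrps.append((asn_num, ipaddress.ip_network(prefix), int(maxlen)))
    return vrps


def validate_origin(prefix: str, origin_as: int, vrps) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced prefix/origin.

    A VRP covers the route when its prefix contains the announced prefix.
    The route is valid if some covering VRP has the same origin AS and the
    announced prefix length does not exceed the VRP's maxLength; covered but
    never matched is invalid; no covering VRP at all is not-found.
    AS0 VRPs cover but can never match, so they make the route invalid.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_asn, vrp_net, maxlen in vrps:
        if vrp_net.version != net.version:  # subnet_of() rejects mixed families
            continue
        if net.subnet_of(vrp_net):
            covered = True
            if origin_as != 0 and vrp_asn == origin_as and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    table = parse_vrps(SAMPLE_VRPS)
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496)]:
        print(route, asn, validate_origin(route, asn, table))
```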

the ca bits do exist in rpki.net’s software set…
they are a tad fiddly to setup/run though, yes.

Oops, sorry, I missed the rpki.net reference in there (I read and replied
to that message from my phone).

Yes, I spent several hours trying to get the Ubuntu 18.04 packages to
even install without errors. I'm not particularly keen on installing a 2
1/2 year old distro to run a no-longer-supported version of the django
framework to support this, so I'm pretty much putting it into the "not
reasonably current and maintained" category.

Hi Jeff,

I’ve worked on getting routinator installed via ansible recently and had some success. Seems to be the most actively supported/developed rpki I have seen out of the 3 options.

https://bitbucket.org/mjgehrmann/ansible-role-routinator

Regards

Thanks, but as I mentioned, I’ve got the validation/relying party side pretty well covered which is what Routinator is. I’m looking for options for running a delegated CA and potentially providing a publishing point.