Re: Has Anyone managed to get Delegated RPKI working with ARIN

[Alex Band <alex () nlnetlabs nl>]

Final update:

On April 1st ARIN deployed support for the RFC 8183 RPKI key exchange format:
https://www.arin.net/vault/participate/acsp/suggestions/2020-3.html

You will no longer need the “ARIN Compatible" toggle in Krill as described in the previous email. The toggle will be 
removed in version 0.6, due next week. 

-Alex


> On 25 Feb 2020, at 13:40, Alex Band <alex () nlnetlabs nl> wrote:
>
> An update:
>
> The setup process with ARIN has now been fixed in Krill 0.5.0, which was just released:
> https://www.nlnetlabs.nl/news/2020/Feb/25/krill.0.5.0-released/
>
> We have worked around the issue by transforming the child request XML file in the user interface using a toggle:
> https://rpki.readthedocs.io/en/latest/krill/parent-interactions.html#arin
>
> The ensured that Krill is compatible with both the old and new response file format. Once ARIN conforms to RFC 8183, 
> this toggle will be removed in a future version. We have also fixed two blocking issues with APNIC, ensuring Krill 
> now works with every RIR implementation.
>
> Looking forward to your feedback on this release.
>
> Cheers,
>
> Alex
>
> > On 13 Feb 2020, at 09:48, Alex Band <alex () nlnetlabs nl> wrote:
> >
> > Hi there!
> >
> > There is also this somewhat hacky SED command to transform the Request XML into the format that ARIN accepts, in 
> > case you’d like to use something other than the XSL:
> >
> > https://sed.js.org/?gist=3f08fb293c8825855bb26f2865161575
> >
> > –– Looping in John Curran
> >
> > John, I appreciate ARIN has accepted RFC 8183 compatibility as an ACSP suggestion:
> >
> > https://www.arin.net/participate/community/acsp/suggestions/2020-3/
> >
> > Looking at the XML though, the changes needed to make this work are one tag, a URL and a version number. Could this 
> > please be tracked as a simple bug instead of a "feature to include in our future RPKI improvements”?
> >
> > In the mean time I have added a warning to the documentation:
> > https://rpki.readthedocs.io/en/latest/krill/manage-cas.html#step-1-get-the-request-xml-file
> >
> > Thanks!
> >
> > -Alex
> >
> > > On 5 Feb 2020, at 16:48, Tim Bruijnzeels <tim () nlnetlabs nl> wrote:
> > >
> > > Hi,
> > >
> > > Everyone is welcome to read that list of course, but the TL;DR is:
> > >
> > > ARIN currently uses a pre RFC 8183 format for the identity exchange. It would be good if this were updated. New 
> > > versions of rpkid as well as Krill have issues with the old format.
> > >
> > > In the meantime this XSL provided by rpki.net can be of help:
> > > https://raw.githubusercontent.com/dragonresearch/rpki.net/master/potpourri/oob-translate.xsl
> > >
> > > Note: if you are planning to give Krill a try we recommend that you wait for version 0.5. We expect to have this 
> > > version ready in 1-2 weeks. It will include usability improvements, better monitoring and a UI.
> > >
> > > Kind regards,
> > >
> > > Tim
> > >
> > >
> > >
> > > > On 5 Feb 2020, at 16:03, Christopher Munz-Michielin <christopher () ve7alb ca> wrote:
> > > >
> > > > Brilliant! Thanks for the write up Cynthia, I'll have a read through!
> > > >
> > > > Chris
> > > >
> > > > On 2020-02-05 1:56 a.m., Cynthia Revström wrote:
> > > > > (Re-sent as I forgot to include the ML the first time, oops)
> > > > > Hi Chris,
> > > > >
> > > > > I recently figured it out and posted it on the NLNetLabs RPKI mailing list. 
> > > > > https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html 
> > > > > <https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html>
> > > > > I hope it helps :)
> > > > >
> > > > > - Cynthia
> > > > >
> > > > > On Wed, Jan 29, 2020 at 6:31 PM Christopher Munz-Michielin <christopher () ve7alb ca <mailto:christopher () 
> > > > > ve7alb ca>> wrote:
> > > > >
> > > > >  Hi Nanog,
> > > > >
> > > > >  Posting here since my Google-fu is coming up short.  I'm trying to setup delegated RPKI in ARIN using rpki.net 
> > > > > <http://rpki.net>'s rpkid Python daemon and am running into an issue submitting the identity file to ARIN's 
> > > > > control panel. The same file submitted to RIPE's  test environment at https://localcert.ripe.net/#/rpki works 
> > > > > without issue, while submitting to ARIN results in "Invalid Identity.xml file."
> > > > >
> > > > >  The guide I'm following is this one: 
> > > > > https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md and I'm able to get as far as 
> > > > > generating the identity file.
> > > > >
> > > > >  Wondering if anyone has gone down this road before and has any helpful hints to make this work?
> > > > >
> > > > >  Cheers,
> > > > >  Chris