nanog mailing list archives

Re: RPKI publication


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 23 Nov 2018 16:48:14 -0500

On Fri, Nov 23, 2018 at 2:31 PM Alex Band <alex () nlnetlabs nl> wrote:

Hi Jeff,

While I can’t offer you a solution today, I’m happy to tell you we’ve
recognised this particular use case and are working on a free, open source
solution.

We're building a toolset that allows you to run a CA as a child of one or
multiple RIRs transparently and publish using your own or a third party
publication server. In addition, we’ll provide validation software.

https://www.nlnetlabs.nl/projects/rpki/project-plan/

For the validation software we have running code that is already used in
production in various places:

https://github.com/NLnetLabs/routinator

With development ongoing, we’re still in the process of getting this fully
funded as we’re a small non-profit. So far the RIPE NCC Community Projects
Fund and Brazilian registry NIC.br are contributing to financing this
project. Our goal is to provide something that is on par with our other
projects, such as NSD and Unbound.

Happy to keep you updated on the progress.

Cheers,

Alex Band
NLnet Labs

On 23 Nov 2018, at 18:51, Jeff McAdams <jeffm () iglou com> wrote:

OK, I'm trying to do the responsible thing and further the progress and
deployment of RPKI.  I feel like I have a pretty good handle on a path
forward for doing validation and routing-policy based on ROA validation.


hey thanks! :)


However, I also feel like I'm really banging my head against a wall trying
to set up publication of ROAs.  $employer has IP space from several RIRs,
and enough space that there is a pretty strong desire to have our own
publication system for this, but I'm really struggling to find extant
software to do this.


I think there are 3 options:
  ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator
    https://github.com/RIPE-NCC/rpki-validator-3
  rpki.net validator - https://github.com/dragonresearch/rpki.net
  bbn rpstir - https://github.com/bgpsecurity/rpstir

Are there people doing their own publication?  Or is everyone just using
Hosted ARIN/RIPE/APNIC/etc. systems?  My colleagues and I feel like trying
to manage and automate processes against multiple RIRs is not ideal, so
setting up a publication system that can use the Up-Down protocol, or
perhaps publish our own publication points, or whatever is the best way to
handle this would be desired.

Can anyone point me to some facilitating resources on this?  Software
packages that are reasonably current and maintained and not a total pain
to deploy?

--
Jeff


