OK, I'm trying to do the responsible thing and further the progress and deployment of RPKI. I feel like I have a pretty good handle on a path forward for doing validation and routing-policy based on ROA validation.
However, I also feel like I'm really banging my head against a wall trying to set up publication of ROAs. $employer has IP space from several RIRs, and enough space that there is a pretty strong desire to have our own publication system for this, but I'm really struggling to find extant software to do this.
Are there people doing their own publication? Or is everyone just using Hosted ARIN/RIPE/APNIC/etc. systems? My colleagues and I feel like trying to manage and automate processes against multiple RIRs is not ideal, so setting up a publication system that can use the Up-Down protocol, or perhaps publish our own publication points, or whatever is the best way to handle this would be desired.
Can anyone point me to some facilitating resources on this? Software packages that are reasonably current and maintained and not a total pain to deploy?
-- Jeff
Hi Jeff,
While I can’t offer you a solution today, I’m happy to tell you we’ve recognised this particular use case and are working on a free, open source solution.
We're building a toolset that allows you to run a CA as a child of one or multiple RIRs transparently and publish using your own or a third party publication server. In addition, we’ll provide validation software.
https://www.nlnetlabs.nl/projects/rpki/project-plan/
For the validation software we have running code that is already used in production in various places:
https://github.com/NLnetLabs/routinator
With development ongoing, we’re still in the process of getting this fully funded as we’re a small non-profit. So far the RIPE NCC Community Projects Fund and Brazilian registry NIC.br are contributing to financing this project. Our goal is to provide something that is on par with our other projects, such as NSD and Unbound.
Happy to keep you updated on the progress.
Cheers,
Alex Band NLnet Labs
On 23 Nov 2018, at 18:51, Jeff McAdams <jeffm@iglou.com> wrote:
OK, I'm trying to do the responsible thing and further the progress and deployment of RPKI. I feel like I have a pretty good handle on a path forward for doing validation and routing-policy based on ROA validation.
However, I also feel like I'm really banging my head against a wall trying to set up publication of ROAs. $employer has IP space from several RIRs, and enough space that there is a pretty strong desire to have our own publication system for this, but I'm really struggling to find extant software to do this.
Are there people doing their own publication? Or is everyone just using Hosted ARIN/RIPE/APNIC/etc. systems? My colleagues and I feel like trying to manage and automate processes against multiple RIRs is not ideal, so setting up a publication system that can use the Up-Down protocol, or perhaps publish our own publication points, or whatever is the best way to handle this would be desired.
Can anyone point me to some facilitating resources on this? Software packages that are reasonably current and maintained and not a total pain to deploy?
-- Jeff
On Fri, Nov 23, 2018 at 2:31 PM Alex Band <alex@nlnetlabs.nl> wrote:
Hi Jeff,
While I can’t offer you a solution today, I’m happy to tell you we’ve recognised this particular use case and are working on a free, open source solution.
We're building a toolset that allows you to run a CA as a child of one or multiple RIRs transparently and publish using your own or a third party publication server. In addition, we’ll provide validation software.
https://www.nlnetlabs.nl/projects/rpki/project-plan/
For the validation software we have running code that is already used in production in various places:
https://github.com/NLnetLabs/routinator
With development ongoing, we’re still in the process of getting this fully funded as we’re a small non-profit. So far the RIPE NCC Community Projects Fund and Brazilian registry NIC.br are contributing to financing this project. Our goal is to provide something that is on par with our other projects, such as NSD and Unbound.
Happy to keep you updated on the progress.
Cheers,
Alex Band NLnet Labs
On 23 Nov 2018, at 18:51, Jeff McAdams <jeffm@iglou.com> wrote:
OK, I'm trying to do the responsible thing and further the progress and deployment of RPKI. I feel like I have a pretty good handle on a path forward for doing validation and routing-policy based on ROA validation.
hey thanks! :)
However, I also feel like I'm really banging my head against a wall trying to set up publication of ROAs. $employer has IP space from several RIRs, and enough space that there is a pretty strong desire to have our own publication system for this, but I'm really struggling to find extant software to do this.
I think there are 3 options:
ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator https://github.com/RIPE-NCC/rpki-validator-3
rpki.net validator - https://github.com/dragonresearch/rpki.net
bbn rpstir - https://github.com/bgpsecurity/rpstir
Are there people doing their own publication? Or is everyone just using Hosted ARIN/RIPE/APNIC/etc. systems? My colleagues and I feel like trying to manage and automate processes against multiple RIRs is not ideal, so setting up a publication system that can use the Up-Down protocol, or perhaps publish our own publication points, or whatever is the best way to handle this would be desired.
Can anyone point me to some facilitating resources on this? Software packages that are reasonably current and maintained and not a total pain to deploy?
-- Jeff
On November 23, 2018 4:48:14 PM EST, Christopher Morrow <morrowc.lists@gmail.com> wrote:
I think there are 3 options:
ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator https://github.com/RIPE-NCC/rpki-validator-3
rpki.net validator - https://github.com/dragonresearch/rpki.net
bbn rpstir - https://github.com/bgpsecurity/rpstir
Like I said, validation and caching, "relying party", has several options...several of which are relatively easy to run and manage. It's the CA and publishing for which no really good options (that I've found, at least) are available currently.
On Fri, Nov 23, 2018 at 6:12 PM Jeff McAdams <jeffm@iglou.com> wrote:
On November 23, 2018 4:48:14 PM EST, Christopher Morrow <morrowc.lists@gmail.com> wrote:
I think there are 3 options:
ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator https://github.com/RIPE-NCC/rpki-validator-3
rpki.net validator - https://github.com/dragonresearch/rpki.net
bbn rpstir - https://github.com/bgpsecurity/rpstir
Like I said, validation and caching, "relying party", has several options...several of which are relatively easy to run and manage. It's the CA and publishing for which no really good options (that I've found, at least) are available currently.
the ca bits do exist in rpki.net's software set... they are a tad fiddly to setup/run though, yes.
On Fri, November 23, 2018 18:20, Christopher Morrow wrote:
On Fri, Nov 23, 2018 at 6:12 PM Jeff McAdams <jeffm@iglou.com> wrote:
On November 23, 2018 4:48:14 PM EST, Christopher Morrow <morrowc.lists@gmail.com> wrote:
I think there are 3 options:
ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator https://github.com/RIPE-NCC/rpki-validator-3
rpki.net validator - https://github.com/dragonresearch/rpki.net
bbn rpstir - https://github.com/bgpsecurity/rpstir
Like I said, validation and caching, "relying party", has several options...several of which are relatively easy to run and manage. It's the CA and publishing for which no really good options (that I've found, at least) are available currently.
the ca bits do exist in rpki.net's software set... they are a tad fiddly to setup/run though, yes.
Oops, sorry, I missed the rpki.net reference in there (I read and replied to that message from my phone).
Yes, I spent several hours trying to even get the Ubuntu 18.04 packages to even install without errors. I'm not particularly keen on installing a 2 1/2 year old distro to run a no-longer-supported version of the django framework to support this, so I'm pretty much putting it into the "not reasonably current and maintained" category.
-- Jeff
Hi Jeff,
I've worked on getting routinator installed via ansible recently and had some success. Seems to be the most actively supported/developed rpki I have seen out of the 3 options.
https://bitbucket.org/mjgehrmann/ansible-role-routinator
Regards -- MiCHAEL
On Sat, 24 Nov 2018 at 12:52, Jeff McAdams <jeffm@iglou.com> wrote:
On Fri, November 23, 2018 18:20, Christopher Morrow wrote:
On Fri, Nov 23, 2018 at 6:12 PM Jeff McAdams <jeffm@iglou.com> wrote:
On November 23, 2018 4:48:14 PM EST, Christopher Morrow <morrowc.lists@gmail.com> wrote:
I think there are 3 options:
ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator https://github.com/RIPE-NCC/rpki-validator-3
rpki.net validator - https://github.com/dragonresearch/rpki.net
bbn rpstir - https://github.com/bgpsecurity/rpstir
Like I said, validation and caching, "relying party", has several options...several of which are relatively easy to run and manage. It's the CA and publishing for which no really good options (that I've found, at least) are available currently.
the ca bits do exist in rpki.net's software set... they are a tad fiddly to setup/run though, yes.
Oops, sorry, I missed the rpki.net reference in there (I read and replied to that message from my phone).
Yes, I spent several hours trying to even get the Ubuntu 18.04 packages to even install without errors. I'm not particularly keen on installing a 2 1/2 year old distro to run a no-longer-supported version of the django framework to support this, so I'm pretty much putting it into the "not reasonably current and maintained" category.
-- Jeff
Thanks, but as I mentioned, I've got the validation/relying party side pretty well covered which is what Routinator is. I'm looking for options for running a delegated CA and potentially providing a publishing point.
-- Jeff
On November 25, 2018 5:45:21 PM EST, Michael Gehrmann <mgehrmann@atlassian.com> wrote:
Hi Jeff,
I've worked on getting routinator installed via ansible recently and had some success. Seems to be the most actively supported/developed rpki I have seen out of the 3 options.
https://bitbucket.org/mjgehrmann/ansible-role-routinator
Regards -- MiCHAEL
On Sat, 24 Nov 2018 at 12:52, Jeff McAdams <jeffm@iglou.com> wrote:
On Fri, November 23, 2018 18:20, Christopher Morrow wrote:
On Fri, Nov 23, 2018 at 6:12 PM Jeff McAdams <jeffm@iglou.com> wrote:
On November 23, 2018 4:48:14 PM EST, Christopher Morrow <morrowc.lists@gmail.com> wrote:
I think there are 3 options:
ripe validator v2 (potentially v3?) - https://github.com/RIPE-NCC/rpki-validator https://github.com/RIPE-NCC/rpki-validator-3
rpki.net validator - https://github.com/dragonresearch/rpki.net
bbn rpstir - https://github.com/bgpsecurity/rpstir
Like I said, validation and caching, "relying party", has several options...several of which are relatively easy to run and manage. It's the CA and publishing for which no really good options (that I've found, at least) are available currently.
the ca bits do exist in rpki.net's software set... they are a tad fiddly to setup/run though, yes.
Oops, sorry, I missed the rpki.net reference in there (I read and replied to that message from my phone).
Yes, I spent several hours trying to even get the Ubuntu 18.04 packages to even install without errors. I'm not particularly keen on installing a 2 1/2 year old distro to run a no-longer-supported version of the django framework to support this, so I'm pretty much putting it into the "not reasonably current and maintained" category.
-- Jeff
participants (4)
- Alex Band
- Christopher Morrow
- Jeff McAdams
- Michael Gehrmann