Ensuring RPKI ROAs match your routing intent
Hi everyone,

Over the last two years NLnet Labs has been working on free, open source RPKI software and research for the community, supported by the RIPE NCC Community Projects Fund, Brazilian NIR NIC.br and Asia Pacific RIR APNIC. I have an update that we’d like to share.

When creating a ROA in RPKI, it can have an effect on one or more BGP announcements, making them either Valid, Invalid or NotFound. Understanding what exactly determines these three states is not immediately obvious, especially in the beginning.

At times, this can make creating ROAs a bit of a shot in the dark. I’ve seen several examples in the past where an operator created a ROA in their RIR Portal, waited for it to be published and then checked in services like BGPMon or the HE BGP Toolkit to see if everything turned out as expected.

This is why, during my time at the RIPE NCC, we put a lot of work into making it immediately obvious what the effect of a ROA is going to be on the BGP announcements with your address space. Several RIRs have followed in these footsteps since.

I presented on this journey at NANOG 63 in 2015: https://archive.nanog.org/meetings/abstract?id=2500

Now, in my new adventure at NLnet Labs, we’ve gotten the same team together to make simple, intuitive ROA management for Delegated RPKI available for everyone, seamlessly across RIR regions.

With Krill 0.7.1 ‘Sobremesa’ you can easily create and maintain ROAs in a user interface that incorporates all of the best practices and lessons learned over the last 10 years and monitor them in ways never before possible, such as through Prometheus.

Blog post with details: http://link.medium.com/1SsTJSAvB7

All the best,

Alex
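The Valid / Invalid / NotFound outcome mentioned in the message above follows the origin validation procedure of RFC 6811. The sketch below is an added example, not part of the original post and not Krill code: it classifies announcements against a set of ROA payloads and previews which announcements change state when a candidate ROA is added. The function names are hypothetical, and the prefixes and AS numbers are constructed from the documentation ranges.

```python
from ipaddress import ip_network
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: the (prefix, maxLength, origin AS) a ROA asserts."""
    prefix: str
    max_length: int
    asn: int

def validate(prefix: str, origin: int, vrps: list) -> str:
    """RFC 6811 origin validation of one announcement against a VRP set."""
    route = ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue                  # this VRP does not cover the route
        covered = True
        # AS0 never matches; origin and prefix length must both fit.
        if vrp.asn != 0 and vrp.asn == origin and route.prefixlen <= vrp.max_length:
            return "Valid"            # a single matching VRP is enough
    # Covered by at least one VRP but matched by none: Invalid.
    return "Invalid" if covered else "NotFound"

def preview(candidate: VRP, existing: list, announcements: list) -> dict:
    """Map (prefix, origin) -> (state before, state after) for every
    announcement whose state changes if `candidate` is published."""
    changes = {}
    for prefix, origin in announcements:
        before = validate(prefix, origin, existing)
        after = validate(prefix, origin, existing + [candidate])
        if before != after:
            changes[(prefix, origin)] = (before, after)
    return changes

# Constructed sample: what the operator currently announces (or sees in BGP).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # the aggregate
    ("192.0.2.0/25", 64496),      # own more specific for traffic engineering
    ("192.0.2.128/25", 64497),    # customer more specific, different origin
    ("198.51.100.0/24", 64496),   # unrelated prefix, not covered by the ROA
]

if __name__ == "__main__":
    candidate = VRP("192.0.2.0/24", 24, 64496)
    for route, (before, after) in preview(candidate, [], ANNOUNCEMENTS).items():
        print(route, before, "->", after)
```

With no ROAs published, the candidate ROA for the aggregate turns both more specifics from NotFound to Invalid, which is the mismatch between ROA and routing intent that a preview before publication is meant to catch.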
So in the ARIN world, Krill only works with "delegated" RPKI, not "hosted" RPKI - do I understand that correctly?

If so, are there any plans to allow Krill's analytics and rules to monitor ARIN Hosted RPKI ROAs?

-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson@merlin.mb.ca
www.merlin.mb.ca

From: NANOG <nanog-bounces+athompson=merlin.mb.ca@nanog.org> on behalf of Alex Band <alex@nlnetlabs.nl>
Sent: Thursday, June 25, 2020 8:31:52 AM
To: Nanog
Subject: Ensuring RPKI ROAs match your routing intent
Hi Adam,
On 25 Jun 2020, at 16:55, Adam Thompson <athompson@merlin.mb.ca> wrote:
> So in the ARIN world, Krill only works with "delegated" RPKI, not "hosted" RPKI - do I understand that correctly?

Krill is RPKI Certificate Authority software to run Delegated RPKI under one or multiple RIRs simultaneously. It’s an all-in choice, so you would choose Delegated instead of Hosted.

> If so, are there any plans to allow Krill's analytics and rules to monitor ARIN Hosted RPKI ROAs?

That’s not possible, as Krill can only monitor its own ROAs and not ones that are published elsewhere. Perhaps BGP Alerter is a solution for you: https://github.com/nttgin/BGPalerter

Cheers,

Alex
> Perhaps BGP Alerter is a solution for you: https://github.com/nttgin/BGPalerter

yes! very happy user here. i run it into the slack api.

randy
participants (3)
- Adam Thompson
- Alex Band
- Randy Bush