so i was trying to ensure i had a current set of TALs and was directed to
https://www.ripe.net/manage-ips-and-asns/resource-management/certification/r...
the supposed TAL at the bottom of the page is pretty creative. anyone know what to do there?
i kinda hacked with emacs and get
rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
but kinda expected an rrdp uri too
and, to add insult to injury, the APNIC web page with their TAL
https://www.apnic.net/community/security/resource-certification/
requires javascript!
not to mention the ARIN stupidity
as if we needed another exercise in bureaucrats making operations painful. most operations of any size have internal departments perfectly capable of doing that.
randy
> i kinda hacked with emacs and get
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
btw this is not correct/useful anyway. it probably should be more like
rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
I concur. Four out of five RIR Trust Anchor Locators were recently updated to allow fetching the Trust Anchor via an HTTPS URI, further removing the dependence on rsync. Sadly, most TALs are not clearly published anywhere and I had to get them through GitHub issues and emails to be able to include them in the latest Routinator release.

These are what we believe to be the correct, up-to-date RPKI TALs:
https://github.com/NLnetLabs/routinator/tree/master/tals

You can find more discussion about this topic here:
https://github.com/NICMx/FORT-validator/issues/34
https://github.com/RIPE-NCC/rpki-validator-3/pull/215

RPA grief aside, ARIN seems to be the only RIR that publishes the latest version of their TAL clearly and correctly:
https://www.arin.net/resources/manage/rpki/tal/

-Alex
On 2 Aug 2020, at 20:52, Randy Bush <randy@psg.com> wrote:
> so i was trying to ensure i had a current set of TALs and was directed to
> https://www.ripe.net/manage-ips-and-asns/resource-management/certification/r...
> the supposed TAL at the bottom of the page is pretty creative. anyone know what to do there?
> i kinda hacked with emacs and get
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
> but kinda expected an rrdp uri too
> and, to add insult to injury, the APNIC web page with their TAL
> https://www.apnic.net/community/security/resource-certification/
> requires javascript!
> not to mention the ARIN stupidity
> as if we needed another exercise in bureaucrats making operations painful. most operations of any size have internal departments perfectly capable of doing that.
> randy
On Mon, 3 Aug 2020, Alex Band wrote:
> These are what we believe to be the correct, up-to-date RPKI TALs:

<rhetorical question> why is it so hard that all RIRs make their TAL files available under the same URL path but different hosts, e.g., https://ripe.net/rpki/tal, https://arin.net/rpki/tal ? </rhetorical question>

obviously, a single TAL would be better but this needs even more rhetoric ...

cheers
matthias
--
Matthias Waehlisch
. Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl
> why is it so hard that all RIRs make their TAL files available under the same URL path but different hosts, e.g., https://ripe.net/rpki/tal, https://arin.net/rpki/tal ?

no, you are supposed to get TRUST material from alex's secret stash. sigh.
it should be a dnssec lookup of ripe.net, tls secured lookup, find a TAL as defined in the RFCs, and fetch it via tls.
randy
Hi Randy, all,

We've updated our page:
https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure

It now shows the correct TALs:
https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
https://tal.rpki.ripe.net/ripe-ncc-rfc8630.tal
https://tal.rpki.ripe.net/ripe-ncc-validator-3.tal (RIPE NCC RPKI Validator 3 format)

I hope this helps.

Best regards,
Nathalie Trenaman
RIPE NCC

On 2 Aug 2020, at 20:52, Randy Bush <randy@psg.com> wrote:
> so i was trying to ensure i had a current set of TALs and was directed to
> https://www.ripe.net/manage-ips-and-asns/resource-management/certification/r...
> the supposed TAL at the bottom of the page is pretty creative. anyone know what to do there?
> i kinda hacked with emacs and get
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
> but kinda expected an rrdp uri too
> and, to add insult to injury, the APNIC web page with their TAL
> https://www.apnic.net/community/security/resource-certification/
> requires javascript!
> not to mention the ARIN stupidity
> as if we needed another exercise in bureaucrats making operations painful. most operations of any size have internal departments perfectly capable of doing that.
> randy
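The TAL shape Randy sketches earlier in the thread (a TA certificate URI, then the base64 subjectPublicKeyInfo) and the RFC 8630 file the RIPE NCC now publishes are what a relying party has to parse before it trusts anything, so a strict parser is the natural place to catch a copy-and-paste accident like the one the old web page produced. The following is an added example written for this page; it is not code from the thread, nor from Routinator, FORT or the RIPE NCC validator. It parses the RFC 8630 layout (optional "#" comment lines, one or more rsync:// or https:// URIs, one blank line, base64 subjectPublicKeyInfo) and walks the DER far enough to confirm the key is an RSA SubjectPublicKeyInfo. The rsync URI and the key bytes in the sample are the ones quoted in the thread; the comment line and the https URI under example.net are constructed placeholders, not anything the RIPE NCC publishes.

```python
"""RFC 8630 Trust Anchor Locator parser with a structural RSA SPKI check.

Added example for this thread; not code from any RPKI validator project.
"""
import base64
from dataclasses import dataclass
from urllib.parse import urlparse

# rsaEncryption OID (1.2.840.113549.1.1.1) as a DER-encoded OBJECT IDENTIFIER.
# RPKI trust anchor keys are RSA (RFC 7935), so anything else is rejected.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


@dataclass
class TrustAnchorLocator:
    comments: list      # RFC 8630 comment lines, '#' stripped
    uris: list          # ordered TA certificate URIs (rsync:// or https://)
    spki_der: bytes     # DER subjectPublicKeyInfo
    key_bits: int       # RSA modulus size in bits
    exponent: int       # RSA public exponent


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, pos, pos + length


def check_rsa_spki(der: bytes):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier -> RSAPublicKey.
    Returns (modulus_bits, public_exponent) or raises ValueError."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag, alg, alg_end = _read_tlv(der, body)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, _, oid_end = _read_tlv(der, alg)
    if tag != 0x06 or der[alg:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("trust anchor key is not rsaEncryption")
    tag, key, key_end = _read_tlv(der, alg_end)   # subjectPublicKey BIT STRING
    if tag != 0x03 or key_end != end or der[key] != 0x00:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa, _ = _read_tlv(der, key + 1)          # RSAPublicKey SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed RSAPublicKey")
    tag, mod, mod_end = _read_tlv(der, rsa)
    if tag != 0x02:
        raise ValueError("missing modulus")
    tag, exp, exp_end = _read_tlv(der, mod_end)
    if tag != 0x02:
        raise ValueError("missing publicExponent")
    modulus = int.from_bytes(der[mod:mod_end], "big")
    exponent = int.from_bytes(der[exp:exp_end], "big")
    return modulus.bit_length(), exponent


def parse_tal(text: str) -> TrustAnchorLocator:
    """Parse the RFC 8630 layout: optional '#' comments, one or more URI
    lines, exactly one blank separator line, then base64 SPKI lines."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    i, comments, uris = 0, [], []
    while i < len(lines) and lines[i].startswith("#"):
        comments.append(lines[i][1:].strip())
        i += 1
    while i < len(lines) and lines[i]:
        if urlparse(lines[i]).scheme not in ("rsync", "https"):
            raise ValueError(f"not an rsync:// or https:// URI: {lines[i]!r}")
        uris.append(lines[i])
        i += 1
    if not uris:
        raise ValueError("TAL contains no URIs")
    if i >= len(lines):
        raise ValueError("missing blank line and key after the URIs")
    i += 1                                         # skip the separator line
    b64 = "".join(lines[i:])
    if not b64:
        raise ValueError("TAL contains no subjectPublicKeyInfo")
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"subjectPublicKeyInfo is not valid base64: {exc}")
    bits, exponent = check_rsa_spki(der)
    return TrustAnchorLocator(comments, uris, der, bits, exponent)


def validate_tal(text: str):
    """Return None when the TAL parses cleanly, otherwise the error message."""
    try:
        parse_tal(text)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample: the rsync URI and key are those quoted in the thread; the
# comment and the https://ta.example.net URI are placeholders for this example.
RIPE_TAL = """\
# constructed comment line, as RFC 8630 allows
rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
https://ta.example.net/ripe-ncc-ta.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZ
xIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eN
cKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1Z
HMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ
0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXv
P8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
"""

# What the old web page yielded: "public.key.info" glued onto the URI and no
# separator line, so the key line is read as a second (invalid) URI.
GARBLED_TAL = "rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info\n" \
              + RIPE_TAL.split("\n\n", 1)[1]

if __name__ == "__main__":
    tal = parse_tal(RIPE_TAL)
    print(tal.uris, tal.key_bits, tal.exponent)
    print("garbled:", validate_tal(GARBLED_TAL))
```

The parser is deliberately strict: a TAL is trust material, so a file that is almost right (a URI with junk appended, a missing separator, a key that is not RSA) should be refused rather than guessed at. On the constructed sample it reports a 2048-bit RSA key with exponent 65537; on the garbled text it stops at the line that is neither an rsync:// nor an https:// URI.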
> https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)

looks great visually. stuffed in a dragon validator, just for qa.
thanks!
randy
Hi all,

We've also simplified our webpage: https://afrinic.net/rpki/tal
And the URL to the TAL: https://rpki.afrinic.net/tal/afrinic.tal

Cheers,
Amreesh Phokeer
AFRINIC

On Thu, Aug 6, 2020 at 4:59 PM Randy Bush <randy@psg.com> wrote:
> > https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
> looks great visually. stuffed in a dragon validator, just for qa.
> thanks!
> randy

> We've also simplified our webpage: https://afrinic.net/rpki/tal
> And the URL to the TAL: https://rpki.afrinic.net/tal/afrinic.tal
thanks! wfm
randy