[lacnog] NTT now treats RPKI ROAs as IRR route(6)-objects
Roque Gagliano
rgaglian en gmail.com
Vie Jul 20 05:26:51 BRT 2018
Hello,
Great initiative! Congrats.
Roque
On Thu, Jul 19, 2018, 23:16 Job Snijders <job en ntt.net> wrote:
> Dear LACNOG
>
> [ TL:DR - From now on, NTT / AS 2914 allows customers to either register
> their announcements in the IRR, or as RPKI ROAs. This is a convenience
> service for the South American region where IRR is not the norm but
> RPKI is commonly available. Previously NTT only accepted IRR and
> ARIN-WHOIS. I hope competitors and partners will use this approach too! ]
>
> As most of you know, the Resource Public Key Infrastructure (RPKI) is a
> modern reimagination of the good ole' IRR system we have come to love
> and hate. The main advantage of the RPKI is that a consumer of the data
> can cryptographically verify whether it was the actual owner of the IP
> prefix that created a so-called "RPKI ROA".
> (more reading:
> https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure)
>
> Given that RPKI ROAs are somewhat equivalent to IRR route-objects, but
> more reliable in terms of authoritativeness, NTT now has an automated
> nightly process that converts RPKI information into IRR format so that
> our toolchain can consume the data as if it were just another IRR
> source.
>
> Using RPKI ROAs as if they are IRR route(6)-objects is a transitional
> step towards increased security in the routing ecosystem.
>
> We are not the first to explore this method (see post-scriptum), but I
> think we are the first to republish elements from RPKI ROAs via a
> publicly accessible IRRd instance queryable with the RADB IRRd protocol.
> This means that anyone that points their bgpq3 or peval programs at
> rr.ntt.net can leverage this method without having to update anything
> else in the pipeline.
>
> An example can be inspected here:
>
> job en eng0 ~$ whois -h rr.ntt.net 193.0.6.139
> [Querying rr.ntt.net]
> [rr.ntt.net]
> route: 193.0.0.0/21
> descr: RIPE-NCC
> origin: AS3333
> mnt-by: RIPE-NCC-MNT
> changed: unread en ripe.net 20000101
> source: RIPE
> remarks: ****************************
> remarks: * THIS OBJECT IS MODIFIED
> remarks: * Please note that all data that is generally regarded
> as personal
> remarks: * data has been removed from this object.
> remarks: * To view the original object, please query the RIPE
> Database at:
> remarks: * http://www.ripe.net/whois
> remarks: ****************************
>
> route: 193.0.0.0/21
> descr: RPKI ROA for 193.0.0.0/21
> remarks: This route object represents routing data retrieved from
> the RPKI
> remarks: The original data can be found here:
> https://rpki.gin.ntt.net/r/AS3333/193.0.0.0/21
> remarks: This route object is the result of an automated
> RPKI-to-IRR conversion process.
> remarks: maxLength 21
> origin: AS3333
> mnt-by: MAINT-JOB
> changed: job en ntt.net 20180718
> source: RPKI # Trust Anchor: RIPE NCC RPKI Root
> job en eng0 ~$
>
> The first object is an actual IRR "route:" object from the RIPE NCC
> operated IRR, the second object is a representation of the RPKI ROA in
> RPSL format published via rr.ntt.net.
>
> In general we can state that RPKI data is very good quality data,
> however please keep in mind that it may not be /correct/ data. In this
> context "Good Quality" means that it cannot easily be forged or tampered
> with by adversaries (but of course that doesn't protect the legitimate
> owner against making misconfigurations). Just like with IRR
> route(6)-objects, owners may input the wrong origin ASN in this type of
> object or configure the wrong MaxLength.
>
> NTT operates a "RPKI Cache Validator" at https://rpki.gin.ntt.net/
> Everyone is free to inspect and click around in this webinterface.
> Instead of https://rpki.gin.ntt.net/, there also is a command line
> interface available via BGPMon's whois service:
>
> job en vurt ~$ whois -h whois.bgpmon.com 193.0.0.0/21
> % This is the BGPmon.net whois Service
> % You can use this whois gateway to retrieve information
> % about an IP adress or prefix
> % We support both IPv4 and IPv6 address.
> %
> % For more information visit:
> % https://portal.bgpmon.net/bgpmonapi.php
>
> Prefix: 193.0.0.0/21
> Prefix description: RIPE-NCC
> Country code: NL
> Origin AS: 3333
> Origin AS Name: Reseaux IP Europeens Network Coordination Centre
> (RIPE NCC)
> RPKI status: ROA validation successful
> First seen: 2011-10-19
> Last seen: 2018-07-19
> Seen by #peers: 77
>
> Notice in the above output the "ROA validation successful".
>
> Nota bene: the fact that NTT uses RPKI ROA information in the prefix
> filter generation process - does _not_ mean that NTT does "RPKI Origin
> Validation" for BGP updates (yet). RPKI Origin Validation is an
> additional security layer that we hope to deploy in the not too distant
> future. Using RPKI ROAs in this way is an important step forward in this
> process.
>
> Kind regards,
>
> Job Snijders
>
> Post scriptum on prior work:
>
> Dragon Research Labs implemented the idea in 2015:
>
> https://github.com/dragonresearch/rpki.net/blob/master/potpourri/roa-to-irr.py
>
> RIPE NCC's RPKI Validator added RPSL export functionality in 2015:
> https://mailman.nanog.org/pipermail/nanog/2015-May/075185.html
>
> Arouteserver added native support for this method in October 2017.
> https://github.com/pierky/arouteserver/issues/19
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20180720/5bfc8e54/attachment-0001.html>
Más información sobre la lista de distribución LACNOG