<div dir="auto">Hello,<div dir="auto"><br></div><div dir="auto">Great initiative! Congrats.</div><div dir="auto"><br></div><div dir="auto">Roque</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 19, 2018, 23:16 Job Snijders <<a href="mailto:job@ntt.net">job@ntt.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear LACNOG<br>
<br>
[ TL:DR - From now on, NTT / AS 2914 allows customers to either register<br>
their announcements in the IRR, or as RPKI ROAs. This is a convenience<br>
service for the South American region where IRR is not the norm but<br>
RPKI is commonly available. Previously NTT only accepted IRR and<br>
ARIN-WHOIS. I hope competitors and partners will use this approach too! ]<br>
<br>
As most of you know, the Resource Public Key Infrastructure (RPKI) is a<br>
modern reimagination of the good ole' IRR system we have come to love<br>
and hate. The main advantage of the RPKI is that a consumer of the data<br>
can cryptographically verify whether it was the actual owner of the IP<br>
prefix that created a so-called "RPKI ROA".<br>
(more reading: <a href="https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure" rel="noreferrer noreferrer" target="_blank">https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure</a>)<br>
<br>
Given that RPKI ROAs are somewhat equivalent to IRR route-objects, but<br>
more reliable in terms of authoritativeness, NTT now has an automated<br>
nightly process that converts RPKI information into IRR format so that<br>
our toolchain can consume the data as if it were just another IRR<br>
source.<br>
<br>
Using RPKI ROAs as if they are IRR route(6)-objects is a transitional<br>
step towards increased security in the routing ecosystem.<br>
<br>
We are not the first to explore this method (see post-scriptum), but I<br>
think we are the first to republish elements from RPKI ROAs via a<br>
publicly accessible IRRd instance queryable with the RADB IRRd protocol.<br>
This means that anyone that points their bgpq3 or peval programs at<br>
<a href="http://rr.ntt.net" rel="noreferrer noreferrer" target="_blank">rr.ntt.net</a> can leverage this method without having to update anything<br>
else in the pipeline.<br>
<br>
An example can be inspected here:<br>
<br>
job@eng0 ~$ whois -h <a href="http://rr.ntt.net" rel="noreferrer noreferrer" target="_blank">rr.ntt.net</a> 193.0.6.139<br>
[Querying <a href="http://rr.ntt.net" rel="noreferrer noreferrer" target="_blank">rr.ntt.net</a>]<br>
[<a href="http://rr.ntt.net" rel="noreferrer noreferrer" target="_blank">rr.ntt.net</a>]<br>
route: <a href="http://193.0.0.0/21" rel="noreferrer noreferrer" target="_blank">193.0.0.0/21</a><br>
descr: RIPE-NCC<br>
origin: AS3333<br>
mnt-by: RIPE-NCC-MNT<br>
changed: <a href="mailto:unread@ripe.net" target="_blank" rel="noreferrer">unread@ripe.net</a> 20000101<br>
source: RIPE<br>
remarks: ****************************<br>
remarks: * THIS OBJECT IS MODIFIED<br>
remarks: * Please note that all data that is generally regarded as personal<br>
remarks: * data has been removed from this object.<br>
remarks: * To view the original object, please query the RIPE Database at:<br>
remarks: * <a href="http://www.ripe.net/whois" rel="noreferrer noreferrer" target="_blank">http://www.ripe.net/whois</a><br>
remarks: ****************************<br>
<br>
route: <a href="http://193.0.0.0/21" rel="noreferrer noreferrer" target="_blank">193.0.0.0/21</a><br>
descr: RPKI ROA for <a href="http://193.0.0.0/21" rel="noreferrer noreferrer" target="_blank">193.0.0.0/21</a><br>
remarks: This route object represents routing data retrieved from the RPKI<br>
remarks: The original data can be found here: <a href="https://rpki.gin.ntt.net/r/AS3333/193.0.0.0/21" rel="noreferrer noreferrer" target="_blank">https://rpki.gin.ntt.net/r/AS3333/193.0.0.0/21</a><br>
remarks: This route object is the result of an automated RPKI-to-IRR conversion process.<br>
remarks: maxLength 21<br>
origin: AS3333<br>
mnt-by: MAINT-JOB<br>
changed: <a href="mailto:job@ntt.net" target="_blank" rel="noreferrer">job@ntt.net</a> 20180718<br>
source: RPKI # Trust Anchor: RIPE NCC RPKI Root<br>
job@eng0 ~$<br>
<br>
The first object is an actual IRR "route:" object from the RIPE NCC<br>
operated IRR, the second object is a representation of the RPKI ROA in<br>
RPSL format published via <a href="http://rr.ntt.net" rel="noreferrer noreferrer" target="_blank">rr.ntt.net</a>.<br>
<br>
In general we can state that RPKI data is very good quality data,<br>
however please keep in mind that it may not be /correct/ data. In this<br>
context "Good Quality" means that it cannot easily be forged or tampered<br>
with by adversaries (but of course that doesn't protect the legitimate<br>
owner against making misconfigurations). Just like with IRR<br>
route(6)-objects, owners may input the wrong origin ASN in this type of<br>
object or configure the wrong MaxLength.<br>
<br>
NTT operates a "RPKI Cache Validator" at <a href="https://rpki.gin.ntt.net/" rel="noreferrer noreferrer" target="_blank">https://rpki.gin.ntt.net/</a><br>
Everyone is free to inspect and click around in this webinterface.<br>
Instead of <a href="https://rpki.gin.ntt.net/" rel="noreferrer noreferrer" target="_blank">https://rpki.gin.ntt.net/</a>, there also is a command line<br>
interface available via BGPMon's whois service: <br>
<br>
job@vurt ~$ whois -h <a href="http://whois.bgpmon.com" rel="noreferrer noreferrer" target="_blank">whois.bgpmon.com</a> <a href="http://193.0.0.0/21" rel="noreferrer noreferrer" target="_blank">193.0.0.0/21</a><br>
% This is the BGPmon.net whois Service<br>
% You can use this whois gateway to retrieve information<br>
% about an IP adress or prefix<br>
% We support both IPv4 and IPv6 address.<br>
%<br>
% For more information visit:<br>
% <a href="https://portal.bgpmon.net/bgpmonapi.php" rel="noreferrer noreferrer" target="_blank">https://portal.bgpmon.net/bgpmonapi.php</a><br>
<br>
Prefix: <a href="http://193.0.0.0/21" rel="noreferrer noreferrer" target="_blank">193.0.0.0/21</a><br>
Prefix description: RIPE-NCC<br>
Country code: NL<br>
Origin AS: 3333<br>
Origin AS Name: Reseaux IP Europeens Network Coordination Centre (RIPE NCC)<br>
RPKI status: ROA validation successful<br>
First seen: 2011-10-19<br>
Last seen: 2018-07-19<br>
Seen by #peers: 77<br>
<br>
Notice in the above output the "ROA validation successful".<br>
<br>
Nota bene: the fact that NTT uses RPKI ROA information in the prefix<br>
filter generation process - does _not_ mean that NTT does "RPKI Origin<br>
Validation" for BGP updates (yet). RPKI Origin Validation is an<br>
additional security layer that we hope to deploy in the not too distant<br>
future. Using RPKI ROAs in this way is an important step forward in this<br>
process.<br>
<br>
Kind regards,<br>
<br>
Job Snijders<br>
<br>
Post scriptum on prior work:<br>
<br>
Dragon Research Labs implemented the idea in 2015:<br>
<a href="https://github.com/dragonresearch/rpki.net/blob/master/potpourri/roa-to-irr.py" rel="noreferrer noreferrer" target="_blank">https://github.com/dragonresearch/rpki.net/blob/master/potpourri/roa-to-irr.py</a><br>
<br>
RIPE NCC's RPKI Validator added RPSL export functionality in 2015:<br>
<a href="https://mailman.nanog.org/pipermail/nanog/2015-May/075185.html" rel="noreferrer noreferrer" target="_blank">https://mailman.nanog.org/pipermail/nanog/2015-May/075185.html</a><br>
<br>
Arouteserver added native support for this method in October 2017.<br>
<a href="https://github.com/pierky/arouteserver/issues/19" rel="noreferrer noreferrer" target="_blank">https://github.com/pierky/arouteserver/issues/19</a><br>
_______________________________________________<br>
LACNOG mailing list<br>
<a href="mailto:LACNOG@lacnic.net" target="_blank" rel="noreferrer">LACNOG@lacnic.net</a><br>
<a href="https://mail.lacnic.net/mailman/listinfo/lacnog" rel="noreferrer noreferrer" target="_blank">https://mail.lacnic.net/mailman/listinfo/lacnog</a><br>
Cancelar suscripcion: <a href="https://mail.lacnic.net/mailman/options/lacnog" rel="noreferrer noreferrer" target="_blank">https://mail.lacnic.net/mailman/options/lacnog</a><br>
</blockquote></div>