RPKI publication

Christopher Morrow morrowc.lists at gmail.com
Fri Nov 23 21:48:14 UTC 2018

On Fri, Nov 23, 2018 at 2:31 PM Alex Band <alex at nlnetlabs.nl> wrote:

> Hi Jeff,
> While I can’t offer you a solution today, I’m happy to tell you we’ve
> recognised this particular use case and are working on a free, open source
> solution.
> We're building a toolset that allows you to run a CA as a child of one or
> multiple RIRs transparently and publish using your own or a third party
> publication server. In addition, we’ll provide validation software.
> https://www.nlnetlabs.nl/projects/rpki/project-plan/
> For the validation software we have running code that is already used in
> production in various places:
> https://github.com/NLnetLabs/routinator
> With development ongoing, we’re still in the process of getting this fully
> funded as we’re a small non-profit. So far the RIPE NCC Community Projects
> Fund and Brazilian registry NIC.br are contributing to financing this
> project. Our goal to to provide something that is on par with our other
> projects, such as NSD and Unbound.
> Happy to keep you updated on the progress.
> Cheers,
> Alex Band
> NLnet Labs
> > On 23 Nov 2018, at 18:51, Jeff McAdams <jeffm at iglou.com> wrote:
> >
> > OK, I'm trying to do the responsible thing and further the progress and
> > deployment of RPKI.  I feel like I have a pretty good handle on a path
> > forward for doing validation and routing-policy based on ROA validation.

hey thanks! :)

> > However, I also feel like I'm really banging my head against a wall
> trying
> > to set up publication of ROAs.  $employer has IP space from several RIRs,
> > and enough space that there is a pretty strong desire to have our own
> > publication system for this, but I'm really struggling to find extant
> > software to do this.

I think there are 3 options:
  ripe validator v2 (potentially v3?) -

  rpki.net validator - https://github.com/dragonresearch/rpki.net
  bbn rpstir - https://github.com/bgpsecurity/rpstir

> Are there people doing their own publication?  Or is everyone just using
> > Hosted ARIN/RIPE/APNIC/etc. systems?  My colleagues and I feel like
> trying
> > to manage and automate processes against multiple RIRs is not ideal, so
> > setting up a publication system that can use the Up-Down protocol, or
> > perhaps publish our own publication points, or whatever is the best way
> to
> > handle this would be desired.
> >
> > Can anyone point me to some facilitating resources on this?  Software
> > packages that are reasonably current and maintained and not a total pain
> > to deploy?
> >
> > --
> > Jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20181123/31a20f17/attachment.html>

More information about the NANOG mailing list