Has Anyone managed to get Delegated RPKI working with ARIN

Alex Band alex at nlnetlabs.nl
Thu Apr 2 07:49:56 UTC 2020


Final update:

On April 1st ARIN deployed support for the RFC 8183 RPKI key exchange format:
https://www.arin.net/vault/participate/acsp/suggestions/2020-3.html

You will no longer need the “ARIN Compatible” toggle in Krill as described in the previous email. The toggle will be removed in version 0.6, due next week.

-Alex


> On 25 Feb 2020, at 13:40, Alex Band <alex at nlnetlabs.nl> wrote:
> 
> An update:
> 
> The setup process with ARIN has now been fixed in Krill 0.5.0, which was just released:
> https://www.nlnetlabs.nl/news/2020/Feb/25/krill.0.5.0-released/
> 
> We have worked around the issue by transforming the child request XML file in the user interface using a toggle:
> https://rpki.readthedocs.io/en/latest/krill/parent-interactions.html#arin
> 
> This ensured that Krill is compatible with both the old and new response file format. Once ARIN conforms to RFC 8183, this toggle will be removed in a future version. We have also fixed two blocking issues with APNIC, ensuring Krill now works with every RIR implementation.
> 
> Looking forward to your feedback on this release.
> 
> Cheers,
> 
> Alex
> 
>> On 13 Feb 2020, at 09:48, Alex Band <alex at nlnetlabs.nl> wrote:
>> 
>> Hi there!
>> 
>> There is also this somewhat hacky SED command to transform the Request XML into the format that ARIN accepts, in case you’d like to use something other than the XSL:
>> 
>> https://sed.js.org/?gist=3f08fb293c8825855bb26f2865161575
>> 
>> –– Looping in John Curran
>> 
>> John, I appreciate ARIN has accepted RFC 8183 compatibility as an ACSP suggestion:
>> 
>> https://www.arin.net/participate/community/acsp/suggestions/2020-3/
>> 
>> Looking at the XML though, the changes needed to make this work are one tag, a URL and a version number. Could this please be tracked as a simple bug instead of a "feature to include in our future RPKI improvements"?
>> 
>> In the meantime I have added a warning to the documentation:
>> https://rpki.readthedocs.io/en/latest/krill/manage-cas.html#step-1-get-the-request-xml-file
>> 
>> Thanks!
>> 
>> -Alex
>> 
>>> On 5 Feb 2020, at 16:48, Tim Bruijnzeels <tim at nlnetlabs.nl> wrote:
>>> 
>>> Hi,
>>> 
>>> Everyone is welcome to read that list of course, but the TL;DR is:
>>> 
>>> ARIN currently uses a pre RFC 8183 format for the identity exchange. It would be good if this were updated. New versions of rpkid as well as Krill have issues with the old format.
>>> 
>>> In the meantime this XSL provided by rpki.net can be of help:
>>> https://raw.githubusercontent.com/dragonresearch/rpki.net/master/potpourri/oob-translate.xsl
>>> 
>>> Note: if you are planning to give Krill a try we recommend that you wait for version 0.5. We expect to have this version ready in 1-2 weeks. It will include usability improvements, better monitoring and a UI.
>>> 
>>> Kind regards,
>>> 
>>> Tim
>>> 
>>> 
>>> 
>>>> On 5 Feb 2020, at 16:03, Christopher Munz-Michielin <christopher at ve7alb.ca> wrote:
>>>> 
>>>> Brilliant! Thanks for the write up Cynthia, I'll have a read through!
>>>> 
>>>> Chris
>>>> 
>>>> On 2020-02-05 1:56 a.m., Cynthia Revström wrote:
>>>>> (Re-sent as I forgot to include the ML the first time, oops)
>>>>> Hi Chris,
>>>>> 
>>>>> I recently figured it out and posted it on the NLNetLabs RPKI mailing list. https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
>>>>> I hope it helps :)
>>>>> 
>>>>> - Cynthia
>>>>> 
>>>>> On Wed, Jan 29, 2020 at 6:31 PM Christopher Munz-Michielin <christopher at ve7alb.ca> wrote:
>>>>> 
>>>>>  Hi Nanog,
>>>>> 
>>>>>  Posting here since my Google-fu is coming up short. I'm trying to set up delegated RPKI in ARIN using rpki.net's rpkid Python daemon and am running into an issue submitting the identity file to ARIN's control panel. The same file submitted to RIPE's test environment at https://localcert.ripe.net/#/rpki works without issue, while submitting to ARIN results in "Invalid Identity.xml file."
>>>>> 
>>>>>  The guide I'm following is this one: https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md and I'm able to get as far as generating the identity file.
>>>>> 
>>>>>  Wondering if anyone has gone down this road before and has any helpful hints to make this work?
>>>>> 
>>>>>  Cheers,
>>>>>  Chris
>>>>> 
>>> 
>> 



