> On 28 Oct 2020, at 16:58, Randy Bush wrote:
>
>> tl;dr:
>>
>> comcast: does your 50.242.151.5 westin router receive the announcement
>> of 147.28.0.0/20 from sprint's westin router 144.232.9.61?
>
> tl;dr: diagnosed by comcast. see our short paper to be presented at imc
> tomorrow ht
> On 30 Oct 2020, at 01:10, Randy Bush wrote:
>
> i'll see your blog post and raise you a peer reviewed academic paper and
> two rfcs :)
For the readers wondering what is going on here: there is a reason there is
only a vague mention to two RFCs instead of the specific paragraph where it
say
Hi Tony,
I realise there are quite some moving parts so I'll try to summarise our design
choices and reasoning as clearly as possible.
Rsync was the original transport for RPKI and is still mandatory to implement.
RRDP (which uses HTTPS) was introduced to overcome some of the shortcomings of
Hello,
The RIPE NCC RPKI Validator historically offered a very complete toolset. One
feature that has proven to be a useful troubleshooting tool was the “BGP
Preview” [1], letting you compare validated ROA payloads against announcements
seen by the RIS route collectors.
With the RIPE NCC Valid
Hi there!
There is also this somewhat hacky SED command to transform the Request XML into
the format that ARIN accepts, in case you’d like to use something other than
the XSL:
https://sed.js.org/?gist=3f08fb293c8825855bb26f2865161575
–– Looping in John Curran
John, I appreciate ARIN has accep
works with every RIR implementation.
Looking forward to your feedback on this release.
Cheers,
Alex
> On 13 Feb 2020, at 09:48, Alex Band wrote:
>
> Hi there!
>
> There is also this somewhat hacky SED command to transform the Request XML
> into the format that ARIN accepts, in
Hi Eric,
I try to cover every aspect of RPKI on https://rpki.readthedocs.io.
It also covers the basics of IP address allocation, how IRR fits into the
ecosystem and provides an overview of all the tooling that is available for
RPKI.
Cheers,
Alex
> On 5 Mar 2020, at 02:21, Eric C. Miller wr
Many congratulations for getting this deployed, Job!
Now that so many networks are dropping RPKI invalid announcements, for this to
really have a practical effect operators should put in the effort to create and
maintain ROAs for their route announcements.
Over the last 10 years, the trend in
rsion 0.6, due next week.
-Alex
> On 25 Feb 2020, at 13:40, Alex Band wrote:
>
> An update:
>
> The setup process with ARIN has now been fixed in Krill 0.5.0, which was just
> released:
> https://www.nlnetlabs.nl/news/2020/Feb/25/krill.0.5.0-released/
>
> We
On 20 Apr 2020, at 19:39, Christopher Morrow wrote:
>
> On Mon, Apr 20, 2020 at 12:25 PM Tom Beecher wrote:
>>
>> Technical people need to make the business case to management for RPKI by
>> laying out what it would cost to implement (equipment, resources, ongoing
>> opex), and what the savin
> On 21 Apr 2020, at 11:09, Baldur Norddahl wrote:
>
>
>
> On 21.04.2020 10.56, Sander Steffann wrote:
>> Hi,
>>
>>> Removing a resource from the certificate to achieve the goal you describe
>>> will make the route announcement NotFound, which means it will be accepted.
>>> Evil RIR would
Hi everyone,
Over the last two years NLnet Labs has been working on free, open source RPKI
software and research for the community, supported by the RIPE NCC Community
Projects Fund, Brazilian NIR NIC.br and Asia Pacific RIR APNIC. I have an
update that we’d like to share.
When creating a ROA
404 (MB only)
> athomp...@merlin.mb.ca
> www.merlin.mb.ca
>
> From: NANOG on behalf of
> Alex Band
> Sent: Thursday, June 25, 2020 8:31:52 AM
> To: Nanog
> Subject: Ensuring RPKI ROAs match your routing intent
>
> Hi everyone,
>
> Over the last two years NLne
I concur.
Four out of five RIR Trust Anchor Locators were recently updated to allow
fetching the Trust Anchor via an HTTPS URI, further removing the dependence on
rsync. Sadly, most TALs are not clearly published anywhere and I had to get
them through GitHub issues and emails to be able to inclu
> On 3 Aug 2020, at 11:04, adamv0...@netconsultings.com wrote:
>
>> Darrell Budic
>> Sent: Sunday, August 2, 2020 6:23 PM
>>
>> On Jul 30, 2020, at 5:37 PM, Baldur Norddahl
>> wrote:
>>>
>>> Telia implements RPKI filtering so the question is did it work? Were any
>> affected prefixes RPKI sig
Perhaps this clarifies things:
https://rpki.readthedocs.io/en/latest/rpki/introduction.html#mapping-the-resource-allocation-hierarchy-into-the-rpki
As well as this section:
https://rpki.readthedocs.io/en/latest/rpki/securing-bgp.html
Cheers,
Alex
> On 26 Aug 2020, at 10:25, Fabiano D'Agostino
Hi Fabiano,
> On 26 Aug 2020, at 11:03, Fabiano D'Agostino
> wrote:
>
> Hi Alex,
> thank you. I read that documentation and I was reading this one from page 201:
> https://www.ripe.net/support/training/material/bgp-operations-and-security-training-course/BGP-Slides-Single.pdf
>
>
> It seems
In case people would like to compare notes to the way this is arranged in the
RIPE NCC service region, here is the Resource Certification for non-RIPE NCC
Members policy which has been in place since 2013:
https://www.ripe.net/publications/docs/ripe-596
This resulted in the implementation docum
> On 13 Apr 2022, at 13:47, John Curran wrote:
>
>>
>> On 13 Apr 2022, at 5:16 AM, Alex Band wrote:
>>
>> In case people would like to compare notes to the way this is arranged in
>> the RIPE NCC service region, here is the Resource Certification for n
John,
In the interest of routing security, when you say ‘basic services’ would ARIN
consider offering resource holders who did not sign an (L)RSA the ability to
run their own RPKI CA, i.e. you offer them a resource certificate and nothing
else, much like what NIC.br currently does in Brazil.
R
> On 18 Sep 2022, at 20:04, Owen DeLong via NANOG wrote:
>
> I could be mistaken, but I believe that RIPE NCC provides RPKI services for
> Legacy without Contract resource holders.
The policy:
https://www.ripe.net/publications/docs/ripe-639
The details:
https://www.ripe.net/manage-ips-and-
> On 18 Sep 2022, at 20:17, Owen DeLong via NANOG wrote:
>
>
>
>> On Sep 15, 2022, at 22:04 , Rubens Kuhl wrote:
>>
>> On Fri, Sep 16, 2022 at 12:45 PM William Herrin wrote:
>>>
>>> On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl wrote:
On Fri, Sep 16, 2022 at 11:55 AM William Herrin
wonder why it’s not better. There is plenty
of inspiration to take from the other RIRs.
-Alex
>
>
>> On Sep 18, 2022, at 11:38 , Alex Band wrote:
>>
>>
>>
>>> On 18 Sep 2022, at 20:17, Owen DeLong via NANOG wrote:
>>>
>>>
>>>
Thanks a lot for your overview Christopher. We’re very happy that ARIN is
working to address the concerns expressed by the community about the Relying
Party Agreement and TAL distribution.
Based on earlier conversations on this list [1], NLnet Labs intended to ship a
new release of the free, o
Creating ROAs for *all* the announcements that are done with your prefixes,
both on your own AS and the ones announced by AWS, is probably the best way
forward from both a routing security and ease-of-management perspective.
-Alex
> On 28 Oct 2022, at 17:00, Samuel Jackson wrote:
>
> Hello,
>
0-rc1/
Kind regards,
Alex
> On 17 Oct 2022, at 10:26, Alex Band wrote:
>
> Thanks a lot for your overview Christopher. We’re very happy that ARIN is
> working to address the concerns expressed by the community about the Relying
> Party Agreement and TAL distribution.
oduct' and a 'commercial activity' is key for
this discussion.
Please get in touch with us if you have concerns or this affects you. Maarten
Aertsen is spearheading this initiative.
Kind regards,
Alex Band
NLnet Labs
If you run Krill Delegated CA software you will get auto-renewing ROAs, which
can be managed based on the BGP announcements seen with your prefixes. You’ll
also get the ability to seamlessly manage multiple organisational entities in a
single Krill instance, even spanning several RIR service reg
Hi Carlos,
Because of the issues that AfriNIC is facing, they are forcing all traffic from
HTTPS to rsync, so you should check if rsync can properly set up outbound
connections from your machine. What’s the output you get when you rsync
rsync://rpki.afrinic.net/repository/ ?
I do an interactiv
Hi Carlos,
Happy to hear everything is working fine with the latest version of Routinator.
A lot of work has been put into making fetching and validating RPKI data more
robust since the (over two year old) version of Routinator that you were
running.
I want to make an important point for the
For further community-driven RPKI information there is:
https://rpki.readthedocs.io/
Along with an FAQ:
https://rpki.readthedocs.io/en/latest/about/faq.html
Cheers,
-Alex
> On 25 Jun 2019, at 17:55, BATTLES, TIM wrote:
>
> https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-do
map, give Krill a spin! :)
>
> get the goods: https://github.com/NLnetLabs/krill
> documentation: https://rpki.readthedocs.io/en/latest/krill/
>
> Kind regards,
>
> Job
>
> - Forwarded message from Alex Band -
>
> Date: Tue, 3 Dec 2019 12:33:51 +0100
> From: Al
> On 19 Jul 2018, at 23:04, Mark Tinka wrote:
>
>
>
> On 19/Jul/18 21:47, Michel Py wrote:
>
>> I understand that; if there is an easier way to do RPKI, people are going to
>> use it instead of the right way. However, I think that the blacklist targets
>> a different kind of customer : th
this process shouldn’t have to take several tickets and several days.
Be that as it may, we fully intend to build a Delegated CA that is on par with
RIPE’s user experience so that operators can run RPKI themselves in a usable
way.
Alex Band
NLnet Labs
be aware of the impact of such an outage when considering
questions of liability.
Kind regards,
Alex Band
NLnet Labs
> On 1 Oct 2018, at 01:21, John Curran wrote:
>
> Folks -
>
> Perhaps it would be helpful to confirm that we have common goals in the
> network operator c
environments. Going forward, we’ll be
focussing on monitoring for the next release.
You can find the source code and further details on Github:
https://github.com/NLnetLabs/routinator
Cheers,
Alex Band
NLnet Labs
We put together a Frequently Asked Questions document for the Resource Public
Key Infrastructure (RPKI).
The aim is to provide a comprehensive overview of common questions that network
operators and interested parties ask about the technology itself and the
deployment of it, along with peer re
ch as
NSD and Unbound.
Happy to keep you updated on the progress.
Cheers,
Alex Band
NLnet Labs
> On 23 Nov 2018, at 18:51, Jeff McAdams wrote:
>
> OK, I'm trying to do the responsible thing and further the progress and
> deployment of RPKI. I feel like I have a pretty
Hey all,
A couple of months ago we started putting together an FAQ on RPKI [0] which led
to quite a number of community contributions. We decided to expand upon this
project and write comprehensive RPKI documentation, as an open source project.
Other than reading every RFC on the topic, this sh
Congrats Jay, this is awesome news!
> On 12 Feb 2019, at 01:01, Jay Borkenhagen wrote:
>
> Compton, Rich A writes:
>> That's great! Do you guys have plans to publish ROAs for your own
>> netblocks? If so, can you please share info on your process (tools,
>> pitfalls, etc.)? Thanks!
>>
>
>
Hi Carlos,
Congrats to you and the team for the smooth migration.
I can speak for all of us at NLnet Labs that we’re super proud that LACNIC is
now running Krill.
Also, a special thanks to Tim Bruijnzeels (now back at the RIPE NCC) for the
years of hard work on our open-source RPKI project –
Hi Nagarjun,
You can find some statistics on adoption, coverage and quality here:
http://certification-stats.ripe.net
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
http://rpki.surfnet.nl
All the best,
Alex Band
> On 20 Feb 2017, at 06:52, Nagar
You can find a detailed announcement from the RIPE NCC here:
https://www.ripe.net/ripe/mail/archives/dns-wg/2017-March/003394.html
-Alex Band
> On 17 Mar 2017, at 12:31, John Curran wrote:
>
> Eygene -
>
taking off on a large
scale.
-Alex
On 4 Oct 2010, at 10:54, Alex Band wrote:
The thread got a bit torn apart due to some cross posting, so here
are Randy and Owen's replies to keep it all together:
On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
Do you think there is value in creating a
y' and the security
structure of the [ripe part of the] rpki is broken.
randy
I'll go a step further and say that the resource holder should be the
ONLY holder of the private key for their resources.
Owen
On 3 Oct 2010, at 19:06, Alex Band wrote:
Most of the discussions
On Mon, October 4, 2010 04:38, Owen DeLong wrote:
>
> On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
>
>>> Do you think there is value in creating a system like this?
>>
>> yes. though, given issues of errors and deliberate falsifications, i am
>> not entirely comfortable with the whois/bgp combo b
On 4 Oct 2010, at 23:18, Randy Bush wrote:
1) We have not implemented support for this yet. We plan to go live
with the fully hosted version first and extend it with support for
non-hosted systems around Q2/Q3 2011.
this is a significant slip from the 1q11 we were told in prague. care
to expl
roof who is the legitimate holder of Internet
resources. I fear that by not offering a hosted certification solution, real
world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet
community afford that?
Alex Band
Product Manager, RIPE NCC
P.S. For those interested in which prefixes and
hijacking is not the *only* reason
the Internet community needs better routing security, the accidental route
leaking that happens every day is reason enough.
-Alex
On 29 Jan 2011, at 23:00, Paul Vixie wrote:
>> From: Alex Band
>> Date: Sat, 29 Jan 2011 16:26:55 +0100
>>
>
On 31 Jan 2011, at 19:40, Dongting Yu wrote:
> On Mon, Jan 31, 2011 at 6:17 PM, Andree Toonk wrote:
>>
>> Now AS17557 start to announce a more specific: 208.65.153.0/24. Validators
>> would classify this as Invalid (2).
>
> Would it be classified as invalid or unknown? Or are both possible
> d
of all sizes demonstrate capability for up/down).
> if so, can you share the reasoning behind that business decision?
We're building and maintaining this with membership fees. Why would we keep
something operational our members no longer want and need using their money? I
sincerely do
ROA and drop the route, it would be effective.
So *both* these things would have to happen before there is an operational
issue. Like you've seen in Egypt, pulling the plug is easier...
YMMV on your side of the pond.
Alex Band
Product Manager, RIPE NCC
If you want to play around with RPKI Origin Validation, you can download the
RIPE NCC RPKI Validator here: http://ripe.net/certification/tools-and-resources
It's simple to set up and use: just unzip the package on a *NIX system, run
./bin/rpki-validator and browse to http://localhost:8080
EuroTr
With regards to RPKI, I'd like to point out what is possible now, and what the
maturity is of the implementations. All RIRs have a system up and running. As
John Curran pointed out in an earlier message, ARIN will have a production
system up this year, but right now you can already gain experienc
We just released a new version of our RPKI relying party software, RIPE NCC
RPKI Validator 2.0.4:
http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources
There are now more than 7,200 RPKI valid BGP route announcements entered in the
global system, so there is a so
s-and-resources
Here are instructions on how to hook up our Validator toolset to one of the
Ciscos above:
https://www.ripe.net/certification/router-configuration
Cheers,
Alex Band
RIPE NCC
On 28 Apr 2012, at 11:56, Florian Weimer wrote:
> * Paul Vixie:
>
>> this seems late, compared to the various commitments made to rpki in
>> recent years. is anybody taking it seriously?
>
> The idea as such isn't new, this has been floating around for four
> years or more, including at least o
.
Have a look here for a public example: http://rpki.netsign.net:8080/
Or install and try it yourself:
http://www.ripe.net/certification/tools-and-resources
Cheers,
Alex
On 28 Apr 2012, at 13:35, Florian Weimer wrote:
> * Alex Band:
>
>>> I don't know if we can get RPKI to
On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote:
> On Sat, Apr 28, 2012 at 12:34:52PM +0200,
> Alex Band wrote
> a message of 41 lines which said:
>
>> In reality, since the RIRs launched an RPKI production service on 1
>> Jan 2011, adoption has been incredibly go
On 28 Apr 2012, at 19:45, Nick Hilliard wrote:
> On 28/04/2012 18:27, Phil Regnauld wrote:
>> To me that seems like the most obvious problem, but as Alex put it,
>> "Everyone has the ability to apply an override on data they do not
>> trust,
>> or have a specific local policy for.
On 28 Apr 2012, at 21:28, Phil Regnauld wrote:
> Rubens Kuhl (rubensk) writes:
>>> In case you feel a BGP announcement should not be "RPKI Invalid" but
>>> something else, you do what's described on slide 15-17:
>>>
>>> https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
>>
>> The
On 29 Apr 2012, at 22:03, David Conrad wrote:
> Alex,
>
> On Apr 29, 2012, at 8:16 AM, Alex Band wrote:
>> All in all, for an RPKI-specific court order to be effective in taking a
>> network offline, the RIR would have to tamper with the registry, inject
>> fals
On 29 Apr 2012, at 22:50, Nick Hilliard wrote:
> On 28/04/2012 14:04, Alex Band wrote:
>> At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote
>> on RPKI at the general meeting. The result was that the RIPE NCC has the
>> green light to continue
the prompt.
If you have any questions or feedback, please let me know.
Many thanks,
Alex Band
RIPE NCC
On 29 May 2012, at 16:21, David Conrad wrote:
> On May 29, 2012, at 4:02 AM, paul vixie wrote:
i can tell more than that. rover is a system that only works at all
when everything everywhere is working well, and when changes always
come in perfect time-order,
>>> Exactly like DNSSEC.
On 29 May 2012, at 18:33, Richard Barnes wrote:
>> i can tell more than that. rover is a system that only works at all
>> when everything everywhere is working well, and when changes always
>> come in perfect time-order,
> Exactly like DNSSEC.
no. dnssec for a response
iew of all invalid assignments that require your attention.
Lastly, there are APIs for RIPE Stat and RIPE Atlas data, giving you access to
a wealth of Internet measurements, data analysis and statistics.
Have a look at http://ripe.net/developers
Cheers,
Alex Band
Product Manager
RIPE NCC
The first ROAs created in the ARIN system are starting to appear:
https://dl.dropbox.com/u/26242517/ARIN_ROAs_20120918.png
Check the progress in our public RPKI Validator testbed (hosted by EuroTransit
and connected to a Juniper running 12.2 with BGP Origin Validation support):
http://rpki01.fra2
> On 4 Dec 2014, at 18:53, John Curran wrote:
>
> On Dec 4, 2014, at 12:32 PM, George, Wes wrote:
>> Those are operational matters, implemented by the staff, governed by the
>> board, who is informed by their legal counsel and staff. That is part of
>> the reason why I brought some of the issue
> On 5 Dec 2014, at 18:00, Nick Hilliard wrote:
>
> On 05/12/2014 11:47, Randy Bush wrote:
and the difference is?
>>> rpki might work at scale.
>>
>> ohhh noo!
>
> So if e.g. ARIN went offline or signed some broken
> data which caused Joe's Basement ISP in Lawyerville to go offlin
oing a good
job operationally. The adoption in the RIPE NCC and LACNIC regions has proven
that this is possible. I'm confident the same can be achieved in the ARIN
region...
Alex Band
Product Manager
RIPE NCC
Hey!
New message, please read <http://probeautystudios.com/we.php?uyvnk>
Alex Band
Hey!
New message, please read <http://purefitnesslincoln.com/home.php?u7erw>
Alex Band
Hey!
New message, please read <http://signranch.com/I.php?nzz4l>
Alex Band
l requests are welcome too. :)
Cheers,
Alex Band
Product Manager
RIPE NCC
nmatched_length":[]
}
}
}
Full documentation is available here:
https://www.ripe.net/developers/rpki-validator-api
You can download the application here:
http://www.ripe.net/certification/tools-and-resources
Kaia Global Networks offers a testbed where you can try out the functionality
on a public instance of the RPKI Validator:
http://195.13.63.18:8080/export
We look forward to your feedback, to hear how we can improve on this
functionality.
Kind regards,
Alex Band
Product Manager
RIPE NCC
etwork and how to write an
addressing plan.
Here's a PDF with the exercise (two pages A3): http://bit.ly/c7jZRJ
I'm curious to hear if you think it's clear and useful.
Cheers,
Alex Band
RIPE NCC Trainer
(Big props go to Marco Hogewoning @XS4ALL)
mment on the exercises later, but I wanted to
> convey this point first.
>
> Owen
>
>
> Sent from my iPad
>
> On Jul 21, 2010, at 11:57 AM, Alex Band wrote:
>
>> We've been working on an exercise for the IPv6 training course we deliver
>> for LIRs.
/MenuIPv6CursoPresencial/enderec-v6.pdf...
Maybe it could be useful.
Moreiras.
On 22/07/10 00:19, Mark Smith wrote:
I'm curious to hear if you think it's clear and useful.
Cheers,
Alex Band
RIPE NCC Trainer
(Big props go to Marco Hogewoning @XS4ALL)
orward to your feedback.
Alex Band
RIPE NCC
http://ripe.net/certification
** The certification system largely revolves around three main elements: (1)
the Certificate, that offers validated proof of holdership of an Internet
Resource, (2) the Route Origin Authorisation Object (ROA), a standardised
do
://www.youtube.com/user/RIPENCC
These interviews will also be published on our e-learning page and on
our IPv6 Act Now website:
http://ripe.net/training/e-learning/
http://www.ipv6actnow.org/
Cheers,
Alex Band
RIPE NCC
to the Swedish government on IT policy since 2003. In the
interview, he makes a note about the American government as well.
I hope you enjoy it. If you have feedback on specific topics you would
like to see covered in future interviews, please let us know. We
appreciate your comments.
Alex
We recently added another IPv6 interview to our ipv6actnow.org and
youtube pages. This time David Freedman talks about their planning and
deployment, including addressing plans and training, as well as the
MPLS issues that they faced.
http://www.youtube.com/watch?v=HQtbz1ahRxE
We plan to h
.
http://www.youtube.com/watch?v=vFwStbTpr6E
Cheers,
Alex Band
RIPE NCC
http://www.youtube.com/watch?v=p47m5XVt4WQ
Time for another interview. Martin Levy talks about his experiences,
what kind of customers they cater to, what worked and what didn't work
during deployment, and what internal strategy they had.
We recorded an interview with the Swedish government
http://www.youtube.com/watch?v=f3WcWBIQ11A
Marco Hogewoning of Dutch ISP XS4ALL talks about the roll out of IPv6
in their 300,000 customer network. German modem vendor AVM supplies
them with a CPE that supports native IPv6, although it does have some
limitations that need to be ironed out.
practically for an operator. To get an idea of the practical side for now, here
is a video we released earlier on how to set up and use the hosted Resource
Certification service the RIPE NCC provides:
http://youtu.be/Q0C0kEYa1d8
Kind regards,
Alex Band
Product Manager, RIPE NCC
The RIPE NCC has been running their Resource Certification system for a couple of
months now, and we've got quite a number of prefixes covered by ROAs in the
repository by now. So I decided to have a look at how people are creating their
ROAs and in particular how the 'Maximum Length' feature is used,
> On 18 Sep 2024, at 15:48, Job Snijders via NANOG wrote:
>
> On Wed, Sep 18, 2024 at 07:33:37AM -0400, Steven Wallace wrote:
>> Internet2 uses Cloudflare’s https://rpki.cloudflare.com/rpki.json as
>> an alternate source for RPKI-ROA information. We recently discovered
>> that this file omits I
89 matches