Hi Alex, Chriztoffer, Ben,

Thanks so much for your replies. They are very clear. I have a much better understanding now.

I noticed all the URLs have either "rrdp" or "rpki" string in them. Is there a naming convention on how the URL name is composed? If my proxy supports filtering on wildcards, something like *rrdp* or *rpki*, that might be a compromise between security requirements and routing requirements.

Thanks again,
Jacquie

On Fri, Oct 29, 2021 at 1:03 AM Alex Band <[email protected]> wrote:
> Hi Jacqui,
>
> Let me re-order your two emails and reply in-line...
>
> > On Thu, Oct 28, 2021 at 9:04 PM Jacquie Zhang <[email protected]> wrote:
> > Hi,
> >
> > On page https://rpki-validator.ripe.net/ui/repositories I see 40 URLs. I'm wondering whether each URL here is corresponding to a CA. The top 5 are the Root CAs then followed by 35 child CAs.
> >
> > Is this correct?
>
> No, each URL corresponds to an RPKI publication point. Behind each publication point can be one, or multiple CAs. In addition, each publication point *must* have an rsync URI and *may* have an HTTP URI. If the latter is available, Routinator will prefer to use RRDP via the HTTPS URI if it is available, but will try the rsync URI if RRDP fails. For example, if https://rrdp.rpki.nlnetlabs.nl/ is unavailable, Routinator will try to fetch from rsync://rsync.rpki.nlnetlabs.nl/ instead.
>
> > Does this mean there are only 35 organisations in the whole world that are running Delegated Model, the rest are all running Hosted Model?
>
> Not at all. For example, https://rrdp.rpki.nlnetlabs.nl/ hosts just one CA, but https://rpki-repo.registro.br/ hosts more than 1000 CAs.
>
> > If a new organisation started RPKI and decided to run Delegated Model, should we expect to see a new URL appearing here?
>
> That depends on whether they want to run their own publication server, or choose to use one that is offered as a service. NIC.br and APNIC offer RPKI publication services, ARIN will start offering this in December 2021 and other RIRs have this on their roadmap.
>
> That means if you want to run Delegated RPKI in the RIPE region, today you will have to run your own. That might change in the future, and some will want to migrate.
>
> > I have a list of the URLs from a few months ago and that list doesn't match today's list. Should I interpret this as that the URL list here is dynamic, some URLs appear when new organisations adopt RPKI and some URLs disappear when some organisations quit RPKI? (I can't imagine any org would quit RPKI.)
>
> The list is absolutely dynamic. New organisations can start running Delegated RPKI with their own publication server, some may migrate from their own to one that is offered as a service, or an organisation can migrate from one hostname to another.
>
> <snip>
>
> > Just wanted to add, what I wanted to get from understanding this is, our Routinators are behind proxy servers, our security policy requires the proxy server to explicitly whitelist each URL the Routinator will access. If this list changes often and the proxy is not keeping up with the changes, the Routinator will miss some ROA publication points. For our proxy whitelist to work we need this URL list to be static, preferably never changes.
>
> New publication points can appear or change at any moment in any region, so using an allow list on your proxy is not going to scale.
>
> Please keep in mind that for Route Origin Validation to work properly, you will need all of the published RPKI data in order to make reliable routing decisions. Having partial data may lead to an incorrect validation state of certain routes.
>
> In short, please allow your relying party software to access any URI on port 443 and 873.
>
> https://routinator.docs.nlnetlabs.nl/en/stable/installation.html#system-requirements
>
> > Thanks for your time.
>
> Cheers!
>
> -Alex
>
> > Jacquie
-- RPKI mailing list [email protected] https://lists.nlnetlabs.nl/mailman/listinfo/rpki
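The two proxy policies discussed in this thread, a hostname wildcard such as *rrdp* or *rpki* versus allowing any URI on ports 443 and 873, can be checked against a list of publication points together with the RRDP-first, rsync-fallback fetch order Alex describes. The Python model below is an added example, not Routinator's code; the nlnetlabs.nl hosts come from the thread, while every path, the example.net hosts and the non-standard port are constructed assumptions.

```python
# Added example, not Routinator's code. The nlnetlabs.nl hosts are from the
# thread; every path, port and example.net host below is constructed.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "rsync": 873}

@dataclass(frozen=True)
class PublicationPoint:
    rsync_uri: str                  # every publication point must have one
    rrdp_uri: Optional[str] = None  # optional HTTPS (RRDP) notification URI

def fetch_order(pp: PublicationPoint) -> List[str]:
    """RRDP URI first when present, rsync URI as the fallback."""
    return ([pp.rrdp_uri] if pp.rrdp_uri else []) + [pp.rsync_uri]

def effective_port(uri: str) -> Optional[int]:
    """Explicit port if given, else the scheme default (None if unknown)."""
    return urlsplit(uri).port or DEFAULT_PORTS.get(urlsplit(uri).scheme)

def port_policy(uri: str, ports=(443, 873)) -> bool:
    """Policy recommended in the thread: any https/rsync URI on 443 or 873."""
    return urlsplit(uri).scheme in DEFAULT_PORTS and effective_port(uri) in ports

def substring_policy(uri: str, patterns=("rrdp", "rpki")) -> bool:
    """Hostname wildcard policy (*rrdp* / *rpki*) as asked about in the thread."""
    host = urlsplit(uri).hostname or ""
    return any(p in host for p in patterns)

def select_uri(pp: PublicationPoint, policy) -> Optional[str]:
    """First URI in fetch order the proxy lets through; None = point is lost."""
    return next((u for u in fetch_order(pp) if policy(u)), None)

def unreachable(points: List[PublicationPoint], policy) -> List[str]:
    """rsync URIs of publication points a policy would cut off entirely."""
    return [pp.rsync_uri for pp in points if select_uri(pp, policy) is None]

# Constructed sample list; a cut-off point means partial RPKI data.
SAMPLE = [
    PublicationPoint("rsync://rsync.rpki.nlnetlabs.nl/repo/",
                     "https://rrdp.rpki.nlnetlabs.nl/notification.xml"),
    PublicationPoint("rsync://repo.example.net/repo/",
                     "https://repo.example.net/notification.xml"),
    PublicationPoint("rsync://repo.example.net:8873/repo/"),
]

if __name__ == "__main__":
    for name, policy in (("port", port_policy), ("substring", substring_policy)):
        print(name, "policy cuts off:", unreachable(SAMPLE, policy))
```

Running it lists, for each policy, the publication points whose every URI the proxy would block; any non-empty list is the partial-data situation the thread warns about.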
