Message: 1
Date: Tue, 27 Feb 2018 10:14:57 +0545
From: George Michaelson <[email protected]>
To: [email protected]
Subject: [SANOG] Removing the four stale TAL from the APNIC RPKI
validation set.
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Updating RPKI trust anchor configuration
-------------------------------------------------------
APNIC has completed the process of transitioning from its previous Resource
Public Key Infrastructure (RPKI) trust anchor arrangement to a new single trust
anchor configuration. Each RIR will publish an 'all resources' global trust
anchor, under which its own regional resources (IP addresses and ASNs) will be
certified. APNIC's trust anchor is one of the previous five, which has been
retained as the sole trust anchor over all APNIC resource certificate products.
If you are using relying-party software, such as the Dragon Research Labs RPKI
Toolkit, RPSTIR or the RIPE NCC's RPKI Validator, you are advised to update
your software's configuration to use only the current APNIC trust anchor,
rather than the set of five APNIC trust anchors that were previously in use.
The update is to remove four of the five: One has been retained as the current
live Trust Anchor. Note: this update is not critical. However, if it is not
done, the software will log or report warnings about being unable to retrieve
the trust anchors that are no longer being used. All resources now validate
under the single active trust anchor and no orphan products are valid under the
other prior trust anchors.
The current APNIC TAL is as follows:
------
rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
------
Configuring Relying Party Software
-----------------------------------------------
RIPE NCC RPKI Validator: If you upgrade to RIPE validator
rpki-validator-app-2.24 the correct Trust Anchor is configured. No further
work is required.
Dragon Research Labs Rcynic Validator: If you run rcynic, you need to remove
all the TAL, TA or CER entries in rcynic.conf except ones which point to
apnic-rpki-root-iana-origin.cer or the related TAL. If you use the
trusted-certs/ directory, simply remove the four files which are named for the
non-APNIC RIR as follows:
cd /etc/trust-anchors # or wherever you place the TAL files
rm apnic-rpki-root-ripe-origin.tal
rm apnic-rpki-root-arin-origin.tal
rm apnic-rpki-root-lacnic-origin.tal
rm apnic-rpki-root-afrinic-origin.tal
RPSTIR: To modify an installed RPSTIR system, locate the /usr/local/etc/rpstir
directory and remove all but the current live APNIC TAL.
More information is in the attached PDF describing how to update the trust
anchor configuration in these three popular relying-party software systems.
Attachment: update-tal.pdf (application/pdf, 38687 bytes):
<https://lists.sanog.org/pipermail/sanog/attachments/20180227/2925d7c7/attachment.pdf>
-George
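The cleanup described in the message above, as an added example that is not part of the original post or of any of the validators it names: a POSIX sh helper that audits a trust-anchors directory for the four retired APNIC TAL files, reports (or, with --remove, deletes) them, and checks that the remaining TAL references the rsync URI given in the notice. The directory layout, the fixture-building function and the dummy base64 keys are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not APNIC's code): audit a relying-party TAL directory
# for the four retired APNIC TALs and confirm the surviving TAL still
# points at the current trust anchor URI quoted in the notice.
# The "--remove" mode deletes the stale files; the default only reports.

CURRENT_URI='rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer'
CURRENT_TAL='apnic-rpki-root-iana-origin.tal'
STALE_TALS='apnic-rpki-root-ripe-origin.tal apnic-rpki-root-arin-origin.tal
apnic-rpki-root-lacnic-origin.tal apnic-rpki-root-afrinic-origin.tal'

# audit_tals DIR [--remove]  -> exit status 0 when the directory is clean
audit_tals() {
    dir=$1; mode=${2:-report}; rc=0
    for t in $STALE_TALS; do
        [ -f "$dir/$t" ] || continue
        if [ "$mode" = "--remove" ]; then
            rm -f "$dir/$t" && echo "removed stale TAL: $t"
        else
            echo "stale TAL still present: $t"; rc=1
        fi
    done
    if [ ! -f "$dir/$CURRENT_TAL" ]; then
        echo "current APNIC TAL missing: $dir/$CURRENT_TAL"; rc=1
    # A TAL (RFC 7730) lists its rsync URI(s) before a blank line and the
    # base64 key; the live TAL must name the iana-origin certificate.
    elif ! grep -qxF "$CURRENT_URI" "$dir/$CURRENT_TAL"; then
        echo "current TAL does not reference $CURRENT_URI"; rc=1
    fi
    return $rc
}

# make_sample_dir DIR: constructed fixture mimicking a pre-transition
# trust-anchors directory (dummy base64 keys, not the real ones).
make_sample_dir() {
    mkdir -p "$1"
    printf '%s\n\nAAAA\n' "$CURRENT_URI" > "$1/$CURRENT_TAL"
    for t in $STALE_TALS; do
        printf 'rsync://rpki.apnic.net/repository/%s\n\nBBBB\n' \
            "${t%.tal}.cer" > "$1/$t"
    done
}

demo_dir=$(mktemp -d)
make_sample_dir "$demo_dir"
audit_tals "$demo_dir" || echo "report mode: stale TALs found (expected)"
audit_tals "$demo_dir" --remove && echo "after cleanup: directory is clean"
rm -rf "$demo_dir"
```

Point audit_tals at the real directory (for rcynic, the trusted-certs/ or /etc/trust-anchors path from the notice) and run it without --remove first to see what would be deleted.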