Re: RPKI TAs

2020-08-12 Thread Amreesh Phokeer
Hi all,

We've also simplified our webpage:
https://afrinic.net/rpki/tal

And the URL to the TAL:
https://rpki.afrinic.net/tal/afrinic.tal

Cheers,
Amreesh Phokeer
AFRINIC


On Thu, Aug 6, 2020 at 4:59 PM Randy Bush  wrote:

> > https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
>
> looks great visually.  stuffed in a dragon validator, just for qa.
>
> thanks!
>
> randy
>


Re: RPKI TAs

2020-08-12 Thread Randy Bush
> We've also simplified our webpage:
> https://afrinic.net/rpki/tal
> 
> And the URL to the TAL:
> https://rpki.afrinic.net/tal/afrinic.tal

thanks!  wfm

randy


Re: RPKI TAs

2020-08-06 Thread Randy Bush
> https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)

looks great visually.  stuffed in a dragon validator, just for qa.

thanks!

randy


Re: RPKI TAs

2020-08-06 Thread Nathalie Trenaman
Hi Randy, all,

We’ve updated our page:
https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure

It now shows the correct TALs:
https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
https://tal.rpki.ripe.net/ripe-ncc-rfc8630.tal
https://tal.rpki.ripe.net/ripe-ncc-validator-3.tal (RIPE NCC RPKI Validator 3 format)

I hope this helps. 

Best regards,
Nathalie Trenaman
RIPE NCC


> Op 2 aug. 2020, om 20:52 heeft Randy Bush  het volgende 
> geschreven:
> 
> so i was trying to ensure i had a current set of TALs and was directed to
> 
>
> https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure
> 
> the supposed TAL at the bottom of the page is pretty creative.  anyone
> know what to do there?
> 
> i kinda hacked with emacs and get
> 
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
> 
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
> 
> but kinda expected an rrdp uri too
> 
> and, to add insult to injury, the APNIC web page with their TAL
> 
> https://www.apnic.net/community/security/resource-certification/
> 
> requires javascript!
> 
> not to mention the ARIN stupidity
> 
> as if we needed another exercise in bureaucrats making operations
> painful.  most operations of any size have internal departments
> perfectly capable of doing that.
> 
> randy



Re: RPKI TAs

2020-08-03 Thread Randy Bush
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation

uh, i want a trustable download of trust anchors.  and it ain't from
vendors.

but yes, arin's legal dos it typical arin.  but, if i ignore the bumph,
i can connect to their web site dnssec, tls, ... and get a viable TAL
which meets RFC specs.  that seems to me more than one can say for some
other RIRs.

randy


Re: RPKI TAs

2020-08-03 Thread Matt Corallo
While I certainly agree with you, I have a certainly-naive question - what the difference is between ARIN and RIPE's T:

Aug  3 19:07:15 rpki-validator rpki-client[16164]: The RIPE NCC Certification Repository is subject to Terms and Conditions
Aug  3 19:07:15 rpki-validator rpki-client[16164]: See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

As far as I understand, to use RIPE's RPKI repo I have to similarly agree with RIPE's legal contract as well, though they are somewhat less aggressive about making sure I check a box before using it.

Matt

On 8/3/20 10:54 AM, Job Snijders wrote:
> On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
>> On Sun, 2 Aug 2020 18:52:11 +
>> Randy Bush  wrote:
>>
>>> not to mention the ARIN stupidity
>>
>> Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
>>
>> As documented here:
>>
>>   
>>
>> One can wget, curl, or whatever this:
>>
>>   
> 
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation, all
> without requiring lawyers well-versed in both your native language AND
> in the American legal system.
> 
> I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
> kludges. Here is a video (10 min) where I show how you can bootstrap a
> system from 0 to 100 without relying party agreements:
> https://www.youtube.com/watch?v=oBwAQep7Q7o
> 
> The highlight of the video is when I access ARIN's website over HTTPS,
> after having resolved their webserver's IP address with a DNSSEC
> validating recursor... to discover I need to get a lawyer to download a
> .tal file which exists to protect *ARIN* members. Shouldn't ARIN members
> demand that the process is as frictionless as possible? (both the new
> and old RPA are the opposite of frictionless).
> 
> ARIN members (the RPKI users) depend on network operators both inside
> and outside the ARIN region to honor their ROAs. The internet is global.
> The ARIN ROA's will not be honored if the ARIN .tal file is missing. The
> ARIN .tal file is missing because it cannot be included in open source
> software without making things very awkward.
> 
> It is an insane situation. ARIN resource holders using ARIN's RPKI TA
> are measurably *less* protected than their RIPE, APNIC, LACNIC and
> AFRINIC counterparts.
> 
> Get this:
> 
> When you transfer your IP space away from ARIN, to *ANY* other RIR,
> you'll derive *MORE* benefits from your RPKI ROA signing efforts. You
> don't even need to renumber out of your space to improve your routing
> security posture!
> 
> I believe ARIN's policy to institute a significant legal barrier to RPKI
> infrastructure negatively impacts ARIN's own members.
> 
> Imagine having to sign a contract with DigiCert to obtain the public key
> to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would
> be bad for business.
> 
> Kind regards,
> 
> Job
> 


Re: RPKI TAs

2020-08-03 Thread Owen DeLong



> On Aug 3, 2020, at 07:54 , Job Snijders  wrote:
> 
> On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
>> On Sun, 2 Aug 2020 18:52:11 +
>> Randy Bush  wrote:
>> 
>>> not to mention the ARIN stupidity
>> 
>> Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
>> 
>> As documented here:
>> 
>>  
>> 
>> One can wget, curl, or whatever this:
>> 
>>  
> 
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation, all
> without requiring lawyers well-versed in both your native language AND
> in the American legal system.

I was able to download it just now without any authentication, lawyers, contracts, or anything else… What more is it you are asking for?

> I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
> kludges. Here is a video (10 min) where I show how you can bootstrap a
> system from 0 to 100 without relying party agreements:
> https://www.youtube.com/watch?v=oBwAQep7Q7o

I just obtained the ARIN TAL without ever signing an RPA. What am I missing?

All I did was follow the URL John provided.

Owen



Re: RPKI TAs

2020-08-03 Thread Randy Bush
>   why is it so hard that all RIRs make their TAL files available under 
> the same URL path but different hosts, e.g., https://ripe.net/rpki/tal, 
> https://arin.net/rpki/tal ?

no, you are supposed to get TRUST material from alex's secret stash.
sigh.

it should be a dnssec lookup of ripe.net, tls secured lookup, find a TAL
as defined in the RFCs, and fetch it via tls.

randy


Re: RPKI TAs

2020-08-03 Thread Job Snijders
On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
> On Sun, 2 Aug 2020 18:52:11 +
> Randy Bush  wrote:
> 
> > not to mention the ARIN stupidity
> 
> Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
> 
> As documented here:
> 
>   
> 
> One can wget, curl, or whatever this:
> 
>   

I dunno, 'straightforward' to me would mean the ARIN TA is installed by
default when you install a RPKI Cache Validator implementation, all
without requiring lawyers well-versed in both your native language AND
in the American legal system.

I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
kludges. Here is a video (10 min) where I show how you can bootstrap a
system from 0 to 100 without relying party agreements:
https://www.youtube.com/watch?v=oBwAQep7Q7o

The highlight of the video is when I access ARIN's website over HTTPS,
after having resolved their webserver's IP address with a DNSSEC
validating recursor... to discover I need to get a lawyer to download a
.tal file which exists to protect *ARIN* members. Shouldn't ARIN members
demand that the process is as frictionless as possible? (both the new
and old RPA are the opposite of frictionless).

ARIN members (the RPKI users) depend on network operators both inside
and outside the ARIN region to honor their ROAs. The internet is global.
The ARIN ROA's will not be honored if the ARIN .tal file is missing. The
ARIN .tal file is missing because it cannot be included in open source
software without making things very awkward.

It is an insane situation. ARIN resource holders using ARIN's RPKI TA
are measurably *less* protected than their RIPE, APNIC, LACNIC and
AFRINIC counterparts.

Get this:

When you transfer your IP space away from ARIN, to *ANY* other RIR,
you'll derive *MORE* benefits from your RPKI ROA signing efforts. You
don't even need to renumber out of your space to improve your routing
security posture!

I believe ARIN's policy to institute a significant legal barrier to RPKI
infrastructure negatively impacts ARIN's own members.

Imagine having to sign a contract with DigiCert to obtain the public key
to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would
be bad for business.

Kind regards,

Job


Re: RPKI TAs

2020-08-03 Thread John Kristoff
On Sun, 2 Aug 2020 18:52:11 +
Randy Bush  wrote:

> not to mention the ARIN stupidity

Notwithstanding the RPA, downloading ARIN's TAL is straightforward:

As documented here:

  

One can wget, curl, or whatever this:

  

John


Re: RPKI TAs

2020-08-03 Thread Matthias Waehlisch


On Mon, 3 Aug 2020, Alex Band wrote:

> These are what we believe to be the correct, up-to-date RPKI TALs:
> 
> https://github.com/NLnetLabs/routinator/tree/master/tals
> 


  why is it so hard that all RIRs make their TAL files available under 
the same URL path but different hosts, e.g., https://ripe.net/rpki/tal, 
https://arin.net/rpki/tal ?



  obviously, a single TAL would be better but this needs even more 
rhetoric ...


cheers
  matthias

-- 
Matthias Waehlisch
.  Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl


Re: RPKI TAs

2020-08-03 Thread Alex Band
I concur.

Four out of five RIR Trust Anchor Locators were recently updated to allow fetching the Trust Anchor via an HTTPS URI, further removing the dependence on rsync. Sadly, most TALs are not clearly published anywhere and I had to get them though GitHub issues and emails to be able to include them in the latest Routinator release.

These are what we believe to be the correct, up-to-date RPKI TALs:

https://github.com/NLnetLabs/routinator/tree/master/tals

You can find more discussion about this topic here:

https://github.com/NICMx/FORT-validator/issues/34
https://github.com/RIPE-NCC/rpki-validator-3/pull/215

RPA grief aside, ARIN seems to be the only RIR that publishes the latest version of their TAL clearly and correctly:

https://www.arin.net/resources/manage/rpki/tal/

-Alex


> On 2 Aug 2020, at 20:52, Randy Bush  wrote:
> 
> so i was trying to ensure i had a current set of TALs and was directed to
> 
>
> https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure
> 
> the supposed TAL at the bottom of the page is pretty creative.  anyone
> know what to do there?
> 
> i kinda hacked with emacs and get
> 
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
> 
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
> 
> but kinda expected an rrdp uri too
> 
> and, to add insult to injury, the APNIC web page with their TAL
> 
> https://www.apnic.net/community/security/resource-certification/
> 
> requires javascript!
> 
> not to mention the ARIN stupidity
> 
> as if we needed another exercise in bureaucrats making operations
> painful.  most operations of any size have internal departments
> perfectly capable of doing that.
> 
> randy



Re: RPKI TAs

2020-08-02 Thread Randy Bush
> i kinda hacked with emacs and get
> 
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
> 
> 
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

btw this is not correct/useful anyway.  it probably should be more like

rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer


MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
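The layout Randy proposes above is the RFC 8630 TAL structure: optional "#" comment lines, one or more rsync:// or https:// URIs of the self-signed TA certificate, one blank line, then the Base64 DER subjectPublicKeyInfo of the TA key. The parser and sanity checker below is an added example for this thread, not code from any RIR or validator project. It runs offline on two constructed TALs built around the RIPE NCC key quoted above: one laid out correctly (with a hypothetical https:// URI alongside Randy's rsync URI) and one reproducing the fused "...ta.cerpublic.key.info" line the web page produced. The ".cer" suffix check is a heuristic, not an RFC rule; the RSA-2048/65537 requirement comes from RFC 7935.

```python
"""Minimal RFC 8630 Trust Anchor Locator (TAL) parser and sanity checker.

Added example for this thread; not code from any RIR or validator project.
"""
import base64
from urllib.parse import urlparse

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# The RIPE NCC trust anchor public key, copied verbatim from the thread.
RIPE_NCC_TA_SPKI_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOz"
    "eW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvo"
    "H/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImz"
    "uCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQT"
    "cVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMf"
    "kpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2"
    "L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB"
)

# Constructed inputs: GOOD_TAL uses the rsync URI from the thread plus a
# hypothetical https:// URI; BROKEN_TAL reproduces the web page's fused line.
GOOD_TAL = (
    "# RIPE NCC trust anchor (constructed example)\n"
    "rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer\n"
    "https://rpki.ripe.net/ta/ripe-ncc-ta.cer\n"
    "\n" + RIPE_NCC_TA_SPKI_B64 + "\n"
)
BROKEN_TAL = (
    "rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info\n"
    "\n" + RIPE_NCC_TA_SPKI_B64 + "\n"
)


def _der_tlv(buf, off=0):
    """Read one DER tag/length/value at buf[off]; return (tag, value, end)."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:  # long-form length: low bits give the byte count
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    end = off + hdr + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[off + hdr:end], end


def parse_spki(spki):
    """Validate a DER SubjectPublicKeyInfo holding an RSA key; return (bits, e)."""
    tag, body, end = _der_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI is not exactly one DER SEQUENCE")
    tag, alg, off = _der_tlv(body)
    oid_tag, oid, _ = _der_tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der_tlv(body, off)
    if tag != 0x03 or bits[0] != 0:  # BIT STRING with zero unused bits
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    tag, rsa, _ = _der_tlv(bits[1:])
    ntag, n, off = _der_tlv(rsa)
    etag, e, _ = _der_tlv(rsa, off)
    if tag != 0x30 or ntag != 0x02 or etag != 0x02:
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER, INTEGER }")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def parse_tal(text):
    """Split a TAL into (comments, uris, spki_bytes); ValueError on bad layout."""
    lines = text.replace("\r\n", "\n").rstrip("\n").split("\n")
    comments, uris, i = [], [], 0
    while i < len(lines) and lines[i].startswith("#"):
        comments.append(lines[i][1:].strip())
        i += 1
    while i < len(lines) and lines[i].strip():
        uris.append(lines[i].strip())
        i += 1
    if not uris:
        raise ValueError("no URI section")
    key_b64 = "".join(line.strip() for line in lines[i + 1:])
    if not key_b64:
        raise ValueError("no blank line followed by a Base64 key section")
    try:
        spki = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key section is not valid Base64: {exc}") from None
    return comments, uris, spki


def check_tal(text):
    """Return a list of problems; an empty list means the TAL looks sound."""
    try:
        _, uris, spki = parse_tal(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for uri in uris:
        u = urlparse(uri)
        if u.scheme not in ("rsync", "https") or not u.netloc:
            problems.append(f"{uri!r}: RFC 8630 allows only rsync:// or https://")
        elif not u.path.endswith(".cer"):
            # Heuristic only: TA certificates are published as .cer objects
            # (RFC 6481), so anything else smells like a copy-and-paste error.
            problems.append(f"{uri!r} does not point at a .cer object")
    try:
        bits, e = parse_spki(spki)
    except (ValueError, IndexError) as exc:
        return problems + [f"bad subjectPublicKeyInfo: {exc}"]
    if bits != 2048 or e != 65537:
        problems.append(f"key is RSA-{bits}/e={e}; RFC 7935 requires 2048/65537")
    return problems


if __name__ == "__main__":
    for name, tal in (("good", GOOD_TAL), ("broken", BROKEN_TAL)):
        print(name, check_tal(tal) or "OK")
```

Run as a script it reports the good TAL as OK and flags the fused URI in the broken one; pointing `check_tal` at a downloaded .tal file is the check worth doing before dropping a new trust anchor into a validator's TAL directory, since a validator given a malformed TAL simply has no trust anchor and silently marks everything under it as "not found".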


RPKI TAs

2020-08-02 Thread Randy Bush
so i was trying to ensure i had a current set of TALs and was directed to


https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure

the supposed TAL at the bottom of the page is pretty creative.  anyone
know what to do there?

i kinda hacked with emacs and get

rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info


MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

but kinda expected an rrdp uri too

and, to add insult to injury, the APNIC web page with their TAL

https://www.apnic.net/community/security/resource-certification/

requires javascript!

not to mention the ARIN stupidity

as if we needed another exercise in bureaucrats making operations
painful.  most operations of any size have internal departments
perfectly capable of doing that.

randy