Hi Carlos,
Congrats to you and the team for the smooth migration.
I can speak for all of us at NLnet Labs that we’re super proud that LACNIC is
now running Krill.
Also, a special thanks to Tim Bruijnzeels (now back at the RIPE NCC) for the
years of hard work on our open-source RPKI project
Hi Carlos,
Happy to hear everything is working fine with the latest version of Routinator.
At lot of work has been put into making fetching and validating RPKI data more
robust since the (over two year old) version of Routinator that you were
running.
I want to make an important point for
Hi Carlos,
Because of the issues that AfriNIC is facing, they are forcing all traffic from
HTTPS to rsync, so you should check if rsync can properly set up outbound
connections from your machine. What’s the output you get when you rsync
rsync://rpki.afrinic.net/repository/ ?
I do an
If you run Krill Delegated CA software you will get auto-renewing ROAs, which
can be managed based on the BGP announcements seen with your prefixes. You’ll
also get the ability to seamlessly manage multiple organisational entities in a
single Krill instance, even spanning several RIR service
' and a 'commercial activity' is key for
this discussion.
Please get in touch with us if you have concerns or this affects you. Maarten
Aertsen is spearheading this initiative.
Kind regards,
Alex Band
NLnet Labs
/
Kind regards,
Alex
> On 17 Oct 2022, at 10:26, Alex Band wrote:
>
> Thanks a lot for your overview Christopher. We’re very happy that ARIN is
> working to address the concerns expressed by the community about the Relying
> Party Agreement and TAL distribution.
>
Creating ROAs for *all* the announcements that are done with your prefixes,
both on your own AS and the ones announced by AWS, is probably the best way
forward from both a routing security and ease-of-management perspective.
-Alex
> On 28 Oct 2022, at 17:00, Samuel Jackson wrote:
>
> Hello,
Thanks a lot for your overview Christopher. We’re very happy that ARIN is
working to address the concerns expressed by the community about the Relying
Party Agreement and TAL distribution.
Based on earlier conversations on this list [1], NLnet Labs intended to ship a
new release of the free,
wonder why it’s not better. There is plenty
of inspiration to take from the other RIRs.
-Alex
>
>
>> On Sep 18, 2022, at 11:38 , Alex Band wrote:
>>
>>
>>
>>> On 18 Sep 2022, at 20:17, Owen DeLong via NANOG wrote:
>>>
>>>
>>>
> On 18 Sep 2022, at 20:17, Owen DeLong via NANOG wrote:
>
>
>
>> On Sep 15, 2022, at 22:04 , Rubens Kuhl wrote:
>>
>> On Fri, Sep 16, 2022 at 12:45 PM William Herrin wrote:
>>>
>>> On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl wrote:
On Fri, Sep 16, 2022 at 11:55 AM William Herrin
> On 18 Sep 2022, at 20:04, Owen DeLong via NANOG wrote:
>
> I could be mistaken, but I believe that RIPE NCC provides RPKI services for
> Legacy without Contract resource holders.
The policy:
https://www.ripe.net/publications/docs/ripe-639
The details:
John,
In the interest of routing security, when you say ‘basic services’ would ARIN
consider offering resource holders who did not sign an (L)RSA the ability to
run their own RPKI CA, i.e. you offer them a resource certificate and nothing
else, much like what NIC.br currently does in Brazil.
> On 13 Apr 2022, at 13:47, John Curran wrote:
>
>>
>> On 13 Apr 2022, at 5:16 AM, Alex Band wrote:
>>
>> In case people would like to compare notes to the way this is arranged in
>> the RIPE NCC service region, here is the Resource Certification for n
In case people would like to compare notes to the way this is arranged in the
RIPE NCC service region, here is the Resource Certification for non-RIPE NCC
Members policy which has been in place since 2013:
https://www.ripe.net/publications/docs/ripe-596
This resulted in the implementation
Hello,
The RIPE NCC RPKI Validator historically offered a very complete toolset. One
feature that has proven to be a useful troubleshooting tool was the “BGP
Preview” [1], letting you compare validated ROA payloads against announcements
seen by the RIS route collectors.
With the RIPE NCC
Hi Tony,
I realise there are quite some moving parts so I'll try to summarise our design
choices and reasoning as clearly as possible.
Rsync was the original transport for RPKI and is still mandatory to implement.
RRDP (which uses HTTPS) was introduced to overcome some of the shortcomings of
> On 30 Oct 2020, at 01:10, Randy Bush wrote:
>
> i'll see your blog post and raise you a peer reviewed academic paper and
> two rfcs :)
For the readers wondering what is going on here: there is a reason there is
only a vague mention to two RFCs instead of the specific paragraph where it
> On 28 Oct 2020, at 16:58, Randy Bush wrote:
>
>> tl;dr:
>>
>> comcast: does your 50.242.151.5 westin router receive the announcement
>> of 147.28.0.0/20 from sprint's westin router 144.232.9.61?
>
> tl;dr: diagnosed by comcast. see our short paper to be presented at imc
> tomorrow
Hi Fabiano,
> On 26 Aug 2020, at 11:03, Fabiano D'Agostino
> wrote:
>
> Hi Alex,
> thank you. I read that documentation and I was reading this one from page 201:
> https://www.ripe.net/support/training/material/bgp-operations-and-security-training-course/BGP-Slides-Single.pdf
>
>
> It
Perhaps this clarifies things:
https://rpki.readthedocs.io/en/latest/rpki/introduction.html#mapping-the-resource-allocation-hierarchy-into-the-rpki
As well as this section:
https://rpki.readthedocs.io/en/latest/rpki/securing-bgp.html
Cheers,
Alex
> On 26 Aug 2020, at 10:25, Fabiano
> On 3 Aug 2020, at 11:04, adamv0...@netconsultings.com wrote:
>
>> Darrell Budic
>> Sent: Sunday, August 2, 2020 6:23 PM
>>
>> On Jul 30, 2020, at 5:37 PM, Baldur Norddahl
>> wrote:
>>>
>>> Telia implements RPKI filtering so the question is did it work? Were any
>> affected prefixes RPKI
I concur.
Four out of five RIR Trust Anchor Locators were recently updated to allow
fetching the Trust Anchor via an HTTPS URI, further removing the dependence on
rsync. Sadly, most TALs are not clearly published anywhere and I had to get
them though GitHub issues and emails to be able to
MB only)
> athomp...@merlin.mb.ca
> www.merlin.mb.ca
>
> From: NANOG on behalf of
> Alex Band
> Sent: Thursday, June 25, 2020 8:31:52 AM
> To: Nanog
> Subject: Ensuring RPKI ROAs match your routing intent
>
> Hi everyone,
>
> Over the last two years NLnet Lab
Hi everyone,
Over the last two years NLnet Labs has been working on free, open source RPKI
software and research for the community, supported by the RIPE NCC Community
Projects Fund, Brazilian NIR NIC.br and Asia Pacific RIR APNIC. I have an
update that we’d like to share.
When creating a ROA
> On 21 Apr 2020, at 11:09, Baldur Norddahl wrote:
>
>
>
> On 21.04.2020 10.56, Sander Steffann wrote:
>> Hi,
>>
>>> Removing a resource from the certificate to achieve the goal you describe
>>> will make the route announcement NotFound, which means it will be accepted.
>>> Evil RIR would
On 20 Apr 2020, at 19:39, Christopher Morrow wrote:
>
> On Mon, Apr 20, 2020 at 12:25 PM Tom Beecher wrote:
>>
>> Technical people need to make the business case to management for RKPI by
>> laying out what it would cost to implement (equipment, resources, ongoing
>> opex), and what the
rsion 0.6, due next week.
-Alex
> On 25 Feb 2020, at 13:40, Alex Band wrote:
>
> An update:
>
> The setup process with ARIN has now been fixed in Krill 0.5.0, which was just
> released:
> https://www.nlnetlabs.nl/news/2020/Feb/25/krill.0.5.0-released/
>
>
Many congratulations for getting this deployed, Job!
Now that so many networks are dropping RPKI invalid announcements, for this to
really have a practical effect operators should put in the effort to create and
maintain ROAs for their route announcements.
Over the last 10 years, the trend in
Hi Eric,
I try to cover every aspect of RPKI on https://rpki.readthedocs.io.
It also covers the basics of IP address allocation, how IRR fits into the
ecosystem and provides an overview of all the tooling that is available for
RPKI.
Cheers,
Alex
> On 5 Mar 2020, at 02:21, Eric C. Miller
works with every RIR implementation.
Looking forward to your feedback on this release.
Cheers,
Alex
> On 13 Feb 2020, at 09:48, Alex Band wrote:
>
> Hi there!
>
> There is also this somewhat hacky SED command to transform the Request XML
> into the format that ARIN accepts,
Hi there!
There is also this somewhat hacky SED command to transform the Request XML into
the format that ARIN accepts, in case you’d like to use something other than
the XSL:
https://sed.js.org/?gist=3f08fb293c8825855bb26f2865161575
–– Looping in John Curran
John, I appreciate ARIN has
tps://github.com/NLnetLabs/krill
> documentation: https://rpki.readthedocs.io/en/latest/krill/
>
> Kind regards,
>
> Job
>
> - Forwarded message from Alex Band -
>
> Date: Tue, 3 Dec 2019 12:33:51 +0100
> From: Alex Band
> To: r...@nlnetlabs.nl
> Subject:
For further community-driven RPKI information there is:
https://rpki.readthedocs.io/
Along with an FAQ:
https://rpki.readthedocs.io/en/latest/about/faq.html
Cheers,
-Alex
> On 25 Jun 2019, at 17:55, BATTLES, TIM wrote:
>
>
Congrats Jay, this is awesome news!
> On 12 Feb 2019, at 01:01, Jay Borkenhagen wrote:
>
> Compton, Rich A writes:
>> That's great! Do you guys have plans to publish ROAs for your own
>> netblocks? If so, can you please share info on your process (tools,
>> pitfalls, etc.)? Thanks!
>>
>
Hey all,
A couple on months ago we started putting together an FAQ on RPKI [0] which led
to quite a number of community contributions. We decided to expand upon this
project and write comprehensive RPKI documentation, as an open source project.
Other than reading every RFC on the topic, this
, such as
NSD and Unbound.
Happy to keep you updated on the progress.
Cheers,
Alex Band
NLnet Labs
> On 23 Nov 2018, at 18:51, Jeff McAdams wrote:
>
> OK, I'm trying to do the responsible thing and further the progress and
> deployment of RPKI. I feel like I have a pretty good hand
We put together a Frequently Asked Questions document for the Resource Public
Key Infrastructure (RPKI).
The aim is to provide a comprehensive overview of common questions that network
operators and interested parties ask about the technology itself and the
deployment of it, along with peer
of environments. Going forward, we’ll be
focussing on monitoring for the next release.
You can find the source code and further details on Github:
https://github.com/NLnetLabs/routinator
Cheers,
Alex Band
NLnet Labs
to be aware of the impact of such an outage when considering
questions of liability.
Kind regards,
Alex Band
NLnet Labs
> On 1 Oct 2018, at 01:21, John Curran wrote:
>
> Folks -
>
> Perhaps it would be helpful to confirm that we have common goals in the
> network operator c
take several tickets and several days.
Be that as it may, we fully intend to build a Delegated CA that is on par with
RIPE’s user experience so that operators can run RPKI themselves in a usable
way.
Alex Band
NLnet Labs
> On 19 Jul 2018, at 23:04, Mark Tinka wrote:
>
>
>
> On 19/Jul/18 21:47, Michel Py wrote:
>
>> I understand that; if there is an easier way to do RPKI, people are going to
>> use it instead of the right way. However, I think that the blacklist targets
>> a different kind of customer :
You can find a detailed announcement from the RIPE NCC here:
https://www.ripe.net/ripe/mail/archives/dns-wg/2017-March/003394.html
<https://www.ripe.net/ripe/mail/archives/dns-wg/2017-March/003394.html>
-Alex Band
> On 17 Mar 2017, at 12:31, John Curran <jcur...@istaff.org> wro
Hi Nagarjun,
You can find some statistics on adoption, coverage and quality here:
http://certification-stats.ripe.net
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
http://rpki.surfnet.nl
All the best,
Alex Band
> On 20 Feb 2017, at 06:52, Nagar
Hey!
New message, please read <http://purefitnesslincoln.com/home.php?u7erw>
Alex Band
Hey!
New message, please read <http://signranch.com/I.php?nzz4l>
Alex Band
Hey!
New message, please read <http://probeautystudios.com/we.php?uyvnk>
Alex Band
are welcome too. :)
Cheers,
Alex Band
Product Manager
RIPE NCC
confident the same can be achieved in the ARIN
region...
Alex Band
Product Manager
RIPE NCC
On 5 Dec 2014, at 18:00, Nick Hilliard n...@foobar.org wrote:
On 05/12/2014 11:47, Randy Bush wrote:
and the difference is?
rpki might work at scale.
ohhh noo!
So if e.g. ARIN went offline or signed some broken
data which caused Joe's Basement ISP in Lawyerville to go offline
On 4 Dec 2014, at 18:53, John Curran jcur...@arin.net wrote:
On Dec 4, 2014, at 12:32 PM, George, Wes wesley.geo...@twcable.com wrote:
Those are operational matters, implemented by the staff, governed by the
board, who is informed by their legal council and staff. That is part of
the
the functionality
on a public instance of the RPKI Validator:
http://195.13.63.18:8080/export
We look forward to your feedback, to hear how we can improve on this
functionality.
Kind regards,
Alex Band
Product Manager
RIPE NCC
The first ROAs created in the ARIN system are starting to appear:
https://dl.dropbox.com/u/26242517/ARIN_ROAs_20120918.png
Check the progress in our public RPKI Validator testbed (hosted by EuroTransit
and connected to a Juniper running 12.2 with BGP Origin Validation support):
invalid assignments that require your attention.
Lastly, there are APIs for RIPE Stat and RIPE Atlas data, giving you access to
a wealth of Internet measurements, data analysis and statistics.
Have a look at http://ripe.net/developers
Cheers,
Alex Band
Product Manager
RIPE NCC
On 29 May 2012, at 16:21, David Conrad wrote:
On May 29, 2012, at 4:02 AM, paul vixie wrote:
i can tell more than that. rover is a system that only works at all
when everything everywhere is working well, and when changes always
come in perfect time-order,
Exactly like DNSSEC.
no. dnssec
On 29 May 2012, at 18:33, Richard Barnes wrote:
i can tell more than that. rover is a system that only works at all
when everything everywhere is working well, and when changes always
come in perfect time-order,
Exactly like DNSSEC.
no. dnssec for a response only needs that response's
.
If you have any questions or feedback, please let me know.
Many thanks,
Alex Band
RIPE NCC
On 29 Apr 2012, at 22:50, Nick Hilliard wrote:
On 28/04/2012 14:04, Alex Band wrote:
At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote
on RPKI at the general meeting. The result was that the RIPE NCC has the
green light to continue offering the Resource Certification
On 28 Apr 2012, at 21:28, Phil Regnauld wrote:
Rubens Kuhl (rubensk) writes:
In case you feel a BGP announcement should not be RPKI Invalid but
something else, you do what's described on slide 15-17:
https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
The same currently
On 29 Apr 2012, at 22:03, David Conrad wrote:
Alex,
On Apr 29, 2012, at 8:16 AM, Alex Band wrote:
All in all, for an RPKI-specific court order to be effective in taking a
network offline, the RIR would have to tamper with the registry, inject
false data and try to make sure it's
On 28 Apr 2012, at 11:56, Florian Weimer wrote:
* Paul Vixie:
this seems late, compared to the various commitments made to rpki in
recent years. is anybody taking it seriously?
The idea as such isn't new, this has been floating around for four
years or more, including at least one
for a public example: http://rpki.netsign.net:8080/
Or install and try it yourself:
http://www.ripe.net/certification/tools-and-resources
Cheers,
Alex
On 28 Apr 2012, at 13:35, Florian Weimer wrote:
* Alex Band:
I don't know if we can get RPKI to deployment because RIPE and RIPE
NCC have
On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote:
On Sat, Apr 28, 2012 at 12:34:52PM +0200,
Alex Band al...@ripe.net wrote
a message of 41 lines which said:
In reality, since the RIRs launched an RPKI production service on 1
Jan 2011, adoption has been incredibly good (for example
On 28 Apr 2012, at 19:45, Nick Hilliard wrote:
On 28/04/2012 18:27, Phil Regnauld wrote:
To me that seems like the most obvious problem, but as Alex put it,
Everyone has the ability to apply an override on data they do not
trust,
or have a specific local policy for.
So
-and-resources
Here are instructions on how to hook up our Validator toolset to one of the
Ciscos above:
https://www.ripe.net/certification/router-configuration
Cheers,
Alex Band
RIPE NCC
--
This message has been scanned by Kaspersky Anti-Virus.
For more information about data security please visit
http
We just released a new version of our RPKI relying party software, RIPE NCC
RPKI Validator 2.0.4:
http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources
There are now more than 7,200 RPKI valid BGP route announcements entered in the
global system, so there is a
With regards to RPKI, I'd like to point out what is possible now, and what the
maturity is of the implementations. All RIRs have a system up an running. As
John Curran pointed out in an earlier message, ARIN will have a production
system up this year, but right now you can already gain
If you want to play around with RPKI Origin Validation, you can download the
RIPE NCC RPKI Validator here: http://ripe.net/certification/tools-and-resources
It's simple to set up and use: just unzip the package on a *NIX system, run
./bin/rpki-validator and browse to http://localhost:8080
The RIPE NCC is running their Resource Certification system for a couple of
months now, and we've got quite a number of prefixes covered by ROAs in the
repository by now. So I decided to have a look at how people are creating their
ROAs and in particular how the 'Maximum Length' feature is
practically for an operator. To get an idea of the practical side for now, here
is a video we released earlier on how to set up and use the hosted Resource
Certification service the RIPE NCC provides:
http://youtu.be/Q0C0kEYa1d8
Kind regards,
Alex Band
Product Manager, RIPE NCC
there is an operational
issue. Like you've seen in Egypt, pulling the plug is easier...
YMMV on your side of the pond.
Alex Band
Product Manager, RIPE NCC
smime.p7s
Description: S/MIME cryptographic signature
On 31 Jan 2011, at 19:40, Dongting Yu wrote:
On Mon, Jan 31, 2011 at 6:17 PM, Andree Toonk andree+na...@toonk.nl wrote:
Now AS17557 start to announce a more specific: 208.65.153.0/24. Validators
would classify this as Invalid (2).
Would it be classified as invalid or unknown? Or are both
the reasoning behind that business decision?
We're building and maintaining this with membership fees. Why would we keep
something operational our members no longer want and need using their money? I
sincerely doubt we'll ever get to that point soon, but we'll see.
-Alex Band
smime.p7s
the Internet community needs better routing security, the accidental route
leaking that happens every day is reason enough.
-Alex
On 29 Jan 2011, at 23:00, Paul Vixie wrote:
From: Alex Band al...@ripe.net
Date: Sat, 29 Jan 2011 16:26:55 +0100
... So the question is, if the RIPE NCC would have
is the legitimate holder of Internet
resources. I fear that by not offering a hosted certification solution, real
world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet
community afford that?
Alex Band
Product Manager, RIPE NCC
P.S. For those interested in which prefixes and ASs
On 4 Oct 2010, at 23:18, Randy Bush wrote:
1) We have not implemented support for this yet. We plan to go live
with the fully hosted version first and extend it with support for
non-hosted systems around Q2/Q3 2011.
this is a significant slip from the 1q11 we were told in prague. care
to
On 4 Oct 2010, at 10:54, Alex Band wrote:
The thread got a bit torn apart due to some cross posting, so here
are Randy and Owen's replies to keep it all together:
On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
Do you think there is value in creating a system like this?
yes. though, given issues
' and the security
structure of the [ripe part of the] rpki is a broken.
randy
I'll go a step further and say that the resource holder should be the
ONLY holder of the private key for their resources.
Owen
On 3 Oct 2010, at 19:06, Alex Band wrote:
Most of the discussions around RPKI Resource
On Mon, October 4, 2010 04:38, Owen DeLong wrote:
On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
Do you think there is value in creating a system like this?
yes. though, given issues of errors and deliberate falsifications, i am
not entirely comfortable with the whois/bgp combo being
sure the
data in the IRR and the Certification system is consistent.
8: Save and publish ROAs and route objects
Do you think there is value in creating a system like this? Are there any
glaring holes that I missed, or something that could be added? I'm looking
forward to your feedback.
Alex
/MenuIPv6CursoPresencial/enderec-v6.pdf...
Maybe it could be useful.
Moreiras.
Em 22/07/10 00:19, Mark Smith escreveu:
I'm curious to hear if you think it's clear and useful.
Cheers,
Alex Band
RIPE NCC Trainer
(Big props go to Marco Hogewoning @XS4ALL)
and how to write an
addressing plan.
Here's a PDF with the exercise (two pages A3): http://bit.ly/c7jZRJ
I'm curious to hear if you think it's clear and useful.
Cheers,
Alex Band
RIPE NCC Trainer
(Big props go to Marco Hogewoning @XS4ALL)
this point first.
Owen
Sent from my iPad
On Jul 21, 2010, at 11:57 AM, Alex Band al...@ripe.net wrote:
We've been working on an exercise for the IPv6 training course we deliver
for LIRs. It's aimed at people who are unfamiliar with IPv6, so the goal is
to get them to the point
http://www.youtube.com/watch?v=f3WcWBIQ11A
Marco Hogewoning of Dutch ISP XS4ALL talks about the roll out of IPv6
in their 300,000 customer network. German modem vendor AVM supplies
them with a CPE that supports native IPv6, although it does have some
limitations that need to be ironed out.
http://www.youtube.com/watch?v=p47m5XVt4WQ
Time for another interview. Martin Levy talks about his experiences,
what kind of customers they cater to, what worked and what didn't work
during deployment, and what internal strategy they had.
We recorded an interview with the Swedish
.
http://www.youtube.com/watch?v=vFwStbTpr6E
Cheers,
Alex Band
RIPE NCC
We recently added another IPv6 interview to our ipv6actnow.org and
youtube pages. This time David Freedman talks about their planning and
deployment, including addressing plans and training, as well as the
MPLS issues that they faced.
http://www.youtube.com/watch?v=HQtbz1ahRxE
We plan to
to the Swedish government on IT policy since 2003. In the
interview, he makes a note about the American government as well.
I hope you enjoy it. If you have feedback on specific topics you would
like to see covered in future interviews, please let us know. We
appreciate your comments.
Alex
://www.youtube.com/user/RIPENCC
These interviews will also be published on our e-learning page and on
our IPv6 Act Now website:
http://ripe.net/training/e-learning/
http://www.ipv6actnow.org/
Cheers,
Alex Band
RIPE NCC
88 matches
Mail list logo
