[RPKI] Potential for test/dev trust anchor?

Job Snijders job at ntt.net
Mon Feb 25 02:35:30 UTC 2019


Hi Andrew,

On Sun, Feb 24, 2019 at 03:40:53PM -0700, Andrew Gray wrote:
> At the RPKI round table before NANOG 75 last week, a few people were
> commenting about the inability to test or see what potential ROA
> entries may do, especially inside other providers' networks.  This
> seems to be somewhat of a hindrance to adoption under the "well, if I
> advertise nothing, things keep working, but if I screw it up, I break
> things" issue.
> 
> I spoke with a couple other folks at that round table one-on-one, but
> I wanted to toss out an idea to a wider audience: Could a dev/testing
> trust anchor be set up by the community, and have a couple of the tier
> 1 providers provide feedback from that through one of the various
> looking glass systems?
> 
> This would allow people to use that test trust anchor to verify they
> have advertisements correct, things do what they want, etc., before
> then pulling the advertisement over to whichever RIR is appropriate
> for production work.
> 
> Thoughts?

It'll be very hard to have large transit providers run some kind of
*simulation* in their *production* networks (and looking glass). Such
networks would need to implement logic that somehow marks RPKI invalid
BGP announcements with different communities depending on the TAL, and
depending on the TAL reject or accept it.

This seems like a lot of work, if you at the same time can do this
simulation yourself. For instance the RIPE RPKI Validator has a 'BGP
preview' feature which can perhaps be used; you'd need to stand up your
own 'fake TAL', but this is where the NLNet Labs 'krill' software maybe
can be of use.

Kind regards,

Job
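The do-it-yourself simulation Job points at is essentially RFC 6811 route origin validation run against draft ROAs instead of published ones. The block below is an added example, not part of the original message nor code from the RIPE RPKI Validator or Krill; the ROAs and observed announcements are constructed sample data using documentation prefixes and private ASNs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS


def _covers(roa: Roa, net) -> bool:
    """A ROA covers a route if the route prefix lies within the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered, but no ROA matches origin AS and max_length


def preview(draft_roas, announcements):
    """Map each (prefix, origin_asn) announcement to its state under draft_roas."""
    return {ann: validate_origin(ann[0], ann[1], draft_roas) for ann in announcements}


# Constructed sample data (documentation prefixes, private ASNs).
DRAFT_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 25, 64497),
]
OBSERVED = [
    ("192.0.2.0/24", 64496),       # exact match: valid
    ("192.0.2.0/25", 64496),       # more specific than max_length: invalid
    ("192.0.2.0/24", 64500),       # wrong origin AS: invalid
    ("198.51.100.128/25", 64497),  # within max_length: valid
    ("203.0.113.0/24", 64496),     # no covering ROA: notfound
]

if __name__ == "__main__":
    for (pfx, asn), state in preview(DRAFT_ROAS, OBSERVED).items():
        print(f"{pfx} AS{asn}: {state}")
```

Running this over your own router's current announcements before publishing the ROAs surfaces exactly the "if I screw it up" cases, the ones that would flip to invalid, without involving anyone else's production network.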
