[RPKI] Potential for test/dev trust anchor?

Andrew Gray agray at blargh.com
Mon Feb 25 02:48:29 UTC 2019



On 2/24/2019 7:35 PM, Job Snijders wrote:
> Hi Andrew,
> 
> On Sun, Feb 24, 2019 at 03:40:53PM -0700, Andrew Gray wrote:
>> At the RPKI round table before NANOG 75 last week, a few people were
>> commenting about the inability to test or see what potential ROA
>> entries may do, especially inside other providers networks.  This
>> seems to be somewhat of a hindrance to adoption under the "well, if I
>> advertise nothing, things keep working, but if I screw it up, I break
>> things" issue.
>>
>> I spoke with a couple other folks at that round table one-on-one, but
>> I wanted to toss out an idea to a wider audience: Could a dev/testing
>> trust anchor be set up by the community, and have a couple of the tier
>> 1 providers provide feedback from that through one of the various
>> looking glass systems?
>>
>> This would allow people to use that test trust anchor to verify they
>> have advertisements correct, things do what they want, etc., before
>> then pulling the advertisement over to whichever RIR is appropriate
>> for production work.
>>
>> Thoughts?
> 
> It'll be very hard to have large transit providers run some kind of
> *simulation* in their *production* networks (and looking glass). Such
> networks would need to implement logic that somehow marks RPKI invalid
> BGP announcements with different communities depending on the TAL, and
> depending on the TAL reject or accept it.

I wasn't thinking this would be part of the production networks.  More 
like a side service that is offered, with an on-the-side box doing prefix 
validations against a different set of TALs with a simple web front end 
(à la the existing looking glasses).

> This seems like a lot of work, if you at the same time can do this
> simulation yourself. For instance the RIPE RPKI Validator has a 'BGP
> preview' feature which can perhaps be used, you'd need to stand up your
> own 'fake TAL' but this is where the NLNet Labs 'krill' software maybe
> can be of use.

True, but I'm unsure of the availability of such a tool from the other 
RIRs.  More to the point, this doesn't really provide the "what will 
Level3/NTT/WeBeInternetPeeringAndMore do with my announcement" that it 
seemed like people were looking for - that final reassurance that this 
ROA won't drop their company/ISP/what-have-you off the face of the 
Internet.

Thanks,
Andrew
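As an added illustration, not code from this thread or from any RIR or validator project, here is a small Python dry-run of the "side box" idea above: RFC 6811 route origin validation of a constructed set of BGP announcements against a constructed ROA set standing in for a hypothetical test trust anchor. All prefixes (documentation ranges), AS numbers and ROAs are made up; a real service would load ROAs fetched from the test TAL's repository instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Roa:
    prefix: str                       # covered prefix, e.g. "192.0.2.0/24"
    asn: int                          # authorised origin AS
    max_length: Optional[int] = None  # longest announced length allowed; None = prefix length


def _covers(roa, net):
    roa_net = ipaddress.ip_network(roa.prefix)
    # subnet_of() raises on mixed address families, so check the version first
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate_origin(announced_prefix, origin_asn, roas):
    """RFC 6811 origin validation for one announcement: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "not-found"  # no ROA covers the prefix: RPKI says nothing about it
    for r in covering:
        max_len = r.max_length if r.max_length is not None else ipaddress.ip_network(r.prefix).prefixlen
        if r.asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered, but no ROA matches both the origin AS and the length


def preview(announcements, roas):
    """Dry-run every (prefix, origin_asn) pair; also list what an 'invalid == reject' policy drops."""
    results = [(p, a, validate_origin(p, a, roas)) for p, a in announcements]
    dropped = [(p, a) for p, a, s in results if s == "invalid"]
    return results, dropped


# Constructed ROA set standing in for a test trust anchor (hypothetical data).
TEST_ROAS = [
    Roa("192.0.2.0/24", 64496, 24),        # only the exact /24 is authorised
    Roa("198.51.100.0/24", 64496, 26),     # de-aggregation down to /26 allowed
    Roa("203.0.113.128/25", 64499),        # no maxLength: defaults to /25
    Roa("2001:db8::/32", 64496, 48),
]

# Constructed announcements to check before publishing anything at a real RIR.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),        # second one exceeds maxLength
    ("198.51.100.0/25", 64496), ("198.51.100.0/24", 64497),  # second one has the wrong origin
    ("203.0.113.128/25", 64499), ("203.0.113.0/24", 64499),  # second one is not covered at all
    ("2001:db8:1::/48", 64496), ("2001:db8::/32", 64500),
]

if __name__ == "__main__":
    results, dropped = preview(ANNOUNCEMENTS, TEST_ROAS)
    for p, a, s in results:
        print(f"{p:<20} AS{a:<6} {s}")
    print("rejected under an invalid==reject policy:", dropped)
```

Announcements reported as "invalid" are the ones a validator-enforcing network would drop; "not-found" ones are simply left alone.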