[RPKI] Potential for test/dev trust anchor?

[Job Snijders]

On Sun, Feb 24, 2019 at 07:48:29PM -0700, Andrew Gray wrote:
> On 2/24/2019 7:35 PM, Job Snijders wrote:
> > On Sun, Feb 24, 2019 at 03:40:53PM -0700, Andrew Gray wrote:
> > > At the RPKI round table before NANOG 75 last week, a few people
> > > were commenting about the inability to test or see what potential
> > > ROA entries may do, especially inside other providers networks.
> > > This seems to be somewhat of a hindrance to adoption under the
> > > "well, if I advertise nothing, things keep working, but if I screw
> > > it up, I break things" issue.
> > > 
> > > I spoke with a couple other folks at that round table one-on-one,
> > > but I wanted to toss out an idea to a wider audience: Could a
> > > dev/testing trust anchor be set up by the community, and have a
> > > couple of the tier 1 providers provide feedback from that through
> > > one of the various looking glass systems?
> > > 
> > > This would allow people to use that test trust anchor to verify
> > > they have advertisements correct, things do what they want, etc.,
> > > before then pulling the advertisement over to whichever RIR is
> > > appropriate for production work.
> > > 
> > > Thoughts?
> > 
> > It'll be very hard to have large transit providers run some kind of
> > *simulation* in their *production* networks (and looking glass).
> > Such networks would need to implement logic that somehow marks RPKI
> > invalid BGP announcements with different communities depending on
> > the TAL, and depending on the TAL reject or accept it.
> 
> I wasn't thinking this would be part of the production networks.  More
> like a side service that is offered, with a on-the-side box doing
> prefix validations against a different set of TALs with a simple web
> front end (ala the existing looking glasses).

Ah, that is more feasable, but probably won't finalize in a uniform
approach across multiple transit providers / ixp route servers. At the
moment of writing all looking glasses are one-offs with no industry
standard.

> > This seems like a lot of work, if you at the same time can do this
> > simulation yourself. For instance the RIPE RPKI Validator has a 'BGP
> > preview' feature which can perhaps be used, you'd need to stand up
> > your own 'fake TAL' but this is where the NLNet Labs 'krill'
> > software maybe can be of use.
> 
> True, but I'm unsure of the availability of such a tool from the other
> RIRs.  More to the point, this doesn't really provide the "what will
> Level3/NTT/WeBeInternetPeeringAndMore do with my announcement" that it
> seemed like people were looking for - that final reassurance that this
> ROA won't drop their company/ISP/what-have-you off the face of the
> Internet.

Not entirely sure, but I'd like to note that the RIPE NCC RPKI Validator
works for RPKI TALs from all RIRs. It is not "RIPE specific" software.
RIPE's validator software uses the RIS dataset (many networks, like NTT
feed into that).

Kind regards,

Job