[RPKI] Repository URLs
alex at nlnetlabs.nl
Thu Oct 28 14:03:00 UTC 2021
Let me re-order your two emails and reply in-line…
> On Thu, Oct 28, 2021 at 9:04 PM Jacquie Zhang <jac.tech0 at gmail.com> wrote:
> On page https://rpki-validator.ripe.net/ui/repositories I see 40 URLs. I'm wondering whether each URL here corresponds to a CA. The top 5 are the Root CAs, then followed by 35 child CAs.
> Is this correct?
No, each URL corresponds to an RPKI publication point. Behind each publication point there can be one or multiple CAs. In addition, each publication point *must* have an rsync URI and *may* have an HTTPS URI. If the latter is available,
Routinator will prefer to use RRDP via the HTTPS URI, but will try the rsync URI if RRDP fails. For example, if https://rrdp.rpki.nlnetlabs.nl/ is unavailable, Routinator will try to fetch from rsync://rsync.rpki.nlnetlabs.nl/ instead.
> Does this mean there are only 35 organisations in the whole world that are running Delegated Model, the rest are all running Hosted Model?
Not at all. For example, https://rrdp.rpki.nlnetlabs.nl/ hosts just one CA, but https://rpki-repo.registro.br/ hosts more than 1000 CAs.
> If a new organisation started RPKI and decided to run Delegated Model, should we expect to see a new URL appearing here?
That depends on whether they want to run their own publication server, or choose to use one that is offered as a service. NIC.br and APNIC offer RPKI publication services, ARIN will start offering this in December 2021 and other RIRs have this on their roadmap.
That means if you want to run Delegated RPKI in the RIPE region, today you will have to run your own. That might change in the future, and some will want to migrate.
> I have a list of the URLs from a few months ago and that list doesn't match today's list. Should I interpret this as that the URL list here is dynamic, some URLs appear when new organisations adopt RPKI and some URLs disappear when some organisations quit RPKI? (I can't imagine any org would quit RPKI.)
The list is absolutely dynamic. New organisations can start running Delegated RPKI with their own publication server, some may migrate from their own to one that is offered as a service, or an organisation can migrate from one hostname to another.
> Just wanted to add, what I wanted to get from understanding this is, our Routinators are behind proxy servers, our security policy requires the proxy server to explicitly whitelist each URL the Routinator will access. If this list changes often and the proxy is not keeping up with the changes, the Routinator will miss some ROA publication points. For our proxy whitelist to work we need this URL list to be static, preferably never changes.
New publication points can appear or change at any moment in any region, so using an allow list on your proxy is not going to scale.
Please keep in mind that for Route Origin Validation to work properly, you will need all of the published RPKI data in order to make reliable routing decisions. Having partial data may lead to an incorrect validation state of certain routes.
In short, please allow your relying party software to access any URI on port 443 and 873.
> Thanks for your time.
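The reply above explains that a relying party such as Routinator learns publication points from the CA certificates themselves: every CA certificate must carry an rsync repository URI and may carry an RRDP (HTTPS) URI, so the set of hosts on ports 443 and 873 can only be known after the certificates have been fetched. The following is an added example, not code from the post or from Routinator, that decodes the SubjectInformationAccess (SIA) extension of an RPKI CA certificate with a minimal DER walker and derives the publication point and the proxy endpoints it needs. The id-ad OIDs are the registered ones from RFC 6487 and RFC 8182; the sample SIA bytes are constructed here, and the repository paths under the two NLnet Labs hostnames named in the mail are made up for illustration.

```python
"""Decode an RPKI CA certificate's SIA extension into its publication point.

Added example (not from the mailing-list post or from Routinator). The DER
below is constructed inline; only the OIDs and the two hostnames are real.
"""
from typing import Dict, Iterator, Optional, Set, Tuple
from urllib.parse import urlsplit

# id-ad arc 1.3.6.1.5.5.7.48.* access methods used in RPKI SIA (RFC 6487, RFC 8182)
OID_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"   # rsync:// repository, required in CA certs
OID_RPKI_MANIFEST = "1.3.6.1.5.5.7.48.10"  # rsync:// manifest, required in CA certs
OID_RPKI_NOTIFY = "1.3.6.1.5.5.7.48.13"    # https:// RRDP notification file, optional


def der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, next_pos). Short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OID content octets into dotted form (first octet packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def iter_access_descriptions(sia_der: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (accessMethod OID, URI) from SEQUENCE OF { OID, GeneralName [6] IA5String }."""
    tag, seq, _ = der_tlv(sia_der, 0)
    assert tag == 0x30, "SIA must be a SEQUENCE"
    pos = 0
    while pos < len(seq):
        tag, ad, pos = der_tlv(seq, pos)
        assert tag == 0x30, "AccessDescription must be a SEQUENCE"
        t_oid, oid_bytes, nxt = der_tlv(ad, 0)
        t_loc, loc, _ = der_tlv(ad, nxt)
        assert t_oid == 0x06 and t_loc == 0x86, "expected OID then [6] uniformResourceIdentifier"
        yield decode_oid(oid_bytes), loc.decode("ascii")


def publication_point(sia_der: bytes) -> Dict[str, object]:
    """rsync is mandatory; RRDP is optional and tried first when present (rsync is the fallback)."""
    uris = dict(iter_access_descriptions(sia_der))
    rsync_uri = uris.get(OID_CA_REPOSITORY)
    if not rsync_uri or not rsync_uri.startswith("rsync://"):
        raise ValueError("CA certificate SIA lacks an rsync id-ad-caRepository URI")
    rrdp_uri: Optional[str] = uris.get(OID_RPKI_NOTIFY)
    if rrdp_uri is not None and not rrdp_uri.startswith("https://"):
        raise ValueError("id-ad-rpkiNotify must be an https URI")
    return {"rsync": rsync_uri, "rrdp": rrdp_uri, "manifest": uris.get(OID_RPKI_MANIFEST),
            "fetch_order": ["rrdp", "rsync"] if rrdp_uri else ["rsync"]}


def proxy_endpoints(pp: Dict[str, object]) -> Set[Tuple[str, int]]:
    """(host, port) pairs a proxy must let through for this one publication point."""
    defaults = {"https": 443, "rsync": 873}
    out: Set[Tuple[str, int]] = set()
    for uri in (pp["rrdp"], pp["rsync"]):
        if uri:
            u = urlsplit(str(uri))
            out.add((u.hostname, u.port or defaults[u.scheme]))
    return out


# --- constructed sample data (tiny DER encoder, used only to build the test input) ---
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_sia(entries) -> bytes:
    return _der(0x30, b"".join(_der(0x30, _encode_oid(o) + _der(0x86, u.encode("ascii")))
                               for o, u in entries))


# Paths are made up; hostnames are the two named in the mail.
SAMPLE_SIA = build_sia([
    (OID_CA_REPOSITORY, "rsync://rsync.rpki.nlnetlabs.nl/repo/example/"),
    (OID_RPKI_MANIFEST, "rsync://rsync.rpki.nlnetlabs.nl/repo/example/example.mft"),
    (OID_RPKI_NOTIFY, "https://rrdp.rpki.nlnetlabs.nl/notification.xml"),
])
SAMPLE_SIA_RSYNC_ONLY = build_sia([
    (OID_CA_REPOSITORY, "rsync://rsync.rpki.nlnetlabs.nl/repo/legacy/"),
    (OID_RPKI_MANIFEST, "rsync://rsync.rpki.nlnetlabs.nl/repo/legacy/legacy.mft"),
])

if __name__ == "__main__":
    for sia in (SAMPLE_SIA, SAMPLE_SIA_RSYNC_ONLY):
        pp = publication_point(sia)
        print(pp["fetch_order"], sorted(proxy_endpoints(pp)))
```

The second sample has no id-ad-rpkiNotify, so the fetch order degrades to rsync only; that is the case the mail's fallback sentence covers. Because each CA certificate below a trust anchor can point at a different publication server, the union of `proxy_endpoints` over a full validation run is only known after the run, which is the practical reason a static allow list cannot keep up.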