[RPKI] Repository URLs
jac.tech0 at gmail.com
Thu Oct 28 20:19:17 UTC 2021
Hi Alex, Chriztoffer, Ben,
Thanks so much for your replies. They are very clear. I have a much better
I noticed all the URLs have either an "rrdp" or "rpki" string in them. Is
there a naming convention on how the URL name is composed? If my proxy
supports filtering on wildcards, something like *rrdp* or *rpki*, that
might be a compromise between security requirements and routing
On Fri, Oct 29, 2021 at 1:03 AM Alex Band <alex at nlnetlabs.nl> wrote:
> Hi Jacqui,
> Let me re-order your two emails and reply in-line…
> > On Thu, Oct 28, 2021 at 9:04 PM Jacquie Zhang <jac.tech0 at gmail.com>
> > Hi,
> > On page https://rpki-validator.ripe.net/ui/repositories I see 40 URLs.
> > I'm wondering whether each URL here corresponds to a CA. The top 5 are
> > the Root CAs, then followed by 35 child CAs.
> > Is this correct?
> No, each URL corresponds to an RPKI publication point. Behind each
> publication point there can be one or multiple CAs. In addition, each
> publication point *must* have an rsync URI and *may* have an HTTPS URI.
> If the latter is available, Routinator will prefer to use RRDP via the
> HTTPS URI, but will try the rsync URI if RRDP fails. For example, if
> https://rrdp.rpki.nlnetlabs.nl/ is unavailable, Routinator will try to
> fetch from rsync://rsync.rpki.nlnetlabs.nl/ instead.
> > Does this mean there are only 35 organisations in the whole world that
> > are running Delegated Model, the rest are all running Hosted Model?
> Not at all. For example, https://rrdp.rpki.nlnetlabs.nl/ hosts just one
> CA, but https://rpki-repo.registro.br/ hosts more than 1000 CAs.
> > If a new organisation started RPKI and decided to run Delegated Model,
> > should we expect to see a new URL appearing here?
> That depends if they want to run their own publication server, or choose
> to use one that is offered as a service. NIC.br and APNIC offer RPKI
> publication services, ARIN will start offering this in December 2021 and
> other RIRs have this on their roadmap.
> That means if you want to run Delegated RPKI in the RIPE region, today you
> will have to run your own. That might change in the future, and some will
> want to migrate.
> > I have a list of the URLs from a few months ago and that list doesn't
> > match today's list. Should I interpret this as that the URL list here is
> > dynamic, some URLs appear when new organisations adopt RPKI and some URLs
> > disappear when some organisations quit RPKI? (I can't imagine any org would
> > quit RPKI.)
> The list is absolutely dynamic. New organisations can start running
> Delegated RPKI with their own publication server, some may migrate from
> their own to one that is offered as a service, or an organisation can
> migrate from one hostname to another.
> > Just wanted to add, what I wanted to get from understanding this is, our
> > Routinators are behind proxy servers, our security policy requires the
> > proxy server to explicitly whitelist each URL the Routinator will access.
> > If this list changes often and the proxy is not keeping up with the
> > changes, the Routinator will miss some ROA publication points. For our
> > proxy whitelist to work we need this URL list to be static, preferably
> > never changes.
> New publication points can appear or change at any moment in any region,
> so using an allow list on your proxy is not going to scale.
> Please keep in mind that for Route Origin Validation to work properly, you
> will need all of the published RPKI data in order to make reliable routing
> decisions. Having partial data may lead to an incorrect validation state of
> certain routes.
> In short, please allow your relying party software to access any URI on
> ports 443 and 873.
> > Thanks for your time.
> > Jacquie
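The transport selection Alex describes above (RRDP over HTTPS preferred, rsync on port 873 as fallback, a publication point vanishing from the validator's view when the proxy blocks both) and the wildcard allow list Jacquie proposes, modelled as an added example. This is illustration code written for this thread, not Routinator's code. The two NLnet Labs URIs are the ones quoted in the reply; every other host, the `*rrdp*`/`*rpki*` globs and the notification paths are constructed for the example.

```python
"""Model of how a relying party picks a transport per RPKI publication
point, and of what a proxy egress allow list does to that choice.

Example code for this thread, not Routinator's. Hosts other than the
two NLnet Labs URIs quoted in the thread are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "rsync": 873}


@dataclass(frozen=True)
class PublicationPoint:
    """An rsync URI is mandatory; an RRDP (HTTPS) notification URI is optional."""
    rsync_uri: str
    rrdp_uri: Optional[str] = None

    def __post_init__(self):
        if urlsplit(self.rsync_uri).scheme != "rsync":
            raise ValueError(f"rsync URI must use rsync://: {self.rsync_uri}")
        if self.rrdp_uri is not None and urlsplit(self.rrdp_uri).scheme != "https":
            raise ValueError(f"RRDP URI must use https://: {self.rrdp_uri}")


def host_and_port(uri: str) -> tuple[str, int]:
    """Return (hostname, port) for an https:// or rsync:// URI, applying the
    scheme's default port (443 / 873) when the URI carries none."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URI: {uri}")
    return parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme]


@dataclass(frozen=True)
class ProxyPolicy:
    """Egress policy: shell-style host globs ('*' allows any host) plus the
    set of destination ports the proxy will connect to."""
    host_globs: tuple[str, ...]
    ports: frozenset[int]

    def permits(self, uri: str) -> bool:
        host, port = host_and_port(uri)
        return port in self.ports and any(fnmatch(host, g) for g in self.host_globs)


def select_transport(pp: PublicationPoint, policy: ProxyPolicy) -> Optional[str]:
    """Mimic the RP's preference: RRDP over HTTPS first, rsync as fallback.
    Returns the URI that would be fetched, or None when the proxy blocks
    both, in which case every object under this publication point is
    missing and routes it covers cannot be validated."""
    if pp.rrdp_uri and policy.permits(pp.rrdp_uri):
        return pp.rrdp_uri
    if policy.permits(pp.rsync_uri):
        return pp.rsync_uri
    return None


def coverage(points, policy: ProxyPolicy) -> dict[str, Optional[str]]:
    """Map each publication point (keyed by its mandatory rsync URI) to the
    transport URI the RP would use, or None when unreachable."""
    return {pp.rsync_uri: select_transport(pp, policy) for pp in points}


def missing_points(points, policy: ProxyPolicy) -> list[str]:
    """rsync URIs of the publication points the RP would silently lose."""
    return [uri for uri, chosen in coverage(points, policy).items() if chosen is None]


# Constructed sample. Only the first point's URIs appear in the thread.
POINTS = (
    PublicationPoint("rsync://rsync.rpki.nlnetlabs.nl/",
                     "https://rrdp.rpki.nlnetlabs.nl/"),
    PublicationPoint("rsync://rsync.example-rir.net/repo/",            # constructed
                     "https://rrdp.example-rir.net/notification.xml"),  # constructed
    PublicationPoint("rsync://repo.example-isp.net/repo/",             # constructed:
                     "https://repo.example-isp.net/notification.xml"),  # no rrdp/rpki in host
    PublicationPoint("rsync://rsync.example-legacy.org/repo/"),        # constructed: rsync only
)

# The wildcard rule proposed in the thread, versus the advice to allow any host on 443 and 873.
WILDCARD = ProxyPolicy(("*rrdp*", "*rpki*"), frozenset({443, 873}))
OPEN = ProxyPolicy(("*",), frozenset({443, 873}))
HTTPS_ONLY = ProxyPolicy(("*",), frozenset({443}))  # forgets port 873

if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD), ("open", OPEN), ("https-only", HTTPS_ONLY)):
        print(f"{name}: unreachable publication points -> {missing_points(POINTS, policy)}")
```

Under `WILDCARD` the third and fourth points disappear although their data is valid and published; under `HTTPS_ONLY` the rsync-only point disappears. Neither failure is an error the proxy reports to the validator, which is why the reply asks for any host on ports 443 and 873 rather than a hostname list.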