[RPKI] Repository URLs

Chriztoffer Hansen ch at ntrv.dk
Fri Oct 29 07:44:28 UTC 2021


On Thu, 28 Oct 2021 at 22:24, Alex Band <alex at nlnetlabs.nl> wrote:
> There’s not any naming convention you can reliably use.

Indeed!

"Assumptions is the mother of all fuck-ups(!)" still holds true.
Assuming people _outside_ your organization will continue the "trend"
of using rrdp/rpki in the uri string is not a safe bet. Worst case
scenario is you will have prefixes being blackholed or non-existent in
your network (rejected / not-found), affecting your organization and
any downstream networks.

I view the options are to apply for an exception to your
organization's security policy for your Routinator instances
(depending on how hardline your internal requirements are), or operate
Routinator instances on the premise of risking not being able to reach
publications endpoints when an uri changes or new ones are being
added.

If you can implement Policy Based Routing on your host running
Routinator, you _could_ potentially allow Routinator to access _all_
internet endpoints 443/tcp, 873/tcp. And have the usual security
policy apply to lookups from the host? Potentially look into the use
of containers (docker?) or Linux Namespaces to isolate Routinator
traffic from the host traffic.



More information about the RPKI mailing list