[RPKI] Routinator repository blacklisted

Alex Band alex at nlnetlabs.nl
Tue Nov 29 16:09:35 UTC 2022


Hi Slav,

Any IP resource holder can choose to run Delegated RPKI and host their own repository for publishing ROAs. The people at mnihyc chose to do this, and currently publish a single ROA to authorise 2406:4440:e000::/40 to be originated from AS140938:

http://jdr.nlnetlabs.nl/#/search/mnihyc.com

You can find more information about the resource here:

https://stat.ripe.net/app/launchpad/S1_2406:4440:e000::%2F40_C13C31C20C6C7C1C18C29C30C14C17C24C27C2C21C37C16C11C10

It’s always possible that Spamhaus makes a claim with regard to the trustworthiness of a certain (sub)domain. Be that as it may, RPKI does guarantee object security. That means that only the legitimate holder of the IP prefix, as determined by the RIR, is capable of producing a cryptographically signed statement about the resource. RPKI Relying Party software such as Routinator will follow the chain of trust all the way to the root certificate, in this case APNIC, and only when everything is correctly verified the validated ROA payload is offered to your routers. In addition, this being a PKI, RP software will not accept any objects that aren’t listed on the manifest.

All in all, you can be sure that by validating RPKI content by connecting to the Trust Anchors of the five RIRs, you’re only pulling in legitimate data, regardless of the repository where it is retrieved from and what transport is used.

-Alex

> On 29 Nov 2022, at 00:58, Slav Messetchkov via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> 
> Hello,
>
> We have been using Routinator as RPKI ROA proxy for several months now. Recently we noticed that the following sites, which are listed amongst Routinator’s repositories, have been blacklisted on Gremlins, and access to them is being blocked by our Spamhaus RPZ:
>
> rpki-rrdp.mnihyc.com
> rpki-rsync.mnihyc.com
>
> They are currently being blocked approximately 1000 times per day.
>
> List of Blacklists:
> List: DRBL vote node gremlin.ru  Host: vote.drbl.gremlin.ru  Rating: 3
> List: DRBL work node gremlin.ru  Host: work.drbl.gremlin.ru  Rating: 3
>
> Apparently this has been happening on and off for at least six months.
>
> Has anyone else run into that? Are these sites trustworthy? And more broadly, how is the Repositories’ security posture validated? In our experience the Spamhaus feed has a very low false-positive count, so for now we’re treating this as a threat and blocking it. If a site is compromised, is there a way to drop it from the list of Repositories, so that Routinator doesn’t send 1000s of unnecessary requests daily?
>
> Thanks in advance for any advice on this matter!
>
> Slav Messetchkov
> Sr. Engineer Core Network & Service Development
> SaskTel, TSI/NSD
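
The manifest rule described in the reply above, as an added example (not part of the original thread and not Routinator's code): a relying party keeps only objects whose file name and SHA-256 hash appear on the manifest, whatever the repository serves. It assumes the manifest's own signature chain up to the trust anchor has already been verified; the file names and object bytes are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_against_manifest(manifest: dict, fetched: dict):
    """Compare what a repository served with what the signed manifest lists.

    manifest: file name -> expected SHA-256 hex digest. Assumption: its
              signature chain to the trust anchor was verified beforehand.
    fetched:  file name -> bytes retrieved over rsync or RRDP.
    Returns (accepted, ignored, problems).
    """
    problems = []
    for name, expected in manifest.items():
        data = fetched.get(name)
        if data is None:
            problems.append(f"{name}: listed on manifest but missing")
        elif sha256_hex(data) != expected:
            problems.append(f"{name}: hash mismatch")
    # Objects the repository serves but the manifest does not list are never used.
    ignored = sorted(set(fetched) - set(manifest))
    # RFC 9286 treats a missing or altered listed file as a failed fetch for
    # the whole publication point, so nothing from this fetch is accepted.
    accepted = [] if problems else sorted(manifest)
    return accepted, ignored, problems


# Constructed sample objects; real ones are DER-encoded signed CMS objects.
ROA = b"constructed ROA: 2406:4440:e000::/40 origin AS140938"
CRL = b"constructed CRL"
MANIFEST = {"example.roa": sha256_hex(ROA), "example.crl": sha256_hex(CRL)}

CLEAN = {"example.roa": ROA, "example.crl": CRL}
# The repository host serves an extra object the holder never signed off on.
INJECTED = dict(CLEAN, **{"injected.roa": b"constructed ROA: other origin"})
# The repository host alters a listed object in place.
TAMPERED = dict(CLEAN, **{"example.roa": ROA + b" (modified)"})

if __name__ == "__main__":
    for label, fetch in (("clean", CLEAN), ("injected", INJECTED), ("tampered", TAMPERED)):
        print(label, check_against_manifest(MANIFEST, fetch))
```
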



