[RPKI] Routinator repository blacklisted

Slav Messetchkov slav.messetchkov at sasktel.com
Tue Nov 29 22:38:08 UTC 2022


Hi Alex,

Thanks for your reply and clarifications!

I'm still puzzled about what constitutes a "Repository" and how it is administered. I have trouble understanding how a tiny entity like mnihyc, publishing a single IPv6 /40 range can be listed together with ARIN, RIPE, and the likes. Since the RIRs are ultimately the sources of truth, where the root certificates are stored, what value could a repository with a single (duplicate?) entry add? In that sense, is it possible for us to limit/exclude/filter Repositories in our deployment of Routinator?

Please help me understand this, and sorry for the many questions, we're still new to Routinator and origin validation.

Thanks in advance!

Slav Messetchkov
Sr. Engineer Core Network & Service Development
SaskTel, TSI/NSD
ph: 306-777-1988
m: 604-516-9676

-----Original Message-----
From: Alex Band <alex at nlnetlabs.nl>
Sent: Tuesday, November 29, 2022 8:10 AM
To: Slav Messetchkov <slav.messetchkov at sasktel.com>
Cc: rpki at lists.nlnetlabs.nl; Takaya Ono <takaya.ono at sasktel.com>; Kim Huartson <kim.huartson at sasktel.com>; Rick Wanner <rick.wanner at sasktel.com>
Subject: Re: [RPKI] Routinator repository blacklisted


Hi Slav,

Any IP resource holder can choose to run Delegated RPKI and host their own repository for publishing ROAs. The people at mnihyc chose to do this, and currently publish a single ROA to authorise 2406:4440:e000::/40 to be originated from AS140938:

http://jdr.nlnetlabs.nl/#/search/mnihyc.com

You can find more information about the resource here:

https://stat.ripe.net/app/launchpad/S1_2406:4440:e000::%2F40_C13C31C20C6C7C1C18C29C30C14C17C24C27C2C21C37C16C11C10

It's always possible that Spamhaus makes a claim with regard to the trustworthiness of a certain (sub)domain. Be that as it may, RPKI does guarantee object security. That means that only the legitimate holder of the IP prefix - as determined by the RIR - is capable of producing a cryptographically signed statement about the resource. RPKI Relying Party software such as Routinator will follow the chain of trust all the way to the root certificate, in this case APNIC, and only when everything is correctly verified is the validated ROA payload offered to your routers. In addition, this being a PKI, RP software will not accept any objects that aren't listed on the manifest.

All in all, you can be sure that by validating RPKI content by connecting to the Trust Anchors of the five RIRs, you're only pulling in legitimate data, regardless of the repository where it is retrieved from and what transport is used.

-Alex
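As an added illustration (not code from the thread or from Routinator), this shows what a router does with the validated ROA payload Alex describes, following the RFC 6811 origin-validation rules. The VRP set is constructed; the mnihyc ROA's maxLength is assumed to be 40, and the IPv4 entry uses documentation resources.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload as handed to routers: prefix, maxLength, origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def covers(v: VRP, route) -> bool:
    """A VRP covers a route when the route lies within the VRP prefix (same address family)."""
    return v.prefix.version == route.version and route.subnet_of(v.prefix)


def rov_state(vrps: list[VRP], route_prefix: str, origin_asn: int) -> str:
    """RFC 6811: no covering VRP -> not-found; a covering VRP with matching
    origin AS and prefix length <= maxLength -> valid; otherwise -> invalid."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "not-found"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


# Constructed VRP set. The first entry is the ROA discussed in the thread;
# its maxLength of 40 is an assumption. The second uses documentation resources.
VRPS = [
    vrp("2406:4440:e000::/40", 40, 140938),
    vrp("192.0.2.0/24", 24, 64496),
]

if __name__ == "__main__":
    for prefix, asn in [("2406:4440:e000::/40", 140938), ("2406:4440:e000::/40", 64500),
                        ("2406:4440:e000::/48", 140938), ("2001:db8::/32", 140938)]:
        print(prefix, asn, rov_state(VRPS, prefix, asn))
```

A route from a different origin, or a more-specific announcement beyond maxLength, is marked invalid only because a covering VRP exists; repositories that publish no covering ROA cannot affect the state of prefixes they do not hold.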

> On 29 Nov 2022, at 00:58, Slav Messetchkov via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>
> Hello,
>
> We have been using Routinator as an RPKI ROA proxy for several months now. Recently we noticed that the following sites, which are listed amongst Routinator's repositories, have been blacklisted on Gremlins, and access to them is being blocked by our Spamhaus RPZ:
>
> rpki-rrdp.mnihyc.com
> rpki-rsync.mnihyc.com
>
> They are currently being blocked approximately 1000 times per day.
>
> List of Blacklists:
> List: DRBL vote node gremlin.ru  Host: vote.drbl.gremlin.ru  Rating: 3
> List: DRBL work node gremlin.ru  Host: work.drbl.gremlin.ru  Rating: 3
>
> Apparently this has been happening on and off for at least six months.
>
> Has anyone else run into that? Are these sites trustworthy? And more broadly, how is the Repositories' security posture validated? In our experience the Spamhaus feed has a very low false-positive count, so for now we're treating this as a threat and blocking it. If a site is compromised, is there a way to drop it from the list of Repositories, so that Routinator doesn't send 1000s of unnecessary requests daily?
>
> Thanks in advance for any advice on this matter!
>
> Slav Messetchkov
> Sr. Engineer Core Network & Service Development
> SaskTel, TSI/NSD
