[RPKI] Routinator via whitelist proxy.
Mariusz Klinski
mtklinski at gmail.com
Thu Nov 14 16:06:20 UTC 2024
Hello All,
I have seen a similar question posted previously, but I haven’t come across an answer to it. The question was asked two years ago, so perhaps the situation has changed since then.
In VF Germany, we are currently testing RPKI access via a proxy whitelist. Initially, we whitelisted only the Regional Internet Registry (RIR) addresses. However, after further investigation, I found that several other domains are also being accessed following the initial request. Some of these domains appear legitimate, while others do not.
My question is: Are all the URLs that Routinator accesses essential for proper operation? If so, how often is this list of URLs updated? We could write a script to capture all the domains Routinator contacts and whitelist them on a regular basis, but if we are planning to implement this in a live network, we need to understand how this list is generated and how frequently it needs to be checked.
The commands I used to get the list of URLs:
The 1st iteration after installation:
ubuntu@instance-20241104-1345:~$ routinator -vv vrps > ./routinator.log 2>&1 &
[1] 4394
ubuntu@instance-20241104-1345:~$ grep -oP '://[^/]+\b' routinator.log | sed 's/\:\/\///g' | sort -u
dev.tw
oto.wakuwaku.ne.jp
repo.kagl.me
repo.rpki.space
repodepot.wildtky.com
rpki-pp.com
rpki-repo.registro.br
rpki-rps.arin.net
rpki-rrdp.us-east-2.amazonaws.com
rpki.admin.freerangecloud.com
rpki.afrinic.net
rpki.apnic.net
rpki.arin.net
rpki.ripe.net
rpki.roa.net
rpki.sub.apnic.net
rrdp-rps.arin.net
rrdp.afrinic.net
rrdp.apnic.net
rrdp.arin.net
rrdp.lacnic.net
rrdp.paas.rpki.ripe.net
rrdp.ripe.net
rrdp.rp.ki
rrdp.sub.apnic.net
rsync.paas.rpki.ripe.net
ubuntu@instance-20241104-1345:~$
The 2nd iteration:
ubuntu@instance-20241104-1345:~$ routinator -vv vrps > ./routinator.log 2>&1 &
[1] 4417
ubuntu@instance-20241104-1345:~$ grep -oP '://[^/]+\b' routinator1.log | sed 's/\:\/\///g' | sort -u
0.sb
ca.nat.moe
ca.rg.net
chloe.sobornost.net
cloudie-repo.rpki.app
cloudie.rpki.app
dev.tw
krill.accuristechnologies.ca
krill.ca-bc-01.ssmidge.xyz
krill.stonham.info
krill.stonham.uk
krill.uta.ng
krill.uta.ng:3030
magellan.ipxo.com
oto.wakuwaku.ne.jp
pub.krill.ausra.cloud
repo-rpki.idnic.net
repo.kagl.me
repo.rpki.space
repodepot.wildtky.com
rov-measurements.nlnetlabs.net
rpki-01.pdxnet.uk
rpki-pp.com
rpki-publication.haruue.net
rpki-repo.as207960.net
rpki-repo.registro.br
rpki-repository.nic.ad.jp
rpki-rps.arin.net
rpki-rrdp.mnihyc.com
rpki-rrdp.us-east-2.amazonaws.com
rpki.0i1.eu
rpki.admin.freerangecloud.com
rpki.afrinic.net
rpki.apernet.io
rpki.apnic.net
rpki.arin.net
rpki.as207960.net
rpki.athene-center.net
rpki.cc
rpki.cernet.edu.cn
rpki.cnnic.cn
rpki.co
rpki.folf.systems
rpki.komorebi.network
rpki.komorebi.network:3030
rpki.luys.cloud
rpki.miralium.net
rpki.multacom.com
rpki.netiface.net
rpki.owl.net
rpki.pudu.be
rpki.qs.nu
rpki.rand.apnic.net
rpki.ripe.net
rpki.roa.net
rpki.sailx.co
rpki.sn-p.io
rpki.sub.apnic.net
rpki.tools.westconnect.ca
rpki.uz
rpki.xa.wiki
rpki.xindi.eu
rpki.zappiehost.com
rpki01.hel-fi.rpki.win
rpki01.hel-fi.rpki.win:44595
rpkica.mckay.com
rrdp-rps.arin.net
rrdp.afrinic.net
rrdp.apnic.net
rrdp.arin.net
rrdp.krill.nlnetlabs.nl
rrdp.lacnic.net
rrdp.paas.rpki.ripe.net
rrdp.ripe.net
rrdp.rp.ki
rrdp.rpki.co
rrdp.rpki.tianhai.link
rrdp.sub.apnic.net
rrdp.twnic.tw
rsync.paas.rpki.ripe.net
rsync.rpki.tianhai.link
sakuya.nat.moe
x-8011.p.u9sv.com
ubuntu@instance-20241104-1345:~$
Thank you for your help!
Mariusz Klinski
https://www.linkedin.com/in/mariusz-klinski-78819722/
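
The script idea raised in the message above, sketched as an added example (not part of the original post and not NLnet Labs code). It goes one step beyond the grep one-liner by keeping scheme and port, since a proxy or firewall rule needs both and the list above includes non-default ports such as krill.uta.ng:3030. The log lines and the allowlist are constructed samples, not real Routinator output; the only assumption about the log format is that each repository URI appears in full somewhere on a line.

```python
import re
from urllib.parse import urlsplit

# Default ports a proxy or firewall rule needs for each transport.
DEFAULT_PORTS = {"https": 443, "rsync": 873}
URI_RE = re.compile(r"\b(?:https|rsync)://[^\s\"'<>,;)]+")

# Constructed sample lines (format is an assumption, hosts taken from the post).
SAMPLE_LOG = """\
[DEBUG] RRDP https://rrdp.ripe.net/notification.xml: updating from snapshot
[DEBUG] RRDP https://krill.uta.ng:3030/rrdp/notification.xml: connection refused
[DEBUG] rsync://rpki.ripe.net/repository/: starting update
[DEBUG] RRDP https://rrdp.ripe.net/abc/snapshot.xml: fetched
"""

# Constructed allowlist: what the proxy currently permits.
ALLOWLIST = {("https", "rrdp.ripe.net", 443), ("https", "rrdp.arin.net", 443)}


def endpoints(log_text):
    """Return the set of (scheme, host, port) for every https/rsync URI in the log."""
    found = set()
    for match in URI_RE.finditer(log_text):
        try:
            parts = urlsplit(match.group(0))
            host, port = parts.hostname, parts.port
        except ValueError:  # malformed port or bracketed host: skip the URI
            continue
        if host:
            found.add((parts.scheme, host.rstrip("."),
                       port or DEFAULT_PORTS[parts.scheme]))
    return found


def diff_allowlist(observed, allowlist):
    """Compare one run's endpoints with the allowlist.

    "stale" only means "not seen in this log"; a single run may not reach
    every repository, so confirm over several runs before removing an entry.
    """
    return {
        "new": sorted(observed - allowlist),
        "stale": sorted(allowlist - observed),
        "ok": sorted(observed & allowlist),
    }


if __name__ == "__main__":
    for state, items in diff_allowlist(endpoints(SAMPLE_LOG), ALLOWLIST).items():
        for scheme, host, port in items:
            print(f"{state:5} {scheme}://{host}:{port}")
```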