[RPKI] Routinator via whitelist proxy.

Tony Tauber ttauber at 1-4-5.net
Sat Nov 16 15:38:36 UTC 2024


Hello,

If you're talking about the outbound connection from Routinator, or any
RPKI RP (Relying Party) software, to the various PPs (Publication Points)
that are part of the RPKI system, then the answer is "no".

Not only are the destinations DNS-based (vs. IP address based, so the
mapping can change at any time), the list itself is dynamic as PPs in the
delegated mode can change at any time (be added or deleted).

These things are entirely fundamental to the design of RPKI itself and not
simply a feature of the Routinator software.
They are extremely unlikely to ever change, though maybe someone else will
answer with something clever that I'm not thinking of.

In summary, you need to allow all outbound access from the RP software host
to any destination on the Internet via TCP port 443 for RRDP and TCP port
873 for RSYNC.

That is all and hopefully answers your question.

Cheers,
Tony


On Fri, Nov 15, 2024 at 5:50 AM Mariusz Klinski via RPKI <
rpki at lists.nlnetlabs.nl> wrote:

> Hello All,
>
>
> I have seen a similar question posted previously, but I haven’t come
> across an answer to it. The question was asked two years ago, so perhaps
> the situation has changed since then.
>
>
> In VF Germany, we are currently testing RPKI access via a proxy whitelist.
> Initially, we whitelisted only the Regional Internet Registry (RIR)
> addresses. However, after further investigation, I found that several other
> domains are also being accessed following the initial request. Some of
> these domains appear legitimate, while others do not.
>
>
> My question is: Are all the URLs that Routinator accesses essential for
> proper operation? If so, how often is this list of URLs updated? We could
> write a script to capture all the domains Routinator contacts and whitelist
> them on a regular basis, but if we are planning to implement this in a live
> network, we need to understand how this list is generated and how
> frequently it needs to be checked.
>
>
> The commands I used to get the list of URLs:
>
> The 1st iteration after installation:
>
> ubuntu at instance-20241104-1345:~$ routinator -vv vrps > ./routinator.log
> 2>&1 &
>
> [1] 4394
>
> ubuntu at instance-20241104-1345:~$ grep -oP '://[^/]+\b' routinator.log |
> sed 's/\:\/\///g' | sort -u
>
>
> ubuntu at instance-20241104-1345:~$
>
>
>
> The 2nd iteration:
>
>
> ubuntu at instance-20241104-1345:~$ routinator -vv vrps > ./routinator.log
> 2>&1 &
>
> [1] 4417
>
> ubuntu at instance-20241104-1345:~$ grep -oP '://[^/]+\b' routinator1.log
> | sed 's/\:\/\///g' | sort -u
>
>
> ubuntu at instance-20241104-1345:~$
>
>
>
>
> Thank you for your help!
>
> Mariusz Klinski
>
> Mariusz Klinski - MiD Consulting Sp. z o.o.
> <https://www.linkedin.com/in/mariusz-klinski-78819722/>
>
>
> --
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki
>
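As an added example (written for this archive page, not code from either poster or from Routinator), a Python version of the grep/sed/sort pipeline quoted above that also keeps the URL scheme and effective TCP port and diffs two runs, which makes the dynamic publication point list Tony describes visible and flags hosts a 443/873-only egress rule would block. The log line wording and the sample lines are constructed; the hosts are taken from the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of two "routinator -vv vrps" runs. The
# "Updating ... repository <url>" wording is an assumption, not
# Routinator's real log format; hostnames come from the thread.
RUN_1 = """\
Updating RRDP repository https://rrdp.ripe.net/notification.xml
Updating RRDP repository https://rrdp.arin.net/notification.xml
Updating rsync repository rsync://rpki.ripe.net/repository/
Updating RRDP repository https://rrdp.apnic.net/notification.xml
"""
RUN_2 = """\
Updating RRDP repository https://rrdp.ripe.net/notification.xml
Updating RRDP repository https://rrdp.arin.net/notification.xml
Updating rsync repository rsync://rpki.ripe.net/repository/
Updating RRDP repository https://krill.uta.ng:3030/rrdp/notification.xml
Updating rsync repository rsync://rpki.afrinic.net/repository/
"""

URL_RE = re.compile(r'\b(?:https|rsync)://\S+')
DEFAULT_PORT = {"https": 443, "rsync": 873}   # RRDP over TLS, rsync


def endpoints(log_text):
    """Set of (scheme, host, port) contacted according to a log.

    Like the grep/sed/sort -u pipeline, but the effective port is kept
    so that publication points on non-default ports are not hidden.
    """
    out = set()
    for url in URL_RE.findall(log_text):
        parts = urlsplit(url)
        out.add((parts.scheme, parts.hostname,
                 parts.port or DEFAULT_PORT[parts.scheme]))
    return out


def diff_runs(old, new):
    """Endpoints that appeared or vanished between two runs."""
    return {"added": new - old, "removed": old - new}


def nonstandard_ports(eps):
    """Endpoints a 443/873-only allow rule would not cover."""
    return {e for e in eps if e[2] != DEFAULT_PORT[e[0]]}


def firewall_rules(eps):
    """Sorted (host, tcp_port) pairs for a per-host egress allow list."""
    return sorted({(host, port) for _, host, port in eps})
```

Running the diff on each fetch cycle shows how often the allow list would need regenerating; in practice it changes whenever a delegated CA adds or moves a publication point.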