Local Certification Service Launched

Alex Band — Aug 16, 2011 04:55 PM
Filed under: , ,
In order to use the RIPE NCC Resource Certification (RPKI) Service, the only option up to now was to rely on the hosted system in the LIR Portal. Today we are releasing a proof of concept of the Local Certification Service. This allows RIPE NCC members to run Resource Certification on their own systems.

On 1 January 2011, we launched the hosted RIPE NCC Resource Certification Service. This system allows our members to securely create a digital certificate listing their Internet number resources. Using it, they can create Route Origin Authorisation (ROA) objects, stating which Autonomous Systems are authorised to originate their prefixes, through a web interface in the LIR Portal

The hosted platform caters to the majority of our membership. So far, over 570 LIRs have generated a resource certificate and most have specified their routing information. The result is that almost 180,000 IPv4 /24 equivalents are now covered by a ROA. For detailed information, please refer to our Certification Statistics page

From the beginning, we have said that the hosted system was only a partial implementation, and that the service would be complemented by the possibility of running Resource Certification on your own systems. This makes the LIR the owner of the private key, allows them to host their own repository with certificates and ROAs, and opens up possibilities for scripting and more integration into their workflows. 

Today we are releasing the Local Certification Service. There are two elements that make it work:

  1. The up/down provisioning protocol, enabling communication between parent and child certificate authorities
  2. The child certificate authority software, allowing the creation, provisioning, management and publication of your own resource certificate

The up/down protocol is a production implementation, and follows the IETF Internet Draft. This allows for third-party software, such as rpkid, to interoperate with the RIPE NCC parent system through the proposed standards. 

To give you an idea of how a software package released by the RIPE NCC could work, we are offering a child certificate authority implementation as a proof of concept. For now, it will only allow you create a resource certificate and demonstrate the provisioning by the RIPE NCC parent system via a pilot server. Also, it will publish the certificate in the LIR's own repository and make it available over rsync. If there is strong community demand for developing this concept into a production software package, allowing the creation and management of ROAs, etc. then we will add that to our roadmap.

Now, let's have a look at how the system works...

First, download the package containing the Local Certification Service software. The README file will outline all of the steps needed to get started. After configuring rsync, the database files and the web server, it's time to fire up the web-based interface, which looks like this:

1. Configure the repositoryTo set up your repository, you will need to enter the rsync hostname, port and module, as well as the base directory on your disk. Once you're done, save the configuration and continue to the second step:

2. Download your Identity CertificateThe software package will generate an identity certificate, which is used by the parent system to identify your LIR. You will need to download this file and open the LIR Portal Pilot Server in a new window:

3. Log into the LIR Portal Pilot Server

Please note that this is not the regular LIR Portal but a separate server set up for this proof of concept. However, the LIR Portal Administrator will need to have given you permissions for the "Certification" group in the regular LIR Portal for you to gain access. The credentials you enter here are linked to the identity certificate you will upload in the next step:

4. Upload your Identity Certificate XML fileClick "Choose File" and browse to the XML file you just downloaded from the Local Certification Service interface. After clicking "Upload", the certificate will be verified:

5. Download the Issuer Identity CertificateIf verification is successful, the RIPE NCC parent system will generate an Issuer Identity Certificate, which you need to download and configure in the Local Certification Service system:

6. Upload the Issuer Identity Certificate in the LCSClick "Choose File" and browse to the Issuer Identity Certificate XML file, which also contains the provisioning URL. Through this channel, all updates to the resource certificate will be processed. After clicking "Upload and Request Resource Certificate", the process is complete and you will have a valid resource certificate, listing your Internet number resources, published in your own public repository:

7. Resource Certificate createdThere are some other things this proof of concept will let you do. One is allowing you to update the resource certificate contents if you have received or returned resources. Other things are performing a key rollover and configuring the rsync publication interval.

Of course, there is much more functionality we can implement. If the community would like us to develop this proof of concept into a production service, we can add features such as the ability to create ROAs, allow you to publish your certificate and ROAs in another repository than your own, build in an alerting system that compares your published ROAs to real world BGP routing and add scripting support as well as an API. 

We look forward to your feedback.

 

2 Comments

Leo Vegoda
Leo Vegoda says:
Aug 16, 2011 06:52 PM
Hi Alex,

The statement: "almost 180,000 IPv4 /24 equivalents are now covered by a ROA" sounds very impressive but what does it mean? It would be helpful if you could create trend lines for both the proportion of RIPE NCC IPv4 address space covered by a ROA and the proportion of prefixes allocated or assigned by the RIPE NCC covered by a ROA.

That way we will be able to evaluate the benefit Relying Parties will be able to gain from the service.

Thanks
Alex Band
Alex Band says:
Aug 31, 2011 10:18 PM
Hi Leo,

We're not visualizing that data yet, but LACNIC has some interesting daily fresh numbers available here:
http://www.labs.lacnic.net/[…]/rpki-evolution-report_EN.txt

In short, almost 10% of RIPE region IPv4 address space is now covered by a ROA.
Add comment

You can add a comment by filling out the form below. Only plain text is possible. Web and email addresses will be transformed into clickable links. Comments are moderated so they won't appear immediately.

Related Items
Increased Reach of RIPE Atlas Anchors

Increasing the reach of RIPE Atlas anchors is one of the highest priority goals of RIPE Atlas Team. ...

Proposing Making RIPE Atlas Data More Public

RIPE Atlas is now three years old, and is moving from a prototype to production service. Based on ...

Modifications to the IP Analyser to Reflect New Policy

We are in the process of implementing the policy regarding Post Depletion Adjustment of Procedures ...

RIPE Atlas: Improved Probe Pages

We've made it much easier to get an overview of the history and measurements for all the public ...

Visualising Bandwidth Capacity and Network Activity in RIPEstat Using M-Lab Data

As a result of the cooperation between the RIPE NCC and Measurement Lab (M-Lab), you can now ...

more ...