RIPE NCC Validator for Resource Certification
On 1 January 2011, all five Regional Internet Registries (RIRs) will deploy a system that can issue digital certificates along with the assignment or allocation of Internet number resources (IPv4 and IPv6 addresses, as well as Autonomous System Numbers). These “resource certificates” will certify that the holder of the certificate has been officially assigned or allocated the particular resource. The resource certification system is based on Public Key Infrastructure (PKI) principles.
Resource certification can be used to help secure routing. The system will allow holders of Internet resources to sign cryptographically verifiable messages that can help humans or machines to make more secure routing decisions.
Route Origin Authorisation
With a resource certificate, a resource holder will be able to create a Route Origin Authorisation (ROA) object. This is a standardised document that essentially states that the holder of a certain prefix authorises a particular Autonomous System (AS) to announce that prefix. A ROA can be compared to whitelisting: a network operator who needs to decide whether to accept a certain prefix may prefer a route announcement that is supported by a ROA (positive statement) over an announcement for the same space that does not have an associated ROA.
The RIPE NCC Validator
To enable network operators to make these routing decisions, the RIPE NCC developed a command-line validator that can perform:
• Top-down validation of a complete repository; or
• Bottom-up validation for a specific object, such as a ROA
We are looking for feedback on this tool. Is it easy and logical to use? What additional features does it need? How would you see integrating it in your workflow?
If the community agrees that this is a valuable tool, we would like to release the source code under an open source license in the near future.
Using the validator
The validator has been tested on Linux and Mac OS X. Since the RPKI repository uses rsync as an access method, the tool requires rsync to be installed on your system. No Trust Anchors (TAs) are preconfigured, so you will need to download an RPKI certificate to use as a TA. You can download the RIPE NCC’s resource Trust Anchor using this command:
rsync rsync://certrepo.ripe.net/rta/CN=RTA,O=RIPE%20NCC,C=NL.cer ./ripe-ncc-ta.cer
Please note that because this tool was written in Java, it requires a recent Java Runtime Environment to be available on your system. See the README file for more details.
RIPE NCC Validator for Resource Certification and README file
Method 1: Top-Down validation
You can use the validator to validate all the objects and certificates published under the RIPE NCC TA and export all validated ROA data. Simply run the following command:
/path/to/validator $ bin/certification-validator --top-down -t ./ripe-ncc-ta.cer -o out --roa-export roas.csv
Note that the tool needs an output directory to store the downloaded certificates and objects. It starts by downloading everything it needs to an unvalidated sub-directory, and will then copy all validated objects to a "validated" sub-directory.
The CSV file contains all the validated prefix information found in validated ROAs, and looks like this:
URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://certrepo.ripe.net/prod/54/eb6d87-36e7-4b13-aa1d-f1f5b0ad8bcc/1/iErZusCSmkGJdHuvf2remUDaFmU.roa",AS3333,126.96.36.199/24,,2010-07-21 09:55:56,2011-07-01 00:00:00
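One way to consume the exported CSV when deciding whether to accept an announcement, as an added example that is not part of the validator or the original article. It goes beyond the "prefer announcements backed by a ROA" description above by returning the three origin-validation outcomes (valid, invalid, not-found). It assumes that an empty Max Length means only the exact prefix length is authorised and that the timestamps share a timezone with the supplied `now`. The sample rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample in the roas.csv column layout (documentation prefixes and
# ASNs, hypothetical repository URIs); not output from the validator.
SAMPLE_CSV = '''URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://rpki.example.net/repo/a.roa",AS64496,192.0.2.0/24,,2010-07-21 09:55:56,2011-07-01 00:00:00
"rsync://rpki.example.net/repo/b.roa",AS64497,198.51.100.0/24,25,2010-07-21 09:55:56,2011-07-01 00:00:00
"rsync://rpki.example.net/repo/c.roa",AS64498,2001:db8::/32,48,2010-07-21 09:55:56,2010-12-31 00:00:00
'''


def load_roa_prefixes(text, now):
    """Return (network, max_length, asn) for rows whose validity window covers `now`."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        # Strict parsing: a prefix with host bits set raises ValueError.
        net = ipaddress.ip_network(row["IP Prefix"].strip())
        if not (datetime.strptime(row["Not Before"], FMT) <= now
                <= datetime.strptime(row["Not After"], FMT)):
            continue  # not yet valid or expired: must not authorise anything
        # Assumption: empty Max Length authorises only the exact prefix length.
        raw = row["Max Length"].strip()
        max_len = int(raw) if raw else net.prefixlen
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad max length in {row['URI']}")
        asn = int(row["ASN"].strip().upper().replace("AS", "", 1))
        entries.append((net, max_len, asn))
    return entries


def classify(prefix, origin_asn, entries):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_len, asn in entries:
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True  # some ROA speaks for this address space
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"
```

An announcement covered by a ROA but with the wrong origin AS, or more specific than the maximum length, comes back as "invalid" rather than "not-found", which is the case an operator would want to treat differently from space that simply has no ROA.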
Method 2: Bottom-Up validation
You can also use the validator to validate a specific object, such as a ROA. If you have run the top-down validation described above, you can try it on any one of the validated .roa files. Or you can download a test ROA set up by the RIPE NCC using this command:
To run the validator in bottom-up mode you can use a command like this:
validator $ bin/certification-validator -t ./ripe-ncc-ta.cer -f ./bl.roa -p
This should result in output similar to this:
17:47:05,012 INFO rsync://certrepo.ripe.net/rta/CN=RTA,O=RIPE%20NCC,C=NL.cer is VALID
17:47:05,755 INFO rsync://certrepo.ripe.net/rta/CN=RTA,O=RIPE%20NCC,C=NL.crl is VALID
17:47:05,761 INFO rsync://certrepo.ripe.net/rta/CN=EQPBzzm03_gZdrqO6tOS7eHjyXY.cer is VALID
17:47:06,406 INFO rsync://certrepo.ripe.net/prod/d7/0b38ff-44ce-44c2-805b-50b7489300ed/1/EQPBzzm03_gZdrqO6tOS7eHjyXY.crl is VALID
17:47:06,412 INFO rsync://certrepo.ripe.net/prod/d7/0b38ff-44ce-44c2-805b-50b7489300ed/1/CfWKr5qQwLRdsnw67qLOqSAQq4g.cer is VALID
17:47:12,009 INFO rsync://certrepo.ripe.net/prod/54/eb6d87-36e7-4b13-aa1d-f1f5b0ad8bcc/1/CfWKr5qQwLRdsnw67qLOqSAQq4g.crl is VALID
17:47:12,012 INFO file:/Users/tim/Development/runtime/validator/./bl.roa is VALID
Content type: 1.2.840.113549.1.9.16.1.24
Signing time: 2010-08-02T09:44:35.000Z
The README file has more information about how to use the validator.
Test portal for members
The RIPE NCC offers a hosted, fully automated resource certification beta service for LIRs.
In the initial phase of deployment, we will only certify Provider Aggregatable (PA) address space allocated to LIRs. The service will allow users to set up ROA configurations, while automatically taking care of all the low-level crypto operations, as well as ensuring that the correct ROA objects are generated and published.
If you want to use the hosted test system now you will need to:
• Log in as the admin user for your regid
• Make your normal user a member of the certification group
• Log in as that user
• Click the certification link in the left-hand menu
• Click "Yes" to activate your hosted Certificate Authority (CA)
In the longer term, it will also be possible to certify other Internet resources, including PI address assignments, Autonomous System Numbers (ASNs) and ERX resources. We also plan to add functionality that will enable members to run their own local RPKI system. This will allow more fine-grained control over system behaviour, local handling of private keys, and integration with other systems.
Test Trust Anchor certificates for the other RIRs can be downloaded from:
The RIPE NCC validator is one of several tools that can be used for validation purposes. There are related initiatives by ISC and BBN. ISC's rcynic validator can be downloaded here: http://subvert-rpki.hactrn.net/rcynic/
BBN's updated validator will be available for public download soon.