
RIPE NCC Validator for Resource Certification

Amanda Gowland — Aug 2010
Resource certification can be used to help secure routing. The resource certification system is based on Public Key Infrastructure (PKI) principles. The RIPE NCC Validator for resource certification can help network operators make the necessary routing decisions. You can download the tool below.

Resource Certification
On 1 January 2011, all five Regional Internet Registries (RIRs) will deploy a system that can issue digital certificates along with the assignment or allocation of Internet number resources (IPv4 and IPv6 addresses, as well as Autonomous System Numbers). These “resource certificates” will certify that the holder of the certificate has been officially assigned or allocated the particular resource. The resource certification system is based on Public Key Infrastructure (PKI) principles. 

Resource certification can be used to help secure routing. The system will allow holders of Internet resources to sign cryptographically verifiable messages that help humans or machines make more secure routing decisions.

Route Origin Authorisation
With a resource certificate, a resource holder will be able to create a Route Origin Authorisation (ROA) object. This is a standardised, signed document that states that the holder of a certain prefix authorises a particular Autonomous System (AS) to originate announcements for that prefix, optionally down to a maximum prefix length. A ROA can be compared to white listing: a network operator who needs to decide whether to accept a route may prefer an announcement that is backed by a ROA (a positive statement) over an announcement for the same address space that has no associated ROA.

The RIPE NCC Validator
In order to enable the network operator to make these routing decisions, the RIPE NCC developed a command-line validator that can perform either:

•    Top-down validation of a complete repository; or
•    Bottom-up validation for a specific object, such as a ROA

We are looking for feedback on this tool. Is it easy and logical to use? What additional features does it need? How would you see integrating it in your workflow?

If the community agrees that this is a valuable tool, we would like to release the source code under an open source license in the near future.

Using the validator

It has been tested on Linux and Mac OS X. Since the RPKI repository uses rsync as its access method, the tool requires that rsync is installed on your system. No Trust Anchors (TAs) are preconfigured, so you will need to download an RPKI certificate to use as a TA. Note that every VALID result the tool reports chains back to this one certificate, so obtain it from the RIR's published location rather than from a third party. You can download the RIPE NCC's resource Trust Anchor using this command:

rsync rsync://certrepo.ripe.net/rta/CN=RTA,O=RIPE%20NCC,C=NL.cer ./ripe-ncc-ta.cer

Please note that because this tool was written in Java, it requires a recent Java Runtime Environment to be available on your system. See the README file for more details.

Download: RIPE NCC Validator for Resource Certification and README file

Method 1: Top-Down validation

You can use the validator to validate all the objects and certificates published under the RIPE NCC TA and export all validated ROA data. Simply run the following command:

/path/to/validator $ bin/certification-validator --top-down -t ./ripe-ncc-ta.cer -o out --roa-export roas.csv

Note that the tool needs an output directory (-o) to store the downloaded certificates and objects. It first downloads everything it needs into an "unvalidated" sub-directory and then copies every object that passes validation into a "validated" sub-directory.

The CSV file contains all the prefix information found in validated ROAs. An empty Max Length column means the ROA authorises only the exact prefix length shown. The file looks like this:

URI,ASN,IP Prefix,Max Length,Not Before,Not After
...
"rsync://certrepo.ripe.net/prod/54/eb6d87-36e7-4b13-aa1d-f1f5b0ad8bcc/1/iErZusCSmkGJdHuvf2remUDaFmU.roa",AS3333,85.118.184.0/24,,2010-07-21 09:55:56,2011-07-01 00:00:00

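The decision described above (prefer a route that a ROA supports over one that nothing supports) is easy to mechanise once you have this export. The following Python is an added example, not part of the original article or of the RIPE NCC tool: it parses the --roa-export CSV layout shown above and classifies a BGP announcement (prefix, origin AS) against it. It goes slightly beyond the article: besides "covered by a ROA" versus "no ROA at all", it also flags an announcement that is covered but does not match (wrong origin AS, or more specific than the Max Length allows) as invalid, which is the distinction later standardised as route origin validation. The CSV embedded in it is constructed: the first row is the RIPE NCC test ROA from the output above, the other two use documentation prefixes and private-use AS numbers and describe no real ROA.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout of the validator's --roa-export CSV
# (URI,ASN,IP Prefix,Max Length,Not Before,Not After). The first row is the
# RIPE NCC test ROA shown in the article; the two hypothetical rows use
# documentation prefixes and private-use ASNs and do not describe real ROAs.
SAMPLE_ROA_CSV = """URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://certrepo.ripe.net/prod/54/eb6d87-36e7-4b13-aa1d-f1f5b0ad8bcc/1/iErZusCSmkGJdHuvf2remUDaFmU.roa",AS3333,85.118.184.0/24,,2010-07-21 09:55:56,2011-07-01 00:00:00
"rsync://example.invalid/hypothetical-1.roa",AS64496,192.0.2.0/24,26,2010-08-01 00:00:00,2011-08-01 00:00:00
"rsync://example.invalid/hypothetical-2.roa",AS64497,2001:db8::/32,,2010-08-01 00:00:00,2011-08-01 00:00:00
"""


def parse_asn(value):
    """Accept 'AS3333', 'as3333' or 3333 and return the integer ASN."""
    text = str(value).strip()
    if text[:2].upper() == "AS":
        text = text[2:]
    return int(text)


def load_roas(csv_text):
    """Turn the exported CSV into a list of (prefix, max_length, asn) tuples.

    An empty Max Length column means the ROA authorises only the exact
    prefix length, which is how the export represents it.
    """
    roas = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        prefix = ipaddress.ip_network(row["IP Prefix"].strip())
        max_len = int(row["Max Length"]) if row["Max Length"].strip() else prefix.prefixlen
        roas.append((prefix, max_len, parse_asn(row["ASN"])))
    return roas


def validate_origin(roas, announced_prefix, origin_asn):
    """Classify one BGP announcement (prefix, origin AS) against the ROA set.

    Returns:
      "valid"   - some ROA covers the prefix, names this origin AS and allows
                  a prefix this long (prefixlen <= Max Length)
      "invalid" - one or more ROAs cover the prefix but none matches
                  (wrong origin AS, or announcement more specific than allowed)
      "unknown" - no ROA covers the prefix at all; the holder has said nothing
    """
    net = ipaddress.ip_network(announced_prefix)
    origin = parse_asn(origin_asn)
    covered = False
    for prefix, max_len, asn in roas:
        # subnet_of() raises on mixed address families, so compare versions first
        if prefix.version != net.version or not net.subnet_of(prefix):
            continue
        covered = True
        if asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    roas = load_roas(SAMPLE_ROA_CSV)
    for prefix, asn in [("85.118.184.0/24", "AS3333"),    # matches the RIPE NCC ROA
                        ("85.118.184.0/25", "AS3333"),    # too specific: no Max Length
                        ("85.118.184.0/24", "AS64500"),   # covered, but wrong origin
                        ("192.0.2.0/26", "AS64496"),      # within Max Length 26
                        ("198.51.100.0/24", "AS64496")]:  # no ROA covers this space
        print(f"{prefix:18} {asn:8} {validate_origin(roas, prefix, asn)}")
```

Two things worth noticing when you wire this into a filter: a less specific announcement than the ROA's prefix (for example 85.118.0.0/16 against a ROA for 85.118.184.0/24) is not covered and therefore comes back "unknown", not "invalid"; and the export only contains ROAs that were valid when the validator ran, so the Not Before and Not After columns are informational here and the code does not re-check them.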
Method 2: Bottom-Up validation
You can also use the validator to validate a specific object, such as a ROA. If you have run the top-down validation described above, you can try it on any one of the validated .roa files. Or you can download a test ROA set up by the RIPE NCC using this command (it is saved as bl.roa, the file name used in the next step):

rsync rsync://certrepo.ripe.net/prod/54/eb6d87-36e7-4b13-aa1d-f1f5b0ad8bcc/1/iErZusCSmkGJdHuvf2remUDaFmU.roa ./bl.roa

To run the validator in bottom-up mode you can use a command like this:

validator $ bin/certification-validator -t ./ripe-ncc-ta.cer -f ./bl.roa -p

This should result in output similar to this:

17:47:05,012 INFO  rsync://certrepo.ripe.net/rta/CN=RTA,O=RIPE%20NCC,C=NL.cer is VALID
17:47:05,755 INFO  rsync://certrepo.ripe.net/rta/CN=RTA,O=RIPE%20NCC,C=NL.crl is VALID
17:47:05,761 INFO  rsync://certrepo.ripe.net/rta/CN=EQPBzzm03_gZdrqO6tOS7eHjyXY.cer is VALID
17:47:06,406 INFO  rsync://certrepo.ripe.net/prod/d7/0b38ff-44ce-44c2-805b-50b7489300ed/1/EQPBzzm03_gZdrqO6tOS7eHjyXY.crl is VALID
17:47:06,412 INFO  rsync://certrepo.ripe.net/prod/d7/0b38ff-44ce-44c2-805b-50b7489300ed/1/CfWKr5qQwLRdsnw67qLOqSAQq4g.cer is VALID
17:47:12,009 INFO  rsync://certrepo.ripe.net/prod/54/eb6d87-36e7-4b13-aa1d-f1f5b0ad8bcc/1/CfWKr5qQwLRdsnw67qLOqSAQq4g.crl is VALID
17:47:12,012 INFO  file:/Users/tim/Development/runtime/validator/./bl.roa is VALID
Content type: 1.2.840.113549.1.9.16.1.24
Signing time: 2010-08-02T09:44:35.000Z
ASN: AS3333
Prefixes:
    85.118.184.0/24

The README file has more information about how to use the validator.

Test portal for members

The RIPE NCC offers a hosted, fully automated resource certification beta service for LIRs.

In the initial phase of deployment, we will only certify Provider Aggregatable (PA) address space allocated to LIRs. The service will allow users to set up ROA configurations, while automatically taking care of all the low-level crypto operations, as well as ensuring that the correct ROA objects are generated and published.

If you want to use the hosted test system now you will need to:
•    Log in as the admin user for your regid
•    Make your normal user a member of the certification group
•    Log in as that user
•    Click the certification link in the left-hand menu
•    Click "Yes" to activate your hosted Certificate Authority (CA)

In the longer term, it will also be possible to certify other Internet resources, including PI address assignments, Autonomous System Numbers (ASNs) and ERX resources. We also plan to add functionality that will enable members to run their own local RPKI system. This will allow more fine-grained control over system behaviour, local handling of private keys, and integration with other systems.

Other RIRs
Test Trust Anchor certificates for the other RIRs can be downloaded from:

AfriNIC  rsync://rpki.afrinic.net/repository/root.cer
APNIC    rsync://rpki.apnic.net/repository/APNIC.cer
ARIN     rsync://rpki-pilot.arin.net:10873/certrepo//e8/29afd2-319c-428f-b6b0-3528a7d24dcd/1/4789Xt9H2ltHuAXdrQ6GWXWH2Ao.cer
LACNIC   rsync://repository.lacnic.net/rpki/lacnic/ROOT_LACNIC_RPKI.cer

Other Tools
The RIPE NCC validator is one of several tools that can be used for validation purposes. There are related initiatives by ISC and BBN. ISC's rcynic validator can be downloaded here: http://subvert-rpki.hactrn.net/rcynic/

BBN's updated validator will be available for public download soon.

6 Comments

Anonymous says:
15 Oct, 2010 03:15 PM
Just an FYI: for some reason I can't pass %20 to rsync and have it consider it a valid path, so I had to use

rsync "rsync://certrepo.ripe.net/rta/CN=RTA,O=RIPE NCC,C=NL.cer" ./ripe-ncc-ta.cer

from the shell
Anonymous says:
15 Oct, 2010 04:15 PM
Hi Dave,

good point.

We actually also came to the conclusion that using spaces was not the best idea ;) And the inclusion of the O= and C= parts in the subject of the certificates is not following the spec.

So, in short, yesterday's upgrade fixed this. We now have these publication points:

ETA rsync://certrepo.ripe.net/eta/CN=RIPE-NCC-ETA-2010-10-14.cer
RTA rsync://certrepo.ripe.net/rta/CN=RIPE-NCC-RTA-2010-10-14.cer

We made links so that the old publication points resolve to the same actual files. So the URIs in this article and the readme of the validator should still work, provided you can pass them on to rsync in your shell.

If not, please use the above locations for now. New, stable publication points will be made available when this service goes into production.

Anonymous says:
18 Aug, 2011 07:22 PM
It's been quite a while now; the certificate is hosted somewhere else now:

rsync rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer ./ripe-ncc-ta.cer
Anonymous says:
15 Oct, 2010 03:17 PM
Also, I get this amusing error:


$ ripencc-rpki-validator/bin/certification-validator --top-down -t ripe-ncc-ta.cer -o out --roa-export roas.csv

14:17:25,960 ERROR org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.ASN1OctetString
Anonymous says:
15 Oct, 2010 04:21 PM
I would like to investigate the problem so that it can be fixed. But I can't reproduce this error. If you can, can you please send some more details like the platform and java version you are using, and preferably a full stack trace to certtest@ripe.net?

Thanks for testing this tool :)
Anonymous says:
22 Oct, 2010 01:57 PM
As it turns out this issue was related to using GNU java instead of Sun java 1.6 that we use in developing and testing this tool.

Because Sun java should be available for all platforms without restrictions we have now updated the readme -- to be included in the next release. Sun java 1.6 is now listed as required.

The reason for this is that we would rather focus our efforts on improving functionality and usability for now. We expect that this will result in more value for the community than making sure the tool works with other java versions.

Regards,

Tim Bruijnzeels