Adonis Stergiopoulos

Results of the First RPKI Deployathon

Contributors: Nathalie Trenaman, Melchior Aelmans, Vesna Manojlovic

5 min read

0 You have liked this article 0 times.
0

The RIPE NCC and Juniper Networks co-hosted the first Deployathon on RPKI – a two-day event that brought together network professionals from 7 countries to work on practical aspects of routing security.


How it all started

Internet routing was built on trust. Back in the early days of the Internet, network operators exchanged traffic with people they knew, had coffee with and trusted. As the Internet grew bigger, they started to interact with network operators they didn't necessarily know. With prefix hijacks taking place on a daily basis, trust was lost along the way. RPKI was introduced almost a decade ago, to make internet routing more secure.                       

How Internet BGP Routing was first drawn on two napkins, often referred to as the "Two-napkin Protocol"

Why a Deployathon?

We (the RIPE NCC's Community Builders) have held eight hackathons, all of which were very well received. With RPKI gaining more traction, we chose to modify our well-used hackathon formula. This time, we have brought together 'facilitators' who could guide network professionals through the entire process of deploying RPKI, learn from each other and help them make informed decisions for their routing.

What happened

The first ever RPKI Deployathon took place on 7-8 March 2019 at the Juniper Networks offices in Amsterdam and this marks a new milestone in our Community Building efforts! We had an overwhelming response from applicants – more than 60 people applied to be part of it, and we would like to thank everyone for their interest. 

Both days kicked off with strong coffee, Deployathon t-shirts and many tins of Dutch 'stroopwafels' – a local delicacy that has now become a tradition every time we host a hackathon.

We invited six speakers to share best practices when deploying RPKI – things to consider in terms of policies, what to do and to avoid with router configuration. The speakers took on active roles as facilitators throughout the Deployathon, answering questions and guiding participants when needed.

Hands-on Work

After the morning talks, participants worked in groups to do the actual hands-on technical work, focusing on the following topics:

1) Setting Up a Validator

There are currently three available choices for a Validator:

Developers from each organisation were present to help participants set up their Validators, see how they were using them, identify and report any problems. During the Deployathon, they were even able to fix some bugs!

Facilitatorsencouraged participants to test all three Validators, and later in production, use more than one when deploying RPKI on their infrastructure. A small piece of wisdom from our facilitators - is it recommended to use all three Validators when configuring your router(s).

2) Generating Certificates and Route Origin Authorisations (ROAs)

Members of our team ran sessions on how to create a ROAs in a test environment and how this can be done through the RIPE NCC’s LIR portal. We also tried to assist participants who were using Internet resources from the other RIRs.

Total number of ROAs during the first day of the RPKI Deployathon (7 March 2019)

3) Configuring Routers and using a Validator

This work was done using a network emulation platform, provided by Tesuto. Using this platform, network operators could test implementing RPKI in a test environment and receive hands-on assistance when deploying it.

4) Policies and exceptions

The ultimate goal of RPKI is to reject invalid BGP announcements, the so-called "invalid==reject" policy. Operators recommend, however, to manually check invalid BGP announcements before start rejecting them. This will help spot potential problems before they arise. There is also the option to temporarily whitelist invalid BGP announcements in your Validator while contacting the organisation that created the associated ROA.

Conclusion and Next Steps

At the end of each day, we wrote our results on a whiteboard, documenting our progress and things participants would like to work on going ahead.

Top three tips from our facilitators:

  • Create your ROAs. You can do this on the LIR Portal before publishing them into production
  • Make sure you use a test environment before deploying on live routers
  • Don't be scared to deploy RPKI

We want to thank all our participants for attending, our sponsors and speakers as well as the people who showed their interest in participating. The materials used during the Deployathon can be found on GitHub.

If you would like to take part in one of our next hackathons, keep an eye on RIPE Labs.

The RPKI Deployathon In Numbers

0 You have liked this article 0 times.
0

About the author

Comments 0