The RIPE NCC and Juniper Networks co-hosted the first Deployathon on RPKI – a two-day event that brought together network professionals from 7 countries to work on practical aspects of routing security.
How it all started
Internet routing was built on trust. Back in the early days of the Internet, network operators exchanged traffic with people they knew, had coffee with and trusted. As the Internet grew bigger, they started to interact with network operators they didn't necessarily know. With prefix hijacks taking place on a daily basis, trust was lost along the way. RPKI was introduced almost a decade ago to make Internet routing more secure.
How Internet BGP Routing was first drawn on two napkins, often referred to as the "Two-napkin Protocol"
Why a Deployathon?
We (the RIPE NCC's Community Builders) have held eight hackathons, all of which were very well received. With RPKI gaining more traction, we chose to modify our well-used hackathon formula. This time, we brought together 'facilitators' who could guide network professionals through the entire process of deploying RPKI, learn from each other, and help participants make informed decisions for their routing.
The first ever RPKI Deployathon took place on 7-8 March 2019 at the Juniper Networks offices in Amsterdam and this marks a new milestone in our Community Building efforts! We had an overwhelming response from applicants – more than 60 people applied to be part of it, and we would like to thank everyone for their interest.
Both days kicked off with strong coffee, Deployathon t-shirts and many tins of Dutch 'stroopwafels' – a local delicacy that has now become a tradition every time we host a hackathon.
We invited six speakers to share best practices when deploying RPKI – things to consider in terms of policies, and what to do and what to avoid with router configuration. The speakers took on active roles as facilitators throughout the Deployathon, answering questions and guiding participants when needed.
After the morning talks, participants worked in groups to do the actual hands-on technical work, focusing on the following topics:
1) Setting Up a Validator
There are currently three available choices for a Validator:
Developers from each organisation were present to help participants set up their Validators, see how they were using them, identify and report any problems. During the Deployathon, they were even able to fix some bugs!
Facilitators encouraged participants to test all three Validators and, later in production, to use more than one when deploying RPKI on their infrastructure. A small piece of wisdom from our facilitators: it is recommended to use all three Validators when configuring your router(s).
2) Generating Certificates and Route Origin Authorisations (ROAs)
Members of our team ran sessions on how to create ROAs in a test environment and how this can be done through the RIPE NCC's LIR portal. We also tried to assist participants who were using Internet resources from the other RIRs.
Total number of ROAs during the first day of the RPKI Deployathon (7 March 2019)
3) Configuring Routers and using a Validator
This work was done using a network emulation platform, provided by Tesuto. Using this platform, network operators could test implementing RPKI in a test environment and receive hands-on assistance when deploying it.
4) Policies and exceptions
The ultimate goal of RPKI is to reject invalid BGP announcements, the so-called "invalid==reject" policy. Operators recommend, however, manually checking invalid BGP announcements before you start rejecting them. This will help spot potential problems before they arise. There is also the option to temporarily whitelist invalid BGP announcements in your Validator while contacting the organisation that created the associated ROA.
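The manual check of invalids described above, as an added example that is not part of the Deployathon materials: it classifies announcements against validated ROA data following RFC 6811 and lists each invalid with its reason (wrong origin AS or a prefix more specific than the ROA allows). The VRPs, routes and function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Validated ROA Payload: what a Validator hands to the router after checking ROAs.
VRP = namedtuple("VRP", "prefix max_length asn")

def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

def validate(prefix, origin_asn, vrps):
    """Classify one announcement as valid / invalid / not-found (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found", []          # no ROA covers this prefix
    reasons = []
    for v in covering:
        asn_ok = v.asn == origin_asn and v.asn != 0   # AS0 never matches
        len_ok = route.prefixlen <= v.max_length
        if asn_ok and len_ok:
            return "valid", []          # one matching VRP is enough
        if not asn_ok:
            reasons.append(f"{v.prefix}: ROA authorises AS{v.asn}, seen AS{origin_asn}")
        else:
            reasons.append(f"{v.prefix}: max length /{v.max_length}, seen /{route.prefixlen}")
    return "invalid", reasons

def review_queue(announcements, vrps):
    """Invalid announcements with reasons, for manual checking before rejecting."""
    queue = []
    for prefix, asn in announcements:
        state, reasons = validate(prefix, asn, vrps)
        if state == "invalid":
            queue.append((prefix, asn, reasons))
    return queue

# Constructed sample data (documentation prefixes and ASNs, not real routes).
SAMPLE_VRPS = [vrp("192.0.2.0/24", 24, 64496),
               vrp("203.0.113.0/24", 24, 64498),
               vrp("2001:db8::/32", 48, 64497)]
SAMPLE_ROUTES = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                 ("203.0.113.0/24", 64511), ("2001:db8:1::/48", 64497),
                 ("198.51.100.0/24", 64499)]

if __name__ == "__main__":
    for prefix, asn, reasons in review_queue(SAMPLE_ROUTES, SAMPLE_VRPS):
        print(f"INVALID {prefix} AS{asn}: {'; '.join(reasons)}")
```

An announcement covered by no ROA is "not-found" rather than invalid, so it never enters the review queue and is unaffected by an "invalid==reject" policy.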
Conclusion and Next Steps
At the end of each day, we wrote our results on a whiteboard, documenting our progress and things participants would like to work on going ahead.
Serious momentum is the end-of-day statement from @RIPE_NCC’s #RPKIDeployathon day one. These numbers, curated by @Ms_Multicolor, are brilliant! A worthwhile day and a great step-forward for #RPKI and secure routing. 17 LIRs, ~220 ROAs, 14 validators installed. #progress pic.twitter.com/Zky3RreL4C— Martin J. Levy (@mahtin) March 7, 2019
Top three tips from our facilitators:
- Create your ROAs. You can do this on the LIR Portal before publishing them into production
- Make sure you use a test environment before deploying on live routers
- Don't be scared to deploy RPKI
We want to thank all our participants for attending, our sponsors and speakers as well as the people who showed their interest in participating. The materials used during the Deployathon can be found on GitHub.
If you would like to take part in one of our next hackathons, keep an eye on RIPE Labs.