On Sunday, 17 February 2019, 51 representatives from 37 organisations came together in Cloudflare's San Francisco offices for a roundtable discussion. The aim was to discuss operational aspects of RPKI deployment. RPKI technology is nowadays seen as the best way forward to secure the Internet's routing tables. Participants came from all market verticals: large telecom operators, government agencies, Content Delivery Networks (CDNs), Regional Internet Registries (RIRs), and cloud providers.
We wanted operators to work together and bring Internet routing one step closer to a point where security of the global routing table is far more comprehensive than it is today.
Nathalie Trenaman chairing a discussion on the need for 24/7 support for RPKI
In roughly six hours a wide range of topics related to Resource Public Key Infrastructure (RPKI) were covered. Participants actively discussed and shared knowledge and insights. Topics included how to scale RPKI infrastructure, RPKI's features, new use cases for RPKI data, service level expectations, and developments in the RPKI software ecosystem.
Job Snijders from NTT Communications kicked off the day's informal program with an update on various RPKI related software packages. He highlighted:
- The OpenBSD community is working on rpki-client(1), a new BSD-licensed RPKI Cache Validator,
- A new capability in pmacct which allows operators to classify which traffic, and how much of it, is being sent according to the validation state of the source or destination, and
- An update on how RPKI will integrate into the new IRRd.
Later on in the day Louis Poinsignon from Cloudflare unveiled a new open source RPKI software toolset and an RPKI Cache Validator implementation called OctoRPKI. It is great to see diversity in the RPKI software landscape improve month by month.
A topic that triggered lively discussion was BGP Remote Triggered Blackholing. Participants discussed various ways in which RPKI data can be used to validate requests to discard traffic. Different implementation methods were highlighted, each with its own set of pros and cons. We suspect that we haven't heard the final word on the topic of blackholing yet!
Another major theme throughout the day was the resiliency of RPKI's underlying core infrastructure:
- Participants expressed a desire for the RPKI Repository Delta Protocol (RRDP) to replace rsync to improve availability and scalability.
- There was also talk about what else the RIRs could do to meet the operational expectations of their stakeholders (many of whom drive 24/7 global businesses); for instance, it was suggested that all RIRs be encouraged to set up emergency phones and strive to provide round-the-clock support on RPKI services.
- And there is the need for more stringent monitoring of all aspects of RPKI infrastructure.
It is very encouraging to see so many high-profile organisations collaborate and share experiences in an informal setting. Plus there was no debate about the value of RPKI, or if it’s the best solution. We're now clearly past that point!