Job Snijders

RPKI: The Way Forward - Report on February 2019 RPKI Roundtable

Job Snijders
Contributors: Nathalie Trenaman
0 You have liked this article 0 times.

On Sunday, 17 February 2019, 51 representatives from 37 organisations came together in Cloudflare's San Francisco offices for a roundtable discussion. The aim was to discuss operational aspects of RPKI deployment. RPKI technology is nowadays seen as the best way forward to secure the Internet's routing tables. Participants came from all market verticals: large telecom operators, government agencies, Content Delivery Networks (CDNs), Regional Internet Registries (RIRs), and cloud providers.

We wanted operators to work together and bring Internet routing one step closer to a point where security of the global routing table is far more comprehensive than it is today.

Nathalie Trenaman chairing a discussion on the need for 24/7 support for RPKI

In roughly six hours a wide range of topics related to Resource Public Key Infrastructure (RPKI) were covered. Participants actively discussed and shared knowledge and insights. Topics ranged from how to scale RPKI infrastructure, RPKI's features, new use cases for RPKI data, discussion on service level expectations and developments in the RPKI software ecosystem.

Job Snijders from NTT Communications kicked off the day's informal program with an update on various RPKI related software packages. He highlighted:

  • The OpenBSD community is working on rpki-client(1), (a new BSD-licensed RPKI Cache Validator),
  • A new capability in pmacct which allows operators to classify which and how much traffic is being sent in context of the validation state of the source or destination, and 
  • An update on how RPKI will integrate into the new IRRd

Later on in the day Louis Poinsignon from Cloudflare unveiled a new open source RPKI software toolset and an RPKI Cache Validator implementation called OctoRPKI. It is great to see diversity in the RPKI software landscape improve month by month.

A topic that triggered lively discussion was BGP Remote Triggered Blackholing. Participants discussed various ways how RPKI data can be used to validate requests for discarding of traffic. Different implementation methods were highlighted, each with their own set of pros and cons. We suspect that we haven't heard the final word on the topic of blackholing yet!

Another major theme throughout the day was the resiliency of RPKI's underlying core infrastructure:

  • Participants expressed a desire for the RPKI Repository Delta Protocol (RRDP) to replace rsync to improve availability and scalability.
  • There was also talk about what else the RIRs could do to meet the operational expectations of their stakeholders (many of which drive 24/7 global businesses); for instance it was suggested to encourage all RIRs to set up emergency phones and strive to provide round-the-clock support on RPKI serivces.
  • And there is the need for more stringent monitoring of all aspects of RPKI infrastructure.

It is very encouraging to see so many high-profile organisations collaborate and share experiences in an informal setting. Plus there was no debate about the value of RPKI, or if it’s the best solution. We're now clearly past that point!

0 You have liked this article 0 times.

You may also like

View more

About the author

Job Snijders Based in Amsterdam, Netherlands

Job Snijders is an Internet Engineer at Fastly where he analyzes and architects global networks for future growth. Job has been actively involved in the Internet community in both operational, engineering, and architectural capacity, as a frequent presenter at network operator events such as NANOG, ITNOG, DKNOG, RIPE, NLNOG & APRICOT, and in a number of community projects for over 15 years. Job is co-chair of the IETF GROW working group, co-chair of the RIPE Routing Working Group, vice president of PeeringDB, director of the Route Server Support Foundation, manager of the IRRd v4 project, and Art Director for the OpenBSD project. Job's special interests are BGP routing policies, RPKI based routing security, and large Internet scale PKIX-RPKI & BGP deployments. Job helps maintain several tools such as IRRd, rpki-client, bgpq4, OpenBGPD, irrtree, rtrsub, and irrexplorer, and is active in the IETF where they have coauthored or contributed to RFCs and Internet-Drafts. Job has experience with the implementation and operation of RPKI Certificate Authorities, Publication Servers, and Relying Parties.

Comments 0