We're celebrating reaching 10,000 generated Certificate Authorities. This is a big milestone for RPKI and proof that more operators are seeing the need for routing security.
A bit of an introduction
Resource Public Key Infrastructure (RPKI) is currently a hot topic amongst network engineers. There are presentations on successful deployments at almost every NOG event, we hear operators’ deployment stories on a daily basis, and we see more and more networks dropping RPKI invalid BGP announcements. This is very good news for global routing security!
The first step in deploying RPKI is to set up a Certificate Authority and to generate a certificate. This allows you to create your Route Origin Authorisations (ROAs). RIPE NCC members or PI holders can choose the hosted platform, where all keys and key rollovers are managed by the RIPE NCC in an automated way – this is currently the option our members prefer most. Very soon, our friends at NLnet Labs will launch a software package, called Krill, that allows members to easily set up and manage their own Certificate Authority (CA).
Reaching 10,000 Certificates
Today, we're celebrating reaching 10,000 generated Certificate Authorities! Of course, our team dug a bit deeper into these certificates to find out how many of them have actually created their ROAs – this is currently the main reason to set up your CA.
We were a bit surprised to find out that 25.4% of those 10,000 CAs haven’t set up their ROAs yet, and we will look into why they haven't done so. When resource holders create ROAs, other operators can make safer routing decisions about which routes to accept or drop in BGP.
We celebrated this milestone with a cake
Currently, we see that 7,460 CAs are responsible for the creation of over 12,800 ROAs (Source: http://certification-stats.ripe.net/).
We still have a long way to go, and as the RIPE NCC, we are here to help. We offer RPKI hands-on face-to-face training courses, webinars and a website where you can find all the information you need. There has also been a great community effort to build extensive RPKI user documentation. In case you have any questions about RPKI, you can reach us via the contact form on our website or send an e-mail to firstname.lastname@example.org.