During IETF 95 in Buenos Aires, RIPE NCC and APNIC staff worked on prototype signer/validator implementations of the draft RPSL signature specification.
This specification allows parties to use RPKI to sign an RPSL object, meaning clients can verify that the certified resource holder has authorized the creation of that object.
There are several potential applications for this specification:
- Legitimacy of Address (LoA) checks
Some ISPs require signed LoA statements, on APNIC letterhead, before they will allow transit. Providing a verifiable RPSL object instead will be cheaper and quicker, and standardizing its use will dramatically reduce the scope for fraud in this sort of situation. - IRR mirroring integrity
Today, IRRs mirror data amongst themselves, but a client of a specific IRR has no way of verifying mirrored information. If resource holders sign their RPSL objects, IRR clients can be assured of authenticity, regardless of the immediate source of the object. - Cross-registry authentication
Current efforts to deprecate out-of-region object creation in the RIPE NCC database are causing understandable community concern about the different route[6] object authorization requirements in other registries, among other things. Supporting signatures over those objects will allow clients in every region to distinguish objects signed only by the address range holder from those signed by both the address range holder and the ASN holder. They can then filter that data accordingly; for example, by ignoring the former category when constructing route filters.
Participate in testing
APNIC’s current prototype supports object creation and validation using the public test whois database and RPKI systems. As is typical during interoperability testing, a number of suggestions and clarifications to the specification were documented. These will be followed up within the working group as testing continues.
If you would like to test the prototype, please let us know below in the comments section and we can organize access for you.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.