Treating RPKI ROAs as IRR route(6) objects

1 Aug 2018

Category: Tech matters


The Resource Public Key Infrastructure (RPKI) is a modern reimagination of the good ole’ Internet Routing Registry (IRR) system we have come to love and hate. The main advantage of RPKI is that consumers of the data can cryptographically verify that a so-called RPKI Route Origin Authorization (ROA) was created by the actual owner of the IP prefix.


Given that RPKI ROAs are somewhat equivalent to IRR route objects — but more reliable in terms of authoritativeness — NTT now has an automated nightly process that converts RPKI information into IRR format so that our toolchain can consume the data as if it were just another IRR source.

Using RPKI ROAs as if they are IRR route(6) objects is a transitional step towards increased security in the routing ecosystem.

Although this is not a new method per se — Dragon Research Labs were the first to explore the idea in 2015, the same year that RIPE NCC’s RPKI Validator added RPSL export functionality, and ARouteServer added native support for this method in 2017 — NTT is probably the first to republish elements from RPKI ROAs via a publicly accessible IRR Daemon (IRRd) instance queryable with the RADB IRRd protocol. This means that anyone who points their bgpq3 or peval programs at rr.ntt.net can leverage this method without having to update anything else in the pipeline (see the example below):

job@vurt ~$ whois -h rr.ntt.net 193.0.6.139
[Querying rr.ntt.net]
[rr.ntt.net]
route:       193.0.0.0/21
descr:       RIPE-NCC
origin:      AS3333
mnt-by:      RIPE-NCC-MNT
changed:     unread@ripe.net 20000101
source:      RIPE
remarks:     ****************************
remarks:     * THIS OBJECT IS MODIFIED
remarks:     * Please note that all data that is generally regarded as personal
remarks:     * data has been removed from this object.
remarks:     * To view the original object, please query the RIPE Database at:
remarks:     * http://www.ripe.net/whois
remarks:     ****************************

route:       193.0.0.0/21
descr:       RPKI ROA for 193.0.0.0/21
remarks:     This route object represents routing data retrieved from the RPKI
remarks:     The original data can be found here:  htts://rpki.gin.ntt.net/r/AS3333/193.0.0.0/21
remarks:     This route object is the result of an automated RPKI-to-IRR conversion process.
remarks:     maxLength 21
origin:      AS3333
mnt-by:      MAINT-JOB
changed:     job@ntt.net 20180718
source:      RPKI  # Trust Anchor: RIPE NCC RPKI Root

The first object is an actual IRR ’route’ object from the RIPE NCC operated IRR. The second object is a representation of the RPKI ROA in RPSL format published via rr.ntt.net.
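The conversion step can be sketched as follows. This is an added example, not NTT's own tooling: the JSON field names, the maintainer and the contact are assumptions, and skipping AS0 and malformed ROAs is a choice made for this example.

```python
import ipaddress
import json

# Constructed sample; the field names ("asn", "prefix", "maxLength", "ta")
# are an assumed validator export shape, not taken from the article.
SAMPLE_EXPORT = json.dumps({"roas": [
    {"asn": "AS3333", "prefix": "193.0.0.0/21", "maxLength": 21, "ta": "RIPE NCC RPKI Root"},
    {"asn": "AS64500", "prefix": "2001:db8::/32", "maxLength": 48, "ta": "Example TA"},
    {"asn": "AS0", "prefix": "198.51.100.0/24", "maxLength": 24, "ta": "Example TA"},
    {"asn": "AS64501", "prefix": "203.0.113.0/24", "maxLength": 20, "ta": "Example TA"},
    {"asn": "AS64502", "prefix": "192.0.2.1/24", "maxLength": 24, "ta": "Example TA"},
]})

MAINTAINER = "MAINT-EXAMPLE"          # hypothetical maintainer
CHANGED = "noc@example.net 20180718"  # hypothetical contact and date


def roa_to_rpsl(roa):
    """Render one ROA as an RPSL route/route6 object, or None if unusable."""
    try:
        net = ipaddress.ip_network(roa["prefix"], strict=True)
        asn = int(str(roa["asn"]).upper().replace("AS", ""))
        max_len = int(roa["maxLength"])
    except (KeyError, ValueError):
        return None  # malformed entry, e.g. host bits set in the prefix
    if asn == 0:
        return None  # an AS0 ROA means "do not route": never emit an object
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        return None  # maxLength must lie between prefix length and 32/128
    cls = "route" if net.version == 4 else "route6"
    fields = [
        (cls, str(net)),
        ("descr", f"RPKI ROA for {net}"),
        ("remarks", "This route object is the result of an automated RPKI-to-IRR conversion process."),
        ("remarks", f"maxLength {max_len}"),  # kept as a remark, as in the object above
        ("origin", f"AS{asn}"),
        ("mnt-by", MAINTAINER),
        ("changed", CHANGED),
        ("source", f"RPKI  # Trust Anchor: {roa.get('ta', 'unknown')}"),
    ]
    # Attribute names are padded to 13 columns, matching the whois output above.
    return "\n".join((key + ":").ljust(13) + value for key, value in fields)


def convert(export_json):
    """Convert a whole export, dropping entries that must not become objects."""
    roas = json.loads(export_json)["roas"]
    return [obj for obj in map(roa_to_rpsl, roas) if obj is not None]


if __name__ == "__main__":
    print("\n\n".join(convert(SAMPLE_EXPORT)))
```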

Good quality doesn’t mean correct

In general, we can state that RPKI data is good quality; however, it may not be correct data. In this context ‘good quality’ means that it cannot easily be forged or tampered with by adversaries (but of course that doesn’t protect the legitimate owner against their own misconfigurations). Just like with IRR route(6) objects, owners may input the wrong origin ASN in this type of object or configure the wrong MaxLength.

To assist with this, NTT operates a public RPKI Cache Validator, and there is also a command line interface available via BGPMon’s whois service:

job@vurt ~$ whois -h whois.bgpmon.com 193.0.0.0/21
% This is the BGPmon.net whois Service
% You can use this whois gateway to retrieve information
% about an IP address or prefix
% We support both IPv4 and IPv6 address.
%
% For more information visit:
% https://portal.bgpmon.net/bgpmonapi.php

Prefix:              193.0.0.0/21
Prefix description:  RIPE-NCC
Country code:        NL
Origin AS:           3333
Origin AS Name:      Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
RPKI status:         ROA validation successful
First seen:          2011-10-19
Last seen:           2018-07-19
Seen by #peers:      70

Notice that in the above output the ROA validation is successful.
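To see how a wrong origin ASN or a wrong MaxLength shows up when checking an announcement against ROAs, the following added example applies the RFC 6811 origin validation procedure to a constructed set of validated ROA payloads. It is not BGPMon's or NTT's code, and the function name and reason strings are this example's own.

```python
import ipaddress

# Constructed validated ROA payloads: (prefix, maxLength, origin ASN).
# The first entry mirrors the ROA shown earlier; the second is made up.
VRPS = [
    ("193.0.0.0/21", 21, 3333),
    ("2001:db8::/32", 48, 64500),
]


def validate(prefix, origin, vrps=VRPS):
    """Return (state, reasons) for an announcement, following RFC 6811.

    state is 'valid', 'invalid' or 'not-found'; reasons explains an
    'invalid' result so a misconfigured ROA is easy to spot.
    """
    route = ipaddress.ip_network(prefix)
    reasons = set()
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this payload does not cover the announcement
        origin_ok = vrp_asn == origin and vrp_asn != 0  # AS0 never matches
        length_ok = route.prefixlen <= max_len
        if origin_ok and length_ok:
            return "valid", []  # one matching payload is enough
        if not origin_ok:
            reasons.add("origin AS mismatch")
        if not length_ok:
            reasons.add("more specific than maxLength")
    if reasons:
        return "invalid", sorted(reasons)  # covered, but nothing matched
    return "not-found", []  # no payload covers the prefix at all


if __name__ == "__main__":
    for pfx, asn in [("193.0.0.0/21", 3333), ("193.0.0.0/24", 3333),
                     ("193.0.0.0/21", 64496), ("198.51.100.0/24", 64496)]:
        print(pfx, f"AS{asn}", *validate(pfx, asn))
```

A ROA whose MaxLength equals the prefix length, as in the 193.0.0.0/21 object above, makes every more-specific announcement invalid, even from the correct origin.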

This is a convenient service for relevant regions of the world where IRR is not the norm but RPKI is commonly available. Previously NTT only accepted IRR and ARIN-WHOIS. I hope competitors and partners will use this approach too!

Nota bene: the fact that NTT uses RPKI ROA information in the prefix filter generation process does not mean that NTT does ‘RPKI Origin Validation’ for BGP updates (yet). RPKI Origin Validation is an additional security layer that we hope to deploy in the not too distant future. Using RPKI ROAs as route(6) objects is an important step forward in this process.

Post adapted from email sent to RIPE NCC Routing Working Group.

Job Snijders is IP Development Engineer at NTT Communications.
