Moving RPKI beyond routing security

By on 20 Nov 2020

Category: Tech matters

Tags: , , , ,

Blog home

Resource Public Key Infrastructure (RPKI) is used for improving Border Gateway Protocol (BGP) routing security. Often the terms RPKI, ROA (Route Origin Authorization) and ROV (Route Origin Validation) are used interchangeably.

But did you know that, in fact, the term RPKI refers to the Resource Public Key Infrastructure only? It is the basic infrastructure that allows resource holders to make signed statements about their Internet number resources. And while routing security is the primary use case for RPKI, there are many other interesting statements that one may want to make about one’s IP addresses or Autonomous Systems Numbers (ASNs)!

Resource Tagged Attestations, or RTAs, are a new type of RPKI object that is being proposed by authors from APNIC and NLnet Labs in the IETF. They allow any arbitrary file to be signed ‘with resources’ by one or more parties. The RTA object is a separate file that cryptographically connects the document with a set of resources. The receiver of the object can use an RPKI validator to show these resources, and verify that it was created by the rightful holder(s) of those resources.

The file can be anything. Interpreting what the resources mean in relation to the content of the file is not part of the RTA specification itself. For example, the file could be a pdf document that is meant to be read by humans, such as a letter of authority, and the reader can then verify that the resources match the content. But this can also be used by machines. For example, for bring-your-own-ip-prefix functionality offered by some cloud providers, they could ask a user for a specific piece of data (a challenge if you will) to be signed and process their RTA as proof of holdership.

Create and validate RTA objects today!

As a part of the RTA development effort, NLnet Labs has now introduced proof-of-concept support for this in Routinator and Krill, which is interoperable with the RTA signing function in development at APNIC.

Read: APNIC now supports RFC-aligned ‘publish in parent’ self-hosted RPKI

Because it is still early days in the development of this standard we have not yet added this support by default. However, if you want to experiment with RTA today, you can install special versions of Routinator and Krill on a test machine and get your hands dirty!

Step 1: Build Krill and Routinator with RTA support

Install Routinator and Krill using Cargo. For this, you can follow the directions on installing Rust on your system described here. But explicitly enable the ‘rta’ feature when you build the binaries:

 cargo install routinator --features rta
 cargo install krill --features rta 

Step 2: Set up a test Krill instance under the NLnet Labs testbed

We will assume that you will run Krill on a test machine where you have shell access. At this time RTA support has not yet been added to the user interface, so we will use the ‘krillc’ Command Line Interface (CLI) client here.

Choose a secret token and CA Name and set the following environment variables:

 KRILL_CLI_MY_CA=<YOUR-CA> 
 KRILL_CLI_TOKEN=<YOUR-SECRET> 

Choose a working directory and set the following environment variable:

 KRILL_DIR=</path/to/your/data> 
 mkdir -p $KRILL_DIR 
 cd $KRILL_DIR  

Configure and run Krill:

  krillc config simple --data $KRILL_DIR \ 
                    --logfile $KRILL_DIR/krill.log \ 
                    --token $KRILL_CLI_TOKEN > $KRILL_DIR/krill.conf 
  nohup krill -c $KRILL_DIR/krill.conf &  

Create your CA

  krillc add 

Set up your CA using the NLnet Labs test service as a parent and repository. 

To add the Publication Server, generate a request XML file:

  krillc repo request 

Then copy and upload it under “Register Publisher” here:
https://testbed.rpki.nlnetlabs.nl/

Next, copy the response and put in a file on your system, here we will use ‘ca-repo-res.xml’ as the filename. Then add the repository to your CA:

  krillc repo update --response ./ca-repo-res.xml 

To add the testbed parent to your CA generate a request file and upload it under the “Register CA” tab of the same url as above. You can choose any resources for testing. Here we will use: 192.168.0.0/16.

  krillc parents request 

Copy the response and put in a file on your system. Here we will use ‘ca-par-res.xml’ as the filename. Then add the parent to your CA:

  krillc parents add --parent testbed --response ./ca-par-res.xml 

Wait a couple of seconds for Krill to synchronize with the parent and publish to the repository. Then verify its status with the ‘show’ command. You should now see something like this:

 krillc show 
 Name:     ca
 
 Base uri: rsync://testbed.rpki.nlnetlabs.nl/repo/ca1605603913302/ 
 RRDP uri: https://testbed.rpki.nlnetlabs.nl/rrdp/notification.xml 

 ID cert PEM: 
 -----BEGIN CERTIFICATE-----
MIIDNDCCAhygAwIBAgIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhEM0M0
NTg5RTQ0RTM3MDc3ODEyMjdDRkYyQUVCNUEwREVGQzhGRjlGMB4XDTIwMTExNzA4
NTEzMFoXDTM1MTExNzA4NTYzMFowMzExMC8GA1UEAxMoRDNDNDU4OUU0NEUzNzA3
NzgxMjI3Q0ZGMkFFQjVBMERFRkM4RkY5RjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALhMLqsPNJyh5Xl6qJjh940VVxlwAQgXvHh1VJtfjC9FIfg9D/Mf
9xMsNVmKFcFuv1qX0bvGQTTuq7+npTr7/muamr/tFlY8mljuxalAmxgZwljEzEKb
quqaAS8XuLZ+9pRpMM8Ob20zYMmF3M6ae1ww/jUdSxf3z332sqYfV7zvW0b1vMD+
x3yNOLlLsJnNvITsq5EU41DYvMUg8YRTrjHQRLEmlJKdkN/9/h6Wew7g6saa9BTf
4RHxQCRwFH/5mekzeOeUxhmlJPetCBMOQY9grw2sUZcVLTYBsw7/x7Nm0HkJzgC0
qPgfOi47j0j+merpjAjMXuuiV1nOryt6MvECAwEAAaNTMFEwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQU08RYnkTjcHeBInz/KutaDe/I/58wHwYDVR0jBBgwFoAU
08RYnkTjcHeBInz/KutaDe/I/58wDQYJKoZIhvcNAQELBQADggEBACpsHZ0lsFja
rkJ0q6MmtmHlIhMiSU4qFGV8dLDjpYKBgmxpzn7uedCoC63/Q7I7QhZY30YPB9i5
HA4WOr9mEU4VW5oZ9/WHHO4gOeiz8L5gcIYUAf5Blhs1/jnKIA/Rs+Ob8l6R5GZi
jP9wzVB8x5PuqnL2+Ha2ssC/pUnPRppZNAe4q4bScdfCb8fUt0XBwyD2hFOCnSL7
ppJKk1ixQnpIXLZ0zm3PASYIUxiwZ0Qu9OQdb/v4L3Jm3+Fzc//0RH3134iXSR0I
nfrH4LP593gLP3UfooMD5UimCT480q+KgL342Non1l9mfcIfIsXrNepbFPbD5Bck
lQEz36jJSoQ=
-----END CERTIFICATE-----

Hash: f988a5af965f3ef3137653ac2f400fc50265121ff1ea9b6bb317c66845669a8d

Total resources:
    ASNs: 
    IPv4: 192.168.0.0/16
    IPv6: 

Parents:
Handle: testbed Kind: RFC 6492 Parent

Resource Class: 0
Parent: testbed
State: active    Resources:
    ASNs: 
    IPv4: 192.168.0.0/16
    IPv6: 

Current objects:
  D666691C314C6B52995365EAC4F60E4D1EFC1DEF.mft
  D666691C314C6B52995365EAC4F60E4D1EFC1DEF.crl

Children:
<none>

Step 3: Sign an RTA

Now we can start signing any file we like. Here we will sign the Krill configuration file that you just created. But, of course, feel free to sign cat videos if you want!

 krillc rta sign --ipv4 192.168.0.0/24 \
              --days 365 \
              --name RTA1 \
              --in $KRILL_DIR/krill.conf 

To show your RTAs you can use the following:

 krillc rta list
 RTA1

You can save an RTA to disk as follows:

krillc rta show --name RTA1 --out $KRILL_DIR/krill.conf.rta

Step 4: Validate

Since we are running our Krill under the NLnet Labs testbed, you will need to configure Routinator to use its TAL:

 mkdir ~/.rpki-cache/tals
 cd ~/.rpki-cache/tals
 wget https://testbed.rpki.nlnetlabs.nl/testbed.tal
 cd - 

Now anyone can validate that the signature matches the file, in this case provided that they added the NLnet Labs testbed TAL as described above. If the signature is valid, Routinator will report the resources covered by it:

 % routinator -q rta ./krill.conf ./krill.conf.rta
 192.168.0.0/24 

Future work

APNIC and NLnet Labs plan to update the RTA document and seek standardization in the IETF. When the standard becomes more crystallized we plan to give this more prominent support in Krill, for example, by adding a user interface to manage RTAs under your CA.

Tim Bruijnzeels is a senior software developer at NLnet Labs, who has been involved in RPKI standards development and software implementation for well over 10 years.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Please answer the math question * Time limit is exhausted. Please click the refresh button next to the equation below to reload the CAPTCHA (Note: your comment will not be deleted).

Top