[sidr] A quick note from RPKI in the wild

Alex Band <alexb@ripe.net> Mon, 05 December 2011 22:02 UTC

Return-Path: <alexb@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 69F801F0C85 for <sidr@ietfa.amsl.com>; Mon, 5 Dec 2011 14:02:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id fdDMEPAVfL8w for <sidr@ietfa.amsl.com>; Mon, 5 Dec 2011 14:02:35 -0800 (PST)
Received: from postlady.ripe.net (postlady.ipv6.ripe.net [IPv6:2001:67c:2e8:11::c100:1341]) by ietfa.amsl.com (Postfix) with ESMTP id 7F9221F0C47 for <sidr@ietf.org>; Mon, 5 Dec 2011 14:02:34 -0800 (PST)
Received: from dodo.ripe.net ([]) by postlady.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <alexb@ripe.net>) id 1RXgcJ-0002Eq-Rr for sidr@ietf.org; Mon, 05 Dec 2011 23:02:33 +0100
Received: from mandrill.ripe.net ([] helo=[IPv6:::1]) by dodo.ripe.net with esmtp (Exim 4.72) (envelope-from <alexb@ripe.net>) id 1RXgcJ-00058q-Me for sidr@ietf.org; Mon, 05 Dec 2011 23:02:31 +0100
From: Alex Band <alexb@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D37338E3-7AC9-4ACE-B821-273EBA879969"
Date: Mon, 05 Dec 2011 23:02:31 +0100
Message-Id: <F88C726A-DB3E-452D-9906-67B84F9B19C8@ripe.net>
To: sidr@ietf.org
Mime-Version: 1.0 (Apple Message framework v1251.1)
X-Mailer: Apple Mail (2.1251.1)
X-RIPE-Spam-Level: ----
X-RIPE-Spam-Report: Spam Total Points: -4.1 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.2 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 HTML_MESSAGE BODY: HTML included in message
X-RIPE-Signature: ddd0bbf11d1e21354000f5f053f5ae69cef36877863a6c0fb064f98fb8eb50a3
Subject: [sidr] A quick note from RPKI in the wild
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2011 22:02:36 -0000

The RIPE NCC launched a Resource Certification platform on 1.1.2011, where members can choose to set up a certificate listing their address blocks. They can run RPKI software themselves, or use a hosted platform in our web portal. So far 715 out of our ~7500 members have done this. Out of the top 100 largest LIRs in our region, 28 have a certificate set up. About half of the enabled members have the certificate solely to get validatable proof of holdership of the address space they hold (for now?), the rest use it for BGP origin validation. 

By the latter group, 416 Route Origin Authorization (ROA) objects have been created, covering the equivalent of 230,000 /24 prefixes and 8,600 /32 IPv6 prefixes. MaxLength in ROAs is sorely misunderstood, lots of education is needed there. Most leave the field blank, causing more specific announcements to be invalid.

Lately though, there lots of activity with regards to tooling and testbeds. EuroTransit have set up a testbed with Randy/Rob's tools, as well as the NCC's: 


They also made two public RPKI capable Juniper routers available. You can log into them using telnet with these details:

IPs: and
user: rpki
password: testbed

You can run commands such as "show validation database" , "show validation statistics", "show validation session", "show bgp neighbor", "show bgp summary" and lastly "show route protocol bgp validation-state", followed by the state (valid, invalid, unknown or unverified)

I'm curious to hear what you think.


Alex Band

P.S. Here you can grab a pre-release of the NCC Validation tool that they run there (requires *NIX w/ Java, rsync):