Re: [sidr] A quick note from RPKI in the wild

Matthias Waehlisch <> Mon, 05 December 2011 22:39 UTC

Hi Alex,

  great! Also the extended RPKI Validator web interface.

  Just for completeness: As mentioned at the last IETF meeting, we also 
provide a public RTR origin server instance. You can connect via 
unprotected TCP or SSH:


  It currently runs rtr-origin but as soon as the NCC Validation tool is 
released we will also set such a cache server up.

  Using both, and, 
allows testing failover.

  Overall, nice playground!


Matthias Waehlisch
.  Freie Universitaet Berlin, Inst. fuer Informatik, AG CST
.  Takustr. 9, D-14195 Berlin, Germany
.. ..
:. Also: ..

On Mon, 5 Dec 2011, Alex Band wrote:

> The RIPE NCC launched a Resource Certification platform on 1.1.2011, where members can choose to set up a certificate listing their address blocks. They can run RPKI software themselves, or use a hosted platform in our web portal. So far 715 out of our ~7500 members have done this. Out of the top 100 largest LIRs in our region, 28 have a certificate set up. About half of the enabled members have the certificate solely to get validatable proof of holdership of the address space they hold (for now?), the rest use it for BGP origin validation. 
> By the latter group, 416 Route Origin Authorization (ROA) objects have been created, covering the equivalent of 230,000 /24 prefixes and 8,600 /32 IPv6 prefixes. MaxLength in ROAs is sorely misunderstood, lots of education is needed there. Most leave the field blank, causing more specific announcements to be invalid.
> Lately though, there has been lots of activity with regards to tooling and testbeds. EuroTransit have set up a testbed with Randy/Rob's tools, as well as the NCC's: 
> They also made two public RPKI capable Juniper routers available. You can log into them using telnet with these details:
> IPs: and
> user: rpki
> password: testbed
> You can run commands such as "show validation database", "show validation statistics", "show validation session", "show bgp neighbor", "show bgp summary" and lastly "show route protocol bgp validation-state", followed by the state (valid, invalid, unknown or unverified).
> I'm curious to hear what you think.
> Cheers,
> Alex Band
> P.S. Here you can grab a pre-release of the NCC Validation tool that they run there (requires *NIX w/ Java, rsync):
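
Added example (not part of either message, and not code from the NCC Validation tool, rtr-origin or the testbed routers): the quoted remark that a blank MaxLength makes more specific announcements invalid, worked through with an origin-validation check in the style of RFC 6811. The prefixes, AS numbers and the `Roa`, `effective_max_length` and `validate` names are constructed for illustration.

```python
# Added illustration; the ROAs and announcements are constructed sample data.
from ipaddress import ip_network
from typing import List, NamedTuple, Optional


class Roa(NamedTuple):          # hypothetical record, not a tool's data model
    prefix: str
    asn: int
    max_length: Optional[int] = None   # None models a blank MaxLength field


def effective_max_length(roa: Roa) -> int:
    # With MaxLength blank, only the ROA prefix's own length is authorized.
    if roa.max_length is None:
        return ip_network(roa.prefix).prefixlen
    return roa.max_length


def validate(route_prefix: str, origin_asn: int, roas: List[Roa]) -> str:
    route = ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # Check the address family first: subnet_of() rejects mixed versions.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= effective_max_length(roa):
            return "valid"
    # Covered by some ROA but matched by none is "invalid", not "unknown".
    return "invalid" if covered else "unknown"


def demo() -> dict:
    blank = [Roa("2001:db8::/32", 64496)]          # MaxLength left blank
    explicit = [Roa("2001:db8::/32", 64496, 48)]   # MaxLength set to /48
    return {
        "/32, blank": validate("2001:db8::/32", 64496, blank),
        "/48, blank": validate("2001:db8:1::/48", 64496, blank),
        "/48, maxlen 48": validate("2001:db8:1::/48", 64496, explicit),
        "/48, other AS": validate("2001:db8:1::/48", 64511, explicit),
        "no covering ROA": validate("192.0.2.0/24", 64496, explicit),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:16} -> {state}")
```

The second case is the one the remark describes: the holder's own /48 is rejected because the covering ROA authorizes only the /32.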