netsec-sig - [Security-WG] Global Summit RPKI session notes
Subject: Internet2 Network Security SIG
- From: Karl Newell <>
- To: "" <>
- Subject: [Security-WG] Global Summit RPKI session notes
- Date: Wed, 1 Jun 2016 22:45:03 +0000
Below are the notes from the RPKI session held at Global Summit two weeks ago.
One action item is to form a group to start implementing RPKI. Some community members have already embarked on this journey and we’ll look to them for guidance. I figure we can use this list to communicate until there’s too much chatter and we can split off.
I’ll send more emails as I figure out a framework for this project. In the meantime, who’s interested in participating? How much experience do you have with RPKI?
Cheers,
Karl
notes from RPKI
develop document for CIO, CISO
focuses on RPKI awareness and addressing ARIN policy concerns
Steve Wallace, Andrew Gallo to lead?
Russ Clark - share documentation on RPKI experiences
Tested both ARIN and self-generated certs
Do you still want to self sign certs?
Cisco 6500 doesn’t support. ASR does support but few have ASRs
If you have current RSA with them, ARIN won’t demand you do the click through.
General discussion:
ARIN needs agreements for legacy v4 space. Many university IPv4 blocks pre-date ARIN.
Do schools need to bring ARIN agreements up to date?
DNSSEC also requires ARIN agreement.
Are there incidents to share where it would influence opinion?
Lobby CIOs to make a statement
For cloud services you should ask what the resource does – do they use RPKI?
Stakeholders:
-CIOs
-CISOs
-network engineers
BGP hijacks – metrics on malicious vs fat finger?
Focus on IPv6 because you had to have signed the RSA
Action items:
CIO/CISO document
Steve Wallace, Andrew Gallo
Form group to start implementing RPKI (Karl will put out a call to Security WG)
separate email list if necessary
two distinct projects
create and sign ROA
hosted vs delegated
validate routes
--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459