
ren-routing-security - Re: [REN-Routing-Security] Luncheon meeting notes 5/8/18

Subject: REN Routing Security

  • From: Brad Fleming <>
  • To:
  • Subject: Re: [REN-Routing-Security] Luncheon meeting notes 5/8/18
  • Date: Wed, 16 May 2018 17:17:24 -0500

Regarding the RPKI discussion:

Does the group envision upstreams managing ROAs for others’ IP space? For example, University of Kansas and Emporia State University are both downstream members of KanREN. KU has IPs which pre-date ARIN while ESU receives a /19 reallocated from a KanREN /16. Does this group see KanREN providing ROA management for KU, ESU, or both? For reference, we already built ROAs for ESU on their behalf.

And I 100% agree on a toolset to help manage RPKI elements. I liken it to DNSSEC when speaking with users locally; you can do it all by hand and it’ll work fine... but rue the key rotation day. When we deployed a management tool for DNSSEC, signing a zone became a fairly simple task. The RPKI issue will only become a bigger issue as path validation comes into focus too. Does anyone out there know of a project or vendor’s product to help manage and rotate ROAs?
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
Office: 785-856-9805
Mobile: 785-865-7231
NOC: 785-856-9820

On May 16, 2018, at 3:05 PM, Karl Newell <> wrote:

Meeting notes from the REN Routing Security meeting on 5/8/18
 
Upcoming meetings
-UPenn RPKI
-CAIDA BGP Artemis
 
MANRS discussion
-Dale – ESnet finalized their MANRS submission
-Need to sign up per ASN
-Participants need to complete 2 of the 4 actions
-We can document participation as a service offered
-MANRS is attractive because it’s high level with options
-Internet2 will track MANRS metrics (participants, actions, dates)
-This group can develop a cookbook of specific actions to take
-Discussed setting a goal for implementing MANRS - end of June 2018 was discussed as a possibility
 
IRR discussion
-Which IRR to use?  Depends on region.
-Data should be pulled from multiple IRRs or at least one that syncs from the others
-Internet2 Members should publish their data in ARIN or RADb
 
RPKI discussion
-need to drive the costs down for BGPmon.  >$300K to support entire R&E route table
-members should develop a BGP hijack playbook (what to do, who to contact when your routes are hijacked)
-talk to ARIN about bulk import of ROAs for initialization
-Can upstreams maintain ROAs?  Need to discuss with ARIN
                -This parallels SSL generation and delegation
-Need toolset to ease maintenance
                -Compare to the InCommon Cert Manager and Let’s Encrypt – both helped drive adoption of SSL certs
                -Can we do the same for RPKI?
 
 
REN Routing Security Agenda
-Introductions
-Agenda bash
-Discussion of MANRS
-Discussion of Internet Routing Registries
-Discussion of RPKI
-Meeting frequency
 
Attendance:
Mark Brochu, Internet2
Ryan Nobrega, Internet2
Paul Howell, Internet2
John Dundas, CENIC
Jamie Curtis, REANNZ
David Wilde, AARnet
Karl Newell, Internet2
Matt Mullins, Indiana U
Andrew Gallo, GWU
Jeff Bartig, Internet2
Caren Litvanyi, Indiana U
Mian Usman, GÉANT
Mike Milliken, Merit
Mark Beadles, OARnet
David Marble, OSHEAN
Ryan Kocsondy, CEN
 
Remote:
Dale Carder, ESnet
Anita Nikolich
 
 
 
--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459



