REN Routing Security

[Brad Fleming <>]

Regarding the RPKI discussion:

Does the group envision upstreams managing ROAs for others’ IP space? For example, University of Kansas and Emporia State University are both downstream members of KanREN. KU has IPs which pre-date ARIN while ESU receives a /19 reallocated from a KanREN /16. Does this group see KanREN providing ROA management for KU, ESU, or both? For reference, we already built ROAs for ESU on their behalf.

And I 100% agree on a toolset to help manage RPKI elements. I liken it to DNSSEC when speaking with users locally; you can do it all by hand and it’ll work fine.. but rue the key rotation day. When we deployed a management tool for DNSSEC signing a zone became a fairly simple task. The RPKI issue will only become a bigger issue as path validation comes into focus too. Does anyone out there know of a project or vendor’s product to help manage and rotate ROAs?

--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
Office: 785-856-9805
Mobile: 785-865-7231
NOC: 785-856-9820

On May 16, 2018, at 3:05 PM, Karl Newell <> wrote:

Meeting notes from the REN Routing Security meeting on 5/8/18

 

Upcoming meetings

-UPenn RPKI

-CAIDA BGP Artemis

 

MANRS discussion

-Dale – ESnet finalized their MANRS submission

-Need to sign up per ASN

-Participants need to complete 2 of the 4 actions

-We can document participation as a service offered

-MANRS is attractive because it’s high level with options

-Internet2 will track MANRS metrics (participants, actions, dates)

-This group can develop a cookbook of specific actions to take

-Discussed setting a goal for implementing MANRS - end of June 2018 was discussed as a possibility

 

IRR discussion

-Which IRR to use?  Depends on region.

-Data should be pulled from multiple IRRs or at least one that syncs from the others

-Internet2 Members should publish their data in ARIN or Radb

 

RPKI discussion

-need to drive the costs down for BGPmon down.  >$300K to support entire R&E route table

-members should develop a BGP hijack playbook (what to do, who to contact when your routes are hijacked)

-talk to ARIN about bulk import of ROAs for initialization

-Can upstreams maintain ROAs?  Need to discuss with ARIN

                -This parallels SSL generation and delegation

-Need toolset to ease maintenance

                -Compare to the InCommon Cert Manager and Lets Encrypt – both helped drive adoption of SSL certs

                -Can we do the same for RPKI?

 

 

REN Routing Security Agenda

-Introductions

-Agenda bash

-Discussion of MANRS

-Discussion of Internet Routing Registries

-Discussion of RPKI

-Meeting frequency

 

Attendance:

Mark Brochu, Internet2

Ryan Nobrega, Internet2

Paul Howell, Internet2

John Dundas, CENIC,

Jamie Curtis, REANNZ

David Wilde, AARnet

Karl Newell, Internet2

Matt Mullins, Indiana U

Andrew Gallo, GWU

Jeff Bartig, Internet2

Caren Litvanyi, Indiana U

Mian Usman, GÉANT

Mike Milliken, Merit

Mark Beadles, OARnet

David Marble, OSHEAN

Ryan Kocsondy, CEN

 

Remote:

Dale Carder, ESnet

Anita Nikolich

 

 

 

--

Karl Newell

Cyberinfrastructure Security Engineer

Internet2

520-344-0459