[afnog] RPKI

Mark Tinka mark.tinka at seacom.mu
Fri Jul 31 08:40:03 UTC 2015

On 31/Jul/15 10:03, Saul wrote:

> TA=?

Trust Anchor.

In PKI, TA's are authoritative entities for which trust is assumed. The
TA is identified by a self-signed X.509 CA certificate, from which the
trust is derived.

In RPKI, the TA's are typically the RIR's (AFRINIC, APNIC, ARIN, LACNIC
and RIPE). However, there could be other TA's that are not necessarily
RIR's, provided you trust them as an RPKI operator. For example, the
RPKI.net project provides their own "altca" TA. Because I know Randy and
Rob, I trust that TA and use it.

The final goal was to harmonize the TA structure such that RP tools do
not query all available TA's, but rather, query a single TA that,
in-turn, is authoritative for all other TA's out there. This has never
materialized, for various reasons, I assume. But I believe there is some
work going on this area.

> Could you elaborate on that please?

I spoke about this a little bit on the SAFNOG mailing list, but for the
benefit of those on AfNOG, we've seen two major issues with RPKI
implementations in Cisco IOS and IOS XE in recent months.

A severe bug in IOS XE implementations causes the router to crash when
RPKI is enabled, due to some illegal memory access. This only affects
64-bit IOS XE systems, e.g., ASR1000, ASR900, e.t.c.

In both IOS and IOS XE, the system automatically applies validation
policy without operator intervention. This is in violation of the RFC.

Both of these issues have been fixed, and Randy and I are working with
Cisco to ensure these fixes actually work. We're also trying to improve
management of RPKI in IOS and IOS XE.

These issues do not appear to affect IOS XR.

RPKI implementation in Junos has been stable, although a little more
cumbersome to configure. Not a show-stopper, however.


More information about the afnog mailing list