April 9, 2020
The APRICOT 2020 Summit hosted an RPKI (Resource Public Key Infrastructure) Deployathon during its Melbourne, Australia event in February 2020. The APRICOT RPKI Deployathon was held as a follow-on to a similar activity held as part of a Routing Security Workshop during the APNIC 48 Conference in Chiang Mai, Thailand in September 2019.
This time around the Deployathon was held separately from any technical training so that facilitators and participants could focus on exploration, rather than trying to mix exploration with tuition. Further, it was assembled by industry partners, led by Philip Smith (NSRC), collaborating with Aftab Siddiqui (ISOC), Tashi Phuntsho (APNIC), Taiji Kimura (JPNIC), and Mark Tinka (SEACOM). This small team designed the programme and procured content and resources for the day long Deployathon, and the following half day technical Plenary. The Deployathon venue facilities were generously sponsored by JPNIC.
The goal of this RPKI Deployathon was to build upon the learning experience from the previous attempt, allowing participants to deploy RPKI and Route Validation in a safe, simulated lab environment. The objective is to help the Internet industry learn from real operational deployment experiences and be better informed to make recommended improvements to existing software, processes and best practice advice that ultimately improves Internet routing security.
The website for the day long practical Deployathon can be found at:
The practical session was held on Monday 17th February, and covered the following topics:
- Background of RPKI, Route Origin Authorisation, and Route Origin Validation
- Installing and configuring validators
- Configuring routers to talk to validators and implementing route origin validation
- Exploring router vendor implementation features
Physical router hardware was provided by AARNET (four Juniper MX204), APNIC (two Cisco ASR1002), and Nokia, with Warren Finch (APNIC) also providing a Cisco IOS-XE virtual environment for participants as well. Ubuntu 16.04 containers for validator install were also provisioned by Warren allowing participants to install and configure the four most popular validators available today: NLNetLabs Routinator, RIPE NCC Validator, Cloudflare OktoRPKI, and NIC Mexico's FORT.
A detailed summary of the outcomes of the day long practical lab was presented on the following morning's RPKI Plenary sessions and is available on the APRICOT website:
Overall, the conclusion from the day long activity:
- Routinator just works, easiest to install and get running. The other validators have larger memory/resource foot prints, are harder to get running, and still need much improved documentation (despite findings and recommendations from the event held at APNIC 48).
- Cisco IOS/IOS-XE caused participants great concern with non-standard defaults, including the automatic dropping of Invalids, and the propagation by iBGP of NotFounds as Valids. Juniper’s JunOS and Nokia's SR-OS worked as documented, and conformed to IETF standards as far as could be ascertained.
The RPKI Plenary session also covered deployment experiences from various operators and other stakeholders, in a short talk format. The presentations are on the APRICOT website also:
The Deployathon was also supported by Warrick Mitchell of AARNET and Md Abdul Awal, NSRC / Mozilla OIE Fellow, who both drew from their own experience to help participants during the lab work. Awal also presented on his Mozilla Fellowship project work in Bangladesh and South Asia attempting to improve the Routing Security in that region.
Participation was around 50 for the Monday 17th February technical component, and close to 80 for the wrap-up Plenary on the following Tuesday 18th February morning.
The Deployathon was designed and implemented by partners from across the industry, demonstrating the effectiveness of collaboration amongst the key stakeholders as we all strive to deploy the first steps need to secure the global Internet routing system.
For more information about Internet routing protocols, routing best practices, routing security including the MANRS (Mutually Agreed Norms for Routing Security) initiative, NSRC has produced a large set of instructional videos: https://learn.nsrc.org/.