From IRR Data Veracity to RPKI Validator Software: Let’s Keep Up the Routing Security Enthusiasm!
By Andrew Gallo, Principal IT Architect, The George Washington University
Routing security continues to be an active area of discussion, both in the research and education networking community and across the industry. Let’s keep the enthusiasm going!
IRR Data Clean-Up
Steven Wallace, Internet2 Security Architect, has been holding virtual office hours to help community members with all things related to Internet Routing Registries (IRR). He also has automated the generation of IRR reports for all Internet2 connector networks, which can be found on Internet2’s GitHub.
The volume and, more importantly, the veracity of member data in the IRRs has dramatically improved because of this collaborative effort.
RPKI Validator Software Evaluation
A recent project I completed was an evaluation of Resource Public Key Infrastructure (RPKI) validator software. Validators, also called validating caches or relying party software, are a key component of the RPKI system: they collect the signed Route Origin Authorizations (ROAs) from the publication points, cryptographically validate them, and provide the resulting simplified list of validated prefix/origin pairs to the routing infrastructure, typically over the RPKI-to-Router (RTR) protocol.
Late last year, RIPE NCC announced that it was stopping development of its popular RPKI Validator software. Citing competing demands on its resources, RIPE NCC said the Validator would be deprecated, reach end-of-life and end-of-support, and be archived in stages during 2021. Fortunately, network operators have several options available to replace it.
Earlier this year, I began an effort to evaluate a number of alternatives. What follows is a summary of the process and findings. A more detailed version is included in the 2021 version of Juniper’s Day One: Deploying BGP Routing Security.
More about the Evaluation Process
The evaluation included four open-source software packages:
- OctoRPKI from Cloudflare
- Prover maintained by Mikhail Puzanov of RIPE NCC
- Routinator from NLnet Labs
- FORT from LACNIC, the Regional Internet Registry for Latin America and the Caribbean, and NIC.MX the National Internet Registry for Mexico
All software was installed on standardized virtual machines (two 2.3 GHz vCPUs with 8 GB of RAM) running Debian 10. I installed Prometheus and Grafana to monitor the VMs and, where the software exposed metrics, the validator itself.
All packages were fairly easy to install, configure, and run.
- OctoRPKI is validation software only. To deliver the validation results to routers, a companion program called GoRTR, which serves the RTR protocol, needs to be installed. The separation of functions adds a bit of complexity but also allows some flexibility: GoRTR can be configured to pull data from sources other than OctoRPKI.
- Prover now has a binary package available; however, at the beginning of the evaluation, it had to be built from source. It is written in Haskell. Preparing the environment and compiling the package was time consuming—but ultimately straightforward and successful.
- Routinator was straightforward to install. Monitoring is easy, as it ships a pre-built Grafana dashboard and a simple web UI for querying the validity of a prefix/ASN pair. An API is also available.
- FORT was recently presented at a Cyberinfrastructure Engineering Lunch and Learn (a recording is available). The software is easy to install. There is no web interface or Prometheus endpoint.
Comparing the four packages on performance did not reveal any major differences. Memory and CPU usage were modest, validation run times were reasonable, and the validation results, measured by the number of ROAs each validator produced, were essentially the same, allowing for minor differences in how often each validator fetched objects from the publication points.
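As an added example (not the author's evaluation scripts and not any validator's own code), the following Python shows the two checks the passages above rely on: RFC 6811 route origin validation of a prefix/origin-AS pair against a set of validated ROA payloads (VRPs), which is what a router does with the feed a validator supplies and what Routinator's web UI answers, and a comparison of two validators' exported VRP sets, which is a more precise check than comparing ROA counts. The ROA data is constructed, and the JSON layout ({"roas": [{"prefix", "maxLength", "asn"}]}) is an assumption modeled on the common JSON export that GoRTR consumes; adapt the parser for other export formats.

```python
"""RFC 6811 route origin validation and VRP-export comparison.

Added example: not the author's evaluation scripts and not any validator's
own code. The ROA data below is constructed, and the JSON layout is an
assumption (a "roas" list of prefix/maxLength/asn objects).
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: prefix, maximum length, origin ASN."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def _parse_asn(value) -> int:
    """Accept 64496, "64496" or "AS64496"; exports differ on this detail."""
    text = str(value).strip()
    if text.upper().startswith("AS"):
        text = text[2:]
    return int(text)


def parse_vrps(export_text: str) -> frozenset[VRP]:
    """Parse a JSON export of the assumed shape {"roas": [{prefix, maxLength, asn}]}.

    A missing maxLength means the prefix length itself (RFC 6482 semantics).
    Normalising prefix, maxLength and ASN lets two exports be compared as sets.
    """
    vrps = set()
    for roa in json.loads(export_text)["roas"]:
        net = ipaddress.ip_network(roa["prefix"], strict=True)
        vrps.add(VRP(net, int(roa.get("maxLength", net.prefixlen)), _parse_asn(roa["asn"])))
    return frozenset(vrps)


def validate_origin(vrps, prefix: str, origin_asn: int) -> str:
    """RFC 6811 origin validation of a BGP announcement.

    NotFound: no VRP covers the announced prefix.
    Valid:    some covering VRP has the same origin ASN and a maxLength that
              permits this prefix length.
    Invalid:  covering VRPs exist but none matches. An AS0 ROA therefore makes
              every announcement of its prefix Invalid, since no real
              announcement originates from AS 0.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"
    for v in covering:
        if v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def _as_tuple(v: VRP) -> tuple:
    return (str(v.prefix), v.max_length, v.asn)


def compare_exports(export_a: str, export_b: str) -> dict:
    """Diff two validators' VRP sets; a bare ROA count hides what differs."""
    a, b = parse_vrps(export_a), parse_vrps(export_b)
    return {
        "common": len(a & b),
        "only_in_a": {_as_tuple(v) for v in a - b},
        "only_in_b": {_as_tuple(v) for v in b - a},
    }


# Constructed exports from two hypothetical validators (documentation
# prefixes and private ASNs only). Validator B fetched one newer ROA.
EXPORT_A = json.dumps({"roas": [
    {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": "AS64496"},
    {"prefix": "198.51.100.0/22", "maxLength": 24, "asn": "AS64497"},
    {"prefix": "2001:db8::/32", "maxLength": 48, "asn": "AS64496"},
    {"prefix": "203.0.113.0/24", "maxLength": 24, "asn": "AS0"},
]})
EXPORT_B = json.dumps({"roas": [
    {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": 64496},
    {"prefix": "198.51.100.0/22", "maxLength": 24, "asn": "AS64497"},
    {"prefix": "2001:db8::/32", "maxLength": 48, "asn": "AS64496"},
    {"prefix": "203.0.113.0/24", "maxLength": 24, "asn": "AS0"},
    {"prefix": "198.51.100.0/24", "maxLength": 24, "asn": "AS64498"},
]})


if __name__ == "__main__":
    vrps = parse_vrps(EXPORT_A)
    for announced, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                           ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64499),
                           ("10.0.0.0/8", 64496)]:
        print(f"{announced} from AS{asn}: {validate_origin(vrps, announced, asn)}")
    print(compare_exports(EXPORT_A, EXPORT_B))
```

The comparison normalises the ASN field, so "AS64496" in one export and 64496 in the other count as the same VRP; only the ROA that validator B fetched later shows up as a difference, which is the kind of timing-driven discrepancy the evaluation observed.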
Given the ease with which any of these packages could be installed and maintained, and the modest VM requirements, deploying one’s own validation system is a low-effort project. Which one is right for your network might come down to the installation method, package management systems supported, or simply personal preference.
Have questions, need more information, or have your own experiences to share? Please get in touch with me: firstname.lastname@example.org
This blog post is submitted by Internet2 community member Andrew Gallo, Principal IT Architect at The George Washington University. Viewpoints expressed in this post are those of the author and are shared for informational purposes only.