
RPKI TAs
so i was trying to ensure i had a current set of TALs and was directed to

https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure

the supposed TAL at the bottom of the page is pretty creative. anyone
know what to do there?

i kinda hacked with emacs and get

rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

but kinda expected an rrdp uri too

and, to add insult to injury, the APNIC web page with their TAL

https://www.apnic.net/community/security/resource-certification/

requires javascript!

not to mention the ARIN stupidity

as if we needed another exercise in bureaucrats making operations
painful. most operations of any size have internal departments
perfectly capable of doing that.

randy
Re: RPKI TAs
> i kinda hacked with emacs and get
>
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

btw this is not correct/useful anyway. it probably should be more like

rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
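As an added example, not code from the thread or from any validator project, the following stdlib-only Python checker parses a TAL in the layout Alex sketches above (a URI section, a blank line, then the base64 DER subjectPublicKeyInfo, as RFC 7730 and RFC 8630 specify) and walks the DER far enough to confirm the key is an RSA key of the expected size, which is the check a relying party wants before trusting a hand-copied TAL. The key bytes are the ones quoted in the thread; the handling of RFC 8630's optional comment section follows my reading of that RFC, and the `.cer` suffix check is a heuristic of mine, not an RFC rule. It is run over two constructed inputs: the corrected TAL and the copy-paste result from the first message, which carry the same key but different URIs.

```python
"""Parse and sanity-check an RPKI Trust Anchor Locator (TAL), RFC 7730 / RFC 8630 layout.
Added example (standard library only); not code from the thread or any RP software."""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
ALLOWED_SCHEMES = ("rsync://", "https://")                 # RFC 8630 permits rsync and https

# RIPE NCC TA subjectPublicKeyInfo (base64 DER) exactly as quoted in the thread.
RIPE_TA_KEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSG"
    "qUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ"
    "+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+w"
    "lpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml"
    "03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMso"
    "yJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMf"
    "kpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjA"
    "ibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB"
)


@dataclass
class TalInfo:
    uris: List[str]
    spki_der: bytes
    modulus_bits: int
    exponent: int
    warnings: List[str] = field(default_factory=list)

    @property
    def spki_sha256(self) -> str:
        """Fingerprint of the DER SPKI, handy for comparing TALs obtained via different paths."""
        return hashlib.sha256(self.spki_der).hexdigest()


def _der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits give the length's width
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_spki(der: bytes) -> Tuple[int, int]:
    """Walk SubjectPublicKeyInfo and return (modulus bit length, public exponent) for RSA."""
    tag, spki, end = _der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI is not a single SEQUENCE")
    alg_tag, alg, pos = _der_tlv(spki, 0)           # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bits_tag, bits, _ = _der_tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if bits_tag != 0x03 or bits[0] != 0x00:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    rsa_tag, rsa, _ = _der_tlv(bits, 1)
    n_tag, n, pos = _der_tlv(rsa, 0)
    e_tag, e, _ = _der_tlv(rsa, pos)
    if rsa_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def parse_tal(text: str) -> TalInfo:
    """Split a TAL into URI section and key, decode the key, and apply the RFC checks."""
    lines = [ln.strip() for ln in text.splitlines()]
    # Optional comment section (RFC 8630, my reading): non-URI lines up to the first blank line.
    if lines and not lines[0].startswith(ALLOWED_SCHEMES):
        while lines and lines[0]:
            lines.pop(0)
        if lines:
            lines.pop(0)                               # blank line closing the comment section
    uris: List[str] = []
    while lines and lines[0]:
        uris.append(lines.pop(0))
    if not uris:
        raise ValueError("TAL has no URI section")
    warnings: List[str] = []
    for uri in uris:
        if not uri.startswith(ALLOWED_SCHEMES):
            raise ValueError(f"URI scheme not permitted by RFC 8630: {uri}")
        if not uri.endswith(".cer"):                   # heuristic only, not an RFC requirement
            warnings.append(f"URI does not look like a TA certificate path: {uri}")
    b64 = "".join(ln for ln in lines if ln)            # the key may be wrapped over several lines
    if not b64:
        raise ValueError("TAL has no subjectPublicKeyInfo")
    der = base64.b64decode(b64, validate=True)         # rejects stray non-base64 characters
    modulus_bits, exponent = parse_rsa_spki(der)
    return TalInfo(uris, der, modulus_bits, exponent, warnings)


def is_valid_tal(text: str) -> bool:
    """True when the TAL parses and meets the hard (RFC) checks; warnings do not count."""
    try:
        parse_tal(text)
        return True
    except (ValueError, IndexError):
        return False


# Constructed inputs: the corrected TAL and the copy-paste result from the first message.
CORRECTED_TAL = "rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer\n\n" + RIPE_TA_KEY_B64 + "\n"
HACKED_TAL = "rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info\n\n" + RIPE_TA_KEY_B64 + "\n"

if __name__ == "__main__":
    for label, tal in (("corrected", CORRECTED_TAL), ("copy-pasted", HACKED_TAL)):
        info = parse_tal(tal)
        print(f"{label}: {info.uris} RSA-{info.modulus_bits} e={info.exponent} "
              f"spki sha256={info.spki_sha256[:16]}... warnings={info.warnings}")
```

Both inputs decode to the same 2048-bit RSA key, so the fingerprint shows that the hand-edited copy only got the URI wrong; a validator fed that TAL would still fail, because it would try to rsync a path that does not exist on the repository.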
Re: RPKI TAs
I concur.

Four out of five RIR Trust Anchor Locators were recently updated to allow fetching the Trust Anchor via an HTTPS URI, further removing the dependence on rsync. Sadly, most TALs are not clearly published anywhere and I had to get them though GitHub issues and emails to be able to include them in the latest Routinator release.

These are what we believe to be the correct, up-to-date RPKI TALs:

https://github.com/NLnetLabs/routinator/tree/master/tals

You can find more discussion about this topic here:

https://github.com/NICMx/FORT-validator/issues/34
https://github.com/RIPE-NCC/rpki-validator-3/pull/215

RPA grief aside, ARIN seems to be the only RIR that publishes the latest version of their TAL clearly and correctly:

https://www.arin.net/resources/manage/rpki/tal/

-Alex


> On 2 Aug 2020, at 20:52, Randy Bush <randy@psg.com> wrote:
>
> so i was trying to ensure i had a current set of TALs and was directed to
>
> https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure
>
> the supposed TAL at the bottom of the page is pretty creative. anyone
> know what to do there?
>
> i kinda hacked with emacs and get
>
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
>
> but kinda expected an rrdp uri too
>
> and, to add insult to injury, the APNIC web page with their TAL
>
> https://www.apnic.net/community/security/resource-certification/
>
> requires javascript!
>
> not to mention the ARIN stupidity
>
> as if we needed another exercise in bureaucrats making operations
> painful. most operations of any size have internal departments
> perfectly capable of doing that.
>
> randy
Re: RPKI TAs
On Mon, 3 Aug 2020, Alex Band wrote:

> These are what we believe to be the correct, up-to-date RPKI TALs:
>
> https://github.com/NLnetLabs/routinator/tree/master/tals
>
<rhetorical question>

why is it so hard that all RIRs make their TAL files available under
the same URL path but different hosts, e.g., https://ripe.net/rpki/tal,
https://arin.net/rpki/tal ?

</rhetorical question>

obviously, a single TAL would be better but this needs even more
rhetoric ...


cheers
matthias

--
Matthias Waehlisch
. Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl
Re: RPKI TAs
On Sun, 2 Aug 2020 18:52:11 +0000
Randy Bush <randy@psg.com> wrote:

> not to mention the ARIN stupidity

Notwithstanding the RPA, downloading ARIN's TAL is straightforward:

As documented here:

<https://www.arin.net/resources/manage/rpki/tal/>

One can wget, curl, or whatever this:

<https://www.arin.net/resources/manage/rpki/arin.tal>

John
Re: RPKI TAs
On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
> On Sun, 2 Aug 2020 18:52:11 +0000
> Randy Bush <randy@psg.com> wrote:
>
> > not to mention the ARIN stupidity
>
> Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
>
> As documented here:
>
> <https://www.arin.net/resources/manage/rpki/tal/>
>
> One can wget, curl, or whatever this:
>
> <https://www.arin.net/resources/manage/rpki/arin.tal>

I dunno, 'straightforward' to me would mean the ARIN TA is installed by
default when you install a RPKI Cache Validator implementation, all
without requiring lawyers well-versed in both your native language AND
in the American legal system.

I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
kludges. Here is a video (10 min) where I show how you can bootstrap a
system from 0 to 100 without relying party agreements:
https://www.youtube.com/watch?v=oBwAQep7Q7o

The highlight of the video is when I access ARIN's website over HTTPS,
after having resolved their webserver's IP address with a DNSSEC
validating recursor... to discover I need to get a lawyer to download a
.tal file which exists to protect *ARIN* members. Shouldn't ARIN members
demand that the process is as frictionless as possible? (both the new
and old RPA are the opposite of frictionless).

ARIN members (the RPKI users) depend on network operators both inside
and outside the ARIN region to honor their ROAs. The internet is global.
The ARIN ROAs will not be honored if the ARIN .tal file is missing. The
ARIN .tal file is missing because it cannot be included in open source
software without making things very awkward.

It is an insane situation. ARIN resource holders using ARIN's RPKI TA
are measurably *less* protected than their RIPE, APNIC, LACNIC and
AFRINIC counterparts.

Get this:

When you transfer your IP space away from ARIN, to *ANY* other RIR,
you'll derive *MORE* benefits from your RPKI ROA signing efforts. You
don't even need to renumber out of your space to improve your routing
security posture!

I believe ARIN's policy to institute a significant legal barrier to RPKI
infrastructure negatively impacts ARIN's own members.

Imagine having to sign a contract with DigiCert to obtain the public key
to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would
be bad for business.

Kind regards,

Job
Re: RPKI TAs
> why is it so hard that all RIRs make their TAL files available under
> the same URL path but different hosts, e.g., https://ripe.net/rpki/tal,
> https://arin.net/rpki/tal ?

no, you are supposed to get TRUST material from alex's secret stash.
sigh.

it should be a dnssec lookup of ripe.net, tls secured lookup, find a TAL
as defined in the RFCs, and fetch it via tls.

randy
Re: RPKI TAs
> On Aug 3, 2020, at 07:54 , Job Snijders <job@ntt.net> wrote:
>
> On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
>> On Sun, 2 Aug 2020 18:52:11 +0000
>> Randy Bush <randy@psg.com> wrote:
>>
>>> not to mention the ARIN stupidity
>>
>> Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
>>
>> As documented here:
>>
>> <https://www.arin.net/resources/manage/rpki/tal/>
>>
>> One can wget, curl, or whatever this:
>>
>> <https://www.arin.net/resources/manage/rpki/arin.tal>
>
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation, all
> without requiring lawyers well-versed in both your native language AND
> in the American legal system.

I was able to download it just now without any authentication, lawyers, contracts,
or anything else… What more is it you are asking for?

> I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
> kludges. Here is a video (10 min) where I show how you can bootstrap a
> system from 0 to 100 without relying party agreements:
> https://www.youtube.com/watch?v=oBwAQep7Q7o

I just obtained the ARIN TAL without ever signing an RPA. What am I missing?

All I did was follow the URL John provided.

Owen
Re: RPKI TAs
While I certainly agree with you, I have a certainly-naive question: what is the difference between ARIN's and RIPE's T&C?

Aug 3 19:07:15 rpki-validator rpki-client[16164]: The RIPE NCC Certification Repository is subject to Terms and Conditions
Aug 3 19:07:15 rpki-validator rpki-client[16164]: See
http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

As far as I understand, to use RIPE's RPKI repo I have to similarly agree with RIPE's legal contract as well, though
they are somewhat less aggressive about making sure I check a box before using it.

Matt

On 8/3/20 10:54 AM, Job Snijders wrote:
> On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
>> On Sun, 2 Aug 2020 18:52:11 +0000
>> Randy Bush <randy@psg.com> wrote:
>>
>>> not to mention the ARIN stupidity
>>
>> Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
>>
>> As documented here:
>>
>> <https://www.arin.net/resources/manage/rpki/tal/>
>>
>> One can wget, curl, or whatever this:
>>
>> <https://www.arin.net/resources/manage/rpki/arin.tal>
>
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation, all
> without requiring lawyers well-versed in both your native language AND
> in the American legal system.
>
> I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
> kludges. Here is a video (10 min) where I show how you can bootstrap a
> system from 0 to 100 without relying party agreements:
> https://www.youtube.com/watch?v=oBwAQep7Q7o
>
> The highlight of the video is when I access ARIN's website over HTTPS,
> after having resolved their webserver's IP address with a DNSSEC
> validating recursor... to discover I need to get a lawyer to download a
> .tal file which exists to protect *ARIN* members. Shouldn't ARIN members
> demand that the process is as frictionless as possible? (both the new
> and old RPA are the opposite of frictionless).
>
> ARIN members (the RPKI users) depend on network operators both inside
> and outside the ARIN region to honor their ROAs. The internet is global.
> The ARIN ROAs will not be honored if the ARIN .tal file is missing. The
> ARIN .tal file is missing because it cannot be included in open source
> software without making things very awkward.
>
> It is an insane situation. ARIN resource holders using ARIN's RPKI TA
> are measurably *less* protected than their RIPE, APNIC, LACNIC and
> AFRINIC counterparts.
>
> Get this:
>
> When you transfer your IP space away from ARIN, to *ANY* other RIR,
> you'll derive *MORE* benefits from your RPKI ROA signing efforts. You
> don't even need to renumber out of your space to improve your routing
> security posture!
>
> I believe ARIN's policy to institute a significant legal barrier to RPKI
> infrastructure negatively impacts ARIN's own members.
>
> Imagine having to sign a contract with DigiCert to obtain the public key
> to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would
> be bad for business.
>
> Kind regards,
>
> Job
>
Re: RPKI TAs
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation

uh, i want a trustable download of trust anchors. and it ain't from
vendors.

but yes, arin's legal dos it typical arin. but, if i ignore the bumph,
i can connect to their web site dnssec, tls, ... and get a viable TAL
which meets RFC specs. that seems to me more than one can say for some
other RIRs.

randy
Re: RPKI TAs
Hi Randy, all,

We’ve updated our page: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure
It now shows the correct TALs:
https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
https://tal.rpki.ripe.net/ripe-ncc-rfc8630.tal
https://tal.rpki.ripe.net/ripe-ncc-validator-3.tal (RIPE NCC RPKI Validator 3 format)

I hope this helps.

Best regards,
Nathalie Trenaman
RIPE NCC


> Op 2 aug. 2020, om 20:52 heeft Randy Bush <randy@psg.com> het volgende geschreven:
>
> so i was trying to ensure i had a current set of TALs and was directed to
>
> https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure
>
> the supposed TAL at the bottom of the page is pretty creative. anyone
> know what to do there?
>
> i kinda hacked with emacs and get
>
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
>
> but kinda expected an rrdp uri too
>
> and, to add insult to injury, the APNIC web page with their TAL
>
> https://www.apnic.net/community/security/resource-certification/
>
> requires javascript!
>
> not to mention the ARIN stupidity
>
> as if we needed another exercise in bureaucrats making operations
> painful. most operations of any size have internal departments
> perfectly capable of doing that.
>
> randy
Re: RPKI TAs
> https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)

looks great visually. stuffed in a dragon validator, just for qa.

thanks!

randy
Re: RPKI TAs
Hi all,

We've also simplified our webpage:
https://afrinic.net/rpki/tal

And the URL to the TAL:
https://rpki.afrinic.net/tal/afrinic.tal

Cheers,
Amreesh Phokeer
AFRINIC


On Thu, Aug 6, 2020 at 4:59 PM Randy Bush <randy@psg.com> wrote:

> > https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
>
> looks great visually. stuffed in a dragon validator, just for qa.
>
> thanks!
>
> randy
>
Re: RPKI TAs
> We've also simplified our webpage:
> https://afrinic.net/rpki/tal
>
> And the URL to the TAL:
> https://rpki.afrinic.net/tal/afrinic.tal

thanks! wfm

randy