RIPE NCC RPKI Test Environment

RIPE NCC RPKI Test Environment

The RIPE NCC RPKI Test Environment is a service provided on a best effort basis, but we try to maximise the availability. In addition, this server is where new beta features are deployed first, so you may encounter some functionality that is not available or that works differently than on the production system. Please contact us at sw-enhancements _at_ ripe _dot_ net if you have any questions or problems.

The Hosted Platform

If you would like to experiment with how Route Origin Authorisations (ROAs) affect your BGP announcements, we provide a hosted test environment. It is a mirror of the production service, running on a separate system. Any ROA you create in the test environment will not affect the production dataset.

The ROAs that you create here are published in a different repository, under a separate Trust Anchor:

rsync://localcert.ripe.net/ta/ripe-ncc-pilot.cer
https://localcert.ripe.net/ta/ripe-ncc-pilot.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjaAKXZUuvhHLJC08qD7mf4b1nJ8+u22pGP2xWLWfP4ICmiv7Fazpq0FS/WUoUIe3dVU/QOcF4WKlG2ANmy33Vlraf3JGiPWqJUrZL7LxYjiMG7/N7gRsBDFoBcNDncODKPOnBf/AXbDVIa+vc+amWaav7cengvsR/wsPxYGoJY/26EJQG2EbDSDJr4/vH3Goe7qm6qL1505xE02+U21nVHU6123Q1eeBDzhzBz0MuxKijDse4HqQ2+Pe1IK9adntTeAnBjF3aDmuUcVysP5wAVuLQXHR7qXR05NUUPmC6kEyBl/rWhKXMnGgBXSq0so00B7leQKK+s/ICSCtm7zAjQIDAQAB

Copy the text above in a file called "RIPE-NCC-Pilot.tal" and save it into the /conf/tal directory of the RIPE NCC RPKI Validator to use it.

Running Your Own Certificate Authority

We offer members the ability to run their own RPKI Certificate Authority (CA), using the RIPE NCC RPKI Test Environment as a parent. Please note that at this time, the RIPE NCC parent system does not support publication of objects generated by a child CA. This means that you will have to host and publish all objects yourself. If you would like to set up a delegated CA, please follow these steps:

1. Install your Certificate Authority Software

1. Dragon Research Labs Certificate Authority RPKI Certificate Authority software by Dragon Research Labs, written in the Python programming language.
2. Krill RPKI Certificate Authority software by NLnet Labs, written in the Rust programming language.

For more information, visit https://rpki.readthedocs.io/en/latest/tools.html

2. Set up rpkid as a child to the RIPE NCC
The set-up procedure for using rpkid as a child to the RIPE NCC as a parent is almost identical to the procedure needed to set up rpkid as a self-hosted, self-publishing child to another rpkid instance. The main difference is in the way identity tokens are exchanged between the systems.

In order to make this work, simply follow all the steps described in the rpkid documentation, with these exceptions:

Uploading your identity.xml to the RIPE NCC
Once you have have generated the identity.xml for your rpkid (myrpki initialize), it will prompt you to send the file to your parent. At this point, follow these steps:

1. Make sure that your RIPE NCC Access account has at least the "REGULAR" permissions for your LIR. If not, please contact your LIR administrator.
2. Go to the RIPE NCC Non-Hosted Test Environment and activate your non-hosted CA.
3. Upload the identity.xml file generated by rpkid.
4. You will be taken to the "identity page" where you can download the identity.xml file that is generated by the server.
5. Use this file for the "configure_parent" command as described in the rpkid documentation.
6. Use the xml file generated by myrpki as input to the "configure_publication_client" command.
7. Use the xml file generated by "configure_publication_client" as input to the "configure_repository" command.

Re-initialising the system
The RIPE NCC RPKI Test Environment does not offer a way to re-initialise the identity exchange. If something went wrong or you want to restart the process for any reason, please REVOKE your current non-hosted CA by following these steps:

1. Open the "identity page" on the Non-Hosted Test Environment.
2. Click "REVOKE" to revoke your current Certificate Authority. Note: this step can not be undone!