Skip to main content

Using the Resource Public Key Infrastructure to Construct Validated IRR Data

This policy proposal has been withdrawn
2008-04
Publication date:
06 Jan 2011
State:
Withdrawn
Draft document
Draft
Author(s)
  • Randy Bush [IIJ]
  • Kurtis Lindqvist [Netnod Internet Exchange Ab]
  • Randy Bush [IIJ]
  • Kurtis Lindqvist [Netnod Internet Exchange Ab]
Proposal Version
1.0 - 29 Apr 2008
All Versions
Withdrawn
10 Jul 2010
State Discription
Proposers decided to withdraw the proposal
Working Group
Routing Working Group
Proposal type
  • New
Policy term
Permanent
This is a proposal to introduce a new registry that augments IRR data with the formally verifiable trust model of the Resource Public Key Infrastructure (RPKI) and provide ISPs with the tools to generate an overlay to the IRR which is much more strongly trustable.

Summary of Proposal:

This is a proposal to introduce a new registry that augments IRR data with the formally verifiable trust model of the Resource Public Key Infrastructure (RPKI) and provide ISPs with the tools to generate an overlay to the IRR which is much more strongly trustable.

Summary of Current Problem

The current methods for adding or updating Internet Routing Registry (IRR) data have weak security, and lack an inherent formally verifiable structure, resulting in a low level of trust in IRR data.

To address the problem of this low level of trust in IRR data, there have been proposals to use Resource Public Key Infrastructure (RPKI) to sign IRR data. The problem with most of the proposed schemes, however, is that they are conceptually weak and hard to implement due to the differences between the trust structures of the the IRR and the RPKI.

More recently, however, Ruediger Volk has described a very simple method of using the RPKI that involves no change to the IRR, software that uses the IRR, or the RPKI.

This is a proposal to implement Ruediger Volk's idea to strengthen the operators' use of data in the global IRR.

Details of the Proposal:

It is proposed that:

The RIPE NCC publish a new IRR registry that contains route objects generated from Route Origin Authorizations (ROAs) in the RPKI.

Note that this would be from the global RPKI, and would therefore cover the entire routing space, in so much as the RPKI covers the global space.

Operators who use the IRR to generate routing filters would be able to put this new IRR registry logically in front of the other registries, therefore preferring formally validatable routing origin information generated from the RPKI.

This new registry would be made available as an IRR publication point.

The RIPE NCC publish an open source tool that enables network operators to generate their own overlay IRR publication points. While such a generated IRR publication point should be identical to the one generated and made available by the RIPE NCC as above, it allows the security conscious operator to have a more formal trust model, as it prevents attacks on the IRR segment generated and served by the RIPE NCC.

Rationale:

Arguments Supporting this Proposal
  • Router filters would be more reliable as they would prefer RPKI validated origins, where available, rather than those not validated
    in the RPKI. ISPs would achieve this by configuring tools that automatically generate router filters to give priority to the IRR publication point of the new registry based on RPKI-signed objects.
  • The community will have an enhanced ability to filter BGP peer prefixes at no additional cost or changes to the data or tool bases. This would increase the reliability of the global routing system.
  • This new IRR publication point would be much simpler than other current ideas about how to use RPKI in conjunction with IRR data.
  • This proposal requires no changes to RPSL, the IRR, IRRToolSets, or the RPKI.
Arguments Opposing this Proposal

None are known.