ACSP Suggestion 2008.14: Construct Validated IRR Data
- Danny McPherson
- Submitted On:
- 9 June 2008
Develop validated IRR data infrastructure constructed from RPKI in coordination with other RIRs. Initial proposals have been submitted to APNIC, RIPE and ARIN PPML. Full text below. I would very much like to see ARIN do this in order to facilitate IRR and RPSL extensions that enable inter-provider route filtering and advertisement authorization.
- On hold
- 20 July 2011
23 June 2008
With regards to your suggestion to "develop validated IRR data infrastructure constructed from RPKI in coordination with other RIRs," ARIN believes this suggestion should be implemented.
ARIN, through its contractors, is developing a RPKI implementation. This work is a very intensive effort that has involved a lot of research and emerging standards work that is not yet finalized. Regardless, ARIN is planning to pilot the work that ISC has done by the end of 2008.
Once this RPKI pilot is firmly established and standards are finalized, ARIN will implement this suggestion. We are hesitant to place a completion date on this suggestion at this point given that it is unknown when the standards and associated RPKI code will be completed.
Suggestion 2008.14 will remain open until the suggestion is implemented.
20 July 2011
After analyzing the data in our IRR, we have concluded that there is limited crossover data between the ARIN registration system and the IRR. The IRR contains data for which validation against the registration system does not appear to be applicable. Integrating IRR with ARIN Online will be implemented in the future. However, significant internal work remains to be completed, such as completing this year's ARIN online objectives, migration to a new database platform, etc. We will continue to keep your suggestion on the product roadmap. This suggestion will remain open until resolved.
9 June 2008
Using the Resource Public Key Infrastructure to Construct Validated IRR Data
Authors: Randy Bush & Danny McPherson
Date: April 7, 2008
This is a proposal to introduce a new registry that augments Internet Routing Registry (IRR) data with the formally verifiable trust model of the Resource Public Key Infrastructure (RPKI) and provide ISPs with the tools to generate an overlay to the IRR which is much more strongly trustable.
2. Summary of current problem
The current methods for adding or updating Internet Routing Registry
(IRR) data have weak security, and lack an inherently formally verifiable structure, resulting in a low level of trust in IRR data. To address the problem of this low level of trust in IRR data, there have been proposals to use Resource Public Key Infrastructure (RPKI) to sign IRR data. The problem with most of the proposed schemes, however, is that they are conceptually weak and hard to implement due to the differences between the trust structures of the IRR and the RPKI. More recently, however, Ruediger Volk has described a very simple method of using the RPKI that involves no change to the IRR, software that uses the IRR, or the RPKI.
This is a proposal to implement Ruediger Volk's idea to strengthen the operators' use of data in the global IRR.
3. Situation in other RIRs
This proposal has been made in APNIC, and will be made in RIPE very soon.
4. Details of the proposal
It is proposed that:
4.1 ARIN publish a new IRR that contains 'route' objects generated from Route Origin Authorizations (ROAs) in the RPKI.
- This new IRR would accept 'route' objects generated from the global RPKI, and would therefore cover the entire routing space, in so much as the RPKI covers the global space.
- Operators who use the IRR to generate routing filters can choose to put this new IRR registry logically in front of the other registries. Operators can then give preference to routing origin information that can be formally validated, and eventually, can would be able to filter explicitly based on this information.
- This new registry would be made available as an IRR publication point
4.2 ARIN publish an open source tool that enables network operators to generate their own overlay IRR publication points themselves.
- Such generated IRR publication points should be identical to the one generated and made available today by ARIN.
- Producing overlay IRR publication points allows security conscious operators to have a more formal trust model that prevents attacks on the IRR segment generated and served by ARIN.
5. Advantages and disadvantages of the proposal
- Router filters would be more reliable as they would prefer RPKI validated origins, where available, rather than those not validated in the RPKI. ISPs would achieve this by configuring tools that automatically generate router filters to give priority to the IRR publication point of the new registry based on RPKI-signed objects.
- The community will have an enhanced ability to filter BGP peer prefixes at no additional cost or changes to the data or tool bases. This would increase the reliability and security of the global routing system.
- This new IRR publication point would be much simpler than other current ideas about how to use RPKI in conjunction with IRR data.
- This proposal requires no changes to RPSL, the IRR, IRR toolsets, or the RPKI.
- None are known
6. Effect on ARIN members
See 'Advantages' above.
7. Effect on NIRs
None are known