Hi All,
Hoping someone can help. I am in the middle of a project to build 4 PoPs in Chicago, London, Sydney and Mumbai. As part of this I have been given the role of creating all the necessary route objects etc. Our address space is from ARIN, but our ASNs are from RIPE, APNIC & ARIN. I have created as-set, aut-num and route objects in RADb to enable us to manage them from a single point. However I would like to set up ROA records for these route objects. I have set up RPKI with ARIN and created our first ROA object.
Onto my question, am I likely to have operational issues if the route objects are in RADb and the ROA with ARIN?
TIA,
Bill
Maybe...
At the moment because of the way that ARIN have chosen to allow people to use their RPKI trust anchor, your ROAs may just get ignored unless they are in a more accessible place.
The rpki.net framework installs the following trust anchors by default without the need for terms and conditions (ie in an open manner).
ca0.rpki.net
localcert.ripe.net
repo0.rpki.net
repository.lacnic.net
rpki-pilot.lab.dtag.de
rpki-repository.nic.ad.jp
rpki-testbed.apnic.net
rpki.afrinic.net
rpki.apnic.net
rpki.ripe.net
Their webpage gives the following guidance:
http://rpki.net/wiki/doc/RPKI/RP
"Also note that, at least for now, ARIN's trust anchor locator is
absent from the default set of trust anchors. This is not an accident:
it's the direct result of a deliberate policy decision by ARIN to
require anyone using their trust anchor to jump through legal hoops
(https://www.arin.net/resources/rpki/faq.html#tal). If you have a
problem with this, complain to ARIN. If and when ARIN changes this
policy, we will be happy to include their trust anchor locator along
with those of the other RIRs."
Regards,
Dean
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
Hi Michael, Sounds like you have an RPKI validator set up already, would you mind querying AS133366/159.21.142.0/23 and letting me know the result? Thanks, Bill On 2014-03-20 13:07, Michael Fincham wrote:
On Thu, 20 Mar 2014 15:04:59 +1300, Dean Pemberton wrote: jump through legal hoops
While I agree that making this a requirement is daft, it is a matter of a checkbox on a webpage to say you agree to their terms - it's quite straightforward.
http://rpki-validator.lab.hotplate.co.nz
—hoff
Thanks Tim, My concern is that the only place that shows our ROA as valid is whois.bgpmon.net, as this has a mirror of RADb. Without a replica of RADb the query fails. If you query our block in here: http://localcert.ripe.net:8088/roas to see if it's valid, it doesn't exist, as the route object doesn't exist in ARIN's database and this doesn't have a copy of the RADb database. I'm basically looking for more confirmation that the behaviour of the RIPE RPKI is operationally correct. Only 4 out of our 7 upstream carriers use RADb. I haven't yet asked them if they use RPKI. Cheers, Bill
On Thu, 20 Mar 2014 13:37:48 +1100, Bill Walker wrote:
Sound like you have an RPKI validator setup already, would you mind querying AS133366/159.21.142.0/23 and letting me know the result?
My home-rolled validator calls it OK - AS133366 permits 159.21.142.0/23 up to /24, according to the data I have as of 2014-03-20 03:27:33 UTC. Historically I've used http://rpki-validator.realmv6.org/ for sanity checking, but it seems to be down right at this moment... -- Michael
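Michael's result above ("AS133366 permits 159.21.142.0/23 up to /24") is exactly the RFC 6811 route origin validation check an RPKI-aware router performs, and it is worth seeing why neither RADb nor any other IRR enters into it: a validator hands the router a set of Validated ROA Payloads (prefix, maxLength, origin AS) built only from ROAs under the trust anchors it has loaded, and each BGP announcement is compared against that set alone. The Python below is an added example written for this page, not code from the thread or from any of the validators it links to. The ROA row for AS133366 / 159.21.142.0/23 with maxLength /24 restates what Michael's validator reported; the second row (192.0.2.0/24, AS64496), the trust anchor labels "arin" and "ripe", and the announcements fed to it are constructed for the example and are not real TAL files or live routes. Building the VRP set with the "arin" anchor left out reproduces the situation Dean describes: the ROA simply disappears and the route comes back "not-found" (which most operator policies still accept), never "invalid".

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, ASN) triple a validator
    hands to routers over RTR (RFC 6810). Origin validation sees only these;
    IRR route objects (RADb etc.) never enter the computation."""
    prefix: IPNetwork
    max_length: int
    asn: int


# Constructed ROA table: (trust anchor label, prefix, maxLength, origin ASN).
# The AS133366 / 159.21.142.0/23 (max /24) row restates the thread's reported
# ROA; the 192.0.2.0/24 / AS64496 row is made-up filler under a second anchor.
# "arin" and "ripe" are labels for this example, not real TAL files.
ROA_TABLE = [
    ("arin", "159.21.142.0/23", 24, 133366),
    ("ripe", "192.0.2.0/24", 24, 64496),
]


def load_vrps(table, loaded_tals: Set[str]) -> List[VRP]:
    """Build the VRP set from ROAs whose trust anchor is actually configured.
    A ROA under an anchor that is not loaded is invisible to the router,
    which is the failure mode the thread describes for ARIN's TAL."""
    vrps: List[VRP] = []
    for tal, prefix, max_length, asn in table:
        if tal not in loaded_tals:
            continue
        net = ipaddress.ip_network(prefix)
        # RFC 6482: maxLength must lie between the prefix length and the
        # address-family maximum; skip malformed rows instead of trusting them.
        if max_length < net.prefixlen or max_length > net.max_prefixlen:
            continue
        vrps.append(VRP(net, max_length, asn))
    return vrps


def validate(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 origin validation for one announcement.
    Returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    # A VRP "covers" the route when the route is equal to or more specific
    # than the VRP prefix (same address family).
    covering = [
        v for v in vrps
        if v.prefix.version == route.version and route.subnet_of(v.prefix)
    ]
    if not covering:
        return "not-found"  # no ROA covers this prefix at all
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by at least one ROA, but none matches: wrong origin AS,
    # or announced more specifically than maxLength allows.
    return "invalid"


def policy_action(state: str) -> str:
    """The common operator policy: reject invalids, accept valid and not-found."""
    return "reject" if state == "invalid" else "accept"


if __name__ == "__main__":
    full = load_vrps(ROA_TABLE, {"arin", "ripe"})
    no_arin = load_vrps(ROA_TABLE, {"ripe"})
    announcements = [  # constructed test routes
        ("159.21.142.0/23", 133366),
        ("159.21.142.0/25", 133366),
        ("159.21.142.0/23", 64500),
        ("159.21.0.0/16", 133366),
    ]
    for label, vrps in (("all anchors", full), ("without arin", no_arin)):
        for pfx, asn in announcements:
            state = validate(pfx, asn, vrps)
            print(f"{label:13} {pfx:17} AS{asn}: {state} -> {policy_action(state)}")
```

Requires Python 3.7 or later for `ipaddress` `subnet_of`. The design point is the last loop: with the "arin" anchor missing, the AS133366 route is "not-found" rather than "invalid", so it is still accepted, just without the protection the ROA was meant to give it.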
Hi Dean, Thanks for the reply. Looks like I need to do some real world testing, instead of online research. Cheers, Bill
participants (4)
- Bill Walker
- Dean Pemberton
- Michael Fincham
- Tim Hoffman