To be fair, these days that doesn’t sound hard, with all the news and political drama coming from over there. Sometimes it even feels as if we cannot get around the US for even a single day. But when it comes to deploying RPKI-based validation, it is very important not to forget about them.
As you know, we have deployed RPKI validation on the Fusix ISP network. RPKI is a publication mechanism which provides certified lists of IP prefixes and the networks (Autonomous Systems, AS) that are allowed to announce those prefixes. These lists are used to validate BGP announcements and to make informed decisions about whether to accept an announcement or not. In order to validate the announcements, RPKI relies on the Regional Internet Registries (RIRs) to provide and certify the right information on which IP prefixes an AS should announce.
With most RIRs it is no problem to download these certificates, also called ‘Trust Anchor Locations’. And once you have them, your validation software can use them to make sure that the routing is safe. But if you want to download the Trust Anchor Locations from the ARIN RIR, pay very close attention! ARIN, the American Registry for Internet Numbers, sees the information that you request as confidential. What exactly they mean by that, nobody knows. Various talks are ongoing between ARIN and validators, but there is no news about that at the moment.
The result is that it takes a bit more effort to obtain the Trust Anchor Locations for the AS networks in the US. ARIN wants you to agree to all kinds of terms before you can download the Anchors, which practically speaking means that you have to check a lot of boxes with legal statements. It sounds tedious, but if you don’t do it, the information that ARIN provides is somewhat useless, because there are no certificates for the ASNs. And without them, your RPKI implementation will not be complete.
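What "not complete" means in practice, as an added example that is not Fusix's own code: a minimal RFC 6811 route origin validation over constructed data, run once with every trust anchor loaded and once without ARIN's. The prefixes and AS numbers come from the documentation ranges, and the names `VRPS`, `load_vrps` and `validate` are hypothetical.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (trust anchor, prefix, max length, origin AS).
# Documentation prefixes and AS numbers only; the "ripe"/"arin" labels are illustrative.
VRPS = [
    ("ripe", "192.0.2.0/24", 24, 64500),
    ("arin", "198.51.100.0/24", 24, 64501),
    ("arin", "2001:db8::/32", 48, 64501),
]

def load_vrps(trust_anchors):
    """Keep only the VRPs whose trust anchor is configured on the validator (hypothetical helper)."""
    return [(ipaddress.ip_network(p), m, a) for ta, p, m, a in VRPS if ta in trust_anchors]

def validate(prefix, origin_as, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_as in vrps:
        # A VRP covers the route if the route is equal to or more specific than the VRP prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Valid needs a covering VRP with the same origin AS and a sufficient max length.
        if vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    full = load_vrps({"ripe", "arin"})
    no_arin = load_vrps({"ripe"})
    announcements = [
        ("192.0.2.0/24", 64500),      # matches its VRP
        ("198.51.100.0/24", 64501),   # matches its VRP
        ("198.51.100.0/24", 64511),   # wrong origin AS
        ("198.51.100.0/25", 64501),   # more specific than the max length allows
        ("2001:db8:1::/48", 64501),   # within max length
    ]
    for prefix, asn in announcements:
        with_all = validate(prefix, asn, full)
        without = validate(prefix, asn, no_arin)
        print(f"{prefix:18} AS{asn}  all anchors: {with_all:10} without ARIN: {without}")
```

Without the ARIN anchor, the wrong-origin announcement drops from `invalid` to `not-found`, the same state as a prefix with no published data at all, so a policy that rejects only invalid routes will accept it.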
We feel that deploying RPKI is very important to make the Internet safer. It is something that we very much focus on at Fusix. And we would like to see other ISPs do the same and make the Internet a better place. But that does mean doing it right. Thanks to ARIN, it takes more effort. So make sure you tick all the boxes and get the right, validated information that you need to make the Internet safe.