Generated by GPT-5-mini

| RIPE NCC RPKI Validator | |
|---|---|
| Name | RIPE NCC RPKI Validator |
| Developer | RIPE NCC |
| Programming language | Go |
| Operating system | Linux, macOS, Windows |
| License | Open source |

The RIPE NCC RPKI Validator is a software tool for validating Resource Public Key Infrastructure (RPKI) data to support secure Border Gateway Protocol (BGP) route origin validation. It is maintained by the RIPE NCC and interacts with repositories and caches maintained by organizations such as the Internet Assigned Numbers Authority, the Regional Internet Registries, and network operators participating in the Internet Engineering Task Force standards process. The validator is used by network operators, Internet service providers, and content delivery networks to increase routing security and interoperability with routing policy frameworks like BGP and routing registries such as the Routing Assets Database.
The validator implements RPKI mechanisms developed in the IETF working groups and follows specifications published by the IETF including documents tied to the Routing Area Working Group and the SIDR Working Group. It retrieves cryptographic objects from distributed publication points operated by entities such as the Internet Corporation for Assigned Names and Numbers delegates and integrates with RPKI repositories mirrored by caches like the RIPE NCC RPKI Validator’s upstream caches. Operators use the validator to generate validation state, produce RPKI-to-Router (RTR) sessions with routers from vendors like Cisco Systems, Juniper Networks, and Arista Networks, and to feed collectors such as RouteViews and RIPE RIS for operational visibility.
Development traces to efforts by the RIPE NCC to operationalize RPKI after standardization work by the IETF SIDR and IETF MANRS initiatives. Early RPKI deployments involved collaboration with stakeholders including the Internet Engineering Task Force, the Regional Internet Registries such as ARIN, APNIC, LACNIC, and AfriNIC, and operator communities exemplified by the MANRS community. The project incorporated lessons from incidents involving route misannouncements and was influenced by incidents studied by organizations like the European Network Coordination Centre and research groups at universities collaborating with the RIPE NCC. Over time, the validator evolved to support protocols such as RTR and interoperated with routing platforms and monitoring systems used by Netflix, Google, Facebook, and academic networks.
The validator provides RPKI origin validation, cache ingestion, certificate chain building, and Route Origin Authorization (ROA) processing, aligning with specifications authored within the IETF and reviewed by bodies such as the Internet Architecture Board. It exposes status via APIs consumable by network management stacks from vendors like Cisco Systems and Huawei, and integrates with routing policies enforced on platforms developed by Juniper Networks and Arista Networks. The software supports automated publication point discovery for entities like the Regional Internet Registries, handles cryptographic operations based on standards from the Public Key Infrastructure community, and produces outputs compatible with monitoring and telemetry systems used by Akamai, Cloudflare, and research projects at institutions like MIT and the University of Cambridge.
Operators deploy the validator on systems running distributions from vendors such as Red Hat, Debian, and Ubuntu or on appliances offered by network equipment vendors like Dell EMC. Configuration typically involves establishing trust anchors provided by organizations including the RIPE NCC and configuring RTR sessions to routers from Cisco Systems, Juniper Networks, Arista Networks, and other vendors. Integrations are common with route collectors and measurement platforms such as RouteViews, RIPE RIS, and analytics platforms from companies like ThousandEyes and teams at CAIDA. Enterprises and research networks in universities like Stanford University and ETH Zurich deploy the validator alongside BGP control-plane tooling and network automation frameworks inspired by projects from the IETF and the Open Networking Foundation.
The validator hardens operational security following recommendations from the IETF and collaborative efforts including MANRS. It validates certificate chains issued by registries including ARIN, APNIC, LACNIC, and AfriNIC and mitigates risks associated with route hijacking incidents that have affected large-scale operators like Google and Amazon Web Services. Reliability is reinforced through measures such as cache redundancy, monitoring by platforms like Prometheus and Grafana in production deployments, and coordination with RPKI repository operators and registry teams at the RIPE NCC and other Regional Internet Registries to handle revocations and certificate rollovers.
Adoption of the validator reflects broader uptake of RPKI by network operators, content providers, and cloud platforms including Google, Amazon Web Services, Microsoft Azure, and Cloudflare. It is referenced in operational guidance by industry groups such as MANRS and has been discussed in forums including the IETF meetings, regional events like RIPE Meetings, and research publications from institutions like UC Berkeley and ETH Zurich. The tool is used in production by national research and education networks and large service providers, and it is part of ongoing efforts by the RIPE NCC and partner organizations to improve routing security across the global Internet.