
Implement RPKI (Resource Public Key Infrastructure)
Closed, Resolved (Public)

Description

Wikimedia should implement RPKI (https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure) for its IP space and ASes. According to http://rpki.surfnet.nl/top500.php , of the biggest sites on the internet only Facebook has implemented it.

Looks like it isn't yet implemented for the US (http://rpki.surfnet.nl/peras.php?asn=14907) and for Europe (http://rpki.surfnet.nl/peras.php?asn=43821).

The Europe part is quite easy to implement. Just sign in to the LIR portal at RIPE (https://certification.ripe.net/) and follow the instructions at http://www.ripe.net/lir-services/resource-management/certification

For the US part it's a bit more red tape, see the instructions at https://www.arin.net/resources/rpki/

Details

Reference
bz59115

Event Timeline

bzimport raised the priority of this task to Low. (Nov 22 2014, 2:36 AM)
bzimport set Reference to bz59115.
bzimport added a subscriber: Unknown Object (MLST).
faidon lowered the priority of this task from Low to Lowest. (Sep 2 2015, 9:39 PM)
faidon updated the task description.
faidon removed a project: WMF-General-or-Unknown.
faidon set Security to None.
ayounsi added subscribers: BBlack, faidon.

ARIN is also very straightforward (everything can be done online).
See this copy of a blog post I wrote in 2013 https://labs.ripe.net/Members/mirjam/mozilla-uses-rpki

To get this going and keep it simple I suggest we allow both our ASes to advertise all of our allocations and larger prefixes (smaller subnets).
For this we need to list/document all our ranges (good exercise to do anyway) per RIR.
EDIT: added there: https://wikitech.wikimedia.org/wiki/IP_allocations
Note that even if we miss a range, it would not show up as "failed" during a verification, but as "unknown", like they currently are.

Hey, a new network engineer. :-)
Fun info at https://stat.ripe.net/AS43821#tabId=routing and https://stat.ripe.net/AS14907#tabId=routing. Would love to see some progress on this.

Created the following ROAs via RIPE's website for our two least used prefixes:
Edit: added the 3rd RIPE prefix
Edit2: Added ARIN v6
Edit3: Added ARIN v4

| AS number | Prefix          | Up to |
|-----------|-----------------|-------|
| AS43821   | 2a02:ec80::/29  | 48    |
| AS14907   | 2a02:ec80::/29  | 48    |
| AS43821   | 185.15.56.0/22  | 24    |
| AS14907   | 185.15.56.0/22  | 24    |
| AS43821   | 91.198.174.0/24 | 24    |
| AS14907   | 91.198.174.0/24 | 24    |
| AS43821   | 2620:0:860::/46 | 48    |
| AS14907   | 2620:0:860::/46 | 48    |
| AS43821   | 198.35.26.0/23  | 24    |
| AS14907   | 198.35.26.0/23  | 24    |
| AS43821   | 208.80.152.0/22 | 24    |
| AS14907   | 208.80.152.0/22 | 24    |

Added RIPE alerts about unknown and invalid prefixes to be sent to noc@wiki...
Enabled ROA validation for the same prefixes in BGPmon

Will monitor them and add the 3rd RIPE prefix later on.
Waiting for ARIN's ToS to get approved.
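As an added illustration (not code from this task or from Wikimedia), the following script applies RFC 6811 route origin validation to the ROAs tabulated above. It shows the two points made earlier in the thread: a "Up to" (maxLength) value lets more-specific announcements down to that length validate, and a range with no ROA at all comes back as "not-found" (shown as "unknown" by RIPE's tools) rather than "invalid". The ROA list is constructed from the table in this task; the announcements, the documentation prefix 203.0.113.0/24 and the documentation ASN 64496 are constructed test inputs.

```python
"""Route Origin Validation (RFC 6811) over a small ROA set.

Added example, not code from the task or from Wikimedia. The ROA list is
constructed from the ROAs tabulated in this task; the announcements used
at the bottom are constructed test inputs.
"""
import ipaddress

# (prefix, maxLength, origin ASN), constructed from the ROAs listed in the task
ROAS = [
    ("2a02:ec80::/29", 48, 43821), ("2a02:ec80::/29", 48, 14907),
    ("185.15.56.0/22", 24, 43821), ("185.15.56.0/22", 24, 14907),
    ("91.198.174.0/24", 24, 43821), ("91.198.174.0/24", 24, 14907),
    ("2620:0:860::/46", 48, 43821), ("2620:0:860::/46", 48, 14907),
    ("198.35.26.0/23", 24, 43821), ("198.35.26.0/23", 24, 14907),
    ("208.80.152.0/22", 24, 43821), ("208.80.152.0/22", 24, 14907),
]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers `prefix` (RFC 6811 'covering ROA')."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa_prefix, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first
        if net.version == roa_net.version and net.subnet_of(roa_net):
            out.append((roa_net, maxlen, asn))
    return out


def validate_route(prefix, origin_asn, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'.

    'not-found' is what RIPE's tools display as "unknown": no ROA covers the
    prefix at all, which is also the state of any range that was never signed.
    'invalid' requires a covering ROA that the announcement then violates,
    either by a wrong origin AS or by being more specific than maxLength.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"
    for _roa_net, maxlen, asn in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def uncovered_prefixes(prefixes, roas=ROAS):
    """Announced ranges with no covering ROA; these validate as 'not-found'."""
    return [p for p in prefixes if not covering_roas(p, roas)]


if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS)
    announcements = [
        ("208.80.152.0/22", 14907),    # exact ROA match             -> valid
        ("208.80.154.0/24", 43821),    # more specific, within maxLength -> valid
        ("208.80.154.0/25", 14907),    # /25 exceeds maxLength 24    -> invalid
        ("208.80.152.0/22", 64496),    # wrong origin (documentation ASN) -> invalid
        ("2620:0:860:1::/64", 14907),  # /64 exceeds maxLength 48    -> invalid
        ("203.0.113.0/24", 14907),     # no covering ROA             -> not-found
    ]
    for pfx, asn in announcements:
        print(f"{pfx:22} AS{asn:<6} {validate_route(pfx, asn)}")
    print("uncovered:", uncovered_prefixes(["198.35.26.0/23", "203.0.113.0/24"]))
```

Run it directly to see each constructed announcement classified; `uncovered_prefixes` is the check to run over a full list of announced ranges (for example the ranges documented on the IP_allocations page) to find any that would still show up as "unknown".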

RFC 8205 (BGPSec) got published this week, which will use RPKI to secure against bad route announcements by signing UPDATE messages - https://tools.ietf.org/html/rfc8205

Added the key pair generated for ARIN to the pw repository.
Generated a SOA for the v6 ARIN prefix, if no issues after propagation, I'll generate the last two ARIN v4 SOAs.

Added doc/runbook on verifying ROAs:
https://wikitech.wikimedia.org/wiki/Network_monitoring#BGPmon_alerts

We're all done here!