APNIC releases major upgrade to RPKI
APNIC has deployed a major upgrade to its Resource Certification system, RPKI.
APNIC has deployed a major upgrade to its Resource Certification system, RPKI. This upgrade includes a revised user interface (UI) to the MyAPNIC managed portal for RPKI management, and also includes new functionality to allow resource holders to operate their own locally managed RPKI system and communicate with the APNIC RPKI using the standard “RPKI Provisioning Protocol”.
New RPKI UI in MyAPNIC
MyAPNIC now has a revised user interface for RPKI services. This new interface follows the style of information management by the by the RIPE NCC in their online portal, and reflects a close associating of RPKI object management and routing in BGP.
When a user wishes to generate Route Origination Attestations (ROAs) in the user interface, the portal will let them specify a list of prefixes from their set of managed resources and originating AS Numbers. The system constructs the necessary certificates and set of ROAs from this list, and will keep these ROAs active and valid for as long as you wish the associated route advertisements to be valid in RPKI-terms.
By removing or changing a prefix entry in the MyAPNIC portal, this manual override can alter the override the automated function of ROA generation.
Further enhancements are planned for this user interface, including the provision of a view of current BGP routing, and an ability to pre-select all current BGP-advertised routes as the basis of your set of ROAs. APNIC’s aim is to ensure that the look and feel of this interface maintains strong consistency with the tools being developed by the RIPE NCC.
RPKI Provisioning Protocol
APNIC uses the RPKI Provisioning Protocol (RFC6492) internally to manage Member RPKI certification separately from its own RPKI service, which signs over member resources. This service has now been extended to provide a public access port and a system for uploading your child engine details via MyAPNIC.
APNIC adopted the .XML interchange format defined by the code at https://trac.rpki.net/. Using the commands in the RPKI system you can easily identify the child .XML file, and upload to APNIC via the MyAPNIC portal. This will generate a matching parent.XML reply file, to be used to bootstrap your child RPKI service. This process exchanges business PKI (bPKI) public key certificates to authorize the use of the service in a secure manner, and enables APNIC to be your parent RPKI engine. All resources managed under APNIC will then be available in RPKI to your local RPKI system.
This new service permits APNIC address holders to manage the RPKI services in-house, and obtain their covering RPKI certificates from APNIC over this RPKI Provisioning Protocol, as an alternative to the use of the MyAPNIC portal for RPKI management.