home.social

#rpki — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #rpki, aggregated by home.social.

  1. Cybersecurity is complicated. How North Korea cut off its Internet connection while trying to secure it. labs.ripe.net/author/romain_fo

    #BGP #RPKI

  2. 🚨 More new routing insights on Radar!

    - Track #RPKI ROA deployment history at a global/country/ASN level, going back 3+ years for valid prefixes & address space

    radar.cloudflare.com/routing/r

    - Country level announced IP address space graphs now include a "Show top ASes" toggle. Stacked area graphs make it easier to identify the providers behind large address space withdrawals.

    Example: radar.cloudflare.com/routing/i

  3. rpki-client 9.8 released

    Routing security matters to all of us (even those of us who seldom give the subject any thought), and the rpki-client project announced the release of a new version of their Resource Public Key Infrastructure (RPKI) client, with a number of improvements.

    The announcement reads

    • List: openbsd-announce
    • Subject: rpki-client 9.8 released
    • From: Sebastian Benoit
    • Date: 2026-04-14 23:20:42

      rpki-client 9.8 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users upgrade to this version for improved reliability.

      rpki-client is a FREE, easy-to-use implementation of the Resource
      Public Key Infrastructure (RPKI) for Relying Parties to facilitate
      validation of BGP announcements. The program queries the global RPKI
      repository system and validates untrusted network inputs. The program
      outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
      in configuration formats suitable for OpenBGPD and BIRD, and supports
      emitting CSV and JSON for consumption by other routing stacks.

      See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
      Origin Validation help secure the global Internet routing system.

      rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker,
      Job Snijders, Theo Buehler, Theo de Raadt, and Sebastian Benoit as part
      of the OpenBSD Project.

      This release includes the following changes to the previous release:

      • Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
      • Fixed an accounting issue in HTTP gzip compression detection.
      • Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
      • Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
      • Ensure that a repository timeout correctly stops repository processing. Thanks to Fedor Vompe from Deutsche Telekom for reporting.
      • Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa. Thanks to Bart Bakker from RIPE NCC for reporting.
      • Fixed an issue in the parser for the locally configured constraints. Thanks to Daniel Anderson.
      • A malicious RRDP Publication Server can cause a NULL dereference. Thanks to Daniel Anderson for reporting.
      • A malicious RPKI Publication Server can cause an incorrect error exit. Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua University, and Teatime Lab for reporting.

    Go read ALL about it here!

    undeadly.org/cgi?action=articl

    #rpki #client #resource #public #key #infrastructure #openBSD #OpenSource #programming #networking

  4. On Tuesday, 7 April, the Global Internet Standards Testing Community (GISTC) held its 3rd online meeting, which was chaired by Alena Muravska from @ripencc.

    The GISTC brings together organisations from all over the world around #InternetStandards, the Internet.nl test tool and open-source code.

    Its goal is to enable knowledge exchange, coordination of efforts, and of course to collaboratively improve the adoption of modern internet standards like #IPv6, #DNSSEC, #DANE, #DMARC, and #RPKI.

    1/3

  5. Weekend Reads

    * Email address obfuscation in 2026
    spencermortensen.com/articles/
    * Profile of Kimwolf botnet researcher
    wsj.com/tech/kimwolf-hack-resi
    * Quantifying AI data center heat impacts
    arxiv.org/abs/2603.20897
    * Characterizing invalid routes via Tunnels
    arxiv.org/abs/2603.29207
    * Detecting anomalous topology, routes, and congestion
    arxiv.org/abs/2603.25875

    #EMail #Kimwolf #AI #RPKI #BGP

  6. 🚀 Ah, the noble quest to secure the Internet's mailman! 🌍 #BGP is still as safe as letting toddlers handle your bank transactions. But fear not, because #ISPs will definitely implement #RPKI and save the day...right after they solve world peace and cure aging. 😂
    isbgpsafeyet.com/ #InternetSecurity #CyberSecurity #Humor #HackerNews #ngated

  7. Last week I was in Stockholm for the route servers workshop organised by #Euro-IX. I presented my work on the #Debian packaging of software like #BIRD, #OpenBGPD and the #RPKI validators.

    Slides are available at linux.it/~md/text/ixp-debian-r .

  8. Interesting discussion about distribution / decentralization / de facto concentration of the #RPKI at #IETF125, which reminds me of discussions about the fediverse, Bluesky, etc.

  9. "RPKI has been around for a while... more than a decade..."

    🤔

    🧐

    😱

    "more than a decade"??

    ... I remember when it began... 😃

    #IETF #IETF125 #RPKI #RoutingSecurity #MANRS

  10. "ARIN's Director of Customer Technical Services, Brad Gorman, is bringing RPKI expertise to the Toronto Network Operators Group's inaugural full-day conference."

    Learn:
    🔹 What RPKI actually does
    🔹 Why it matters for YOUR network
    🔹 How to deploy it safely
    🔹 Where to start (no theory overload!)

    See ARIN's original post here: instagram.com/p/DV2VLbfDTN4/

    Join us on April 13th and check out the full agenda here:

    tornog.ca/events/tornog-1/agen

    #TORNOG #RPKI #RoutingSecurity #Toronto #NetworkOperations

  11. The agenda for TORNOG 1 is live! tornog.ca/events/tornog-1/agen

    Join us for the inaugural TORNOG full day conference on April 13th, at the MaRS Centre in Toronto!

    #Toronto #RPKI #Fiber #IX #Sovereignty #AutonomousResilience #CloudNetwork #NetworkAutomation

  12. Krill 0.16.0 is now available.

    This release of our #RPKI Certification Authority reverts back to downloading the RISwhois data and processing it locally for analysing ROAs rather than using an external API.

    The Krill daemon will now also listen on a Unix socket which allows it to use the name of the local user for authentication, making it unnecessary to specify the authentication token when using krillc locally.

    community.nlnetlabs.nl/t/krill

  13. #ASPA is an emerging standard intended to help further improve routing security. You can now track ASPA deployment at a global, country/region, and ASN level on Cloudflare Radar, including real-time searching for ASPA entries.

    Explore it at radar.cloudflare.com/routing#r

    #RPKI

  14. We just published 0.16.0-RC1 of our #RPKI Certification Authority Krill, which reverts back to downloading the RISwhois data and processing it locally for analysing ROAs rather than using an external API.

    In addition, there are quite a few fixes and improvements. For instance, there now is a man page for the config file, so you can now do man krill.conf for information about the config.

    community.nlnetlabs.nl/t/krill

  15. Still seeing this on a dead #RPKI PP. I hope this thing isn't used to validate routes on a real network:

    GET /rrdp/notification.xml HTTP/1.1 RIPE NCC RPKI Validator/3.1-2020.08.20.14.52

  16. @jhaas @drscriptt Meanwhile, as more #RPKI invalid #BGP routes are dropped, we are working on making the invisible visible again with Rotonda. ripe91.ripe.net/programme/meet

  17. @drscriptt @jhaas I remember launching #RPKI in 2011. It took years of publishing ROAs, learning from mistakes and fixing bad quality ROAs before the operator community got to the point where they felt comfortable dropping invalid routes.

    ASPA will be the same, although perhaps a bit quicker because of the huge installed base of (ASPA capable) validators: rov-measurements.nlnetlabs.net

  18. Routinator, our RPKI validation software, now sees more than 1000 Autonomous System Provider Authorization (ASPA) objects in the wild. These are published by operators to detect and prevent BGP route leaks.

    ASPAs can be created in the hosted RPKI services of the RIPE NCC and ARIN, as well as our open-source RPKI Certification Authority software, Krill.

    Open-source routing projects such as BIRD, OpenBGPD and FRRouting already offer support for ASPA, while major commercial vendor support is expected later this year.

    #OpenSource #OpenStandards #IETF #RPKI #BGP #RoutingSecurity

  19. We've added an Autonomous System Provider Authorization (ASPA) for our ASN (401720) which we operate many of our core services on.

    console.rpki-client.org/AS4017

    What is an ASPA? arin.net/resources/manage/rpki

    #ARIN #RPKI #BGP

  20. The @ripencc recently added the ability to specify Autonomous System Provider Authorization (ASPA) objects in their #RPKI dashboard.

    Routinator currently sees 322 published ASPAs. 🚀

    Did you review your provider-customer relationships yet?

    #OpenSource #RoutingSecurity #BGP

    ripe.net/manage-ips-and-asns/r

  21. If you or your colleagues have ROAs in the #AFRINIC #RPKI repository, see this email from @job

    Those with a non-conformant subject name can reissue the ROA themselves, the others will need to be fixed by the registry.

    lists.afrinic.net/pipermail/db

  22. ROA Planner, as seen on the #NANOG list:

    rootbeer.testing.ns.internet2.

    "The implementation remains fragile and will be unavailable intermittently, but we hope to improve it over the next couple of weeks."

    aka beta test.

    #RPKI

  23. Members of the Dutch Internet Standards Platform, Alena Muravska (@ripencc ) and @wouterkobes (@forumstandaardisatie), will take part in #SEEDIG10 on 10 and 11 October in Athens. Together with other panelists, they will share their perspectives and expertise during the session 'Securing the Internet Routing in the SEE Region' on 10 October.

    More information can be found on the #SEEDIG10 event page: seedig.net/seedig-10/

    #InternetStandards #RoutingSecurity #RPKI #SEEDIG

  24. We have just released the second release candidate for Krill 0.15.0. The release contains a lot of internal refactoring, along with a couple of changes.

    The most important one is the way multi-user authentication works. If you are not running Krill with just the admin token, you may want to read krill.docs.nlnetlabs.nl/en/v0.. We’ll write a migration guide before the full 0.15.0 release. github.com/NLnetLabs/krill/rel

  25. 📍 We’re bringing some of our top training courses to #Paris!

    🗓 26 May – #RIPEDatabase
    🗓 27 May – #IPv6 #Security
    🗓 28 May – #BGP #RPKI #IRR

    🎓 Full-day, hands-on & expert-led.
    Non-members welcome if spots are available.

    Secure your spot now: learning.ripe.net/w/

    #RIPE #Training #Networking #DNS

  26. And to finish off this release-packed Thursday, we're happy to offer the first Release Candidate of our proxy RTRTR, version 0.3.2-rc1. This release adds support to the JSON input and output, and more… github.com/NLnetLabs/rtrtr/rel

  27. also available in English:
    Adoption of RPKI/ROV security protocol progressing very quickly -- Next step is implementation of ASPA

    Although RPKI/ROV is being adopted very quickly, it's still early days for the other two RPKI-based protocols. Anyone now running RPKI with ROV will be able to take the next step to ASPA in the next few years. Where BGPsec is concerned, it's a question of waiting for the next generation of routing systems.

    #RPKI #ASPA #BGPsec #BGP #IPv6 #InternetSecurity

  28. on SIDN.nl:
    RPKI/ROV security protocol is seeing lightning-fast adoption -- Next step is implementation of ASPA
    sidn.nl/nieuws-en-blogs/rpki-r

    While RPKI/ROV has seen very rapid adoption, it is still just too early for the other two RPKI-based protocols. Anyone who has RPKI with ROV running now will be able to take the follow-up step to ASPA within the next few years. For BGPsec, it is a matter of waiting for the next generation of router systems.

    #RPKI #ASPA #BGPsec #BGP #IPv6 #InternetSecurity

  29. This is great news! I have long been a huge fan of Internet.nl as a test site for compliance with the latest standards, and now they have added #RPKI into their scoring. (The RPKI test was there for the last 2 years, but didn’t count toward the score - now it does!)

    This is a way to hopefully get people paying more attention to #RoutingSecurity and #MANRS

    From: @internet_nl
    mastodon.nl/@internet_nl/11390

  30. Routinator offered support for Autonomous System Provider Authorization (ASPA) as an experimental feature for a number of years already. Standardization has now progressed far enough in the that we feel comfortable making it a core feature in Routinator 0.14.1. github.com/NLnetLabs/routinato