Blogged: Using RPKI on MikroTik RouterOS 7 (7.21)
#ASPA is an emerging standard intended to help further improve routing security. You can now track ASPA deployment at a global, country/region, and ASN level on Cloudflare Radar, including real-time searching for ASPA entries.
Explore it at https://radar.cloudflare.com/routing#rpki-aspa-deployment
We just published 0.16.0-RC1 of our #RPKI Certification Authority Krill, which reverts back to downloading the RISwhois data and processing it locally for analysing ROAs rather than using an external API.
In addition, there are quite a few fixes and improvements. For instance, there now is a man page for the config file, so you can now do man krill.conf for information about the config.
https://community.nlnetlabs.nl/t/krill-0-16-0-rc1-released/73/1
Still seeing this on a dead #RPKI PP. I hope this thing isn't used to validate routes on a real network:
GET /rrdp/notification.xml HTTP/1.1 RIPE NCC RPKI Validator/3.1-2020.08.20.14.52
@jhaas @drscriptt Meanwhile, as more #RPKI invalid #BGP routes are dropped, we are working on making the invisible visible again with Rotonda. https://ripe91.ripe.net/programme/meeting-plan/sessions/15/CLRNRY/
@drscriptt @jhaas I remember launching #RPKI in 2011. It took years of publishing ROAs, learning from mistakes and fixing bad quality ROAs before the operator community got to the point where they felt comfortable dropping invalid routes.
ASPA will be the same, although perhaps a bit quicker because of the huge installed base of (ASPA capable) validators: https://rov-measurements.nlnetlabs.net/stats/
Routinator, our RPKI validation software, now sees more than 1000 Autonomous System Provider Authorization (ASPA) objects in the wild. These are published by operators to detect and prevent BGP route leaks.
ASPAs can be created in the hosted RPKI services of the RIPE NCC and ARIN, as well as our open-source RPKI Certification Authority software, Krill.
Open-source routing projects such as BIRD, OpenBGPD and FRRouting already offer support for ASPA, while major commercial vendor support is expected later this year.
#OpenSource #OpenStandards #IETF #RPKI #BGP #RoutingSecurity
Another noteworthy addition to the ASPA club
https://social.bgp.tools/@newaspa/statuses/01KGFYF1F9CV5J7X52QA70DYSY
It's not 7018, but a noteworthy addition to the growing community of ASPA users:
https://social.bgp.tools/@newaspa/statuses/01KFX7FXW1CKEGPGEQ1XAEEFZA
The Internet Last Week
* Microsoft services outage
https://www.tomsguide.com/news/live/microsoft-down-live-updates-outage-jan-22-26
https://www.msn.com/en-us/news/technology/microsoft-releases-statement-as-office-teams-365-outages-continue/ar-AA1ULzFd
* ARIN Online ASPA feature support
https://www.arin.net/announcements/20260120/
* Iran Internet partial traffic recovery
https://noc.social/@cloudflareradar/115939119806231525
https://transparencyreport.google.com/traffic/overview?hl=en&fraction_traffic=start:1768694400000;end:1769299199999;product:19;region:IR&lu=fraction_traffic
https://infosec.exchange/@dougmadory/115923020252033160
https://mastodon.social/@netblocks/115955109593934791
https://dnsmon.ripe.net/ir?start=2026-01-18T00:00:00.000Z&end=2026-01-24T23:59:00.000Z&zone=ir.&protocol=udp
https://dnsmon.ripe.net/ir?start=2026-01-18T00:00:00.000Z&end=2026-01-24T23:59:00.000Z&zone=ir.&protocol=tcp
* .il TLD ilns.iland.net.il NS outage
https://dnsmon.ripe.net/il?start=2026-01-18T00:00:00.000Z&end=2026-01-24T23:59:00.000Z&zone=il.&protocol=udp
https://dnsmon.ripe.net/il?start=2026-01-18T00:00:00.000Z&end=2026-01-24T23:59:00.000Z&zone=il.&protocol=tcp
We've added an Autonomous System Provider Authorization (ASPA) for our ASN (401720) which we operate many of our core services on.
https://console.rpki-client.org/AS401720.html
What is an ASPA? https://www.arin.net/resources/manage/rpki/aspa/
We have published Krill 0.15.1, which fixes a bug that causes CAs not to clear certification requests with their parents when they receive a new certificate.
This causes the CA to re-request a new certificate every time it contacts the parent which by default happens once a day. Another consequence is that this blocks key rolls from progressing.
We strongly encourage users of Krill 0.15.0 to upgrade at their earliest convenience.
https://community.nlnetlabs.nl/t/krill-0-15-1-contains-adult-language-released/64/1
IP hijacking remains a threat in 2026 as well (more info available here 👉 https://www.spamhaus.org/resource-hub/hijacking/); we strongly recommend deploying #RPKI and our #DROP and ASN-DROP lists to protect your infrastructure. ISPs and hosting providers are also encouraged to use the latter for customer vetting, to make sure IP hijackers can't even bring the stolen resources aboard (hint to G-Core Labs 😉 ).
DROP & ASN-DROP 👉 https://www.spamhaus.org/blocklists/do-not-route-or-peer/
3/3
rpki-client 9.7 released https://undeadly.org/cgi?action=article;sid=20260114104154 #openbsd #rpkiclient #rpki #routing #security #networking #bgp
It’s official and we are proud as hell! 😎
sys4 will send 3 of its experts to work at the EU Commission's Multistakeholder Forum on Internet Standards Deployment "to guide deployment of key Internet standards under NIS2 network security measures and promote wider industry uptake."
We - @cstrotm (DNS / DNSSEC), Gert Doering (IPv6, RPKI) and @patrickbenkoetter (TLS, DANE, MTA-STS, SPF, DKIM, DMARC) - will work on recommendations and best practices.
Our intent is to recommend what’s reasonable for customer security on the Internet and we expect the one or the other company to disagree for economic reasons. Like they have disagreed since we started to talk with them more than 10 years ago. And the market didn’t fix it. Well… let’s see if working in the Forum will do the trick.
https://digital-strategy.ec.europa.eu/en/news/european-commission-seeks-participants-multi-stakeholder-forum-internet-standards-deployment
#dns #dnssec #ipv6 #rpki #tls #dane #mtasts #spf #dkim #dmarc
We're happy to introduce the NLnet Labs Community Forum. https://blog.nlnetlabs.nl/introducing-the-nlnet-labs-community-forum/
🎁 bgpkit-parser v0.14 released. We added #RPKI RTR messages parsing and encoding support with an RTR client example. We also added support for negative filters. Queries like `--filter "origin_asn!=400644"` now work as expected.
More details at https://github.com/bgpkit/bgpkit-parser/releases/tag/v0.14.0