[nis-ip] Delegated RPKI now available

Nato Internet Service info at nat.moe
Fri Sep 4 23:16:06 UTC 2020

NIS IP space users,

NIS now supports delegated RPKI. Delegated RPKI allows you to run your own Certificate Authority (CA). Using your own CA, you can sign Route Origin Authorizations (ROAs) yourself. 

NIS's delegated RPKI service uses the up/down RPKI protocol and supports RFC 8183 [1]. You will need to provide your child request XML to set up identity exchange for delegated RPKI.

Before you begin, you must have:

- Direct IP allocation(s) from NIS,
- a software/hardware infrastructure in which to host a CA and make it highly available, and
- an up/down identity (created with software that supports delegated RPKI).

To set up delegated RPKI:

1. Obtain software that supports delegated RPKI, such as Krill [2] or Dragon Research Lab's RPKI Toolkit [3].
2. Set up the CA in your software.
3. Use your RPKI software to generate a child request XML file, which contains your up/down identity information and repository reference. 
4. Submit your child request XML file to us through our ticket system [4].
5. We will set up your child CA and send you the parent response XML file.
6. Submit the parent response XML you got to your RPKI software, and confirm with an RPKI validator, such as RIPE's RPKI validator [5], that your repository is properly configured and reachable. Depending on which block you have, you will either see it in ARIN (2602:feda:: block) or APNIC (2406:4440:: block).

Should you have any questions or concerns, feel free to reply directly to this email.

Nato Internet Service

[1] https://tools.ietf.org/html/rfc8183
[2] https://www.nlnetlabs.nl/projects/rpki/krill
[3] https://github.com/dragonresearch/rpki.net
[4] https://service.nat.moe/open.php?topicId=19
[5] https://rpki-validator.ripe.net/trust-anchors
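
A pre-submission sanity check for the child request XML from step 3, as an added example that is not part of the original announcement or of any RPKI software named in it. It checks the RFC 8183 `child_request` structure and that the embedded BPKI trust anchor decodes to one complete DER SEQUENCE, which catches copy/paste truncation; the handle `example-child` and the 5-byte DER stub are constructed placeholders.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

RFC8183_NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"

def der_sequence_ok(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                       # short form: length in one byte
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)

def check_child_request(xml_text: str) -> list:
    """Return a list of problems; an empty list means structurally plausible."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{RFC8183_NS}}}child_request":
        problems.append(f"unexpected root element {root.tag!r}")
    if root.get("version") != "1":
        problems.append("version attribute must be 1")
    if not root.get("child_handle"):
        problems.append("missing child_handle attribute")
    ta = root.find(f"{{{RFC8183_NS}}}child_bpki_ta")
    if ta is None or not (ta.text or "").strip():
        return problems + ["missing child_bpki_ta element"]
    try:
        der = base64.b64decode("".join(ta.text.split()), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["child_bpki_ta is not valid base64"]
    if not der_sequence_ok(der):
        problems.append("child_bpki_ta is not a complete DER SEQUENCE (truncated?)")
    return problems

def make_sample(der: bytes, ns: str = RFC8183_NS) -> str:
    """Build a constructed child_request around the given bytes (placeholder data)."""
    b64 = base64.b64encode(der).decode()
    return (f'<child_request xmlns="{ns}" version="1" child_handle="example-child">'
            f'<child_bpki_ta>{b64}</child_bpki_ta></child_request>')
```

This only checks structure; it does not validate the certificate itself or replace the validator check in step 6.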
