Quoted from the AWS documentation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html):
- X.509 self-signed certificate
- A certificate standard most commonly used to encrypt and authenticate data within a network. It is the certificate AWS uses to validate control over IP space from an RDAP record. For more information about X.509 certificates, see RFC 3280.
- Registry Data Access Protocol (RDAP)
- A query service for registration data. It is updated by customers and used by AWS to verify control of an address space in the Regional Internet Registries (RIRs).
- Route Origin Authorization (ROA)
- An object created in the RIR's RPKI system by which customers authorize the advertisement of their IP prefixes from particular autonomous systems. For an overview, see Route Origin Authorizations (ROAs) on the ARIN website.
Generate an RSA 2048-bit private key (passphrase-protected with AES-256):
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem
Use the following command to inspect the private key; because the key must be decrypted to print it, this also confirms the passphrase is correct:
openssl pkey -in private-key.pem -text
Generate the public key from the private key:
openssl rsa -in private-key.pem -pubout > public-key.pem
Create a self-signed X.509 certificate from the private key; in this example the certificate expires after 365 days (1 year):
openssl req -new -x509 -key private-key.pem -days 365 -out certificate.pem
Check the certificate's details with the following command:
openssl x509 -text -noout -in certificate.pem
Strip the newline characters and save the single-line form to a new file; this is what goes into the RDAP record:
cat certificate.pem | tr -d "\n" > certificate.public.pem
Normally you update the RDAP record by submitting the change to your RIR.
In Taiwan, you can email TWNIC at [email protected] with certificate.public.pem attached and ask them to update the RDAP record for you.
Check that the record has been updated (APNIC publishes the certificate in the remarks field of the inetnum record):
whois -h whois.apnic.net <CIDR> | grep remarks | grep CERTIFICATE
The output should contain remarks lines carrying the certificate text.
In Taiwan, TWNIC provides an RPKI management system [1].
Create the ROA in this RPKI system.
For each prefix, create two ROA entries, one for ASN 14618 and one for ASN 16509 (the Amazon ASNs that will originate the prefix).
Use the Cloudflare RPKI validator [2] to verify that the ROA is publicly visible.
<aside> 📌 Cloudflare being able to validate the ROA does not mean AWS can see it yet. It can sometimes take longer to sync, but usually AWS does not take long.
</aside>
Use the AWS CLI to find the account ID; the "Account" field in the following output is what we need (the same 12-digit ID appears inside the ARN):
aws sts get-caller-identity
{
"Account": "xxxxxxxxxxxx",
"UserId": "yyyyyyyyyyyyyyyyyyyy",
"Arn": "arn:aws:iam::xxxxxxxxxxxx:user/<user-id>"
}
<aside> 📌 The CIDR format should look like 192.168.1.0/24. The most specific IPv4 range you can bring is a /24.
</aside>
Build the authorization message. <expire-date> is in YYYYMMDD format and must lie in the future; AWS rejects the signed message once that date has passed:
export text_message="1|aws|<account-id>|<CIDR>|<expire-date>|SHA256|RSAPSS"
Sign it with RSA-PSS over SHA-256 (salt length equal to the digest length) and encode the signature as base64 with + = / replaced by - _ ~ and no line breaks:
signed_message=$( echo -n "$text_message" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
You will be prompted for the key's passphrase:
Enter pass phrase for private-key.pem:
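As an added example (not part of the original notes or the AWS documentation), the following script builds and signs the authorization message with the same openssl pipeline and then verifies the signature locally against the certificate, which catches a malformed message, a bad expiry date or a mangled signature before the API rejects it with the errors listed at the end of this page. To run unattended it generates a throw-away unencrypted key and self-signed certificate in a temporary directory; the real key should stay passphrase-protected as above. The function names, the account ID 123456789012 and the RFC 5737 documentation prefix 192.0.2.0/24 are constructed for the example and are not AWS names.

```shell
#!/usr/bin/env bash
# Added example: build, sign and locally verify an AWS BYOIP authorization
# message with the same openssl pipeline as the notes above. Not AWS code.
# Assumption: a throw-away UNENCRYPTED key is generated in a temp dir so this
# runs unattended; the real key should stay passphrase-protected (-aes256).
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Test key + self-signed cert (same commands as above, minus the passphrase).
make_test_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/key.pem" 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/key.pem" -days 365 \
    -subj "/CN=byoip-test" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Build "1|aws|<account>|<cidr>|<YYYYMMDD>|SHA256|RSAPSS". The checks mirror
# the API errors: not well-formed, different CIDR, expired authorization.
build_message() {
  account="$1"; cidr="$2"; expires="$3"
  case "$account" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be 12 digits" >&2; return 1 ;;
  esac
  case "$cidr" in
    *.*.*.*/[0-9]*) ;;
    *) echo "cidr must look like 192.168.1.0/24" >&2; return 1 ;;
  esac
  case "$expires" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "expiry must be YYYYMMDD" >&2; return 1 ;;
  esac
  if [ "$expires" -le "$(date -u +%Y%m%d)" ]; then
    echo "expiry $expires is not in the future" >&2; return 1
  fi
  printf '1|aws|%s|%s|%s|SHA256|RSAPSS' "$account" "$cidr" "$expires"
}

# RSA-PSS over SHA-256 with salt length = digest length (rsa_pss_saltlen:-1),
# base64, then AWS's substitution + = / -> - _ ~ and no line breaks.
sign_message() {
  key="$1"; message="$2"
  printf '%s' "$message" \
    | openssl dgst -sha256 -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-1 -sign "$key" -keyform PEM \
    | openssl base64 | tr -- '+=/' '-_~' | tr -d '\n'
}

# Undo the substitution and verify with the certificate's public key; this is
# what AWS does against the certificate published in the RDAP record.
verify_signature() {
  cert="$1"; message="$2"; signature="$3"
  printf '%s' "$signature" | tr -- '-_~' '+=/' \
    | openssl base64 -d -A > "$WORKDIR/sig.bin"
  openssl x509 -in "$cert" -pubkey -noout > "$WORKDIR/pub.pem"
  printf '%s' "$message" \
    | openssl dgst -sha256 -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-1 -verify "$WORKDIR/pub.pem" \
        -signature "$WORKDIR/sig.bin" > /dev/null
}

# Constructed inputs: a fake account ID and a documentation prefix (RFC 5737),
# expiring on 1 January of next year.
make_test_key
msg="$(build_message 123456789012 192.0.2.0/24 "$(( $(date -u +%Y) + 1 ))0101")"
sig="$(sign_message "$WORKDIR/key.pem" "$msg")"
verify_signature "$WORKDIR/cert.pem" "$msg" "$sig"
echo "message:   $msg"
echo "signature: $sig"
```

Because PSS is randomized, the signature differs on every run; the only meaningful check is that verification succeeds for the exact message you will pass to provision-byoip-cidr and fails for any other.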
After generating the signed message, use the provision-byoip-cidr command to provision the address range:
aws ec2 provision-byoip-cidr --cidr <CIDR> --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region <region>
{
"ByoipCidr": {
"Cidr": <CIDR>,
"State": "pending-provision"
}
}
Check the provisioning state; repeat until State changes from pending-provision to provisioned:
aws ec2 describe-byoip-cidrs --max-results 5 --region <region>
{
"ByoipCidrs": [
{
"Cidr": <CIDR-you-provided>,
"State": "provisioned",
"StatusMessage": "Cidr successfully provisioned into Ipv4Pool: <IPv4PoolId>"
}
]
}
Once the range is provisioned, advertise it (AWS does not announce the prefix until this step):
aws ec2 advertise-byoip-cidr --cidr <CIDR-you-provided> --region <region>
Then check the state again:
aws ec2 describe-byoip-cidrs --max-results 5 --region <region>
{
"ByoipCidrs": [
{
"Cidr": <CIDR-you-provided>,
"StatusMessage": "Cidr successfully provisioned into Ipv4Pool: <IPv4PoolId>",
"State": "advertised"
}
]
}
List the public IPv4 pools to see the pool the range was placed in (ap-northeast-3 is the region used here):
aws ec2 describe-public-ipv4-pools --region ap-northeast-3
{
"PublicIpv4Pools": [
{
"TotalAvailableAddressCount": 256,
"Description": "",
"Tags": [],
"PoolAddressRanges": [
{
"AddressCount": 256,
"LastAddress": "<the last address in the CIDR, e.g. 192.168.1.255>",
"AvailableAddressCount": 256,
"FirstAddress": "<the first address in the CIDR, e.g. 192.168.1.0>"
}
],
"TotalAddressCount": 256,
"PoolId": <IPv4PoolId>,
"NetworkBorderGroup": "ap-northeast-3"
}
]
}
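As an added example (not part of the original notes or the AWS documentation), the following script strings the provision, describe and advertise calls above into one function that waits on the state transitions instead of re-running describe-byoip-cidrs by hand. describe-byoip-cidrs has no per-CIDR filter, so the state is picked out with a JMESPath --query. The function names, POLL_SECONDS and MAX_POLLS are introduced here; it needs a configured AWS CLI to do anything real, and the usage line at the bottom is left commented out for that reason.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes or AWS: provision, wait, advertise,
# wait, instead of re-running describe-byoip-cidrs by hand. Needs a configured
# AWS CLI; POLL_SECONDS, MAX_POLLS and the function names are introduced here.
set -eu

POLL_SECONDS="${POLL_SECONDS:-60}"
MAX_POLLS="${MAX_POLLS:-120}"

# State of one CIDR, or "None" when AWS has no record of it. describe-byoip-cidrs
# has no per-CIDR filter, so the entry is picked out with a JMESPath --query.
byoip_state() {
  cidr="$1"; region="$2"
  aws ec2 describe-byoip-cidrs --max-results 100 --region "$region" \
    --query "ByoipCidrs[?Cidr=='$cidr'].State | [0]" --output text
}

# Poll until the CIDR reaches $target. A terminal failure state or running out
# of polls returns 1, so a failed range is never advertised.
wait_for_byoip_state() {
  cidr="$1"; target="$2"; region="$3"
  n=0
  while [ "$n" -lt "$MAX_POLLS" ]; do
    state="$(byoip_state "$cidr" "$region")"
    echo "$cidr: $state" >&2
    case "$state" in
      "$target") return 0 ;;
      failed-provision|failed-deprovision)
        echo "$cidr ended in $state" >&2; return 1 ;;
    esac
    n=$((n + 1))
    sleep "$POLL_SECONDS"
  done
  echo "$cidr did not reach $target after $MAX_POLLS polls" >&2
  return 1
}

# The whole sequence from the notes: provision with the signed context
# (text_message / signed_message from the signing step), then advertise.
byoip_bring_online() {
  cidr="$1"; region="$2"; message="$3"; signature="$4"
  aws ec2 provision-byoip-cidr --cidr "$cidr" --region "$region" \
    --cidr-authorization-context "Message=$message,Signature=$signature" \
    > /dev/null
  wait_for_byoip_state "$cidr" provisioned "$region"
  aws ec2 advertise-byoip-cidr --cidr "$cidr" --region "$region" > /dev/null
  wait_for_byoip_state "$cidr" advertised "$region"
}

# Usage (uncomment with real values):
# byoip_bring_online "$CIDR" "$REGION" "$text_message" "$signed_message"
```

Provisioning can take a long time, so keep MAX_POLLS generous; the point of stopping on failed-provision is that advertise-byoip-cidr is only ever called on a range AWS has actually accepted.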
Common errors from provision-byoip-cidr:
An error occurred (InvalidParameterValue) when calling the ProvisionByoipCidr operation: Invalid CidrAuthorizationContext: Message is not well-formed.
Check that text_message has exactly the format shown above: seven pipe-separated fields, the date as YYYYMMDD, and no surrounding whitespace or newline.
An error occurred (InvalidParameterValue) when calling the ProvisionByoipCidr operation: Invalid CidrAuthorizationContext: Authorization is for a different CIDR.
The CIDR inside text_message differs from the --cidr parameter passed to provision-byoip-cidr; the two must match exactly.
An error occurred (InvalidParameterValue) when calling the ProvisionByoipCidr operation: Invalid CidrAuthorizationContext: Authorization has expired.
The expiry date in text_message is in the past or malformed. Rebuild the message with a future YYYYMMDD date and sign it again, since the signature covers the whole message.
[1] TWNIC RPKI Management System: RPKI - Internet Number Resource Public Key Infrastructure Management System (twnic.tw)
[2] Cloudflare RPKI validator