SlideShare a Scribd company logo

Resource Public Key Infrastructure (RPKI)

Bangladesh Network Operators Group
Bangladesh Network Operators Group

Resource Public Key Infrastructure (RPKI)

Internet
1 of 27
Download to read offline
Issue Date: Revision: Resource Public Key Infrastructure (RPKI) As part of bdNOG 2 Conference 11 November 2014 2014/11 2
Overview •  Routing “incidents” •  RPKI Technical Details •  RPKI and BGPsec •  Components and Implementation •  Deployment Status in the RIRs •  APNIC Resource Certification 2
Misdirection / Hijacking Incidents •  YouTube Incident –  Occurred 24 Feb 2008 (for about 2 hours) –  Pakistan Telecom announced YT block •  Google (AS15169) services downed –  Occurred 5 Nov 2012 (for 30 minutes) –  Moratel Indonesia (AS23947) 3 How frequent do these hijacking incidents happen?
How we address this… •  A network should only originate his own prefix –  How do we verify? –  How do we avoid false advertisement? •  A provider should filter prefixes they propagate from customers –  Check the legitimacy of address (LoA) –  Transitive trust; BGP is a trust-based system 4
WHOIS DB – Legitimacy of Address 5
What is RPKI? •  Resource Public Key Infrastructure (RPKI) •  A robust security framework for verifying the association between resource holder and their Internet resources •  Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols” •  Helps to secure Internet routing by validating routes –  Proof that prefix announcements are coming from the legitimate holder of the resource RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012) 6
Benefits of RPKI - Routing •  Prevents route hijacking –  A prefix originated by an AS without authorization –  Reason: malicious intent •  Prevents mis-origination –  A prefix that is mistakenly originated by an AS which does not own it –  Also route leakage –  Reason: configuration mistake / fat finger 7
BGP Security (BGPsec) •  Extension to BGP that provides improved security for BGP routing •  Currently an IETF Internet draft •  Implemented via a new optional non-transitive BGP path attribute that contains a digital signature •  Two things: –  BGP Prefix Origin Validation (using RPKI) –  BGP Path Validation •  Similar efforts in the early days – IDR working group, S- BGP 8
“Right” to Resources •  ISP gets their resources from the RIR •  ISP notifies its upstream of the prefixes to be announced •  Upstream must check the WHOIS database if resource has been delegated to customer ISP We need to be able to authoritatively prove who owns an IP Prefix and what AS(s) may announce it. 9
RPKI Infrastructure •  A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents •  Main Components: –  Certificate Authority (CA) –  Relying Party (RP) –  Routers with RPKI support 10
Issuing Party •  Internet Registries (RIR, NIR, Large LIRs) •  Acts as a Certificate Authority and issues certificates for customers •  Provides a web interface to issue ROAs for customer prefixes •  Publishes the ROA records APNIC RPKI Engine publication MyAPNIC GUI rpki.apnic.net Repository 11
Route Origin Authorization (ROA) •  A digital object that contains a list of address prefixes and one AS number •  It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements •  Publish an ROA using MyAPNIC 12
X.509 Certificate with 3779 Extension •  Resource certificates are based on the X.509 v3 certificate format (RFC 5280) •  Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate •  SIA – Subject Information Access; contains a URI that references the directory X.509 Certificate RFC 3779 Extension SIA Owner's Public Key 13
Relying Party (RP) IANA Repo APNIC Repo RIPE Repo LIR Repo LIR Repo RP Cache (gather) Validated Cache RPKI-Rtr Protocol rpki.ripe.net Software which gathers data from CAs Also called RP cache or validator 14
RPKI Components 15 Trust Anchor RP CACHE Trust Anchor RPKI-Rtr Protocol APNIC RPKI Engine Trust Anchor publicationMyAPNIC GUI rpki.apnic.net ca0.rpki.net rpki.ripe.net
Router Origin Validation •  Router must support RPKI •  Checks an RP cache / validator •  Validation returns 3 states: –  Valid = when authorization is found for prefix X –  Invalid = when authorization is found for prefix X but not from ASN Y –  Unknown = when no authorization data is found •  Vendor support: –  Cisco IOS – solid in 15.2 –  Cisco IOS/XR – shipped in 4.3.2 –  Juniper – shipped in 12.2 –  Alcatel Lucent – in development 16
RIR Statistics 17 Ref: http://rpki.surfnet.nl/perrir.html Based on RIS Database dumps from RIPE-NCC
RPKI Monitor 18 Ref: NIST RPKI Monitor
APNIC RPKI Service •  Enhancement to the RIRs –  Offers verifiable proof of resource holdings •  Resource certification is an opt-in service –  Resource holders choose to request a certificate and profice their public key to be certified •  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use 19
What you need to know •  You are encouraged to experiment, test, play and develop •  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile •  It’s ready for testing and prototyping, but is probably not ready for production use just yet •  Please tell us what you find but don’t rely on it in your network yet 20
What You Can Do Now? •  Create ROA records in MyAPNIC •  Build an RP cache •  Configure your router to use the cache (or a public one) •  Create BGP policies Best to do it in a test environment for now! ☺ 21
Build an RP Cache •  Download and install from rpki.net –  Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/ UbuntuPackages 22 The RP cache has a web interface
Configure Router to Use Cache router bgp 651nn … bgp rpki server tcp 10.0.0.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 23 RPKI Lab – Randy Bush
BGP Table r0.sea#sh ip bgp Network Next Hop Metric LocPrf Weight Path * i I198.180.150.0 144.232.9.61 100 0 1239 3927 i *> I 199.238.113.9 0 2914 3927 i * I 129.250.11.41 0 2914 3927 i *> V198.180.152.0 199.238.113.9 0 2914 4128 i * V 129.250.11.41 0 2914 4128 i *> N198.180.155.0 199.238.113.9 0 2914 22773 i * N 129.250.11.41 0 2914 22773 i *> N198.180.160.0 199.238.113.9 0 2914 23308 13408 5752 i * N 129.250.11.41 0 2914 23308 13408 5752 i RPKI Lab – Randy Bush 24
More References •  Securing BGP –  The Internet Protocol Journal, Volume 14, No. 2 •  An Infrastructure to Support Secure Internet Routing –  RFC6480 •  A Reappraisal of Validation in the RPKI –  Labs.apnic.net/blabs •  An Introduction to Routing Security (and RPKI Tools) •  MyAPNIC Resource Certification Guide 25
Questions 26
THANK YOU www.facebook.com/APNIC www.twitter.com/apnic www.youtube.com/apnicmultimedia www.flickr.com/apnic www.weibo.com/APNICrir 27

Recommended

RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationAPNIC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 

Recommended

RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationAPNIC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC UpdatesMyNOG
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesMyNOG
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...akg1330
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
RPKI
RPKIRPKI
RPKIRIPE NCC
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approachAPNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusAPNIC
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIAPNIC
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 
ISOC Engagement Activities
ISOC Engagement ActivitiesISOC Engagement Activities
ISOC Engagement ActivitiesBangladesh Network Operators Group
 
ICANN Engagement Update
ICANN Engagement UpdateICANN Engagement Update
ICANN Engagement UpdateBangladesh Network Operators Group
 

More Related Content

What's hot

APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC UpdatesMyNOG
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesMyNOG
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...akg1330
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approachAPNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusAPNIC
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIAPNIC
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 

What's hot (20)

APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practice
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
RPKI
RPKIRPKI
RPKI
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approach
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI status
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKI
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
 

Viewers also liked

Best Current Operational Practice (BCOP) - Updates from around the world
Best Current Operational Practice (BCOP) - Updates from around the worldBest Current Operational Practice (BCOP) - Updates from around the world
Best Current Operational Practice (BCOP) - Updates from around the worldBangladesh Network Operators Group
 
Challenges of L2 NID Based Architecture for vCPE and NFV Deployment
Challenges of L2 NID Based Architecture for vCPE and NFV Deployment Challenges of L2 NID Based Architecture for vCPE and NFV Deployment
Challenges of L2 NID Based Architecture for vCPE and NFV Deployment Bangladesh Network Operators Group
 

Viewers also liked (20)

ISOC Engagement Activities
ISOC Engagement ActivitiesISOC Engagement Activities
ISOC Engagement Activities
 
ICANN Engagement Update
ICANN Engagement UpdateICANN Engagement Update
ICANN Engagement Update
 
Converged & Efficient Licensing Framework
Converged & Efficient Licensing FrameworkConverged & Efficient Licensing Framework
Converged & Efficient Licensing Framework
 
Best Current Operational Practice (BCOP) - Updates from around the world
Best Current Operational Practice (BCOP) - Updates from around the worldBest Current Operational Practice (BCOP) - Updates from around the world
Best Current Operational Practice (BCOP) - Updates from around the world
 
IPv6 Address & Deployment Planning
IPv6 Address & Deployment PlanningIPv6 Address & Deployment Planning
IPv6 Address & Deployment Planning
 
bdNOG Conference Report
bdNOG Conference Report bdNOG Conference Report
bdNOG Conference Report
 
bdCERT Activities Update
bdCERT Activities UpdatebdCERT Activities Update
bdCERT Activities Update
 
Securing Asterisk: A practical approach
Securing Asterisk: A practical approachSecuring Asterisk: A practical approach
Securing Asterisk: A practical approach
 
Traffic Engineering for CDNs
Traffic Engineering for CDNs Traffic Engineering for CDNs
Traffic Engineering for CDNs
 
EDNS0 Client-Subnet for DNS Based CDNs
EDNS0 Client-Subnet for DNS Based CDNs EDNS0 Client-Subnet for DNS Based CDNs
EDNS0 Client-Subnet for DNS Based CDNs
 
APNIC42 Announcement
APNIC42 AnnouncementAPNIC42 Announcement
APNIC42 Announcement
 
Dot BD Domain and Shared Registry Model- A Policy Proposal
Dot BD Domain and Shared Registry Model- A Policy Proposal Dot BD Domain and Shared Registry Model- A Policy Proposal
Dot BD Domain and Shared Registry Model- A Policy Proposal
 
OpenStack Cloud Administration Through Live Demonstration
OpenStack Cloud Administration Through Live DemonstrationOpenStack Cloud Administration Through Live Demonstration
OpenStack Cloud Administration Through Live Demonstration
 
Inter-AS MPLS VPN Deployment
Inter-AS MPLS VPN DeploymentInter-AS MPLS VPN Deployment
Inter-AS MPLS VPN Deployment
 
Community Tools to Fight Against DDoS
Community Tools to Fight Against DDoS Community Tools to Fight Against DDoS
Community Tools to Fight Against DDoS
 
Broadband for Digital Bangladesh & recommendation from ISPAB
Broadband for Digital Bangladesh & recommendation from ISPABBroadband for Digital Bangladesh & recommendation from ISPAB
Broadband for Digital Bangladesh & recommendation from ISPAB
 
Awareness of Children Internet Addiction
Awareness of Children Internet Addiction Awareness of Children Internet Addiction
Awareness of Children Internet Addiction
 
Challenges of L2 NID Based Architecture for vCPE and NFV Deployment
Challenges of L2 NID Based Architecture for vCPE and NFV Deployment Challenges of L2 NID Based Architecture for vCPE and NFV Deployment
Challenges of L2 NID Based Architecture for vCPE and NFV Deployment
 
Participant Access Control in IP Multicasting
Participant Access Control in IP Multicasting Participant Access Control in IP Multicasting
Participant Access Control in IP Multicasting
 
Practical Implementation of BGP Community with Geotags
Practical Implementation of BGP Community with GeotagsPractical Implementation of BGP Community with Geotags
Practical Implementation of BGP Community with Geotags
 

Similar to Resource Public Key Infrastructure (RPKI)

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Route Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4APNIC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?APNIC
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
Recent Developments in RPKI
Recent Developments in RPKIRecent Developments in RPKI
Recent Developments in RPKIRIPE NCC
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfRIPE NCC
 

Similar to Resource Public Key Infrastructure (RPKI) (20)

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
Route Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKI
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh Phokeer
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net tools
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
Recent Developments in RPKI
Recent Developments in RPKIRecent Developments in RPKI
Recent Developments in RPKI
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Recently uploaded

Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 

Recently uploaded (20)

Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 

Resource Public Key Infrastructure (RPKI)

  • 1. Issue Date: Revision: Resource Public Key Infrastructure (RPKI) As part of bdNOG 2 Conference 11 November 2014 2014/11 2
  • 2. Overview •  Routing “incidents” •  RPKI Technical Details •  RPKI and BGPsec •  Components and Implementation •  Deployment Status in the RIRs •  APNIC Resource Certification 2
  • 3. Misdirection / Hijacking Incidents •  YouTube Incident –  Occurred 24 Feb 2008 (for about 2 hours) –  Pakistan Telecom announced YT block •  Google (AS15169) services downed –  Occurred 5 Nov 2012 (for 30 minutes) –  Moratel Indonesia (AS23947) 3 How frequent do these hijacking incidents happen?
  • 4. How we address this… •  A network should only originate his own prefix –  How do we verify? –  How do we avoid false advertisement? •  A provider should filter prefixes they propagate from customers –  Check the legitimacy of address (LoA) –  Transitive trust; BGP is a trust-based system 4
  • 5. WHOIS DB – Legitimacy of Address 5
  • 6. What is RPKI? •  Resource Public Key Infrastructure (RPKI) •  A robust security framework for verifying the association between resource holder and their Internet resources •  Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols” •  Helps to secure Internet routing by validating routes –  Proof that prefix announcements are coming from the legitimate holder of the resource RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012) 6
  • 7. Benefits of RPKI - Routing •  Prevents route hijacking –  A prefix originated by an AS without authorization –  Reason: malicious intent •  Prevents mis-origination –  A prefix that is mistakenly originated by an AS which does not own it –  Also route leakage –  Reason: configuration mistake / fat finger 7
  • 8. BGP Security (BGPsec) •  Extension to BGP that provides improved security for BGP routing •  Currently an IETF Internet draft •  Implemented via a new optional non-transitive BGP path attribute that contains a digital signature •  Two things: –  BGP Prefix Origin Validation (using RPKI) –  BGP Path Validation •  Similar efforts in the early days – IDR working group, S- BGP 8
  • 9. “Right” to Resources •  ISP gets their resources from the RIR •  ISP notifies its upstream of the prefixes to be announced •  Upstream must check the WHOIS database if resource has been delegated to customer ISP We need to be able to authoritatively prove who owns an IP Prefix and what AS(s) may announce it. 9
  • 10. RPKI Infrastructure •  A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents •  Main Components: –  Certificate Authority (CA) –  Relying Party (RP) –  Routers with RPKI support 10
  • 11. Issuing Party •  Internet Registries (RIR, NIR, Large LIRs) •  Acts as a Certificate Authority and issues certificates for customers •  Provides a web interface to issue ROAs for customer prefixes •  Publishes the ROA records APNIC RPKI Engine publication MyAPNIC GUI rpki.apnic.net Repository 11
  • 12. Route Origin Authorization (ROA) •  A digital object that contains a list of address prefixes and one AS number •  It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements •  Publish an ROA using MyAPNIC 12
  • 13. X.509 Certificate with 3779 Extension •  Resource certificates are based on the X.509 v3 certificate format (RFC 5280) •  Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate •  SIA – Subject Information Access; contains a URI that references the directory X.509 Certificate RFC 3779 Extension SIA Owner's Public Key 13
  • 14. Relying Party (RP) IANA Repo APNIC Repo RIPE Repo LIR Repo LIR Repo RP Cache (gather) Validated Cache RPKI-Rtr Protocol rpki.ripe.net Software which gathers data from CAs Also called RP cache or validator 14
  • 16. Router Origin Validation •  Router must support RPKI •  Checks an RP cache / validator •  Validation returns 3 states: –  Valid = when authorization is found for prefix X –  Invalid = when authorization is found for prefix X but not from ASN Y –  Unknown = when no authorization data is found •  Vendor support: –  Cisco IOS – solid in 15.2 –  Cisco IOS/XR – shipped in 4.3.2 –  Juniper – shipped in 12.2 –  Alcatel Lucent – in development 16
  • 19. APNIC RPKI Service •  Enhancement to the RIRs –  Offers verifiable proof of resource holdings •  Resource certification is an opt-in service –  Resource holders choose to request a certificate and profice their public key to be certified •  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use 19
  • 20. What you need to know •  You are encouraged to experiment, test, play and develop •  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile •  It’s ready for testing and prototyping, but is probably not ready for production use just yet •  Please tell us what you find but don’t rely on it in your network yet 20
  • 21. What You Can Do Now? •  Create ROA records in MyAPNIC •  Build an RP cache •  Configure your router to use the cache (or a public one) •  Create BGP policies Best to do it in a test environment for now! ☺ 21
  • 22. Build an RP Cache •  Download and install from rpki.net –  Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/ UbuntuPackages 22 The RP cache has a web interface
  • 23. Configure Router to Use Cache router bgp 651nn … bgp rpki server tcp 10.0.0.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 23 RPKI Lab – Randy Bush
  • 24. BGP Table r0.sea#sh ip bgp Network Next Hop Metric LocPrf Weight Path * i I198.180.150.0 144.232.9.61 100 0 1239 3927 i *> I 199.238.113.9 0 2914 3927 i * I 129.250.11.41 0 2914 3927 i *> V198.180.152.0 199.238.113.9 0 2914 4128 i * V 129.250.11.41 0 2914 4128 i *> N198.180.155.0 199.238.113.9 0 2914 22773 i * N 129.250.11.41 0 2914 22773 i *> N198.180.160.0 199.238.113.9 0 2914 23308 13408 5752 i * N 129.250.11.41 0 2914 23308 13408 5752 i RPKI Lab – Randy Bush 24
  • 25. More References •  Securing BGP –  The Internet Protocol Journal, Volume 14, No. 2 •  An Infrastructure to Support Secure Internet Routing –  RFC6480 •  A Reappraisal of Validation in the RPKI –  Labs.apnic.net/blabs •  An Introduction to Routing Security (and RPKI Tools) •  MyAPNIC Resource Certification Guide 25