SlideShare a Scribd company logo

Getting IPv6 & Securing your Routing

ā€¢
ā€¢
RIPE NCC
RIPE NCC

Presentation given by Ferenc Csorba at: IPv6 Kongress, Frankfurt, Germany, on 10-11 May 2012

Technology
1 of 98
Download to read offline
Getting IPv6 & Securing your Routing IPv6 Kongress May 2012, Frankfurt Sandra BrƔs & Ferenc Csorba, RIPE NCC
Schedule ā€¢ IPv4 exhaustion ā€¢ IPv6 address space ā€¢ European IPv6 deployment statistics ā€¢ BGP multihoming ā€¢ Routing Registry and the RIPE Database ā€¢ Resource Certiļ¬cation 2
RIPE / RIPE NCC RIPE Open community Develops addressing policies Working group mailing lists RIPE NCC Located in Amsterdam Not for proļ¬t membership organisation One of ļ¬ve RIRs 3
The five RIRs 4
Internet Number Resources ā€¢ IP addresses - IPv4 eg. 193.0.0.203 - IPv6 eg. 2001:610:240:11::c100:1319 ā€¢ Autonomous System Numbers (ASN) ā€¢ Other public services - Training Services - RIPE Labs - RIPE Database - RIPE Stat - K-root name server - RIPE Atlas - Measurement tools - E-learning 5
Registration 6
Conservation 7
Aggregation 8
Who makes policies? ICANN / IANA ASO AfriNIC Reach consensusARIN RIPE NCC across communities APNIC LACNIC AfriNIC RIPE ARIN APNIC LACNIC community community community community community proposal proposal Global proposal Policy Proposal proposal proposal 9
Why would you want to participate? ā€¢ Policy determines how you run your business ā€¢ Over 8000 LIRs ā€¢ Only a fraction are active participants in the PDP 10
How can you participate? ā€¢ Working Group mailing lists - RIPE website ā†’ RIPE ā†’ Mailing Lists ā€¢ Come to the RIPE Meetings - Two free tickets for new LIRs - Remote participation is also possible 11
IPv4 Address Pool Exhaustion
IANA IPv4 pool 40% 30% 20% 10% 0% 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 13
IPv4 address distribution /0 IANA /8 RIR /21 LIR /23 /25 /25 End User Allocation PA Assignment PI Assignment 14
IANA and RIRs IPv4 pool IANA Pool RIR Allocations Advertised RIR Pool Today 256 Data 192 128 64 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 15
Our slice of the IPv4 pie Legacy Other IANA AfriNIC LACNIC RIPE NCC ARIN APNIC 16
IPv4 exhaustion phases IPv4 still available. RIPE NCCā€™s allocation RIPE NCC can only RIPE NCC continues policy from last /8 distribute IPv6 distributing it applies ? now time IANA pool RIPE NCC RIPE NCC exhausted reaches pool ļ¬nal /8 exhausted Each of the 5 RIRs given a /8 17
Run Out Fairly (of IPv4) ā€¢ Gradually reduced allocation / assignment periods ā€¢ Needs for ā€œEntire Periodā€ of up to... - 12 months (January 2010) - 9 months (July 2010) - 6 months (January 2011) - 3 months (July 2011) ā€¢ 50% has to be used up by half-period 18
RIPE NCCā€™s last /8 ā€¢ We do things differently! ā€¢ Ensures IPv4 access for all members - 16000+ /22s in a /8 - members can get one /22 (=1024 addresses) - must already hold IPv6 - must qualify for allocation ā€¢ /16 set aside for unforeseen situations - if unused, will be distributed ā€¢ No PI 19
Transfer of IPv4 Allocations ā€¢ Policy 2007-08: Allocation Transfer Policy - Donā€™t buy your IPv4 on eBay! - Transfer unused allocations to another LIR - Minimum allocation size /21 - Evaluated by RIPE NCC - Update in RIPE Database http://www.ripe.net/lir-services/resource-management/listing 20
IPv4 Depletion in the RIPE NCCā€™s Region - https://www.ripe.net/internet-coordination/ipv4-exhaustion 21
0 75 150 225 300 2000-01 2000-07 2001-01 2001-07 2002-01 2002-07 2003-01 2003-07 2004-01 2004-07 2005-01 IPv4 Allocation Rate 2005-07 2006-01 2006-07 2007-01 2007-07 2008-01 2008-07 2009-01 2009-07 2010-01 2010-07 2011-01 2011-07 2012-01 22
IPv4 Depletion Worldwide IPv4 Pool in /8ā€™s 6 5 4 3 2 1 0 AfriNIC RIPE NCC LACNIC ARIN APNIC 23
IPv6 Address Space
Where do all the addresses come from? IETF IANA AfriNIC ARIN RIPE NCC APNIC LACNIC 8000 LIRs End Users 25
IPv6 address distribution /3 IANA /12 RIR /32 LIR /48 /56 /48 End User PA Allocation Provider Aggregatable PI Assignment Assignment 26
IPv6 basics ā€¢ IPv6 address: 128 bits - 32 bits in IPv4 ā€¢ Every subnet should be a /64 ā€¢ Customer assignments (sites) between: - /64 (1 subnet) - /48 (65536 subnets) ā€¢ Minimum allocation size /32 - 65536 /48ā€™s - 16777216 /56ā€™s 27
IPv4 vs IPv6 (rounded off) IPv4 IPv6 addresses 4x109 2x1019 subnets allocations 2x106 4x109 to members in each allocation: in each allocation: subnets addresses 2048 4x109 28
Classless Inter-Domain Routing (CIDR) IPv6 Chart Preļ¬x /48s /56s /64s Bits IPv4 CIDR Chart RIPE NCC /24 16M 4G 1T 104 /25 8M 2G 512G 103 IP Addresses Bits Preļ¬x Subnet Mask /26 4M 1G 256G 102 /27 2M 512M 128G 101 /28 1M 256M 64G 100 1 0 /32 255.255.255.255 /29 512K 128M 32G 99 2 1 /31 255.255.255.254 /30 256K 64M 16G 98 4 2 /30 255.255.255.252 /31 128K 32M 8G 97 8 3 /29 255.255.255.248 /32 64K 16M 4G 96 16 4 /28 255.255.255.240 /33 32K 8M 2G 95 32 5 /27 255.255.255.224 /34 16K 4M 1G 94 64 6 /26 255.255.255.192 /35 8K 2M 512M 93 128 7 /25 255.255.255.128 /36 4K 1M 256M 92 256 8 /24 255.255.255.0 /37 2K 512K 128M 91 512 9 /23 255.255.254.0 /38 1K 256K 64M 90 1K 10 /22 255.255.252.0 /39 512 128K 32M 89 2K 11 /21 255.255.248.0 /40 256 64K 16M 88 4K 12 /20 255.255.240.0 /41 128 32K 8M 87 8K 13 /19 255.255.224.0 /42 64 16K 4M 86 16 K 14 /18 255.255.192.0 /43 32 8K 1M 85 32 K 15 /17 255.255.128.0 /44 16 4K 1M 84 64 K 16 /16 255.255.0.0 /45 8 2K 512K 83 128 K 17 /15 255.254.0.0 /46 4 1K 256K 82 256 K 18 /14 255.252.0.0 /47 2 512 128K 81 512 K 19 /13 255.248.0.0 /48 1 256 64K 80 1M 20 /12 255.240.0.0 /49 128 32K 79 /50 64 16K 78 2M 21 /11 255.224.0.0 /51 32 8K 77 4M 22 /10 255.192.0.0 /52 16 4K 76 8M 23 /9 255.128.0.0 /53 8 2K 75 16 M 24 /8 255.0.0.0 /54 4 1K 74 32 M 25 /7 254.0.0.0 /55 2 512 73 64 M 26 /6 252.0.0.0 /56 1 256 72 128 M 27 /5 248.0.0.0 /57 128 71 256 M 28 /4 240.0.0.0 RIPE NCC /58 64 70 512 M 29 /3 224.0.0.0 /59 32 69 1024 M 30 /2 192.0.0.0 /60 16 68 2048 M 31 /1 128.0.0.0 /61 8 67 4096 M 32 /0 0.0.0.0 /62 4 66 /63 2 65 Contact Registration Services: /64 1 64 www.ripe.net 29
Address Notation 2001:0db8:003e:ef11:0000:0000:c100:004d 2001:0db8:003e:ef11: 0000:0000:c100:004d 2001:db8:3e:ef11:0:0:c100:4d 1 1 1 0 1 1 1 1 0 0 0 1 0 0 0 1 30
Getting an IPv6 allocation ā€¢ To qualify, an organisation must: - Be an LIR - Have a plan for making assignments within two years ā€¢ Minimum allocation size /32 ā€¢ Announcement as a single preļ¬x recommended 31
RIPE Policy Proposal 2011-04 ā€¢ Extension of the Minimum Size for IPv6 Initial Allocation - Proposes initial allocation up to a /29 - For example, for small LIRs to deploy IPv6 via 6RD (RFC 5969) DER DISCUSSION UN ā€¢ Proposal currently in Review Phase - The RIPE NCC is working on impact analysis 32
What does the first IPv6 allocation cost? - for all - pending General Meeting decision or: - for approximately 97% of the LIRs - more points, but not higher category! 33
Why Create an IPv6 Addressing Plan? ā€¢ Mental health during implementation(!) ā€¢ Easier implementation of security policies ā€¢ Efļ¬cient addressing plans are scalable ā€¢ More efļ¬cient route aggregation 34
IPv6 Subnetting 35
Make an addressing plan (I) ā€¢ Number of hosts is irrelevant ā€¢ Multiple /48s per pop can be used - separate blocks for infrastructure and customers - document address needs for allocation criteria ā€¢ /64 for all subnets - autoconļ¬guration works - renumbering easier - less typo errors because of simplicity 36
Make an addressing plan (II) ā€¢ Use one /64 block (per site) for loopbacks - One /128 per device - One /64 contains enough /128s for 18.446.744.073.709.551.616 devices 37
More On Addressing Plans for ISPs ā€¢ For private networks, look at ULA ā€¢ For servers you want manual conļ¬guration ā€¢ Use port numbers for addresses - pop server 2001:db8:1::110 - dns server 2001:db8:1::53 - etc... 38
Point-to-Point Connections ā€¢ How much space for point-to-point connections? - RFC4291: Interface IDs are required to be /64 - RFC3627: Use of /127 between routers considered harmful - RFC6547: RFC3627 to Historic Status - RFC6164: Using /127 on Inter-Router links ā€¢ Be safe: reserve a /64, assign a /127 per point-to-point connection 39
Customer assignments ā€¢ Give your customers enough addresses - Up to a /48 ā€¢ For more addresses, send in request form - Alternatively, make a sub-allocation ā€¢ Every assignment must now be registered in the RIPE database 40
Using AGGREGATED-BY-LIR ALLOCATED-BY-RIR ASSIGNED AGGREGATED-BY-LIR ALLOCATED-BY-LIR /36 /44 assignment-size: 56 /34 AGGREGATED-BY-LIR assignment-size: 48 /40 hint :) /48 /48 /48 /48 /48 41
Group assignments in the RIPE DB inet6num: Ā Ā Ā Ā Ā Ā  2001:db8:1000::/36 netname: Ā Ā Ā Ā Ā Ā Ā  Bluelight descr: Ā Ā Ā Ā Ā Ā Ā Ā Ā  We want more Bluelight B.V. descr: Ā Ā Ā Ā  Colocation services country: Ā Ā Ā Ā Ā Ā  Ā  NL admin-c: Ā Ā Ā Ā Ā Ā Ā  BN649-RIPE tech-c: Ā Ā Ā Ā Ā Ā Ā Ā  BN649-RIPE status: Ā Ā Ā Ā Ā Ā Ā Ā  AGGREGATED-BY-LIR assignment-size: 48 mnt-by: Ā Ā Ā Ā Ā Ā Ā Ā  BLUELIGHT-MNT notify: Ā Ā Ā Ā Ā Ā Ā Ā  noc@example.net changed: Ā Ā Ā Ā Ā Ā  noc@example.net 20110218 source: Ā Ā Ā Ā Ā Ā Ā  RIPE 42
Customers And Their /48 ā€¢ Customers have no idea how to handle 65536 subnets! ā€¢ Provide them with information ā€“ https://www.ripe.net/lir-services/training/material/IPv6- for-LIRs-Training-Course/IPv6_addr_plan4.pdf 43
IPv6 Address Management ā€¢ Your Excel sheet might not scale ā€“ There are 65.536 /48s in a /32 ā€“ There are 65.536 /64s in a /48 ā€“ There are 16.777.216 /56s in a /32 ā€¢ Find a suitable IPAM solution 44
Getting IPv6 PI address space ā€¢ To qualify, an organisation must: - Meet the contractual requirements for provider independent resources ā€¢ Minimum assignment size /48 45
Reverse DNS 2001:db8:3e:ef11::c100:4d 46
Reverse DNS 2001 db8 2001:0db8:003e:ef11:0000:0000 :c100: 004d . . . . . . . .ip6.arpa d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e. 3.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR yourname.domain.tld d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR yourname.domain.tld 47
IPv6 Deployment Statistics
IPv6 Allocation Rate 2
IPv6 PI Assignments 3
Members with IPv6 and IPv4 7853 members with IP resources 3846 3918 89 IPv4 only IPv6 only IPv6 and IPv4 51
IPv6 Ripeness ā€¢ Rating system: - One star if the LIR has an IPv6 allocation - Additional stars if: - IPv6 Preļ¬x is announced on router - A route6 object is in the RIPE Database - Reverse DNS is set up - A list of all 4 star LIRs: http://ripeness.ripe.net/ 52
IPv6 RIPEness: 8097 LIRs (5 May 2012) 1 star 2 stars 3 stars 4 stars No IPv6 1 star 14% No IPv6 51% 2 stars 6% 3 stars 11% 4 stars 18%
0 225 450 675 900 Slovenia (47 LIRs) Netherlands (418 LIRs) 1star Czech Republic (221 LIRs) Germany (821 LIRs) 2star Switzerland ( 260 LIRs) Poland (214 LIRs) 3star Austria (155 LIRs) Portugal (37 LIRs) 4star Norway (163 LIRs) IPv6 RIPEness ā€“ countries (5 May 2012) Denmark (123 LIRs) 0star 54
0% 25% 50% 75% 100% Slovenia (47 LIRs) Netherlands (418 LIRs) 1star Czech Republic (221 LIRs) Germany (821 LIRs) 2star Switzerland (260 LIRs) Poland (214 LIRs) 3star Austria (155 LIRs) Portugal (37 LIRs) 4star Norway (163 LIRs) IPv6 RIPEness ā€“ relative (5 May 2012) Denmark (123 LIRs) 0star 55
IPv6 enabled ASes in global routing All Germany Belgium France Netherlands 50% http://v6ASNs.ripe.net 42% 33% 25% 17% 8% 0% 2004 2005 2006 2007 2008 2009 2010 2011 2012 56
World IPv6 Launch ā€¢ http://www.worldipv6launch.org/ 57
Useful information Websites ā€¢ http://www.getipv6.info/ ā€¢ http://www.ipv6actnow.org ā€¢ http://datatracker.ietf.org/wg/v6ops/ ā€¢ http://www.ripe.net/ripe/docs/ripe-501.html Mailing lists ā€¢ http://lists.cluenet.de/mailman/listinfo/ipv6-ops ā€¢ http://www.ripe.net/mailman/listinfo/ipv6-wg 58
Multihomed BGP Routing Setup
Scenario 1: LIR = PA allocation + ASN ISP 1 ISP 2 x AS3 AS7 AS4 AS5 AS6 ā€¢ Can make assignments to End Users 60
Scenario 2: End User = PI + ASN ISP 1 ISP 2 x ā€¢ Can NOT sub-assign further!!! - (in IPv4 can still use PI for xDSL, broadband...) 61
Scenario 3: LIR = PI + ASN ISP 1 ISP 2 x ā€¢ Can NOT sub-assign further!!! - (in IPv4 can still use PI for xDSL, broadband...) 62
Scenario 4: PI End User, not multihomed ISP 1 ISP 2 x ā€¢ Part of LIRā€™s AS number - does not want to / can not run BGP - still wants ā€œportableā€ addresses 63
How to get an AS Number ā€¢ Assignment requirements - Address space - Multihoming - One AS Number per network ā€¢ For LIR itself ā€¢ For End User - Sponsoring LIR requests it for End User - Direct Assignment User requests it for themselves 64
32-bit AS Numbers and you ā€¢ New format: ā€œAS4192351863ā€ ā€¢ Act now! ā€¢ Prepare for 32-bit ASNs in your organisation: - Check if hardware is compatible; if not, contact hardware vendor - Check if upstream uses compatible hardware; if not, they should upgrade! 65
RIPE Database
RIPE Database ā€¢ Public Internet resource and routing registry database 67
RIPE Database objects ā€¢ Resources ā€“ inetnum, inet6num, aut-num, domain ā€¢ Routing ā€“ route, route6, aut-num ā€¢ Security ā€“ mntner ā€¢ Contact ā€“ organisation, person, role 68
Protection mntner: LIR-MNT person: John Smith admin-c: JS123-RIPE nic-hdl: JS123-RIPE tech-c: JS123-RIPE address: sesamestreet 1 mnt-by: LIR-MNT phone: +1 555 0101 notify: noc@example.org e-mail: john@example.org mnt-nfy: list@example.org mnt-by: LIR-MNT abuse-mailbox: abuse@example.org auth: MD5-PW $1$xT9SJ 69
Protection inetnum: 85.11.186.0/25 descr: My Assignment status: ASSIGNED PA mnt-by: LIR-MNT admin-c: LA789-RIPE tech-c: LA789-RIPE mntner: LIR-MNT admin-c: LA789-RIPE person: John Smith tech-c: LA789-RIPE nic-hdl: JS123-RIPE mnt-by: LIR-MNT mnt-by: LIR-MNT notify: noc@example.org address: sesamestreet 1 mnt-nfy: list@example.org phone: +1 555 0101 abuse-mailbox: abuse@example.org e-mail: john@example.org auth: MD5-PW $1$xT9SJ aut-num: 64551 descr: My AS Number mnt-by: RIPE-NCC-END-MNT mnt-by: LIR-MNT org: ORG-BB2-RIPE admin-c: LA789-RIPE tech-c: LA789-RIPE 70
Routing Registry
What is ā€œInternet Routing Registryā€ ā€¢ Distributed databases with public routing policy information, mirroring each other: irr.net - APNIC, RADB, Level3, SAVVIS... ā€¢ RIPE NCC operates ā€œRIPE Routing Registryā€ ā€¢ Big operators make use of it - AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918 (Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)... 72
Publishing routing policy in IRR ā€¢ Required by some Transit Providers & IXPs - they use it for preļ¬x-based ļ¬ltering ā€¢ Allows for automated generation of preļ¬x ļ¬lters - and router conļ¬guration commands, based on RR ā€¢ Contributes to routing security - preļ¬x ļ¬ltering based on IRR registered routes prevents accidental leaks and route hijacking ā€¢ Good housekeeping 73
RIPE RR is part of the RIPE Database ā€¢ route[6] object creation is responsibility of LIR - every time you receive a new allocation, do create a route or route6 object ā€¢ route and route6 objects represent routed preļ¬x - address space being announced by an AS number 74
Route and route6 object organisation: ORG-BB2-RIPE route6: 2001:db8::/32 origin: AS2 tech-c: LA789-RIPE admin-c: JD1-RIPE mnt-by: RIPE-NCC-HM-MNT inet6num: 2001:db8::/32 aut-num: AS2 tech-c: LA789-RIPE tech-c: LA789-RIPE admin-c: JD1-RIPE admin-c: JD1-RIPE mnt-by: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT 75
IPv6 in the Routing Registry Route6 object: route6: 2001:DB8::/32 origin: AS65550 Aut-num object: aut-num: AS65550 mp-import: aļ¬ ipv6.unicast from AS64496 accept ANY mp-export: aļ¬ ipv6.unicast to AS64496 announce AS65550 76
Automation of router configuration ā€¢ Describing routing policy in aut-num enables generation of route-maps for policy routing ā€¢ Tools can read your policy towards peers - translation from RPSL to router conļ¬guration commands ā€¢ Tools collect the data your peers have in RR - if their data changes, you only have to periodically run your scripts to collect updates 77
Resource Certification
Limitations of the Routing Registry ā€¢ Many registries exist, operated by different parties: ā€“ Not all of them mirror each other ā€“ Do you trust the information they provide? ā€¢ The IRR system is far from complete ā€¢ Resulting ļ¬lters are hard to maintain and can take a lot of router memory 79
The RIPE NCC involvement in RPKI ā€¢ The authority who is the holder of an Internet Number Resource in our region ā€“ IPv4 and IPv6 address ranges ā€“ Autonomous System Numbers ā€¢ Information is kept in the registry ā€¢ Accuracy and completeness are key 80
Digital resource certificates ā€¢ Issue digital certiļ¬cates along with the registration of Internet Resources ā€¢ Two main purposes: ā€“ Make the registry more robust ā€“ Making Internet Routing more secure ā€¢ Validation is the added value 81
Using certificates ā€¢ Certiļ¬cation is a free, opt-in service ā€“ Your choice to request a certiļ¬cate ā€“ Linked to your membership ā€“ Renewed every 12 months ā€¢ Certiļ¬cate does not list any identity information ā€¢ Digital proof you are the holder of a resource 82
The PKI system ā€¢ The RIRs hold a self-signed root certiļ¬cate for all the resources that they have in the registry ā€“ They are the trust anchor for the system ā€¢ That root certiļ¬cate is used to sign a certiļ¬cate that lists your resources ā€¢ You can issue child certiļ¬cates for those resources to your customers ā€“ When making assignments or sub allocations 83
Certificate Authority (CA) Structure Root CA (RIPE NCC) Member CA (LIR) Customer CA 84
Which resources are certified? ā€¢ Provider Aggregatable (PA) IP addresses ā€¢ Provider Independent (PI) addresses marked as ā€œInfrastructureā€ ā€¢ Other resources will be added over time: ā€“ PI addresses for which we have a contract ā€“ ERX resources 85
Route Origination Authorisation (ROA) ā€¢ Next to the preļ¬x and the ASN which is allowed to announce it, the ROA contains: ā€“A minimum preļ¬x length ā€“A maximum preļ¬x length ā€“ An expiry date ā€¢ Multiple ROAs can exist for the same preļ¬x ā€¢ ROAs can overlap 86
Publication and validation ā€¢ ROAs are published in the same repositories as the certiļ¬cates and their keys ā€¢ You can download them and use software to verify all the cryptographic signatures are valid ā€“ Was this really the owner of the preļ¬x? ā€¢ You will end up with a list of preļ¬xes and the ASN that is expected to originate them ā€“ And you can be sure the information comes from the holder of the resources 87
Validator
ROA Validation ā€¢ You can download all the certiļ¬cates, public keys and ROAs which form the RPKI ā€¢ Software running on your own machine can retrieve and then verify the information ā€“ Cryptographic tools can check all the signatures ā€¢ The result is a list of all valid combinations of ASN and preļ¬x, the ā€œvalidated cacheā€ 89
Reasons for a ROA to be invalid ā€¢ The start date is in the future ā€“ Actually this is ļ¬‚agged as an error ā€¢ The end date is in the past ā€“ It is expired and the ROA will be ignored ā€¢ The signing certiļ¬cate or key pair has expired or has been revoked ā€¢ It does not validate back to a conļ¬gured trust anchor 90
The Decision Process ā€¢ When you receive a BGP announcement from one of your neighbors you can compare this to the validated cache ā€¢ There are three possible outcomes: ā€“ Unknown: there is no covering ROA for this preļ¬x ā€“ Valid: a ROA matching the preļ¬x and ASN is found ā€“ Invalid: There is a ROA but it does not match the ASN or the preļ¬x length 91
Modifying the Validated Cache ā€¢ The RIPE NCC Validator allows you to manually override the validation process ā€¢ Adding an ignore ļ¬lter will ignore all ROAs for a given preļ¬x ā€“ The end result is the validation state will be ā€œunknownā€ ā€¢ Creating a whitelist entry for a preļ¬x and ASN will locally create a valid ROA ā€“ The end result is the validation state becomes ā€œvalidā€ 92
The Decision is Yours ā€¢ The Validator is a tool which can help you making informed decisions about routing ā€¢ Using it properly can enhance the security and stability of the Internet ā€¢ It is your network and you make the ļ¬nal decision 93
Public Testbeds ā€¢ A few people allow access to routers that run RPKI and allow you to have a look at it ā€¢ RIPE NCC has a Cisco: ā€“ Telnet to rpki-rtr.ripe.net ā€“ User: ripe, no password ā€¢ Eurotransit has a Juniper: ā€“ Telnet to 193.34.50.25 or 193.34.50.26 ā€“ Username: rpki, password: testbed (http://www.ripe.net/lir-services/resource-management/certiļ¬cation/tools-and-resources) 94
Roadmap ā€¢ Support for non-hosted is still under development by the RIPE NCC ā€“ Expected release will be third quarter 2012 ā€¢ We can give you access to beta test ā€“ Mail certiļ¬cation@ripe.net if you are interested ā€¢ More information will be published on the certiļ¬cation website ā€“ http://www.ripe.net/certiļ¬cation 95
Follow us! @TrainingRIPENCC 96
Questions? training@ripe.net
The End! KрŠ°Š¹ Y Diwedd FĆ­ Š”Š¾Ņ£Ń‹ Finis LiĆ°ugt Ende Finvezh KiŠ½ŠµŃ†ŃŒ Konec Kraj Ƌnn Fund LƵpp Beigas VĆ©ge Son Kpaj An CrĆ­och ā€«×”×”וףā€¬ Endir Fine SfĆ¢rşit Fin Ī¤Ī­Ī»ĪæĻ‚ Einde ŠšŠ¾Š½eц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim

Recommended

Eigrp
EigrpEigrp
Eigrp
firey
Ā 
Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab
Cisco Canada
Ā 
OSPF- Multi area
OSPF- Multi area OSPF- Multi area
OSPF- Multi area
Ahmed Ali
Ā 
Policy Based Routing (PBR)
Policy Based Routing (PBR)Policy Based Routing (PBR)
Policy Based Routing (PBR)
KHNOG
Ā 
IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 Fundamentals
Matt Bynum
Ā 
SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases
APNIC
Ā 
Ospf area types
Ospf area typesOspf area types
Ospf area types
CoderGenie Technologies
Ā 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing Introduction
Rasoul Mesghali, CCIE RS
Ā 

Recommended

Eigrp
EigrpEigrp
Eigrp
firey
Ā 
Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab
Cisco Canada
Ā 
OSPF- Multi area
OSPF- Multi area OSPF- Multi area
OSPF- Multi area
Ahmed Ali
Ā 
Policy Based Routing (PBR)
Policy Based Routing (PBR)Policy Based Routing (PBR)
Policy Based Routing (PBR)
KHNOG
Ā 
IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 Fundamentals
Matt Bynum
Ā 
SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases
APNIC
Ā 
Ospf area types
Ospf area typesOspf area types
Ospf area types
CoderGenie Technologies
Ā 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing Introduction
Rasoul Mesghali, CCIE RS
Ā 
A very good introduction to IPv6
A very good introduction to IPv6A very good introduction to IPv6
A very good introduction to IPv6
Syed Arshad
Ā 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACL
faust0
Ā 
Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorial
kriz5
Ā 
MPLS Concepts and Fundamentals
MPLS Concepts and FundamentalsMPLS Concepts and Fundamentals
MPLS Concepts and Fundamentals
Shawn Zandi
Ā 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
Ā 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
Cisco Canada
Ā 
Eigrp.ppt
Eigrp.pptEigrp.ppt
Eigrp.ppt
Edgardo Scrimaglia
Ā 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address Planning
APNIC
Ā 
IP Geolocation Demystified
IP Geolocation DemystifiedIP Geolocation Demystified
IP Geolocation Demystified
BigDataCloudAPI
Ā 
How BGP Works
How BGP WorksHow BGP Works
How BGP Works
ThousandEyes
Ā 
Arp
ArpArp
Arp
leehylton
Ā 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
Bangladesh Network Operators Group
Ā 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
Pavel Odintsov
Ā 
Eigrp new
Eigrp newEigrp new
Eigrp new
CYBERINTELLIGENTS
Ā 
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
APNIC
Ā 
CCNA IP Addressing
CCNA IP AddressingCCNA IP Addressing
CCNA IP Addressing
Dsunte Wilson
Ā 
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Bruno Teixeira
Ā 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
Edgardo Scrimaglia
Ā 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
Tim Martin
Ā 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
Joud Khattab
Ā 
Simplified IPv6 Subnetting. Understanding Whatā€™s What.
Simplified IPv6 Subnetting. Understanding Whatā€™s What.Simplified IPv6 Subnetting. Understanding Whatā€™s What.
Simplified IPv6 Subnetting. Understanding Whatā€™s What.
SolarWinds
Ā 
IPv6 Addressing Plans and Subnetting
IPv6 Addressing Plans and SubnettingIPv6 Addressing Plans and Subnetting
IPv6 Addressing Plans and Subnetting
RIPE NCC
Ā 

More Related Content

What's hot

CCNA IP Addressing
CCNA IP AddressingCCNA IP Addressing
CCNA IP Addressing
Dsunte Wilson
Ā 

What's hot (20)

A very good introduction to IPv6
A very good introduction to IPv6A very good introduction to IPv6
A very good introduction to IPv6
Ā 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACL
Ā 
Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorial
Ā 
MPLS Concepts and Fundamentals
MPLS Concepts and FundamentalsMPLS Concepts and Fundamentals
MPLS Concepts and Fundamentals
Ā 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
Ā 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
Ā 
Eigrp.ppt
Eigrp.pptEigrp.ppt
Eigrp.ppt
Ā 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address Planning
Ā 
IP Geolocation Demystified
IP Geolocation DemystifiedIP Geolocation Demystified
IP Geolocation Demystified
Ā 
How BGP Works
How BGP WorksHow BGP Works
How BGP Works
Ā 
Arp
ArpArp
Arp
Ā 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
Ā 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
Ā 
Eigrp new
Eigrp newEigrp new
Eigrp new
Ā 
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]
Ā 
CCNA IP Addressing
CCNA IP AddressingCCNA IP Addressing
CCNA IP Addressing
Ā 
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Ā 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
Ā 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
Ā 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
Ā 

Viewers also liked

IPV6 addressing plan exercise-2
IPV6 addressing plan exercise-2IPV6 addressing plan exercise-2
IPV6 addressing plan exercise-2
stupidbopols
Ā 
instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6
instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6
instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6
cyberjoex
Ā 

Viewers also liked (13)

Simplified IPv6 Subnetting. Understanding Whatā€™s What.
Simplified IPv6 Subnetting. Understanding Whatā€™s What.Simplified IPv6 Subnetting. Understanding Whatā€™s What.
Simplified IPv6 Subnetting. Understanding Whatā€™s What.
Ā 
IPv6 Addressing Plans and Subnetting
IPv6 Addressing Plans and SubnettingIPv6 Addressing Plans and Subnetting
IPv6 Addressing Plans and Subnetting
Ā 
Obtaining IPv4 Addresses
Obtaining IPv4 AddressesObtaining IPv4 Addresses
Obtaining IPv4 Addresses
Ā 
09 (IDNOG01) Introduction about APNIC by Wita Laksono
09 (IDNOG01) Introduction about APNIC by Wita Laksono09 (IDNOG01) Introduction about APNIC by Wita Laksono
09 (IDNOG01) Introduction about APNIC by Wita Laksono
Ā 
APNIC IRM Tutorial, by Sheryl Hermoso [APRICOT 2015]
APNIC IRM Tutorial, by Sheryl Hermoso [APRICOT 2015]APNIC IRM Tutorial, by Sheryl Hermoso [APRICOT 2015]
APNIC IRM Tutorial, by Sheryl Hermoso [APRICOT 2015]
Ā 
APNIC's Resource Certification Service
APNIC's Resource Certification ServiceAPNIC's Resource Certification Service
APNIC's Resource Certification Service
Ā 
Current RIPE Policy Developments and RIPE Policy Implementation
Current RIPE Policy Developments and RIPE Policy ImplementationCurrent RIPE Policy Developments and RIPE Policy Implementation
Current RIPE Policy Developments and RIPE Policy Implementation
Ā 
IPV6 addressing plan exercise-2
IPV6 addressing plan exercise-2IPV6 addressing plan exercise-2
IPV6 addressing plan exercise-2
Ā 
Preparing an IPv6 Addressing Planl
Preparing an IPv6 Addressing PlanlPreparing an IPv6 Addressing Planl
Preparing an IPv6 Addressing Planl
Ā 
instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6
instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6
instructor ppt_chapter8.2.2 - i_pv6 addressing with exercises of IPv6
Ā 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE Atlas
Ā 
Internet Operations and the RIRs
Internet Operations and the RIRsInternet Operations and the RIRs
Internet Operations and the RIRs
Ā 
Ip address and subnetting
Ip address and subnettingIp address and subnetting
Ip address and subnetting
Ā 

Similar to Getting IPv6 & Securing your Routing

Nathalie - Stavanger
Nathalie - StavangerNathalie - Stavanger
Nathalie - Stavanger
IPv6no
Ā 

Similar to Getting IPv6 & Securing your Routing (20)

IPv4 depletion & IPv6 deployment in the RIPE NCC service region
IPv4 depletion & IPv6 deployment in the RIPE NCC service regionIPv4 depletion & IPv6 deployment in the RIPE NCC service region
IPv4 depletion & IPv6 deployment in the RIPE NCC service region
Ā 
Kjell Leknes
Kjell LeknesKjell Leknes
Kjell Leknes
Ā 
IPv4 Depletion & IPv6 Deployment
IPv4 Depletion & IPv6 DeploymentIPv4 Depletion & IPv6 Deployment
IPv4 Depletion & IPv6 Deployment
Ā 
Update: IP addresses AS numbers and related things...
Update: IP addresses AS numbers and related things...Update: IP addresses AS numbers and related things...
Update: IP addresses AS numbers and related things...
Ā 
IPv6 Act Now!
IPv6 Act Now!IPv6 Act Now!
IPv6 Act Now!
Ā 
IPv4 and IPv6 - addressing Internet infrastructure
IPv4 and IPv6 - addressing Internet infrastructureIPv4 and IPv6 - addressing Internet infrastructure
IPv4 and IPv6 - addressing Internet infrastructure
Ā 
IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60
Ā 
Your Slice of the IPv6 Cake
Your Slice of the IPv6 CakeYour Slice of the IPv6 Cake
Your Slice of the IPv6 Cake
Ā 
Leo Vegoda - IPv6: a universe if addresses
Leo Vegoda - IPv6: a universe if addressesLeo Vegoda - IPv6: a universe if addresses
Leo Vegoda - IPv6: a universe if addresses
Ā 
Facilitating IPv6 Deployment
Facilitating IPv6 DeploymentFacilitating IPv6 Deployment
Facilitating IPv6 Deployment
Ā 
IPv6 News from the RIPE NCC
IPv6 News from the RIPE NCCIPv6 News from the RIPE NCC
IPv6 News from the RIPE NCC
Ā 
Nathalie - Stavanger
Nathalie - StavangerNathalie - Stavanger
Nathalie - Stavanger
Ā 
Moving Towards IPv6
Moving Towards IPv6Moving Towards IPv6
Moving Towards IPv6
Ā 
IPv6 in Depth <<Kinda>>
IPv6 in Depth <<Kinda>>IPv6 in Depth <<Kinda>>
IPv6 in Depth <<Kinda>>
Ā 
IPv6 Deployment: Why and Why not?
IPv6 Deployment: Why and Why not?IPv6 Deployment: Why and Why not?
IPv6 Deployment: Why and Why not?
Ā 
IPv6 Deployment and Distribution in the RIPE NCC Service Region
IPv6 Deployment and Distribution in the RIPE NCC Service RegionIPv6 Deployment and Distribution in the RIPE NCC Service Region
IPv6 Deployment and Distribution in the RIPE NCC Service Region
Ā 
RIPE NCC Status Update
RIPE NCC Status UpdateRIPE NCC Status Update
RIPE NCC Status Update
Ā 
IPv4 Depletion and IPv6 Adoption Today
IPv4 Depletion and IPv6 Adoption TodayIPv4 Depletion and IPv6 Adoption Today
IPv4 Depletion and IPv6 Adoption Today
Ā 
RIPE Labs Operator Tools, Ideas, Analysis
RIPE Labs Operator Tools, Ideas, AnalysisRIPE Labs Operator Tools, Ideas, Analysis
RIPE Labs Operator Tools, Ideas, Analysis
Ā 
RIPE NCC Update
RIPE NCC UpdateRIPE NCC Update
RIPE NCC Update
Ā 

More from RIPE NCC

More from RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
Ā 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
Ā 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
Ā 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Ā 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
Ā 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Ā 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
Ā 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Ā 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
Ā 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
Ā 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
Ā 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
Ā 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Ā 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
Ā 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
Ā 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
Ā 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
Ā 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
Ā 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
Ā 
The RIPE NCCā€™s View of IPv6 in Sweden
The RIPE NCCā€™s View of IPv6 in SwedenThe RIPE NCCā€™s View of IPv6 in Sweden
The RIPE NCCā€™s View of IPv6 in Sweden
Ā 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
Ā 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
Ā 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
Ā 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
Ā 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
Ā 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Ā 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Ā 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Ā 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ā 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
Ā 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Ā 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Ā 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
Ā 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Ā 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
Ā 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
Ā 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Ā 
šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜
Ā 
Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024
Ā 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Ā 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Ā 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Ā 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
Ā 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Ā 

Getting IPv6 & Securing your Routing

  • 1. Getting IPv6 & Securing your Routing IPv6 Kongress May 2012, Frankfurt Sandra BrĆ”s & Ferenc Csorba, RIPE NCC
  • 2. Schedule ā€¢ IPv4 exhaustion ā€¢ IPv6 address space ā€¢ European IPv6 deployment statistics ā€¢ BGP multihoming ā€¢ Routing Registry and the RIPE Database ā€¢ Resource Certiļ¬cation 2
  • 3. RIPE / RIPE NCC RIPE Open community Develops addressing policies Working group mailing lists RIPE NCC Located in Amsterdam Not for proļ¬t membership organisation One of ļ¬ve RIRs 3
  • 5. Internet Number Resources ā€¢ IP addresses - IPv4 eg. 193.0.0.203 - IPv6 eg. 2001:610:240:11::c100:1319 ā€¢ Autonomous System Numbers (ASN) ā€¢ Other public services - Training Services - RIPE Labs - RIPE Database - RIPE Stat - K-root name server - RIPE Atlas - Measurement tools - E-learning 5
  • 9. Who makes policies? ICANN / IANA ASO AfriNIC Reach consensusARIN RIPE NCC across communities APNIC LACNIC AfriNIC RIPE ARIN APNIC LACNIC community community community community community proposal proposal Global proposal Policy Proposal proposal proposal 9
  • 10. Why would you want to participate? ā€¢ Policy determines how you run your business ā€¢ Over 8000 LIRs ā€¢ Only a fraction are active participants in the PDP 10
  • 11. How can you participate? ā€¢ Working Group mailing lists - RIPE website ā†’ RIPE ā†’ Mailing Lists ā€¢ Come to the RIPE Meetings - Two free tickets for new LIRs - Remote participation is also possible 11
  • 13. IANA IPv4 pool 40% 30% 20% 10% 0% 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 13
  • 14. IPv4 address distribution /0 IANA /8 RIR /21 LIR /23 /25 /25 End User Allocation PA Assignment PI Assignment 14
  • 15. IANA and RIRs IPv4 pool IANA Pool RIR Allocations Advertised RIR Pool Today 256 Data 192 128 64 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 15
  • 16. Our slice of the IPv4 pie Legacy Other IANA AfriNIC LACNIC RIPE NCC ARIN APNIC 16
  • 17. IPv4 exhaustion phases IPv4 still available. RIPE NCCā€™s allocation RIPE NCC can only RIPE NCC continues policy from last /8 distribute IPv6 distributing it applies ? now time IANA pool RIPE NCC RIPE NCC exhausted reaches pool ļ¬nal /8 exhausted Each of the 5 RIRs given a /8 17
  • 18. Run Out Fairly (of IPv4) ā€¢ Gradually reduced allocation / assignment periods ā€¢ Needs for ā€œEntire Periodā€ of up to... - 12 months (January 2010) - 9 months (July 2010) - 6 months (January 2011) - 3 months (July 2011) ā€¢ 50% has to be used up by half-period 18
  • 19. RIPE NCCā€™s last /8 ā€¢ We do things differently! ā€¢ Ensures IPv4 access for all members - 16000+ /22s in a /8 - members can get one /22 (=1024 addresses) - must already hold IPv6 - must qualify for allocation ā€¢ /16 set aside for unforeseen situations - if unused, will be distributed ā€¢ No PI 19
  • 20. Transfer of IPv4 Allocations ā€¢ Policy 2007-08: Allocation Transfer Policy - Donā€™t buy your IPv4 on eBay! - Transfer unused allocations to another LIR - Minimum allocation size /21 - Evaluated by RIPE NCC - Update in RIPE Database http://www.ripe.net/lir-services/resource-management/listing 20
  • 21. IPv4 Depletion in the RIPE NCCā€™s Region - https://www.ripe.net/internet-coordination/ipv4-exhaustion 21
  • 22. 0 75 150 225 300 2000-01 2000-07 2001-01 2001-07 2002-01 2002-07 2003-01 2003-07 2004-01 2004-07 2005-01 IPv4 Allocation Rate 2005-07 2006-01 2006-07 2007-01 2007-07 2008-01 2008-07 2009-01 2009-07 2010-01 2010-07 2011-01 2011-07 2012-01 22
  • 23. IPv4 Depletion Worldwide IPv4 Pool in /8ā€™s 6 5 4 3 2 1 0 AfriNIC RIPE NCC LACNIC ARIN APNIC 23
  • 25. Where do all the addresses come from? IETF IANA AfriNIC ARIN RIPE NCC APNIC LACNIC 8000 LIRs End Users 25
  • 26. IPv6 address distribution /3 IANA /12 RIR /32 LIR /48 /56 /48 End User PA Allocation Provider Aggregatable PI Assignment Assignment 26
  • 27. IPv6 basics ā€¢ IPv6 address: 128 bits - 32 bits in IPv4 ā€¢ Every subnet should be a /64 ā€¢ Customer assignments (sites) between: - /64 (1 subnet) - /48 (65536 subnets) ā€¢ Minimum allocation size /32 - 65536 /48ā€™s - 16777216 /56ā€™s 27
  • 28. IPv4 vs IPv6 (rounded off) IPv4 IPv6 addresses 4x109 2x1019 subnets allocations 2x106 4x109 to members in each allocation: in each allocation: subnets addresses 2048 4x109 28
  • 29. Classless Inter-Domain Routing (CIDR) IPv6 Chart Preļ¬x /48s /56s /64s Bits IPv4 CIDR Chart RIPE NCC /24 16M 4G 1T 104 /25 8M 2G 512G 103 IP Addresses Bits Preļ¬x Subnet Mask /26 4M 1G 256G 102 /27 2M 512M 128G 101 /28 1M 256M 64G 100 1 0 /32 255.255.255.255 /29 512K 128M 32G 99 2 1 /31 255.255.255.254 /30 256K 64M 16G 98 4 2 /30 255.255.255.252 /31 128K 32M 8G 97 8 3 /29 255.255.255.248 /32 64K 16M 4G 96 16 4 /28 255.255.255.240 /33 32K 8M 2G 95 32 5 /27 255.255.255.224 /34 16K 4M 1G 94 64 6 /26 255.255.255.192 /35 8K 2M 512M 93 128 7 /25 255.255.255.128 /36 4K 1M 256M 92 256 8 /24 255.255.255.0 /37 2K 512K 128M 91 512 9 /23 255.255.254.0 /38 1K 256K 64M 90 1K 10 /22 255.255.252.0 /39 512 128K 32M 89 2K 11 /21 255.255.248.0 /40 256 64K 16M 88 4K 12 /20 255.255.240.0 /41 128 32K 8M 87 8K 13 /19 255.255.224.0 /42 64 16K 4M 86 16 K 14 /18 255.255.192.0 /43 32 8K 1M 85 32 K 15 /17 255.255.128.0 /44 16 4K 1M 84 64 K 16 /16 255.255.0.0 /45 8 2K 512K 83 128 K 17 /15 255.254.0.0 /46 4 1K 256K 82 256 K 18 /14 255.252.0.0 /47 2 512 128K 81 512 K 19 /13 255.248.0.0 /48 1 256 64K 80 1M 20 /12 255.240.0.0 /49 128 32K 79 /50 64 16K 78 2M 21 /11 255.224.0.0 /51 32 8K 77 4M 22 /10 255.192.0.0 /52 16 4K 76 8M 23 /9 255.128.0.0 /53 8 2K 75 16 M 24 /8 255.0.0.0 /54 4 1K 74 32 M 25 /7 254.0.0.0 /55 2 512 73 64 M 26 /6 252.0.0.0 /56 1 256 72 128 M 27 /5 248.0.0.0 /57 128 71 256 M 28 /4 240.0.0.0 RIPE NCC /58 64 70 512 M 29 /3 224.0.0.0 /59 32 69 1024 M 30 /2 192.0.0.0 /60 16 68 2048 M 31 /1 128.0.0.0 /61 8 67 4096 M 32 /0 0.0.0.0 /62 4 66 /63 2 65 Contact Registration Services: /64 1 64 www.ripe.net 29
  • 31. Getting an IPv6 allocation ā€¢ To qualify, an organisation must: - Be an LIR - Have a plan for making assignments within two years ā€¢ Minimum allocation size /32 ā€¢ Announcement as a single preļ¬x recommended 31
  • 32. RIPE Policy Proposal 2011-04 ā€¢ Extension of the Minimum Size for IPv6 Initial Allocation - Proposes initial allocation up to a /29 - For example, for small LIRs to deploy IPv6 via 6RD (RFC 5969) DER DISCUSSION UN ā€¢ Proposal currently in Review Phase - The RIPE NCC is working on impact analysis 32
  • 33. What does the first IPv6 allocation cost? - for all - pending General Meeting decision or: - for approximately 97% of the LIRs - more points, but not higher category! 33
  • 34. Why Create an IPv6 Addressing Plan? ā€¢ Mental health during implementation(!) ā€¢ Easier implementation of security policies ā€¢ Efļ¬cient addressing plans are scalable ā€¢ More efļ¬cient route aggregation 34
  • 36. Make an addressing plan (I) ā€¢ Number of hosts is irrelevant ā€¢ Multiple /48s per pop can be used - separate blocks for infrastructure and customers - document address needs for allocation criteria ā€¢ /64 for all subnets - autoconļ¬guration works - renumbering easier - less typo errors because of simplicity 36
  • 37. Make an addressing plan (II) ā€¢ Use one /64 block (per site) for loopbacks - One /128 per device - One /64 contains enough /128s for 18.446.744.073.709.551.616 devices 37
  • 38. More On Addressing Plans for ISPs ā€¢ For private networks, look at ULA ā€¢ For servers you want manual conļ¬guration ā€¢ Use port numbers for addresses - pop server 2001:db8:1::110 - dns server 2001:db8:1::53 - etc... 38
  • 39. Point-to-Point Connections ā€¢ How much space for point-to-point connections? - RFC4291: Interface IDs are required to be /64 - RFC3627: Use of /127 between routers considered harmful - RFC6547: RFC3627 to Historic Status - RFC6164: Using /127 on Inter-Router links ā€¢ Be safe: reserve a /64, assign a /127 per point-to-point connection 39
  • 40. Customer assignments ā€¢ Give your customers enough addresses - Up to a /48 ā€¢ For more addresses, send in request form - Alternatively, make a sub-allocation ā€¢ Every assignment must now be registered in the RIPE database 40
  • 41. Using AGGREGATED-BY-LIR ALLOCATED-BY-RIR ASSIGNED AGGREGATED-BY-LIR ALLOCATED-BY-LIR /36 /44 assignment-size: 56 /34 AGGREGATED-BY-LIR assignment-size: 48 /40 hint :) /48 /48 /48 /48 /48 41
  • 42. Group assignments in the RIPE DB inet6num: Ā Ā Ā Ā Ā Ā  2001:db8:1000::/36 netname: Ā Ā Ā Ā Ā Ā Ā  Bluelight descr: Ā Ā Ā Ā Ā Ā Ā Ā Ā  We want more Bluelight B.V. descr: Ā Ā Ā Ā  Colocation services country: Ā Ā Ā Ā Ā Ā  Ā  NL admin-c: Ā Ā Ā Ā Ā Ā Ā  BN649-RIPE tech-c: Ā Ā Ā Ā Ā Ā Ā Ā  BN649-RIPE status: Ā Ā Ā Ā Ā Ā Ā Ā  AGGREGATED-BY-LIR assignment-size: 48 mnt-by: Ā Ā Ā Ā Ā Ā Ā Ā  BLUELIGHT-MNT notify: Ā Ā Ā Ā Ā Ā Ā Ā  noc@example.net changed: Ā Ā Ā Ā Ā Ā  noc@example.net 20110218 source: Ā Ā Ā Ā Ā Ā Ā  RIPE 42
  • 43. Customers And Their /48 ā€¢ Customers have no idea how to handle 65536 subnets! ā€¢ Provide them with information ā€“ https://www.ripe.net/lir-services/training/material/IPv6- for-LIRs-Training-Course/IPv6_addr_plan4.pdf 43
  • 44. IPv6 Address Management ā€¢ Your Excel sheet might not scale ā€“ There are 65.536 /48s in a /32 ā€“ There are 65.536 /64s in a /48 ā€“ There are 16.777.216 /56s in a /32 ā€¢ Find a suitable IPAM solution 44
  • 45. Getting IPv6 PI address space ā€¢ To qualify, an organisation must: - Meet the contractual requirements for provider independent resources ā€¢ Minimum assignment size /48 45
  • 47. Reverse DNS 2001 db8 2001:0db8:003e:ef11:0000:0000 :c100: 004d . . . . . . . .ip6.arpa d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e. 3.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR yourname.domain.tld d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR yourname.domain.tld 47
  • 51. Members with IPv6 and IPv4 7853 members with IP resources 3846 3918 89 IPv4 only IPv6 only IPv6 and IPv4 51
  • 52. IPv6 Ripeness ā€¢ Rating system: - One star if the LIR has an IPv6 allocation - Additional stars if: - IPv6 Preļ¬x is announced on router - A route6 object is in the RIPE Database - Reverse DNS is set up - A list of all 4 star LIRs: http://ripeness.ripe.net/ 52
  • 53. IPv6 RIPEness: 8097 LIRs (5 May 2012) 1 star 2 stars 3 stars 4 stars No IPv6 1 star 14% No IPv6 51% 2 stars 6% 3 stars 11% 4 stars 18%
  • 54. 0 225 450 675 900 Slovenia (47 LIRs) Netherlands (418 LIRs) 1star Czech Republic (221 LIRs) Germany (821 LIRs) 2star Switzerland ( 260 LIRs) Poland (214 LIRs) 3star Austria (155 LIRs) Portugal (37 LIRs) 4star Norway (163 LIRs) IPv6 RIPEness ā€“ countries (5 May 2012) Denmark (123 LIRs) 0star 54
  • 55. 0% 25% 50% 75% 100% Slovenia (47 LIRs) Netherlands (418 LIRs) 1star Czech Republic (221 LIRs) Germany (821 LIRs) 2star Switzerland (260 LIRs) Poland (214 LIRs) 3star Austria (155 LIRs) Portugal (37 LIRs) 4star Norway (163 LIRs) IPv6 RIPEness ā€“ relative (5 May 2012) Denmark (123 LIRs) 0star 55
  • 56. IPv6 enabled ASes in global routing All Germany Belgium France Netherlands 50% http://v6ASNs.ripe.net 42% 33% 25% 17% 8% 0% 2004 2005 2006 2007 2008 2009 2010 2011 2012 56
  • 57. World IPv6 Launch ā€¢ http://www.worldipv6launch.org/ 57
  • 58. Useful information Websites ā€¢ http://www.getipv6.info/ ā€¢ http://www.ipv6actnow.org ā€¢ http://datatracker.ietf.org/wg/v6ops/ ā€¢ http://www.ripe.net/ripe/docs/ripe-501.html Mailing lists ā€¢ http://lists.cluenet.de/mailman/listinfo/ipv6-ops ā€¢ http://www.ripe.net/mailman/listinfo/ipv6-wg 58
  • 60. Scenario 1: LIR = PA allocation + ASN ISP 1 ISP 2 x AS3 AS7 AS4 AS5 AS6 ā€¢ Can make assignments to End Users 60
  • 61. Scenario 2: End User = PI + ASN ISP 1 ISP 2 x ā€¢ Can NOT sub-assign further!!! - (in IPv4 can still use PI for xDSL, broadband...) 61
  • 62. Scenario 3: LIR = PI + ASN ISP 1 ISP 2 x ā€¢ Can NOT sub-assign further!!! - (in IPv4 can still use PI for xDSL, broadband...) 62
  • 63. Scenario 4: PI End User, not multihomed ISP 1 ISP 2 x ā€¢ Part of LIRā€™s AS number - does not want to / can not run BGP - still wants ā€œportableā€ addresses 63
  • 64. How to get an AS Number ā€¢ Assignment requirements - Address space - Multihoming - One AS Number per network ā€¢ For LIR itself ā€¢ For End User - Sponsoring LIR requests it for End User - Direct Assignment User requests it for themselves 64
  • 65. 32-bit AS Numbers and you ā€¢ New format: ā€œAS4192351863ā€ ā€¢ Act now! ā€¢ Prepare for 32-bit ASNs in your organisation: - Check if hardware is compatible; if not, contact hardware vendor - Check if upstream uses compatible hardware; if not, they should upgrade! 65
  • 67. RIPE Database ā€¢ Public Internet resource and routing registry database 67
  • 68. RIPE Database objects ā€¢ Resources ā€“ inetnum, inet6num, aut-num, domain ā€¢ Routing ā€“ route, route6, aut-num ā€¢ Security ā€“ mntner ā€¢ Contact ā€“ organisation, person, role 68
  • 69. Protection mntner: LIR-MNT person: John Smith admin-c: JS123-RIPE nic-hdl: JS123-RIPE tech-c: JS123-RIPE address: sesamestreet 1 mnt-by: LIR-MNT phone: +1 555 0101 notify: noc@example.org e-mail: john@example.org mnt-nfy: list@example.org mnt-by: LIR-MNT abuse-mailbox: abuse@example.org auth: MD5-PW $1$xT9SJ 69
  • 70. Protection inetnum: 85.11.186.0/25 descr: My Assignment status: ASSIGNED PA mnt-by: LIR-MNT admin-c: LA789-RIPE tech-c: LA789-RIPE mntner: LIR-MNT admin-c: LA789-RIPE person: John Smith tech-c: LA789-RIPE nic-hdl: JS123-RIPE mnt-by: LIR-MNT mnt-by: LIR-MNT notify: noc@example.org address: sesamestreet 1 mnt-nfy: list@example.org phone: +1 555 0101 abuse-mailbox: abuse@example.org e-mail: john@example.org auth: MD5-PW $1$xT9SJ aut-num: 64551 descr: My AS Number mnt-by: RIPE-NCC-END-MNT mnt-by: LIR-MNT org: ORG-BB2-RIPE admin-c: LA789-RIPE tech-c: LA789-RIPE 70
  • 72. What is ā€œInternet Routing Registryā€ ā€¢ Distributed databases with public routing policy information, mirroring each other: irr.net - APNIC, RADB, Level3, SAVVIS... ā€¢ RIPE NCC operates ā€œRIPE Routing Registryā€ ā€¢ Big operators make use of it - AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918 (Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)... 72
  • 73. Publishing routing policy in IRR ā€¢ Required by some Transit Providers & IXPs - they use it for preļ¬x-based ļ¬ltering ā€¢ Allows for automated generation of preļ¬x ļ¬lters - and router conļ¬guration commands, based on RR ā€¢ Contributes to routing security - preļ¬x ļ¬ltering based on IRR registered routes prevents accidental leaks and route hijacking ā€¢ Good housekeeping 73
  • 74. RIPE RR is part of the RIPE Database ā€¢ route[6] object creation is responsibility of LIR - every time you receive a new allocation, do create a route or route6 object ā€¢ route and route6 objects represent routed preļ¬x - address space being announced by an AS number 74
  • 75. Route and route6 object organisation: ORG-BB2-RIPE route6: 2001:db8::/32 origin: AS2 tech-c: LA789-RIPE admin-c: JD1-RIPE mnt-by: RIPE-NCC-HM-MNT inet6num: 2001:db8::/32 aut-num: AS2 tech-c: LA789-RIPE tech-c: LA789-RIPE admin-c: JD1-RIPE admin-c: JD1-RIPE mnt-by: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT 75
  • 76. IPv6 in the Routing Registry Route6 object: route6: 2001:DB8::/32 origin: AS65550 Aut-num object: aut-num: AS65550 mp-import: aļ¬ ipv6.unicast from AS64496 accept ANY mp-export: aļ¬ ipv6.unicast to AS64496 announce AS65550 76
  • 77. Automation of router configuration ā€¢ Describing routing policy in aut-num enables generation of route-maps for policy routing ā€¢ Tools can read your policy towards peers - translation from RPSL to router conļ¬guration commands ā€¢ Tools collect the data your peers have in RR - if their data changes, you only have to periodically run your scripts to collect updates 77
  • 79. Limitations of the Routing Registry ā€¢ Many registries exist, operated by different parties: ā€“ Not all of them mirror each other ā€“ Do you trust the information they provide? ā€¢ The IRR system is far from complete ā€¢ Resulting ļ¬lters are hard to maintain and can take a lot of router memory 79
  • 80. The RIPE NCC involvement in RPKI ā€¢ The authority who is the holder of an Internet Number Resource in our region ā€“ IPv4 and IPv6 address ranges ā€“ Autonomous System Numbers ā€¢ Information is kept in the registry ā€¢ Accuracy and completeness are key 80
  • 81. Digital resource certificates ā€¢ Issue digital certiļ¬cates along with the registration of Internet Resources ā€¢ Two main purposes: ā€“ Make the registry more robust ā€“ Making Internet Routing more secure ā€¢ Validation is the added value 81
  • 82. Using certificates ā€¢ Certiļ¬cation is a free, opt-in service ā€“ Your choice to request a certiļ¬cate ā€“ Linked to your membership ā€“ Renewed every 12 months ā€¢ Certiļ¬cate does not list any identity information ā€¢ Digital proof you are the holder of a resource 82
  • 83. The PKI system ā€¢ The RIRs hold a self-signed root certiļ¬cate for all the resources that they have in the registry ā€“ They are the trust anchor for the system ā€¢ That root certiļ¬cate is used to sign a certiļ¬cate that lists your resources ā€¢ You can issue child certiļ¬cates for those resources to your customers ā€“ When making assignments or sub allocations 83
  • 84. Certificate Authority (CA) Structure Root CA (RIPE NCC) Member CA (LIR) Customer CA 84
  • 85. Which resources are certified? ā€¢ Provider Aggregatable (PA) IP addresses ā€¢ Provider Independent (PI) addresses marked as ā€œInfrastructureā€ ā€¢ Other resources will be added over time: ā€“ PI addresses for which we have a contract ā€“ ERX resources 85
  • 86. Route Origination Authorisation (ROA) ā€¢ Next to the preļ¬x and the ASN which is allowed to announce it, the ROA contains: ā€“A minimum preļ¬x length ā€“A maximum preļ¬x length ā€“ An expiry date ā€¢ Multiple ROAs can exist for the same preļ¬x ā€¢ ROAs can overlap 86
  • 87. Publication and validation ā€¢ ROAs are published in the same repositories as the certiļ¬cates and their keys ā€¢ You can download them and use software to verify all the cryptographic signatures are valid ā€“ Was this really the owner of the preļ¬x? ā€¢ You will end up with a list of preļ¬xes and the ASN that is expected to originate them ā€“ And you can be sure the information comes from the holder of the resources 87
  • 89. ROA Validation ā€¢ You can download all the certiļ¬cates, public keys and ROAs which form the RPKI ā€¢ Software running on your own machine can retrieve and then verify the information ā€“ Cryptographic tools can check all the signatures ā€¢ The result is a list of all valid combinations of ASN and preļ¬x, the ā€œvalidated cacheā€ 89
  • 90. Reasons for a ROA to be invalid ā€¢ The start date is in the future ā€“ Actually this is ļ¬‚agged as an error ā€¢ The end date is in the past ā€“ It is expired and the ROA will be ignored ā€¢ The signing certiļ¬cate or key pair has expired or has been revoked ā€¢ It does not validate back to a conļ¬gured trust anchor 90
  • 91. The Decision Process ā€¢ When you receive a BGP announcement from one of your neighbors you can compare this to the validated cache ā€¢ There are three possible outcomes: ā€“ Unknown: there is no covering ROA for this preļ¬x ā€“ Valid: a ROA matching the preļ¬x and ASN is found ā€“ Invalid: There is a ROA but it does not match the ASN or the preļ¬x length 91
  • 92. Modifying the Validated Cache ā€¢ The RIPE NCC Validator allows you to manually override the validation process ā€¢ Adding an ignore ļ¬lter will ignore all ROAs for a given preļ¬x ā€“ The end result is the validation state will be ā€œunknownā€ ā€¢ Creating a whitelist entry for a preļ¬x and ASN will locally create a valid ROA ā€“ The end result is the validation state becomes ā€œvalidā€ 92
  • 93. The Decision is Yours ā€¢ The Validator is a tool which can help you making informed decisions about routing ā€¢ Using it properly can enhance the security and stability of the Internet ā€¢ It is your network and you make the ļ¬nal decision 93
  • 94. Public Testbeds ā€¢ A few people allow access to routers that run RPKI and allow you to have a look at it ā€¢ RIPE NCC has a Cisco: ā€“ Telnet to rpki-rtr.ripe.net ā€“ User: ripe, no password ā€¢ Eurotransit has a Juniper: ā€“ Telnet to 193.34.50.25 or 193.34.50.26 ā€“ Username: rpki, password: testbed (http://www.ripe.net/lir-services/resource-management/certiļ¬cation/tools-and-resources) 94
  • 95. Roadmap ā€¢ Support for non-hosted is still under development by the RIPE NCC ā€“ Expected release will be third quarter 2012 ā€¢ We can give you access to beta test ā€“ Mail certiļ¬cation@ripe.net if you are interested ā€¢ More information will be published on the certiļ¬cation website ā€“ http://www.ripe.net/certiļ¬cation 95
  • 96. Follow us! @TrainingRIPENCC 96
  • 98. The End! KрŠ°Š¹ Y Diwedd FĆ­ Š”Š¾Ņ£Ń‹ Finis LiĆ°ugt Ende Finvezh KiŠ½ŠµŃ†ŃŒ Konec Kraj Ƌnn Fund LƵpp Beigas VĆ©ge Son Kpaj An CrĆ­och ā€«×”×”וףā€¬ Endir Fine SfĆ¢rşit Fin Ī¤Ī­Ī»ĪæĻ‚ Einde ŠšŠ¾Š½eц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim