Getting IPv6 & Securing your Routing
1. Getting IPv6 & Securing your Routing
IPv6 Kongress
May 2012, Frankfurt
Sandra Brás & Ferenc Csorba, RIPE NCC
2. Schedule
• IPv4 exhaustion
• IPv6 address space
• European IPv6 deployment statistics
• BGP multihoming
• Routing Registry and the RIPE Database
• Resource Certification
3. RIPE / RIPE NCC
RIPE:
- Open community
- Develops addressing policies
- Working group mailing lists
RIPE NCC:
- Located in Amsterdam
- Not for profit membership organisation
- One of five RIRs
5. Internet Number Resources
• IP addresses
- IPv4, e.g. 193.0.0.203
- IPv6, e.g. 2001:610:240:11::c100:1319
• Autonomous System Numbers (ASN)
• Other public services
- Training Services
- RIPE Database
- K-root name server
- Measurement tools
- E-learning
- RIPE Labs
- RIPE Stat
- RIPE Atlas
9. Who makes policies?
Diagram: ICANN / IANA and the ASO sit above the five RIRs (AfriNIC, ARIN, RIPE NCC, APNIC, LACNIC), which reach consensus across communities. Each community (AfriNIC, RIPE, ARIN, APNIC, LACNIC) makes its own policy proposals; a Global Policy Proposal spans all of them.
10. Why would you want to participate?
• Policy determines how you run your business
• Over 8000 LIRs
• Only a fraction are active participants in the PDP
11. How can you participate?
• Working Group mailing lists
- RIPE website → RIPE → Mailing Lists
• Come to the RIPE Meetings
- Two free tickets for new LIRs
- Remote participation is also possible
14. IPv4 address distribution
Diagram: IANA (/0) → RIR (/8) → LIR (/21, Allocation) → End User (/23 and /25 shown: PA Assignment and PI Assignment).
15. IANA and RIRs IPv4 pool
Chart: IANA pool, RIR allocations, advertised space and RIR pool, in /8s (0 to 256), from 1999 to 2012 (marked "Today").
16. Our slice of the IPv4 pie
Pie chart of the IPv4 address space by holder: Legacy, Other IANA, AfriNIC, LACNIC, RIPE NCC, ARIN, APNIC.
17. IPv4 exhaustion phases
Timeline (diagram):
- IPv4 still available: RIPE NCC continues distributing it
- IANA pool exhausted: each of the 5 RIRs given a /8
- RIPE NCC reaches final /8 (now): RIPE NCC’s allocation policy from the last /8 applies
- RIPE NCC pool exhausted (time unknown, "?"): RIPE NCC can only distribute IPv6
18. Run Out Fairly (of IPv4)
• Gradually reduced allocation / assignment periods
• Needs for “Entire Period” of up to...
- 12 months (January 2010)
- 9 months (July 2010)
- 6 months (January 2011)
- 3 months (July 2011)
• 50% has to be used up by half-period
19. RIPE NCC’s last /8
• We do things differently!
• Ensures IPv4 access for all members
- 16000+ /22s in a /8
- members can get one /22 (=1024 addresses)
- must already hold IPv6
- must qualify for allocation
• /16 set aside for unforeseen situations
- if unused, will be distributed
• No PI
20. Transfer of IPv4 Allocations
• Policy 2007-08: Allocation Transfer Policy
- Don’t buy your IPv4 on eBay!
- Transfer unused allocations to another LIR
- Minimum allocation size /21
- Evaluated by RIPE NCC
- Update in RIPE Database
http://www.ripe.net/lir-services/resource-management/listing
21. IPv4 Depletion in the RIPE NCC’s Region
- https://www.ripe.net/internet-coordination/ipv4-exhaustion
25. Where do all the addresses come from?
Diagram: IETF → IANA → the five RIRs (AfriNIC, ARIN, RIPE NCC, APNIC, LACNIC) → 8000 LIRs → End Users
26. IPv6 address distribution
Diagram: IANA (/3) → RIR (/12) → LIR (/32, PA Allocation) → End User (/48 or /56, Provider Aggregatable Assignment; /48, PI Assignment).
27. IPv6 basics
• IPv6 address: 128 bits
- 32 bits in IPv4
• Every subnet should be a /64
• Customer assignments (sites) between:
- /64 (1 subnet)
- /48 (65536 subnets)
• Minimum allocation size /32
- 65536 /48s
- 16777216 /56s
28. IPv4 vs IPv6 (rounded off)
                            IPv4                 IPv6
addresses / subnets         4x10^9 addresses     2x10^19 subnets
allocations to members      2x10^6               4x10^9
in each allocation          2048 addresses       4x10^9 subnets
31. Getting an IPv6 allocation
• To qualify, an organisation must:
- Be an LIR
- Have a plan for making assignments within two years
• Minimum allocation size /32
• Announcement as a single prefix recommended
32. RIPE Policy Proposal 2011-04 (UNDER DISCUSSION)
• Extension of the Minimum Size for IPv6 Initial Allocation
- Proposes initial allocation up to a /29
- For example, for small LIRs to deploy IPv6 via 6RD (RFC 5969)
• Proposal currently in Review Phase
- The RIPE NCC is working on impact analysis
33. What does the first IPv6 allocation cost?
- for all
- pending General Meeting decision
or:
- for approximately 97% of the LIRs
- more points, but not higher category!
34. Why Create an IPv6 Addressing Plan?
• Mental health during implementation(!)
• Easier implementation of security policies
• Efficient addressing plans are scalable
• More efficient route aggregation
36. Make an addressing plan (I)
• Number of hosts is irrelevant
• Multiple /48s per PoP can be used
- separate blocks for infrastructure and customers
- document address needs for allocation criteria
• /64 for all subnets
- autoconfiguration works
- renumbering easier
- fewer typos because of simplicity
37. Make an addressing plan (II)
• Use one /64 block (per site) for loopbacks
- One /128 per device
- One /64 contains enough /128s for 18.446.744.073.709.551.616 devices
38. More On Addressing Plans for ISPs
• For private networks, look at ULA
• For servers you want manual configuration
• Use port numbers for addresses
- pop server 2001:db8:1::110
- dns server 2001:db8:1::53
- etc...
39. Point-to-Point Connections
• How much space for point-to-point connections?
- RFC 4291: Interface IDs are required to be /64
- RFC 3627: Use of /127 between routers considered harmful
- RFC 6547: RFC 3627 to Historic Status
- RFC 6164: Using /127 on Inter-Router links
• Be safe: reserve a /64, assign a /127 per point-to-point connection
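As an added worked example (not from the slides), this Python script carves the plan of slides 36-39 out of a /32 with the standard ipaddress module: one /48 per PoP, its first /64 for loopbacks (/128 per device), its second /64 reserved for point-to-point links (/127 each), and the remaining /64s for ordinary subnets. The /32 (the documentation prefix), the PoP count and the router names are constructed assumptions.

```python
# Added example (not from the RIPE NCC slides): carving a /32 into the plan
# outlined on slides 36-39. 2001:db8::/32 is the documentation prefix and the
# PoP and device names are constructed placeholders.
import ipaddress
from itertools import islice

ALLOCATION = ipaddress.IPv6Network("2001:db8::/32")


def count_subnets(net, new_prefix):
    """How many new_prefix-sized blocks fit in net (e.g. 65536 /48s in a /32)."""
    return 2 ** (new_prefix - net.prefixlen)


def pop_blocks(allocation, n_pops):
    """One /48 per PoP for infrastructure; the rest of the /48s are for customers."""
    blocks = list(islice(allocation.subnets(new_prefix=48), n_pops))
    customer_48s = count_subnets(allocation, 48) - n_pops
    return blocks, customer_48s


def loopbacks(infra48, devices):
    """First /64 of the PoP block holds loopbacks, one /128 per device."""
    lo64 = next(infra48.subnets(new_prefix=64))
    return {dev: f"{addr}/128" for dev, addr in zip(devices, lo64.hosts())}


def p2p_links(infra48, links):
    """Second /64 of the PoP block is reserved for point-to-point links;
    each link gets one /127 (RFC 6164) and its two addresses."""
    p2p64 = list(islice(infra48.subnets(new_prefix=64), 2))[1]
    out = []
    for link, net in zip(links, p2p64.subnets(new_prefix=127)):
        a, b = [str(ip) for ip in net]
        out.append((link, str(net), a, b))
    return out


def user_subnets(infra48, n):
    """Remaining /64s of the PoP block, skipping the two reserved ones."""
    return [str(s) for s in islice(infra48.subnets(new_prefix=64), 2, 2 + n)]


if __name__ == "__main__":
    infra, customer_48s = pop_blocks(ALLOCATION, 2)
    print(infra, customer_48s)
    print(loopbacks(infra[0], ["rtr1", "rtr2"]))
    print(p2p_links(infra[0], [("rtr1", "rtr2")]))
    print(user_subnets(infra[0], 3))
```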
40. Customer assignments
• Give your customers enough addresses
- Up to a /48
• For more addresses, send in request form
- Alternatively, make a sub-allocation
• Every assignment must now be registered in the RIPE database
43. Customers And Their /48
• Customers have no idea how to handle 65536 subnets!
• Provide them with information
- https://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf
44. IPv6 Address Management
• Your Excel sheet might not scale
- There are 65.536 /48s in a /32
- There are 65.536 /64s in a /48
- There are 16.777.216 /56s in a /32
• Find a suitable IPAM solution
45. Getting IPv6 PI address space
• To qualify, an organisation must:
- Meet the contractual requirements for provider independent resources
• Minimum assignment size /48
51. Members with IPv6 and IPv4
Chart: 7853 members with IP resources, split into IPv4 only, IPv6 only, and IPv6 and IPv4 (segment values in the chart: 3846, 3918 and 89).
52. IPv6 Ripeness
• Rating system:
- One star if the LIR has an IPv6 allocation
- Additional stars if:
  - IPv6 Prefix is announced on router
  - A route6 object is in the RIPE Database
  - Reverse DNS is set up
- A list of all 4 star LIRs: http://ripeness.ripe.net/
53. IPv6 RIPEness: 8097 LIRs (5 May 2012)
Pie chart:
- No IPv6: 51%
- 1 star: 14%
- 2 stars: 6%
- 3 stars: 11%
- 4 stars: 18%
60. Scenario 1: LIR = PA allocation + ASN
Diagram: the LIR (x) is connected to ISP 1 and ISP 2, with further ASes (AS3, AS4, AS5, AS6, AS7) beyond them.
• Can make assignments to End Users
61. Scenario 2: End User = PI + ASN
Diagram: the End User (x) is connected to ISP 1 and ISP 2.
• Can NOT sub-assign further!!!
- (in IPv4 can still use PI for xDSL, broadband...)
62. Scenario 3: LIR = PI + ASN
Diagram: the LIR (x) is connected to ISP 1 and ISP 2.
• Can NOT sub-assign further!!!
- (in IPv4 can still use PI for xDSL, broadband...)
63. Scenario 4: PI End User, not multihomed
Diagram: End User (x), ISP 1 and ISP 2.
• Part of LIR’s AS number
- does not want to / can not run BGP
- still wants “portable” addresses
64. How to get an AS Number
• Assignment requirements
- Address space
- Multihoming
- One AS Number per network
• For LIR itself
• For End User
- Sponsoring LIR requests it for End User
- Direct Assignment User requests it for themselves
65. 32-bit AS Numbers and you
• New format: “AS4192351863”
• Act now!
• Prepare for 32-bit ASNs in your organisation:
- Check if hardware is compatible; if not, contact hardware vendor
- Check if upstream uses compatible hardware; if not, they should upgrade!
72. What is “Internet Routing Registry”
• Distributed databases with public routing policy information, mirroring each other: irr.net
- APNIC, RADB, Level3, SAVVIS...
• RIPE NCC operates “RIPE Routing Registry”
• Big operators make use of it
- AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918 (Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)...
73. Publishing routing policy in IRR
• Required by some Transit Providers & IXPs
- they use it for prefix-based filtering
• Allows for automated generation of prefix filters
- and router configuration commands, based on RR
• Contributes to routing security
- prefix filtering based on IRR registered routes prevents accidental leaks and route hijacking
• Good housekeeping
74. RIPE RR is part of the RIPE Database
• route[6] object creation is responsibility of LIR
- every time you receive a new allocation, do create a route or route6 object
• route and route6 objects represent routed prefix
- address space being announced by an AS number
76. IPv6 in the Routing Registry
Route6 object:
route6:    2001:DB8::/32
origin:    AS65550
Aut-num object:
aut-num:   AS65550
mp-import: afi ipv6.unicast from AS64496 accept ANY
mp-export: afi ipv6.unicast to AS64496 announce AS65550
77. Automation of router configuration
• Describing routing policy in aut-num enables generation of route-maps for policy routing
• Tools can read your policy towards peers
- translation from RPSL to router configuration commands
• Tools collect the data your peers have in RR
- if their data changes, you only have to periodically run your scripts to collect updates
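As an added example (not from the slides and not a RIPE NCC tool), the script below does the RPSL-to-filter translation in miniature: it reads an aut-num's mp-import lines in the style of slide 76, collects the route6 objects registered for the peer it accepts, and emits a prefix list. The RPSL dump is constructed sample data with documentation and private values, and the IOS-style prefix-list syntax is an assumption to adapt to your platform.

```python
# Added example (not from the slides or any RIPE NCC tool): read an aut-num's
# mp-import policy and build an IPv6 prefix filter from the peer's route6 objects.
import ipaddress
import re

RPSL_DUMP = """\
aut-num:    AS65550
mp-import:  afi ipv6.unicast from AS64496 accept AS64496
mp-import:  afi ipv6.unicast from AS64497 accept ANY

route6:     2001:db8:2000::/36
origin:     AS64496

route6:     2001:db8:1000::/36
origin:     AS64496

route6:     2001:db8:3000::/36
origin:     AS64497
"""
IMPORT_RE = re.compile(r"afi ipv6\.unicast from (AS\d+) accept (AS\d+|ANY)$")

def parse_rpsl(text):
    """Objects are blank-line separated; each becomes {attribute: [values]}."""
    objects = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            obj.setdefault(key.strip(), []).append(value.strip())
        objects.append(obj)
    return objects

def import_policy(objects, my_as):
    """peer AS -> AS accepted from it; 'accept ANY' gives None (nothing to filter on)."""
    policy = {}
    for obj in objects:
        if obj.get("aut-num") == [my_as]:
            for m in filter(None, map(IMPORT_RE.match, obj.get("mp-import", []))):
                policy[m.group(1)] = None if m.group(2) == "ANY" else m.group(2)
    return policy

def routes_for_origin(objects, origin_as):
    """route6 prefixes registered with this origin, as sorted IPv6Network objects."""
    return sorted(ipaddress.IPv6Network(o["route6"][0]) for o in objects
                  if "route6" in o and o.get("origin") == [origin_as])

def prefix_list(name, nets):
    """Prefix-list lines in IOS-style syntax (assumed; adapt to your platform)."""
    lines = [f"ipv6 prefix-list {name} seq {10 * i} permit {n}" for i, n in enumerate(nets, 1)]
    return lines + [f"ipv6 prefix-list {name} seq {10 * (len(nets) + 1)} deny ::/0 le 128"]
```

The `accept ANY` peer comes back with no filter at all, which is exactly the gap slide 79 warns about: the registry only helps where policies and route6 objects are actually registered.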
79. Limitations of the Routing Registry
• Many registries exist, operated by different parties:
- Not all of them mirror each other
- Do you trust the information they provide?
• The IRR system is far from complete
• Resulting filters are hard to maintain and can take a lot of router memory
80. The RIPE NCC involvement in RPKI
• The RIPE NCC is the authority on who is the holder of an Internet Number Resource in our region
- IPv4 and IPv6 address ranges
- Autonomous System Numbers
• Information is kept in the registry
• Accuracy and completeness are key
81. Digital resource certificates
• Issue digital certificates along with the registration of Internet Resources
• Two main purposes:
- Make the registry more robust
- Make Internet Routing more secure
• Validation is the added value
82. Using certificates
• Certification is a free, opt-in service
- Your choice to request a certificate
- Linked to your membership
- Renewed every 12 months
• Certificate does not list any identity information
• Digital proof you are the holder of a resource
83. The PKI system
• The RIRs hold a self-signed root certificate for all the resources that they have in the registry
- They are the trust anchor for the system
• That root certificate is used to sign a certificate that lists your resources
• You can issue child certificates for those resources to your customers
- When making assignments or sub-allocations
85. Which resources are certified?
• Provider Aggregatable (PA) IP addresses
• Provider Independent (PI) addresses marked as “Infrastructure”
• Other resources will be added over time:
- PI addresses for which we have a contract
- ERX resources
86. Route Origination Authorisation (ROA)
• Next to the prefix and the ASN which is allowed to announce it, the ROA contains:
- A minimum prefix length
- A maximum prefix length
- An expiry date
• Multiple ROAs can exist for the same prefix
• ROAs can overlap
87. Publication and validation
• ROAs are published in the same repositories as the certificates and their keys
• You can download them and use software to verify all the cryptographic signatures are valid
- Was this really the owner of the prefix?
• You will end up with a list of prefixes and the ASN that is expected to originate them
- And you can be sure the information comes from the holder of the resources
89. ROA Validation
• You can download all the certificates, public keys and ROAs which form the RPKI
• Software running on your own machine can retrieve and then verify the information
- Cryptographic tools can check all the signatures
• The result is a list of all valid combinations of ASN and prefix, the “validated cache”
90. Reasons for a ROA to be invalid
• The start date is in the future
- Actually this is flagged as an error
• The end date is in the past
- It is expired and the ROA will be ignored
• The signing certificate or key pair has expired or has been revoked
• It does not validate back to a configured trust anchor
91. The Decision Process
• When you receive a BGP announcement from one of your neighbors you can compare this to the validated cache
• There are three possible outcomes:
- Unknown: there is no covering ROA for this prefix
- Valid: a ROA matching the prefix and ASN is found
- Invalid: there is a ROA but it does not match the ASN or the prefix length
92. Modifying the Validated Cache
• The RIPE NCC Validator allows you to manually override the validation process
• Adding an ignore filter will ignore all ROAs for a given prefix
- The end result is the validation state will be “unknown”
• Creating a whitelist entry for a prefix and ASN will locally create a valid ROA
- The end result is the validation state becomes “valid”
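As an added example (not from the slides and not the RIPE NCC Validator's code), this script runs the decision process of slides 90-92 over a small constructed validated cache: expired ROAs are dropped, each announcement is classified as valid, invalid or unknown, and the two local overrides (ignore filter, whitelist) are applied as cache modifications. The ROAs use documentation prefixes and private ASNs, and the ignore filter is assumed to drop every ROA covering the given prefix.

```python
# Added example (not from the slides, not the RIPE NCC Validator): the origin
# validation decision of slides 90-92 over a constructed validated cache.
# Prefixes and ASNs are documentation/private values, not real ROAs.
import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv6Network
    max_length: int
    asn: int
    not_after: date  # expiry date carried in the ROA

CACHE = [  # constructed "validated cache"
    ROA(ipaddress.IPv6Network("2001:db8::/32"), 36, 65550, date(2013, 1, 1)),
    ROA(ipaddress.IPv6Network("2001:db8:f000::/36"), 36, 64496, date(2011, 1, 1)),
]
TODAY = date(2012, 5, 1)

def usable(cache, today):
    """Expired ROAs are ignored, not treated as 'invalid' (slide 90)."""
    return [r for r in cache if r.not_after >= today]

def validate(cache, announced, origin_asn):
    """Outcome for one BGP announcement: 'valid', 'invalid' or 'unknown'."""
    covering = [r for r in cache if announced.subnet_of(r.prefix)]
    if not covering:
        return "unknown"      # no ROA says anything about this prefix
    if any(r.asn == origin_asn and announced.prefixlen <= r.max_length for r in covering):
        return "valid"        # a ROA matches both the ASN and the prefix length
    return "invalid"          # covered, but wrong ASN or more specific than allowed

def decide(announced, origin_asn, cache=CACHE, today=TODAY):
    return validate(usable(cache, today), ipaddress.IPv6Network(announced), origin_asn)

def ignore_filter(cache, prefix):
    """Local override: drop every ROA covering the prefix (assumed semantics),
    so announcements of it fall back to 'unknown'."""
    prefix = ipaddress.IPv6Network(prefix)
    return [r for r in cache if not prefix.subnet_of(r.prefix)]

def whitelist(cache, prefix, asn):
    """Local override: add a locally created, non-expiring ROA so that
    this prefix/ASN pair validates as 'valid'."""
    prefix = ipaddress.IPv6Network(prefix)
    return cache + [ROA(prefix, prefix.prefixlen, asn, date.max)]
```

Note that the expired ROA for 2001:db8:f000::/36 does not make that announcement "unknown": the still-valid covering /32 ROA for AS65550 turns it into "invalid", which is the case where a whitelist entry is needed.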
93. The Decision is Yours
• The Validator is a tool which can help you make informed decisions about routing
• Using it properly can enhance the security and stability of the Internet
• It is your network and you make the final decision
94. Public Testbeds
• A few people allow access to routers that run RPKI and allow you to have a look at it
• RIPE NCC has a Cisco:
- Telnet to rpki-rtr.ripe.net
- User: ripe, no password
• Eurotransit has a Juniper:
- Telnet to 193.34.50.25 or 193.34.50.26
- Username: rpki, password: testbed
(http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources)
95. Roadmap
• Support for non-hosted is still under development by the RIPE NCC
- Expected release will be third quarter 2012
• We can give you access to beta test
- Mail certification@ripe.net if you are interested
• More information will be published on the certification website
- http://www.ripe.net/certification