5. Background
2015/3/3
• In Asia (incl. Japan), the speed of RPKI deployment seems MUCH slower than in the RIPE region.
• We want to accelerate the deployment of RPKI in Japan!
Fig. Number of ROAs, RIPE vs. APNIC (source: http://certification-stats.ripe.net/)
6. RPKI hands-on in Jul. 2014
• RPKI hands-on seminar with JPNIC
• Surveyed RPKI trends among the participants
9. Seminar participants’ voices
• “I can understand how important RPKI is.”
• “But it is difficult to make my bosses and/or managers understand the cost of introducing it.”
• “I felt it is a bit difficult for small ISPs/networks to manage a ROA cache server, both technically and operationally. We want a public one.”
10. JPNAP/JPNIC launched an RPKI ROA public cache
Fig. RPKI ROA public cache. Two ROA cache servers, one at Multifeed (JPNAP) and one at JPNIC, sit in the RPKI ROA Service Segment and are reachable from the Internet. A BGP router in any AS receives ROA information from them, for example:
Prefix-Maxlen: 192.0.2.0/24-24
OriginAS: 64500
Using the rpki-rtr protocol you can receive RPKI ROA cache information from those servers.
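The router-to-cache exchange behind that figure, as an added example (not JPNAP/JPNIC code or any vendor's implementation): an RPKI-RTR encoder/decoder for RFC 6810 protocol version 0, the version in use at the time of this talk. The router sends a Reset Query; the cache answers with Cache Response, one Prefix PDU per ROA and End of Data. The ROA is the one from the figure (192.0.2.0/24-24, AS64500); the session id 0x1234 and serial 7 are constructed values, and no network I/O takes place.

```python
"""Minimal RPKI-RTR (RFC 6810, protocol version 0) PDU encoder/decoder.

Added example, not JPNAP/JPNIC or any vendor's code.  It builds, in memory, the
exchange a router has with a ROA cache: the router sends a Reset Query and the
cache answers Cache Response, one IPv4/IPv6 Prefix PDU per ROA, then End of Data.
The router side parses that reply into validated ROA payloads (VRPs).  No network
I/O; the session id and serial number are constructed values.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

PROTO_VERSION = 0                         # RFC 6810
# PDU types, RFC 6810 section 5 (types 5 and 9 are unassigned)
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET, ERROR_REPORT = 4, 6, 7, 8, 10
FLAG_ANNOUNCE = 0x01                      # flags bit 0: 1 = announce, 0 = withdraw


@dataclass(frozen=True)
class VRP:
    prefix: Net
    maxlen: int
    asn: int
    announce: bool = True


def make_vrp(prefix: str, maxlen: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), maxlen, asn)


def _header(pdu_type: int, field2: int, length: int) -> bytes:
    # version(1) type(1) session-id-or-zero(2) length(4); length includes the header
    return struct.pack("!BBHI", PROTO_VERSION, pdu_type, field2, length)


def encode_reset_query() -> bytes:
    return _header(RESET_QUERY, 0, 8)


def encode_prefix(vrp: VRP) -> bytes:
    flags = FLAG_ANNOUNCE if vrp.announce else 0
    addr = vrp.prefix.network_address.packed            # 4 or 16 bytes
    body = struct.pack(f"!BBBB{len(addr)}sI", flags, vrp.prefix.prefixlen,
                       vrp.maxlen, 0, addr, vrp.asn)
    ptype = IPV4_PREFIX if vrp.prefix.version == 4 else IPV6_PREFIX
    return _header(ptype, 0, 8 + len(body)) + body      # 20 bytes v4, 32 bytes v6


def cache_reply(session_id: int, serial: int, vrps: Iterable[VRP]) -> bytes:
    """Everything the cache sends in answer to a Reset Query."""
    return (_header(CACHE_RESPONSE, session_id, 8)
            + b"".join(encode_prefix(v) for v in vrps)
            + _header(END_OF_DATA, session_id, 12) + struct.pack("!I", serial))


def decode_stream(data: bytes) -> Tuple[Optional[int], Optional[int], List[VRP]]:
    """Router side: parse a reply stream into (session_id, serial, [VRP]).

    Rejects truncated or inconsistent PDUs instead of guessing; data from a
    shared public cache is exactly the kind of input to parse strictly.
    """
    vrps: List[VRP] = []
    session_id = serial = None
    pos = 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError("truncated PDU header")
        version, ptype, field2, length = struct.unpack_from("!BBHI", data, pos)
        if version != PROTO_VERSION:
            raise ValueError(f"unsupported protocol version {version}")
        if length < 8 or pos + length > len(data):
            raise ValueError("bad PDU length")
        body = data[pos + 8:pos + length]
        if ptype == CACHE_RESPONSE:
            session_id = field2
        elif ptype in (IPV4_PREFIX, IPV6_PREFIX):
            addr_len = 4 if ptype == IPV4_PREFIX else 16
            if length != 16 + addr_len:
                raise ValueError("bad prefix PDU length")
            flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", body, 0)
            if not plen <= maxlen <= addr_len * 8:
                raise ValueError("prefix length / maxlen out of range")
            addr = body[4:4 + addr_len]
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            net = ipaddress.ip_network((addr, plen))
            vrps.append(VRP(net, maxlen, asn, bool(flags & FLAG_ANNOUNCE)))
        elif ptype == END_OF_DATA:
            if length != 12 or field2 != session_id:
                raise ValueError("End of Data does not match Cache Response")
            (serial,) = struct.unpack_from("!I", body, 0)
        elif ptype == ERROR_REPORT:
            raise ValueError("cache sent an Error Report")
        # Serial Notify, Cache Reset etc. carry no VRPs and are skipped here.
        pos += length
    return session_id, serial, vrps


# Constructed sample: the ROA from the figure above.
SAMPLE_VRPS = [make_vrp("192.0.2.0/24", 24, 64500)]


def demo() -> Tuple[bytes, Tuple[Optional[int], Optional[int], List[VRP]]]:
    query = encode_reset_query()                       # router -> cache
    reply = cache_reply(0x1234, 7, SAMPLE_VRPS)        # cache -> router
    return query, decode_stream(reply)


if __name__ == "__main__":
    q, (sid, ser, got) = demo()
    print("reset query:", q.hex())
    print("session", hex(sid), "serial", ser, "vrps", got)
```

Running it prints the 8-byte Reset Query and the single VRP recovered from the cache's reply. Note that nothing in these PDUs authenticates the cache: over plain tcp:323 a router takes whatever VRPs arrive, which is why the transport to a public cache matters (see the Issues below).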
15. Issues
• We cannot provide RPKI information from ARIN
• ARIN’s RPA (Relying Party Agreement) currently prohibits providing their data to a third party.
• TLS encryption of RPKI-RTR (tcp:323) is not well supported for now
• When using a public cache, it is important to encrypt the transferred data.
• Currently, Cisco, Juniper and Alcatel do not support the rpki-rtr-tls protocol.
• Strange behavior on JUNOS devices
• When you enable validation on JUNOS routers, they unexpectedly start listening on tcp:2222.
• It’s intended for router-internal use only(?)
• Be sure to filter out access to that port from the Internet. Otherwise your router will suffer from scans/attacks targeting ssh on port 2222, and may crash in the worst case. Horrible.
16. Issues
• Strange behavior on Cisco CSRs
• “show ip bgp” / “show ip bgp ipv6 unicast” show all routes as VALID (they should be NOT FOUND) when
• 1. your router has one or more BGP routes, and
• 2. you first enable RPKI, and
• 3. no ROA record has been received from the ROA cache server.
• Once ANY ROA is received, all validation states are shown correctly, as expected.
• Cf. JUNOS shows those routes as “Unverified”
• Weird. Maybe a bug?
• Observed on Cisco CSR/IOS-XE version 03.12.00.S
• Workarounds:
• Router reload
• BGP reset
• Shut down BGP before configuring RPKI
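What the CSR should have shown, as an added example that is not Cisco or Juniper code: RFC 6811 route origin validation over a cache's VRPs. A VRP covers a route when the route prefix lies within the VRP prefix; it matches when it also satisfies maxlen and the origin AS. Any match gives VALID, coverage without a match gives INVALID, and no coverage at all gives NOT FOUND (JUNOS: “Unverified”). With an empty cache the last branch applies to every route, so reporting VALID there is fail-open: a policy that prefers or only permits VALID routes would be trusting routes nothing has checked. The VRPs and routes below are constructed sample data, starting from the ROA in the JPNAP figure.

```python
"""RFC 6811 route origin validation against a ROA cache's validated ROA payloads.

Added example, not Cisco or Juniper code.  A VRP "covers" a route when the route
prefix lies within the VRP prefix; it "matches" when it covers, the route length
is <= maxlen and the origin AS equals the VRP AS.  Any match -> VALID; covered but
no match -> INVALID; no covering VRP at all -> NOT FOUND.  With an empty cache the
last branch applies to every route.
"""
import ipaddress
from typing import Dict, Iterable, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
VRP = Tuple[str, int, int]        # (prefix, maxlen, origin AS)
Route = Tuple[str, int]           # (prefix, origin AS as seen at the end of AS_PATH)

VALID, INVALID, NOT_FOUND = "VALID", "INVALID", "NOT FOUND"


def validate(route: Route, vrps: Iterable[VRP]) -> str:
    prefix, origin_as = route
    net: Net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, maxlen, vrp_as in vrps:
        vrp_net: Net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != net.version or not net.subnet_of(vrp_net):
            continue                  # different family or not inside: no coverage
        covered = True
        # AS 0 VRPs (RFC 7607) never match, so they can only make routes INVALID.
        if net.prefixlen <= maxlen and vrp_as == origin_as and vrp_as != 0:
            return VALID
    return INVALID if covered else NOT_FOUND


def validate_table(routes: Iterable[Route], vrps: Iterable[VRP]) -> Dict[Route, str]:
    vrps = list(vrps)                 # the VRP set is scanned once per route
    return {r: validate(r, vrps) for r in routes}


# Constructed sample data: the ROA from the JPNAP figure plus a covering /23 ROA.
SAMPLE_VRPS = [("192.0.2.0/24", 24, 64500), ("192.0.2.0/23", 24, 64499)]
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),      # matches the /24 ROA             -> VALID
    ("192.0.2.0/25", 64500),      # covered, but /25 exceeds maxlen -> INVALID
    ("192.0.2.0/24", 64501),      # covered, wrong origin AS        -> INVALID
    ("192.0.3.0/24", 64499),      # matches the /23-24 ROA          -> VALID
    ("198.51.100.0/24", 64500),   # no covering ROA                 -> NOT FOUND
]


def demo_with_cache() -> Dict[Route, str]:
    return validate_table(SAMPLE_ROUTES, SAMPLE_VRPS)


def demo_empty_cache() -> Dict[Route, str]:
    # "RPKI just enabled, nothing received yet": no ROA covers anything, so the
    # only correct state for every route is NOT FOUND, never VALID.
    return validate_table(SAMPLE_ROUTES, [])


if __name__ == "__main__":
    for route, state in demo_with_cache().items():
        print(f"{route[0]:18} AS{route[1]}  {state}")
    print("empty cache:", set(demo_empty_cache().values()))
```

The second sample route is the classic maxlen trap: 192.0.2.0/25 is inside a ROA for 192.0.2.0/24-24 issued to the same AS, yet it is INVALID because the ROA does not permit a /25. Use it to confirm that a router or cache you test applies maxlen and does not just match on coverage.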
17. Step by Step RPKI deployment on JPNAP
Fig. Step by step RPKI deployment on JPNAP (AS7521). The RPKI testbed segment holds Juniper and Cisco ROA cache servers fed from the five RIRs (ARIN, RIPE, APNIC, LACNIC, AFRINIC); ISPs connect to the Internet and to the JPNAP RFEED route-server.
STEP 1
1-1. Main: the ISP’s own ROA cache; secondary: the JPNAP ROA cache for backup
1-2. At the initial stage, an ISP uses the JPNAP ROA cache (for those who think it is difficult to operate one themselves)
STEP 2
2-1. How to see our routes at an RPKI router?
2-2. How to see our routes at a Juniper RPKI-validated router?
STEP 3
3. RPKI validation at the JPNAP route-server