SlideShare a Scribd company logo

btNOG 6: Securing Internet Routing

APNIC
APNIC

APNIC Senior Network Analyst and Training Manager Tashi Phuntsho presents on why securing Internet routing is important, and outlines some tools and techniques that can help network operators.

Internet
1 of 33
Download to read offline
1 v1.01 Securing Internet Routing Tashi Phuntsho (tashi@apnic.net) Senior Network Janitor/Technical Trainer
2 v1.02 Why should we bother? • As a Manager q I don’t want to be front page news of a IT paper, or an actual newspaper for routing errors
3 v1.03 Headlines https://blog.thousandeyes.com/internet-vulnerability-takes-down-google/
4 v1.04 Headlines https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies
5 v1.05 Headlines After leak (JP->JP) After leak (EU->EU) https://dyn.com/blog/large-bgp-leak-by-google-disrupts-internet-in-japan/
6 v1.06 Headlines
7 v1.07 Why do we keep seeing these? • Because NO ONE is in charge? q No single authority model for the Internet q No reference point for what’s right in routing
8 v1.08 Why do we keep seeing these? • Routing works by RUMOUR q Tell what you know to your neighbors, and Learn what your neighbors know q Assume everyone is correct (and honest) § Is the originating network the rightful owner?
9 v1.09 Why do we keep seeing these? • Routing is VARIABLE q The view of the network depends on where you are § Different routing outcomes at different locations q ~ no reference view to compare the local view L
10 v1.010 Why do we keep seeing these? • Routing works in REVERSE q Outbound advertisement affects inbound traffic q Inbound (Accepted) advertisement influence outbound traffic
11 v1.011 Why do we keep seeing these? • And as always, there is no E-bit q A bad routing update does not identify itself as BAD • So tools/techniques try to identify GOOD updates
12 v1.012 Why should we worry? • Because it’s just so easy to do bad in routing! By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=42515224
13 v1.013 Why should we bother? • As a Engineer q I don’t want to be told at 3AM my routing is broken q Or while on a holiday
14 v1.014 Current practice Peering/Transit Request LOA Check Filters (in/out)
15 v1.015 Tools & Techniques LOA Check Whois (manual) Letter of Authority IRR (RPSL)
16 v1.016 Tools & Techniques • Look up whois q verify holder of a resource
17 v1.017 Tools & Techniques • Ask for a Letter of Authority q Absolve from any liabilities
18 v1.018 Tools & Techniques • Look up/ask to enter details in internet routing registries (IRR) q describes route origination and inter-AS routing policies
19 v1.019 Tools & Techniques • IRR q Helps auto generate network (prefix/as-path) filters using RPSL tools § Filter out route advertisements not described in the registry
20 v1.020 Tools & Techniques • Problem(s) with IRR q No single authority model § How do I know if a RR entry is genuine and correct? § How do I differentiate between a current and a lapsed entry? q Many RRs § If two RRs contain conflicting data, which one do I trust and use? q Incomplete data - Not all resources are registered in an IRR § If a route is not in a RR, is the route invalid or is the RR just missing data? q Scaling § How do I apply IRR filters to upstream(s)?
21 v1.021 Back to basics – identifying GOOD • Using digital signatures to convey the “authority to use”? q A private key to sign the authority, and q the public key to validate that authority
22 v1.022 How about trust in this framework? • Follows the resource allocation/delegation hierarchy IANA à RIRs à NIRs/LIRs à End Holders | V End Holders
23 v1.023 RPKI Chain of Trust IANA RIPE-NCCLACNICARIN APNICAFRINIC NIR ISP ISP ISP ISP Allocation Hierarchy Trust Anchor Certificate Certificate chain mirrors the allocation hierarchy Cert (CA) Cert (EE) Cert (EE) Cert (EE) Cert (EE) Cert (CA) Cert (CA) Image 4
24 v1.024 Resource Certificates • When an address holder A (*IRs) allocates resources (IP address/ASN) to B (end holders) q A issues a resource certificate that binds the allocated address with B’s public key, all signed by A’s (CA) private key q proves the holder of the private key (B) is the legitimate holder of the resource!
25 v1.025 Route Origin Authorization (ROA) • B can now sign authorities using its private key, which can be validated by any third party against the TA • For routing, the address holder can authorize a network (ASN) to originate a route, and sign this permission with its private key (ROA) Prefix 203.176.32.0/19 Max-length /24 Origin ASN AS17821
26 v1.026 Route Origin Validation (ROV) RPKI-to-Router (RtR) rsync/RRDP RPKI Validator/ RPKI Cache server 2406:6400::/32-48 17821 .1/:1 .2/:2 AS17821 ASXXXX Global (RPKI) Repository ROA 2406:6400::/32-48 17821 TA TA TA 2406:6400::/48
27 v1.027 Are ROAs enough? • What if I forge the origin AS in the AS path? q Would be accepted as “good” – pass origin validation! • Which means, we need to secure the AS path as well q Need AS path validation (per-prefix)
28 v1.028 AS path validation - BGPsec AS1 AS2 AS3 AS4 AS1 -> AS2 (Signed AS1) AS1 -> AS2 (Signed AS1) AS2->AS3 (signed AS2) AS1 -> AS2 (Signed AS1) AS2->AS4 (signed AS2) q A BGPsec speaker validates the received update by checking: § If there is a ROA that describes the prefix and origin AS § If the received AS path can be validated as a chain of signatures (for each AS in the AS path) using the AS keys
29 v1.029 AS path validation issues… • More resources q CPU - high crypto overhead to validate signatures, and q Memory § Updates in BGPsec would be per prefix § New attributes carrying signatures and certs/key-id for every AS in the AS path • How do we distribute the certificates required? • Can we have partial adoption? • Given so much overhead, can it do more - Route leaks?
30 v1.030 What can we do? • Basic BGP OpSec hygiene – RFC7454/RFC8212 q RFC 8212 – BGP default reject or something similar q Filters with your customers and peers § Prefix filters, Prefix limit § AS-PATH filters, AS-PATH limit § Use IRR objects (source option) or ROA-to-IRR q Filter what you receive from your upstream(s) q Create ROAs for your resources q Filter inbound routes based on ROAs -> ROV • Join industry initiatives like MANRS § https://www.manrs.org/
31 v1.031 ROV – Industry trends dropping Invalids!
32 v1.032 Acknowledgement 5280 • Geoff Huston, APNIC • Randy Bush, IIJ Labs/Arrcus
33 v1.033 Any questions?

Recommended

MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingAPNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
Routing Security Considerations
Routing Security ConsiderationsRouting Security Considerations
Routing Security ConsiderationsCSUC - Consorci de Serveis Universitaris de Catalunya
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 

Recommended

MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingAPNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
Routing Security Considerations
Routing Security ConsiderationsRouting Security Considerations
Routing Security ConsiderationsCSUC - Consorci de Serveis Universitaris de Catalunya
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPROIDEA
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing APNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusAPNIC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationAPNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC
 
Bgp security 2
Bgp security 2Bgp security 2
Bgp security 2Manju Devaraj
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
VNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingVNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingAPNIC
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingAPNIC
 
LkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingLkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingAPNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
 

More Related Content

What's hot

PLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPROIDEA
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing APNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusAPNIC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationAPNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC
 

What's hot (15)

PLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI status
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generation
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
 
APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017
 
Bgp security 2
Bgp security 2Bgp security 2
Bgp security 2
 

Similar to btNOG 6: Securing Internet Routing

APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
VNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingVNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingAPNIC
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingAPNIC
 
LkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingLkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingAPNIC
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs APNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfRIPE NCC
 
Smart networking with service meshes
Smart networking with service meshes Smart networking with service meshes
Smart networking with service meshes Mitchell Pronschinske
 
RIPE 84: Revocation
RIPE 84: RevocationRIPE 84: Revocation
RIPE 84: RevocationAPNIC
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust AnchorAPNIC
 

Similar to btNOG 6: Securing Internet Routing (20)

APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
VNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingVNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet Routing
 
Routing Security
Routing SecurityRouting Security
Routing Security
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet Routing
 
LkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingLkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet Routing
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)Security
 
RPKI
RPKIRPKI
RPKI
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 
Smart networking with service meshes
Smart networking with service meshes Smart networking with service meshes
Smart networking with service meshes
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
RIPE 84: Revocation
RIPE 84: RevocationRIPE 84: Revocation
RIPE 84: Revocation
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust Anchor
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 

Recently uploaded (20)

How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 

btNOG 6: Securing Internet Routing

  • 1. 1 v1.01 Securing Internet Routing Tashi Phuntsho (tashi@apnic.net) Senior Network Janitor/Technical Trainer
  • 2. 2 v1.02 Why should we bother? • As a Manager q I don’t want to be front page news of a IT paper, or an actual newspaper for routing errors
  • 5. 5 v1.05 Headlines After leak (JP->JP) After leak (EU->EU) https://dyn.com/blog/large-bgp-leak-by-google-disrupts-internet-in-japan/
  • 7. 7 v1.07 Why do we keep seeing these? • Because NO ONE is in charge? q No single authority model for the Internet q No reference point for what’s right in routing
  • 8. 8 v1.08 Why do we keep seeing these? • Routing works by RUMOUR q Tell what you know to your neighbors, and Learn what your neighbors know q Assume everyone is correct (and honest) § Is the originating network the rightful owner?
  • 9. 9 v1.09 Why do we keep seeing these? • Routing is VARIABLE q The view of the network depends on where you are § Different routing outcomes at different locations q ~ no reference view to compare the local view L
  • 10. 10 v1.010 Why do we keep seeing these? • Routing works in REVERSE q Outbound advertisement affects inbound traffic q Inbound (Accepted) advertisement influence outbound traffic
  • 11. 11 v1.011 Why do we keep seeing these? • And as always, there is no E-bit q A bad routing update does not identify itself as BAD • So tools/techniques try to identify GOOD updates
  • 12. 12 v1.012 Why should we worry? • Because it’s just so easy to do bad in routing! By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=42515224
  • 13. 13 v1.013 Why should we bother? • As a Engineer q I don’t want to be told at 3AM my routing is broken q Or while on a holiday
  • 15. 15 v1.015 Tools & Techniques LOA Check Whois (manual) Letter of Authority IRR (RPSL)
  • 16. 16 v1.016 Tools & Techniques • Look up whois q verify holder of a resource
  • 17. 17 v1.017 Tools & Techniques • Ask for a Letter of Authority q Absolve from any liabilities
  • 18. 18 v1.018 Tools & Techniques • Look up/ask to enter details in internet routing registries (IRR) q describes route origination and inter-AS routing policies
  • 19. 19 v1.019 Tools & Techniques • IRR q Helps auto generate network (prefix/as-path) filters using RPSL tools § Filter out route advertisements not described in the registry
  • 20. 20 v1.020 Tools & Techniques • Problem(s) with IRR q No single authority model § How do I know if a RR entry is genuine and correct? § How do I differentiate between a current and a lapsed entry? q Many RRs § If two RRs contain conflicting data, which one do I trust and use? q Incomplete data - Not all resources are registered in an IRR § If a route is not in a RR, is the route invalid or is the RR just missing data? q Scaling § How do I apply IRR filters to upstream(s)?
  • 21. 21 v1.021 Back to basics – identifying GOOD • Using digital signatures to convey the “authority to use”? q A private key to sign the authority, and q the public key to validate that authority
  • 22. 22 v1.022 How about trust in this framework? • Follows the resource allocation/delegation hierarchy IANA à RIRs à NIRs/LIRs à End Holders | V End Holders
  • 23. 23 v1.023 RPKI Chain of Trust IANA RIPE-NCCLACNICARIN APNICAFRINIC NIR ISP ISP ISP ISP Allocation Hierarchy Trust Anchor Certificate Certificate chain mirrors the allocation hierarchy Cert (CA) Cert (EE) Cert (EE) Cert (EE) Cert (EE) Cert (CA) Cert (CA) Image 4
  • 24. 24 v1.024 Resource Certificates • When an address holder A (*IRs) allocates resources (IP address/ASN) to B (end holders) q A issues a resource certificate that binds the allocated address with B’s public key, all signed by A’s (CA) private key q proves the holder of the private key (B) is the legitimate holder of the resource!
  • 25. 25 v1.025 Route Origin Authorization (ROA) • B can now sign authorities using its private key, which can be validated by any third party against the TA • For routing, the address holder can authorize a network (ASN) to originate a route, and sign this permission with its private key (ROA) Prefix 203.176.32.0/19 Max-length /24 Origin ASN AS17821
  • 26. 26 v1.026 Route Origin Validation (ROV) RPKI-to-Router (RtR) rsync/RRDP RPKI Validator/ RPKI Cache server 2406:6400::/32-48 17821 .1/:1 .2/:2 AS17821 ASXXXX Global (RPKI) Repository ROA 2406:6400::/32-48 17821 TA TA TA 2406:6400::/48
  • 27. 27 v1.027 Are ROAs enough? • What if I forge the origin AS in the AS path? q Would be accepted as “good” – pass origin validation! • Which means, we need to secure the AS path as well q Need AS path validation (per-prefix)
  • 28. 28 v1.028 AS path validation - BGPsec AS1 AS2 AS3 AS4 AS1 -> AS2 (Signed AS1) AS1 -> AS2 (Signed AS1) AS2->AS3 (signed AS2) AS1 -> AS2 (Signed AS1) AS2->AS4 (signed AS2) q A BGPsec speaker validates the received update by checking: § If there is a ROA that describes the prefix and origin AS § If the received AS path can be validated as a chain of signatures (for each AS in the AS path) using the AS keys
  • 29. 29 v1.029 AS path validation issues… • More resources q CPU - high crypto overhead to validate signatures, and q Memory § Updates in BGPsec would be per prefix § New attributes carrying signatures and certs/key-id for every AS in the AS path • How do we distribute the certificates required? • Can we have partial adoption? • Given so much overhead, can it do more - Route leaks?
  • 30. 30 v1.030 What can we do? • Basic BGP OpSec hygiene – RFC7454/RFC8212 q RFC 8212 – BGP default reject or something similar q Filters with your customers and peers § Prefix filters, Prefix limit § AS-PATH filters, AS-PATH limit § Use IRR objects (source option) or ROA-to-IRR q Filter what you receive from your upstream(s) q Create ROAs for your resources q Filter inbound routes based on ROAs -> ROV • Join industry initiatives like MANRS § https://www.manrs.org/
  • 31. 31 v1.031 ROV – Industry trends dropping Invalids!
  • 32. 32 v1.032 Acknowledgement 5280 • Geoff Huston, APNIC • Randy Bush, IIJ Labs/Arrcus