12. Tools & Techniques
• Look up/ask to enter details in IRR
– describes route origination and inter-AS routing policies
13. Tools & Techniques
• IRR
– Helps generate network (prefix & AS-path) filters using RPSL tools
• Filter out route advertisements not described in the registry
14. IRR Issues
• No single authority model
• How do I know an RR entry is genuine/correct?
• Too many RRs
• If two RRs have conflicting data, which one do I trust?
• Incomplete data
– If a route is not in an RR, is the route
• Invalid, or
• Is the RR just missing data?
15. Enter the RPKI framework
[Diagram: a validator fetches the RPKI repository over rsync/RRDP and feeds routers over RPKI-to-Router (RTR). ROA: 2406:6400::/32-48, origin AS17821. Route 2406:6400::/48 with path "65551 65550 17821 i" (origin AS17821) is marked Valid; route 2406:6400::/48 with path "65553 65552 i" (origin AS65552) is marked Invalid.]
17. ROA considerations
• Max length attribute
– Minimal ROA
• ROAs to cover only those prefixes announced in BGP
• https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
– Reduces spoofed origin-AS attack surface
[Chart: Invalids (Max Length), IPv4 and IPv6, Dec'19 to Aug'20; y-axis 0 to 6000]
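The validation the diagram and the max-length bullets describe, as an added example in Python (not code from the slides or from any of the validators named later): RFC 6811 route origin validation over a ROA set, honouring maxLength, treating an AS0 ROA as a negative attestation, and mapping the result to the RFC 7115 preference order. The 2406:6400::/32-48 ROA and the two 2406:6400::/48 routes use the slide's values; the 2001:db8 ROAs, the AS64496 origin and the LOCAL_PREF numbers are constructed.

```python
"""Route Origin Validation (RFC 6811) over a ROA set, maxLength included. Assumed model:
ROA = (prefix, origin AS, optional maxLength); route origin = rightmost ASN in AS_PATH."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID, NOT_FOUND, INVALID = "Valid", "NotFound", "Invalid"
LOCAL_PREF = {VALID: 200, NOT_FOUND: 100, INVALID: 50}  # RFC 7115 order (constructed values)

@dataclass(frozen=True)
class ROA:
    prefix: str
    origin_as: int
    max_length: Optional[int] = None  # None = minimal ROA (maxLength == prefix length)

def rov_state(prefix: str, as_path: List[int], roas: List[ROA]) -> str:
    """Classify one route as Valid, NotFound or Invalid (RFC 6811 section 2)."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1] if as_path else None
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only if its prefix contains the route prefix
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        max_len = roa.max_length if roa.max_length is not None else roa_net.prefixlen
        # An AS0 ROA (RFC 6483) matches no real origin, so it can only make routes Invalid
        if roa.origin_as != 0 and roa.origin_as == origin and net.prefixlen <= max_len:
            return VALID
    return INVALID if covered else NOT_FOUND

def apply_policy(prefix: str, as_path: List[int], roas: List[ROA],
                 drop_invalid: bool = False) -> Tuple[str, Optional[int]]:
    """Return (state, LOCAL_PREF); LOCAL_PREF is None when the route is dropped."""
    state = rov_state(prefix, as_path, roas)
    if drop_invalid and state == INVALID:
        return state, None
    return state, LOCAL_PREF[state]

ROAS = [
    ROA("2406:6400::/32", 17821, max_length=48),  # slide's ROA: 2406:6400::/32-48, AS17821
    ROA("2001:db8:ffff::/48", 0),                 # AS0 negative attestation (constructed)
    ROA("2001:db8:ffff::/48", 64496),             # overrides the AS0 ROA for origin AS64496
]

if __name__ == "__main__":
    for pfx, path in [("2406:6400::/48", [65551, 65550, 17821]), ("2406:6400::/48", [65553, 65552]),
                      ("2406:6400::/56", [65551, 17821]), ("2001:db8::/32", [65551])]:
        print(pfx, path, apply_policy(pfx, path, ROAS, drop_invalid=True))
```

The /56 case shows why a loose maxLength matters: a more specific announced by the legitimate origin but beyond the ROA's maxLength is still Invalid, which is the "Invalids (Max Length)" population in the chart.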
18. ROA considerations
• Know your network (origin AS)
– Do you have multiple ASes?
• Are they independent ASes? or
• Transit AS + multiple Access ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
[Chart: Invalids (Origin AS), IPv4 and IPv6, Dec'19 to Aug'20; y-axis 0 to 2500]
19. Implementation
• Run your own RPKI validator:
– Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
– RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.7.1
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
– Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
20. Validator considerations
• Securing the RTR session
– Plain text (TCP)
• run within your routing domain
– Other auth options
• SSH (v2)
• MD5 auth
• IPsec
• TLS
• TCP-AO
21. Validator considerations
• When the RTR session fails
– Cached ROAs are kept only until the expire interval of the ROA cache runs out
• JunOS/SR-OS: 3600s, IOS-XE: 300s (RFC min ~ 600s)
– After that, every route defaults to NOT FOUND
• Including routes that were Invalid
– Hence, run at least 2 x Validators (RTR sessions)
23. Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Example: IOS-XE won't use Invalids for best path selection
IOS-XE:
  router bgp 131107
   bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>

JunOS:
  routing-options {
      autonomous-system 131107;
      validation {
          group rpki-validator {
              session <validatorIP> {
                  refresh-time <secs>;
                  port <323/3323/8282>;
                  local-address X.X.X.X;
              }
          }
      }
  }

IOS-XR:
  router bgp 131107
   rpki server <validatorIP>
    transport tcp port <323/3323/8282>
    refresh-time <secs>
24. Implementation
• Acting on the validation states
– Tag and do nothing, e.g. where you have downstream customers or run a route server at IXPs:
[Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)]
– RFC7115
• Prefer “Valid > Not Found > Invalid”
– Drop Invalids
• ~6K IPv4 and ~3K IPv6 routes
26. Other developments
• ROA with AS-0 origin (RFC6483/RFC7607)
– Negative attestation
• No valid ASN has been granted authority
• Not to be routed (Ex - IXP LAN prefixes)
– Overridden by another ROA
• with an origin AS other than AS-0
– Prop-132: unallocated/unassigned APNIC space
• Similar to RFC6491 for special-use/reserved/unallocated
27. So, what can we all do?
• Basic BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs (ROV)
• Join industry initiatives like MANRS
• https://www.manrs.org/