APNIC Training Delivery Manager Tashi Phuntsho explains why it is important to secure Internet routing at HKNOG 9.0, held online on 25 September 2020.

1. 1
(the trouble with)
Securing the Internet Routing
Tashi Phuntsho (tashi@apnic.net)
Senior Network Analyst/Technical Trainer

2. 22
Headlines
https://bgpstream.com/event/245265
• AS10990 (Tulix) hijacks/leaks 200+
more specifics
• Mostly North American ASNs
• > 2 hours
– AS1299 (Telia)
• accepted and propagated the leak
• ** No prefix filters/no ROAs for any of the prefixes
104.230.0.0/18 206313 6724 1299 7219 10990
104.230.64.0/18 206313 6724 1299 7219 10990
107.184.0.0/16 206313 6724 1299 7219 10990
107.185.0.0/16 206313 6724 1299 7219 10990
107.189.192.0/19 206313 6724 1299 7219 10990
107.189.224.0/19 206313 6724 1299 7219 10990
BGP Optimizer Strikes (again) – 30 July 2020
https://radar.qrator.net/blog/as10990-routing-optimization-tale

3. 33
Headlines
https://blog.qrator.net/en/how-you-deal-route-leaks_69/
https://twitter.com/bgpmon/status/1246842916502302723?s=21

4. 44
Headlines
https://twitter.com/atoonk/status/1143143943531454464/photo/1 https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/amp/

5. 55
Headlines
https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies

6. 66
Headlines
After (JP->JP)
https://dyn.com/blog/large-bgp-leak-by-google-disrupts-internet-in-japan/
Before (JP->JP)

7. 77
Headlines

8. 88
Why do we keep seeing these?
• As always, there is no Evil bit (RFC3514)
– a bad routing update does not identify itself as BAD

9. 99
Current Practice
Peering/Transit
Request
LOA Check
Filters (in/out)
LOA Check
Whois
(manual)
Letter of
Authority
IRR (RPSL)

10. 1010
Tools & Techniques
• Look up whois
– verify holder of a resource

11. 1111
Tools & Techniques
• Ask for a Letter of Authority
– Absolve from any liabilities

12. 1212
Tools & Techniques
• Look up/ask to enter
details in IRR
– describes route origination
and inter-AS routing policies

13. 1313
Tools & Techniques
• IRR
– Helps generate network (prefix & as-path) filters using RPSL
tools
• Filter out route advertisements not described in the registry

14. 14
IRR Issues
• No single authority model
• How do I know an RR entry is
genuine/correct?
• Too many RRs
• If two RRs have conflicting data, which
one do I trust?
• Incomplete data
– If a route is not in a RR, is the
route
• Invalid, or
• Is the RR just missing data?

15. 1515
Enter the RPKI framework
1782165550
2406:6400::/48
65551
2406:6400::/48 65551 65550 17821 i
6555265553
2406:6400::/48
2406:6400::/48 65553 65552 i
rsync/RRDP
RPKI
Repo
RPKI-to-Router
(RTR)
2406:6400::/32-48
17821
ROA
2406:6400::/32-48
17821
Invalid
Valid
Validator

16. 1616
Implementation
• Sign your route origins (create your ROAs)
Prefix 2406:6400::/32
Max-length /36
Origin ASN AS45192

17. 1717
ROA considerations
• Max length attribute
– Minimal ROA
• ROAs to cover only those prefixes announced in BGP
• https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
– Reduces spoofed origin-AS attack surface
0
1000
2000
3000
4000
5000
6000
Dec'19 Jan'20 Feb'20 May'20 July'20 Aug'20
Invalids (Max Length)
IPv4 IPv6

18. 1818
ROA considerations
• Know your network (origin AS)
– Do you have multiple ASes?
• Are they independent ASes? or
• Transit AS + multiple Access ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
0
500
1000
1500
2000
2500
Dec'19 Jan'20 Feb'20 May'20 July'20 Aug'20
Invalids (Origin AS)
IPv4 IPv6

19. 1919
Implementation
• Run your own RPKI validator:
– Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
– RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.7.1
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
– Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/

20. 2020
Validator considerations
• Securing the RTR session
– Plain text (TCP)
• run within your routing domain
– Other auth options
• SSH (v2)
• MD5 auth
• IPsec
• TLS
• TCP-AO

21. 2121
Validator considerations
• When RTR session fails
– Based on the expire interval of ROA cache
• JunOS/SR-OS: 3600s, IOS-XE: 300s (RFC min ~ 600s)
– Defaults to NOT FOUND
• Including Invalids
– Hence, at least 2 x Validators (RTR sessions)

22. 2222
Validator considerations
• VRP output

23. 2323
Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Example: IOS-XE wont use Invalids for best path selection
router bgp 131107
bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
routing-options {
autonomous-system 131107;
validation {
group rpki-validator {
session <validatorIP> {
refresh-time <secs>;
port <323/3323/8282>;
local-address X.X.X.X;
}
}
}
}
router bgp 131107
rpki server <validatorIP>
transport tcp port <323/3323/8282>
refresh-time <secs>

24. 2424
Implementation
• Acting on the Validation states
– Tag & do nothing~ You have downstream/route server @IXPs
[Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)]
– RFC7115
• Prefer “Valid > Not Found > Invalid”
– Drop Invalids
• ~6K IPv4 and ~3K IPv6 routes

25. 2525
Operational Considerations
• Default routes?
– Will match anything ~ Invalids

26. 2626
Other developments
• ROA with AS-0 origin (RFC6483/RFC7607)
– Negative attestation
• No valid ASN has been granted authority
• Not to be routed (Ex - IXP LAN prefixes)
– Overridden by another ROA
• with an origin AS other than AS-0
– Prop-132: unallocated/unassigned APNIC space
• Similar to RFC6491 for special-use/reserved/unallocated

27. 2727
So, what can we all do?
• Basic BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs à ROV
• Join industry initiatives like MANRS
• https://www.manrs.org/

28. 2828
HK focus
NOT FOUND
AFRINIC APNIC ARIN RIPE CNNIC IDNIC JPNIC KRNIC TWNIC VNNIC
IPv4 3824 9205 569 435 509 4 3 8 26 1
IPv6 1 389 21 13 25
~15K
INVALIDS
AFRINIC APNIC ARIN LACNIC RIPE CNNIC TWNIC
IPv4 5 34 1 1 24 3 7
IPv6 5
~500

29. 2929
Acknowledgement
• Geoff Huston, APNIC
• Randy Bush, IIJ Labs/Arrcus

30. 30
THANK YOU