SlideShare a Scribd company logo

KHNOG 5: RPKI Status Update

APNIC
APNIC

APNIC Technical Trainer Makito Lay presents an update on the status of RPKI in Cambodia and in South East Asia at KHNOG 5, held in Phnom Penh, Cambodia on 22 October 2023.

1 of 25
Download to read offline
v1.2
1
RPKI Status Updates
Presented by: Makito Lay
Phnom Penh, Cambodia | 22 October 2023
KHNOG 5 Conference
v1.2
2
Agenda
• Internet Routing and BGP Hijack
• What is RPKI?
• ROA Coverage in Asia / South-Eastern Asia / Cambodia
• Common Issues after ROA Creation
• ROV Adoption in Cambodia
• Recommendations
v1.2
3
Internet Routing
Source: Screenshot taken from “3.5.3.4 Packet Tracer - Configure and Verify eBGP.pka”
example from Connecting Networks Cisco Networking Academy course
v1.2
4
Internet Routing
v1.2
5
Internet Routing
v1.2
6
BGP Hijack
• Announcing a more
specific path.
• Announcing an address
space that is owned by
someone else.
Source: Williams, R. (2015). street signs being stolen [Image].
https://media.apnarm.net.au/media/images/2015/02/06/IQT_06-02-
2015_NEWS_05_STOLENSIGNS1_t1880.jpg

Recommended

HKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK NetworksHKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK NetworksAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 
Communicasia2017: IPv6 measurements
Communicasia2017: IPv6 measurementsCommunicasia2017: IPv6 measurements
Communicasia2017: IPv6 measurementsAPNIC
 
IETF 103: Measuring the KSK Roll
IETF 103: Measuring the KSK RollIETF 103: Measuring the KSK Roll
IETF 103: Measuring the KSK RollAPNIC
 

More Related Content

Similar to KHNOG 5: RPKI Status Update

An IPv6 Update
An IPv6 UpdateAn IPv6 Update
An IPv6 UpdateAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
Securing the Global Routing System and the Approach of Operators
Securing the Global Routing System and the Approach of OperatorsSecuring the Global Routing System and the Approach of Operators
Securing the Global Routing System and the Approach of OperatorsAPNIC
 
mnNOG 2023: State of IPv6 in Mongolia
mnNOG 2023: State of IPv6 in MongoliamnNOG 2023: State of IPv6 in Mongolia
mnNOG 2023: State of IPv6 in MongoliaAPNIC
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring SystemRofiq Fauzi
 
IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15
IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15
IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15APNIC
 
Advanced_Cellular_Network_Planning_and_Optimization.pdf
Advanced_Cellular_Network_Planning_and_Optimization.pdfAdvanced_Cellular_Network_Planning_and_Optimization.pdf
Advanced_Cellular_Network_Planning_and_Optimization.pdfGusangoBesweri
 
A review of current worldwide IPv6 deployment - HKNOG Edition
A review of current worldwide IPv6 deployment - HKNOG EditionA review of current worldwide IPv6 deployment - HKNOG Edition
A review of current worldwide IPv6 deployment - HKNOG EditionAPNIC
 
A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9
A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9 A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9
A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9 APNIC
 
VNNIC OPM 2017: IPV6 Measurements and Trends
VNNIC OPM 2017: IPV6 Measurements and TrendsVNNIC OPM 2017: IPV6 Measurements and Trends
VNNIC OPM 2017: IPV6 Measurements and TrendsAPNIC
 
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]APNIC
 
A review of current worldwide IPv6 deployment - SANOG Edition
A review of current worldwide IPv6 deployment - SANOG EditionA review of current worldwide IPv6 deployment - SANOG Edition
A review of current worldwide IPv6 deployment - SANOG EditionAPNIC
 
RIPE 76: Is IPv6 on for the rich?
RIPE 76: Is IPv6 on for the rich?RIPE 76: Is IPv6 on for the rich?
RIPE 76: Is IPv6 on for the rich?APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
IPv6 status among ASEAN Member States
IPv6 status among ASEAN Member StatesIPv6 status among ASEAN Member States
IPv6 status among ASEAN Member StatesAPNIC
 

Similar to KHNOG 5: RPKI Status Update (20)

An IPv6 Update
An IPv6 UpdateAn IPv6 Update
An IPv6 Update
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
Securing the Global Routing System and the Approach of Operators
Securing the Global Routing System and the Approach of OperatorsSecuring the Global Routing System and the Approach of Operators
Securing the Global Routing System and the Approach of Operators
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
mnNOG 2023: State of IPv6 in Mongolia
mnNOG 2023: State of IPv6 in MongoliamnNOG 2023: State of IPv6 in Mongolia
mnNOG 2023: State of IPv6 in Mongolia
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring System
 
UPDATED_CV_
UPDATED_CV_UPDATED_CV_
UPDATED_CV_
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15
IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15
IPv6 Deployment in South East Asia, presentation by Chimi Dorji for bdNOG 15
 
IP Transit : Simple Math - Simple Calculation
IP Transit : Simple Math - Simple CalculationIP Transit : Simple Math - Simple Calculation
IP Transit : Simple Math - Simple Calculation
 
Advanced_Cellular_Network_Planning_and_Optimization.pdf
Advanced_Cellular_Network_Planning_and_Optimization.pdfAdvanced_Cellular_Network_Planning_and_Optimization.pdf
Advanced_Cellular_Network_Planning_and_Optimization.pdf
 
A review of current worldwide IPv6 deployment - HKNOG Edition
A review of current worldwide IPv6 deployment - HKNOG EditionA review of current worldwide IPv6 deployment - HKNOG Edition
A review of current worldwide IPv6 deployment - HKNOG Edition
 
A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9
A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9 A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9
A Bhutanese story of ROAs, ROVs and IPs presentation for btNOG 9
 
VNNIC OPM 2017: IPV6 Measurements and Trends
VNNIC OPM 2017: IPV6 Measurements and TrendsVNNIC OPM 2017: IPV6 Measurements and Trends
VNNIC OPM 2017: IPV6 Measurements and Trends
 
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
 
A review of current worldwide IPv6 deployment - SANOG Edition
A review of current worldwide IPv6 deployment - SANOG EditionA review of current worldwide IPv6 deployment - SANOG Edition
A review of current worldwide IPv6 deployment - SANOG Edition
 
RIPE 76: Is IPv6 on for the rich?
RIPE 76: Is IPv6 on for the rich?RIPE 76: Is IPv6 on for the rich?
RIPE 76: Is IPv6 on for the rich?
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
IPv6 status among ASEAN Member States
IPv6 status among ASEAN Member StatesIPv6 status among ASEAN Member States
IPv6 status among ASEAN Member States
 

More from APNIC

APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkAPNIC
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkAPNIC
 
40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP update40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP updateAPNIC
 
40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUICAPNIC
 
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink DownloadAPNIC
 
IETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
 
KHNOG 5: APNIC Services
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC ServicesAPNIC
 
PITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilienceAPNIC
 
SANOG 40: DDoS in South Asia
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South AsiaAPNIC
 
SANOG 40: RPKI in South Asia
SANOG 40: RPKI in South AsiaSANOG 40: RPKI in South Asia
SANOG 40: RPKI in South AsiaAPNIC
 

More from APNIC (20)

APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and Starlink
 
40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP update40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP update
 
40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC
 
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
 
IETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
 
KHNOG 5: APNIC Services
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC Services
 
PITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilience
 
SANOG 40: DDoS in South Asia
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South Asia
 
SANOG 40: RPKI in South Asia
SANOG 40: RPKI in South AsiaSANOG 40: RPKI in South Asia
SANOG 40: RPKI in South Asia
 

Recently uploaded

Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...ssuser7b7f4e
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionalsthirdeyegen65
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetmatt806068
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....josephiigo
 
Model Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfModel Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfgalfinprihardiputra0
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Damar Juniarto
 
Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspacesttyk
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter TuningVarun Garg
 
UGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptxUGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptxRitesh Sahu
 
Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defensethirdeyegen65
 

Recently uploaded (10)

Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budget
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....
 
Model Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfModel Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdf
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023
 
Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspace
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
 
UGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptxUGB INTERNETBANKING FACILITY LAUNCHED.pptx
UGB INTERNETBANKING FACILITY LAUNCHED.pptx
 
Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defense
 

KHNOG 5: RPKI Status Update

  • 1. v1.2 1 RPKI Status Updates Presented by: Makito Lay Phnom Penh, Cambodia | 22 October 2023 KHNOG 5 Conference
  • 2. v1.2 2 Agenda • Internet Routing and BGP Hijack • What is RPKI? • ROA Coverage in Asia / South-Eastern Asia / Cambodia • Common Issues after ROA Creation • ROV Adoption in Cambodia • Recommendations
  • 3. v1.2 3 Internet Routing Source: Screenshot taken from “3.5.3.4 Packet Tracer - Configure and Verify eBGP.pka” example from Connecting Networks Cisco Networking Academy course
  • 6. v1.2 6 BGP Hijack • Announcing a more specific path. • Announcing an address space that is owned by someone else. Source: Williams, R. (2015). street signs being stolen [Image]. https://media.apnarm.net.au/media/images/2015/02/06/IQT_06-02- 2015_NEWS_05_STOLENSIGNS1_t1880.jpg
  • 7. v1.2 7 What is RPKI? • Resource Public Key Infrastructure. • For mitigating BGP route leaks and hijacks. • ROA and ROV are done cryptographically. – Resource holders use private key to sign authorisations – Other networks use public key to validate the signatures Route Origin Validation (ROV) Other networks check whether the received prefixes are originated by the permitted AS Route Origin Authorisation (ROA) Resource holders permit specific AS to originate their prefixes
  • 8. v1.2 8 Route Origin Authorisation (ROA) • To be done by resource holder: – Creating ROA for prefixes belong to own address space • Prefix • Origin AS • Max. Length – Also known as “Most Specific Announcement (MSA)” – APNIC members can create ROA in MyAPNIC portal • APNIC Help Centre: ROA objects – https://help.apnic.net/s/article/roa-objects • Route Management – Guide to manage your routes and (RPKI) ROA – https://www.apnic.net/wp-content/uploads/2017/01/route-roa-management-guide.pdf • How to Create ROAs in MyAPNIC – https://www.youtube.com/watch?v=NLG2siznuu4
  • 9. v1.2 9 ROA Coverage in Asia Source: https://stats.labs.apnic.net/roa/XD (11 Oct 2023)
  • 10. v1.2 10 ROA Coverage in Asia Code Region IPv4 Valid IPv4 Invalid IPv4 Unknown IPv4 Total BT Bhutan, Southern Asia 36,864 98.60% 0 0.00% 512 1.40% 37,376 NP Nepal, Southern Asia 568,064 98.50% 0 0.00% 8,448 1.50% 576,512 LB Lebanon, Western Asia 522,496 96.80% 256 0.00% 17,152 3.20% 539,904 IQ Iraq, Western Asia 700,160 95.60% 2,816 0.40% 29,440 4.00% 732,416 BD Bangladesh, Southern Asia 1,690,553 95.50% 11,596 0.70% 67,840 3.80% 1,769,989 … KP Democratic People's Republic of Korea, Eastern Asia 512 28.60% 0 0.00% 1,280 71.40% 1,792 KZ Kazakhstan, Central Asia 400,639 12.40% 1 0.00% 2,823,936 87.60% 3,224,576 TJ Tajikistan, Central Asia 10,240 12.40% 256 0.30% 72,192 87.30% 82,688 CN China, Eastern Asia 6,642,723 2.20% 441,821 0.10% 293,069,122 97.60% 300,153,666 KR Republic of Korea, Eastern Asia 1,869,346 1.70% 1,246 0.00% 106,616,870 98.30% 108,487,462 XD Asia 317,547,608 38.40% 3,244,556 0.40% 507,154,555 61.30% 827,946,719 Source: https://stats.labs.apnic.net/roa/XD (11 Oct 2023)
  • 11. v1.2 11 ROA Coverage in South-Eastern Asia Source: https://stats.labs.apnic.net/roa/XU?o=v4tadpl1 (11 Oct 2023)
  • 12. v1.2 12 ROA Coverage in South-Eastern Asia Code Region IPv4 Valid IPv4 Invalid IPv4 Unknown IPv4 Total LA Lao People's Democratic Republic 76,032 93.40% 512 0.60% 4,864 6.00% 81,408 PH Philippines 5,746,856 93.40% 37,204 0.60% 369,668 6.00% 6,153,728 KH Cambodia 393,211 90.70% 2,565 0.60% 37,632 8.70% 433,408 VN Vietnam 14,055,297 87.70% 86,143 0.50% 1,879,040 11.70% 16,020,480 MM Myanmar 175,872 87.60% 3,072 1.50% 21,760 10.80% 200,704 SG Singapore 9,214,823 76.10% 124,856 1.00% 2,761,407 22.80% 12,101,086 MY Malaysia 4,200,082 67.40% 20,339 0.30% 2,011,393 32.30% 6,231,814 TH Thailand 5,679,029 63.10% 95,307 1.10% 3,232,512 35.90% 9,006,848 TL Timor-Leste 9,216 53.70% 256 1.50% 7,680 44.80% 17,152 ID Indonesia 7,509,802 41.50% 95,702 0.50% 10,487,552 58.00% 18,093,056 BN Brunei Darussalam 57,088 38.90% 0 0.00% 89,856 61.10% 146,944 XU South-Eastern Asia 47,117,308 68.80% 465,956 0.70% 20,903,364 30.50% 68,486,628 Source: https://stats.labs.apnic.net/roa/XU?o=v4tadpl1 (11 Oct 2023)
  • 13. v1.2 13 ROA Coverage in Cambodia Source: https://stats.labs.apnic.net/roa/KH (11 Oct 2023) Currently (Oct 2023) 90.70% of Cambodia’s IPv4 addresses have VALID ROA. Was 55.92% at the beginning of May 2022.
  • 14. v1.2 14 Online RPKI Sessions & Technical Assistance • APNIC delivered monthly online RPKI sessions to targeted networks from June 2022 to January 2023. • One-to-one technical assistance provided by APNIC’s Retained Community Trainer in Khmer.
  • 15. v1.2 15 Face-to-face RPKI Session • In November 2022, ROA coverage significantly improved following APNIC’s face-to-face RPKI session in Phnom Penh. • Thanks to local community for your cooperation and support!
  • 16. v1.2 16 Common Issues after ROA Creation • Invalid Origin AS – Multiple origin ASes in Anycast scenario • Solution: Create ROA for each and every origin AS – Prefixes are originated by a different AS • Solution: Create ROA with the actual origin AS • Invalid Prefix Length – Announcing /24s, but ROA covers only up to /23 • Solution: Set Max. Length of the ROA to “/24”
  • 17. v1.2 17 What’s Next after Having ROA? • ROA is an authorisation that permits a specific AS to originate a specific prefix. • ROAs are created for other networks to perform ROV. • The authorisation is meaningless if no one validates it. • All networks should eventually implement ROV.
  • 18. v1.2 18 Route Origin Validation (ROV) • Should be done by all networks on the Internet: – Setting up RPKI Validators – Configuring Border Routers to validate received prefixes • VALID – ROA exists, both prefix length and origin AS match with the record • INVALID – ROA exists, but prefix length or/and origin AS mismatch with the record • UNKNOWN / NOT FOUND – ROA does not exist – Implementing routing policies based on validation state • Prefer VALID over UNKNOWN over INVALID; or • Drop INVALID
  • 19. v1.2 19 ROV Adoption in Cambodia ASN AS Name RPKI Validates Samples 55636 TPLC-KH TPLC Holding Ltd. 98.88% 179 17726 CAMNET-AS Telecom Cambodia 1.65% 121 138606 SUGAPTELTD-AS-AP Suga Pte. Ltd 0.78% 129 9902 NEOCOMISP-KH-AP NEOCOMISP LIMITED, IPTX Transit and Network Service Provider in Cambodia. 0.75% 536 131207 SINET-KH SINET, Cambodias specialist Internet and Telecom Service Provider. 0.71% 1,545 45498 SMART-AXIATA-KH SMART AXIATA Co., Ltd. 0.68% 19,127 17976 CAMGSM-CELLCARD-AS-AP CAMGSM Company Ltd 0.59% 6,480 58424 XINWEITELECOM-KH # 3BEo, Sangkat Beoun Prolit, Khan 7Makara, Phnom Penh. 0.55% 182 38235 MEKONGNET-ADC-AS-AP ANGKOR DATA COMMUNICATION 0.40% 2,725 38209 CAMINTEL-AS CAMINTEL, National Telecommunication Provider, Phnom Penh, Cambodia 0.39% 259 38901 EZECOM-AS-AP EZECOM limited 0.20% 1,961 131178 EZECOM-AS-AP EZECOM limited 0.20% 4,055 23673 ONLINE-AS Cogetel Online, Cambodia, ISP 0.17% 1,171 38623 VIETTELCAMBODIA-AS-AP ISPIXP IN CAMBODIA WITH THE BEST VERVICE IN THERE. 0.17% 35,404 24492 IIT-WICAM-AS-AP WiCAM Corporation Ltd. 0.10% 1,002 … Source: https://stats.labs.apnic.net/rpki/KH (11 Oct 2023)
  • 20. v1.2 20 ROV Adoption in Cambodia • Cambodia Network eXchange (CNX) is dropping INVALID prefixes and hosting public RPKI Validators. Source: https://lg.sabay.com/routeservers/rs01/protocols/AS55329_1/routes (11 Oct 2023)
  • 21. v1.2 21 Major Networks Dropping INVALID ASN Name Source 1221 Telstra https://lists.ausnog.net/pipermail/ausnog/2020-July/044367.html 4637 https://www.zdnet.com/article/telstra-to-roll-out-rpki-routing-security-from-june-2020/ 1239 Sprint / T-Mobile https://www.sprint.net/policies/bgp-aggregation-and-filtering 1299 Telia https://www.teliacarrier.com/Our-Network/BGP-Routing/Routing-Security.html 2497 IIJ https://www.iij.ad.jp/en/dev/iir/pdf/iir 2914 NTT https://www.gin.ntt.net/support/policy/rr.cfm#RPKI 3356 Level3 https://twitter.com/lumentechco/status/1374035675742412800 4826 Vocus https://blog.apnic.net/2021/05/13/vocus-rpki-implementation/ 6939 Hurricane Electric https://mailman.nanog.org/pipermail/nanog/2020-June/108277.html 7018 AT&T https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html 7922 Comcast https://corporate.comcast.com/stories/improved-bgp-routing-security-adds-another-layer-of-protection-to-network 9002 RETN https://twitter.com/RETNnet/status/1333735456408793089 16509 Amazon https://aws.amazon.com/blogs/networking-and-content-delivery/how-aws-is-helping-to-secure-internet-routing/ 37100 Seacom https://www.ripe.net/participate/mail/forum/routing- wg/PDZlMzAzMzhhLWVhOTAtNzIxOC1lMzI0LTBjZjMyOGI1Y2NkM0BzZWFjb20ubXU+ … Source: https://taejoong.github.io/pubs/publications/li-2023-rov.pdf (11 Oct 2023)
  • 22. v1.2 22 Recommendations • Create ROAs for all your prefixes. – Origin AS and Max. Length must match actual BGP announcements • Ensure ROAs are up-to-date upon sub-assignments – Multiple ROAs with different Origin ASes for Anycast prefixes – For networks using leased IPv4 address space, request your lease provider to create relevant ROAs • Regardless whether the address space is in APNIC region • Advise your customers and peers to sign their prefixes. – Unlike Internet Routing Registry (IRR), ROA cannot be proxy-registered • Monitor whether your network is announcing INVALID.
  • 23. v1.2 23 Recommendations • Implement ROV in your network. – Employ at least two RPKI Validators for redundancy purpose • Ensure consistency across all RPKI Validators – Establish and secure RPKI-to-Router (RTR) sessions – Update routing policies to support ROV • Set LOCAL_PREF based on validation state, or drop INVALID (preferred) • Use BGP Communities to propagate validation state (optional) – For Internet Transit, receive full routing table and drop default route
  • 24. v1.2 24 Need Help? ROV Implementation & Technical Discussions APNIC Technical Assistance Platform https://academy.apnic.net/technical-assistance ROA Creation & General Enquiries APNIC Help Centre https://help.apnic.net/s Training Resources APNIC Academy https://academy.apnic.net Online Courses: q RPKI Deployment q RPKI Deployment Status: 2022 in Review q Historical Resource Management and the Benefits of RPKI q Hosted vs. Delegated RPKI q Demystifying AS0 q How to set up Router/OS 7 and ROV Virtual Labs: q RPKI Lab with Routinator q RPKI Lab with FORT q RPKI Lab with RPKI-Prover q RPKI Lab (Sandbox)