SlideShare a Scribd company logo
1 of 20
Download to read offline
1
RPKI In 30 Minutes Or Less
A short introduction to the technology and
operations of Resource Public Key
Infrastructure for Routing Security
https://academy.apnic.net/
2
The Problem?
• BGP since inception has not been secure.
• Increasingly leakage of routes have caused outages.
• These incidents are not always accidents.
• Where to start?
https://blog.apnic.net/2021/07/13/readthedocs/
4
4
Demo: BGP Hijack
5
5
Demo: BGP Hijack
6
IP Route Lookup
R6
You
R1
135536
R3
135538
61.45.248.0/22
R5
135540
61.45.248.0/22 135540 135538 135536 i
R4
135539
R3
135538
61.45.248.0/24
61.45.248.0/24 135538 135539 i
7
7
RPKI
• Resource Public Key Infrastructure
• Real assignment data from the five (5) Regional Internet
Registries
• Attestation of the ORIGIN Autonomous System Number for
internet addresses.
• RSA Cryptography.
https://blog.apnic.net/2020/04/21/rpki-and-trust-anchors/
8
Certificates, Authorities and Routes: OH MY!
Key Concept 1:
ROUTE
ORIGIN
AUTHORISATION
https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/
9
9
Check ROA Progress
https://observatory.manrs.org/#/overview
10
10
There is more to do …
Key Concept 2:
ROUTE
ORIGIN
VALIDATION
https://rpki.readthedocs.io/en/latest/index.html#sec-rpki-ops
11
v1.0
11
Are ROAs enough?
• What if I forge the origin AS in the AS path?
q Would be accepted as good – pass origin validation!
• Which means, we need to secure the AS path as well
q AS path validation (per-prefix)
• We can use RPKI certificates for this
• What if the IP address (IP spoofing) is forged?
q Requires other methods, like ingress filtering refer to BCP38
12
What is missing from Routing Security?
Origins
Pathways
ASN to ASN
RPKI
ASPA
BGPSEC
https://www.rfc-editor.org/rfc/rfc8205.html
https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/
https://www.rfc-editor.org/rfc/rfc8210
13
Deployment Considerations
“The Basics”
• RFC7115+RFC9319 / BCP185
• https://datatracker.ietf.org/doc/html/rfc7115
• https://datatracker.ietf.org/doc/html/rfc9319
“The Three”
Distribution
of RPKI data
Network
Placement
Routing
Policy
https://www.google.com/search?q=rpki+deployment
14
14
Routing Policy?
Photo
by
Markus
Spiske
on
Unsplash
15
15
RPKI Uptake?
Stats.Labs.APNIC.Net
• RPKI RoV Drop-Invalid
• RPKI ROA Publication
Are your routes signed and have you
started to drop invalid routes?
16
Which RFC to read?
• Must read
• Should read
• May read
https://rpki-rfc.routingsecurity.net
17
17
Source IP spoofing – Mitigation
• BCP38 (RFC2827)
– Since 1998!
– https://tools.ietf.org/html/bcp38
• Only allow traffic with valid source addresses to
– Leave your network
• Only from your own address space
– To enter/transit your network
• Only from downstream customer address space
18
uRPF – Unicast Reverse Path
• Modes of Operation
(IOS):
– Strict: verifies both
source address and
incoming interface with
entries in the forwarding
table
– Loose: verifies existence
of route to source
address
pos0/0
ge0/0
Src = 2406:6400:100::1
Src = 2406:6400:200::1
Forwarding Table:
2406:6400:100::/48 ge0/0
2406:6400:200::/48 fa0/0
pos0/0
ge0/0
Src = 2406:6400:100::1
Src = 2406:6400:200::1
Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
19
19
Enterprise B
IP address block
10.2.1.0/24
RFC2827 (BCP38) – Ingress Filtering
ISP A
IP address block
10.0.0.0/8
Drop
Source IP: 10.2.1.20
Source IP: 192.168.0.4
Source IP: 10.2.1.3
20
20
MANRS
• Mutually Agreed Norms of Routing Security
– An ISOC led initiative to implement industry best practices
to ensure security of routing system
• https://www.manrs.org/
– Inbound/outbound filtering – prefix/as-path
– Source address validation – BCP38
– Coordination – correct & up to date contacts
– Validation – ROAs/IRR objects
21
Discussion
Questions and Answers
Photo
by
Simone
Secci
on
Unsplash

More Related Content

Similar to PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less

Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
ThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route ValidityThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route ValidityAPNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
RPKI Introduction by Randy Bush
RPKI Introduction by Randy BushRPKI Introduction by Randy Bush
RPKI Introduction by Randy BushMyNOG
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
Rpki -manrs_(7_september)
Rpki  -manrs_(7_september)Rpki  -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...akg1330
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs APNIC
 
Deployment factors and Current status
Deployment factors and Current statusDeployment factors and Current status
Deployment factors and Current statusAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
APNIC Update
APNIC Update APNIC Update
APNIC Update APNIC
 

Similar to PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less (20)

RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
ThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route ValidityThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route Validity
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
RPKI Introduction by Randy Bush
RPKI Introduction by Randy BushRPKI Introduction by Randy Bush
RPKI Introduction by Randy Bush
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Rpki -manrs_(7_september)
Rpki  -manrs_(7_september)Rpki  -manrs_(7_september)
Rpki -manrs_(7_september)
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 
Deployment factors and Current status
Deployment factors and Current statusDeployment factors and Current status
Deployment factors and Current status
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
 
RPKI
RPKIRPKI
RPKI
 

More from APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

More from APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Recently uploaded

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 

Recently uploaded (20)

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 

PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less

  • 1. 1 RPKI In 30 Minutes Or Less A short introduction to the technology and operations of Resource Public Key Infrastructure for Routing Security https://academy.apnic.net/
  • 2. 2 The Problem? • BGP since inception has not been secure. • Increasingly leakage of routes have caused outages. • These incidents are not always accidents. • Where to start? https://blog.apnic.net/2021/07/13/readthedocs/
  • 5. 6 IP Route Lookup R6 You R1 135536 R3 135538 61.45.248.0/22 R5 135540 61.45.248.0/22 135540 135538 135536 i R4 135539 R3 135538 61.45.248.0/24 61.45.248.0/24 135538 135539 i
  • 6. 7 7 RPKI • Resource Public Key Infrastructure • Real assignment data from the five (5) Regional Internet Registries • Attestation of the ORIGIN Autonomous System Number for internet addresses. • RSA Cryptography. https://blog.apnic.net/2020/04/21/rpki-and-trust-anchors/
  • 7. 8 Certificates, Authorities and Routes: OH MY! Key Concept 1: ROUTE ORIGIN AUTHORISATION https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/
  • 9. 10 10 There is more to do … Key Concept 2: ROUTE ORIGIN VALIDATION https://rpki.readthedocs.io/en/latest/index.html#sec-rpki-ops
  • 10. 11 v1.0 11 Are ROAs enough? • What if I forge the origin AS in the AS path? q Would be accepted as good – pass origin validation! • Which means, we need to secure the AS path as well q AS path validation (per-prefix) • We can use RPKI certificates for this • What if the IP address (IP spoofing) is forged? q Requires other methods, like ingress filtering refer to BCP38
  • 11. 12 What is missing from Routing Security? Origins Pathways ASN to ASN RPKI ASPA BGPSEC https://www.rfc-editor.org/rfc/rfc8205.html https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/ https://www.rfc-editor.org/rfc/rfc8210
  • 12. 13 Deployment Considerations “The Basics” • RFC7115+RFC9319 / BCP185 • https://datatracker.ietf.org/doc/html/rfc7115 • https://datatracker.ietf.org/doc/html/rfc9319 “The Three” Distribution of RPKI data Network Placement Routing Policy https://www.google.com/search?q=rpki+deployment
  • 14. 15 15 RPKI Uptake? Stats.Labs.APNIC.Net • RPKI RoV Drop-Invalid • RPKI ROA Publication Are your routes signed and have you started to drop invalid routes?
  • 15. 16 Which RFC to read? • Must read • Should read • May read https://rpki-rfc.routingsecurity.net
  • 16. 17 17 Source IP spoofing – Mitigation • BCP38 (RFC2827) – Since 1998! – https://tools.ietf.org/html/bcp38 • Only allow traffic with valid source addresses to – Leave your network • Only from your own address space – To enter/transit your network • Only from downstream customer address space
  • 17. 18 uRPF – Unicast Reverse Path • Modes of Operation (IOS): – Strict: verifies both source address and incoming interface with entries in the forwarding table – Loose: verifies existence of route to source address pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Forwarding Table: 2406:6400:100::/48 ge0/0 2406:6400:200::/48 fa0/0 pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
  • 18. 19 19 Enterprise B IP address block 10.2.1.0/24 RFC2827 (BCP38) – Ingress Filtering ISP A IP address block 10.0.0.0/8 Drop Source IP: 10.2.1.20 Source IP: 192.168.0.4 Source IP: 10.2.1.3
  • 19. 20 20 MANRS • Mutually Agreed Norms of Routing Security – An ISOC led initiative to implement industry best practices to ensure security of routing system • https://www.manrs.org/ – Inbound/outbound filtering – prefix/as-path – Source address validation – BCP38 – Coordination – correct & up to date contacts – Validation – ROAs/IRR objects