APNIC Training Delivery Manager Shane Hermoso presents on the status of RPKI deployment in the Asia Pacific and the importance of cleaning up invalids at VNIX-NOG 2023, Da Lat, Viet Nam from 5 to 6 October 2023.
5. 5 v1.1
What is RPKI?
• RPKI: a robust security framework for verifying the association between resource holders and their Internet number resources
• ROA: a digitally signed, cryptographic object that contains IP prefixes mapped to an ASN
Route Origin Authorization
What is contained in a ROA?
• The AS number you have authorized
• The prefix that is being originated from it
• The most specific prefix (maximum length) that the AS may announce
For example:
“ISP A permits AS65551 to originate a route for the prefix 198.51.100.0/24”
Who should create a ROA?
• Resource holders
RPKI Hosted vs Delegated Model
• Hosted Model is where APNIC performs the CA functions
o Set up in MyAPNIC, then register ROAs
• Delegated Model is where members operate their own RPKI CA, which syncs with APNIC via the RPKI provisioning protocol (RFC 6492).
o Download/install CA software, register the CA via MyAPNIC
o Useful when:
- There is a need to script or automate RPKI operations
- You have resources in multiple RIRs
Step 1 – Create ROAs
If you are a resource holder of an IP address block,
create your ROAs now!
From APNIC or VNNIC portal:
Route Origin Validation
There are 3 validation states:
• Valid: the prefix (prefix length) and AS pair is found in the database
• Invalid: the prefix is found, but the origin-AS is wrong, OR the prefix length is longer than the maximum length
• Not Found / Unknown: neither valid nor invalid (perhaps no ROA was created)
Ex: This ROA is created:
ASN    Prefix             Max Length
17862  203.176.189.0/22   23
With Origin Validation, these BGP routes will have an RPKI state as follows:
ASN    Prefix             RPKI State
17862  203.176.189.0/22   VALID
17862  203.176.189.0/23   VALID
17862  203.176.189.0/24   INVALID
17861  203.176.189.0/22   INVALID
17862  203.176.189.0/21   NOT FOUND
RPKI Validators
• Many options to choose from:
o Routinator
o rpki-client
o Fort
o OctoRPKI/GoRTR
• More mature – easier to install, better documentation
• Considerations:
o Which validator to use?
o Do I need multiple validators?
o What happens when the RTR session fails?
RPKI to Router Protocol (RTR)
• Enable RTR on the router
• Make sure to understand the platform defaults
router bgp 131107
 bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
Step 2 – Implement ROV
Configure router to get validated routes from an RPKI cache (RTR session)
Apply rules/filters based on RPKI states
Set up your own RPKI validator
ROV – Acting on Validation states
• Tag
o If you have downstream customers or run a route server (IXP)
o Ex: [Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]
• Modify preference values – RFC7115
o Ex: [Valid > Not Found > Invalid]
• Drop Invalids
Step 3 – ROV Filtering
Many providers are already dropping invalid routes.
Are network operators in Vietnam already doing this?
This example is from my hotel network :)
https://isbgpsafeyet.com/
Common Challenges
• Fixing Invalids
o Common issue: invalid AS and max length
o Especially for large providers: when they change the size of their prefix announcements, the ROA needs to be updated in MyAPNIC
• Concerns about causing an outage
o Sub-delegation causing an invalid ASN, where ROAs for blocks delegated to customers are not updated
• Leased IP address blocks
o Mostly from another region
o Process to update the ROA
• Account-related issues
o Who can create ROAs in the organization?
Fixing Invalids – ROA Considerations
• Max-length
o Make sure the max-length value covers your BGP announcements
• Minimal ROAs
o Reduce the spoofed origin-AS attack surface
- ROAs should cover only those prefixes announced in BGP
https://www.ietf.org/archive/id/draft-ietf-sidrops-rpkimaxlen-08.html
Always check your ROA!
https://rpki-validator.ripe.net/ui/
https://rpki.cloudflare.com
Always check your ROA!
• Or run a script that checks the validation state for your advertised prefixes
whois -h rr.ntt.net 2001:df2:ee00::/48
route6: 2001:df2:ee00::/47
descr: v6 aggregate
origin: AS45192
mnt-by: MAINT-AU-APNICTRAINING
last-modified: 2022-02-25T06:32:53Z
source: APNIC
rpki-ov-state: valid
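An added example of the script described above (not part of the presentation): it performs the same port-43 query as whois -h rr.ntt.net, parses the RPSL objects in the reply, and lists every route object whose rpki-ov-state is not valid. SAMPLE_WHOIS is a constructed response modelled on the output above (its second object is invented), and whois_query is only reached when you call find_non_valid without a custom lookup.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample modelled on the rr.ntt.net output above; the second object is invented.
SAMPLE_WHOIS = """\
% Constructed sample, not a real server response
route6:         2001:df2:ee00::/47
origin:         AS45192
source:         APNIC
rpki-ov-state:  valid

route6:         2001:db8:1::/48
origin:         AS64500
source:         EXAMPLE
rpki-ov-state:  invalid
"""

def parse_rpsl(text: str) -> List[Dict[str, str]]:
    """Split whois/RPSL output into blank-line separated objects of key: value attributes."""
    objects, obj, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(("%", "#")):          # server comment lines
            continue
        if not line.strip():                     # a blank line terminates an object
            if obj: objects.append(obj)
            obj, last = {}, None
            continue
        if line[0] in " \t+" and last:           # RPSL continuation line
            obj[last] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")      # split at the first colon only (IPv6 values keep theirs)
        last = key.strip().lower()
        obj[last] = value.strip()
    if obj: objects.append(obj)
    return objects

def route_states(text: str) -> List[Tuple[str, str, str]]:
    """(route, origin, rpki-ov-state) for every route/route6 object in the output."""
    return [(o.get("route") or o["route6"], o.get("origin", "?"), o.get("rpki-ov-state", "unknown"))
            for o in parse_rpsl(text) if "route" in o or "route6" in o]

def whois_query(prefix: str, host: str = "rr.ntt.net", port: int = 43) -> str:
    """Plain port-43 whois lookup, the same as `whois -h rr.ntt.net <prefix>`."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(f"{prefix}\r\n".encode())
        return b"".join(iter(lambda: s.recv(4096), b"")).decode(errors="replace")

def find_non_valid(prefixes, lookup: Callable[[str], str] = whois_query):
    """Route objects for your prefixes whose state is not 'valid': the list of ROAs to fix."""
    return [(p, r, asn, st) for p in prefixes
            for r, asn, st in route_states(lookup(p)) if st != "valid"]
```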
AS0 ROAs
• ROA with origin AS0 instead of a real ASN
o Routes will be RPKI-invalid when they would otherwise be RPKI-unknown.
• Why use it?
o Prevent unused delegations from being hijacked
o Mitigate leakage of private-use public address space
• AS0 will never appear as a functional origin in a ROA (see RFC7607)
Ex: For the following VRPs
VRPs
2.0.0.0/16-16, AS0
3.0.0.0/22-24, AS0
4.0.0.0/24-24, AS0
4.0.0.0/24-24, AS1234
With Origin Validation, these BGP routes will have an RPKI state as follows:
ASN   Prefix       RPKI State
1234  1.0.0.0/24   NOT FOUND
1234  2.0.0.0/16   INVALID
1234  2.0.0.0/24   INVALID
1234  3.0.0.0/16   NOT FOUND
1234  4.0.0.0/24   VALID
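As an added worked example (not from the deck), the RFC 6811 origin-validation algorithm in Python, run over the ROA from the Route Origin Validation slide and over the AS0 VRPs above; it reproduces both state tables, including the AS0 cases. The VRP class and the evaluate helper are assumptions of this example, not any validator's API.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: prefix, max length, authorised origin AS (0 = AS0)."""
    prefix: str
    max_length: int
    asn: int

def _covers(vrp: VRP, route) -> bool:
    # strict=False masks host bits as a router would; the deck's 203.176.189.0/22 is not bit-aligned.
    net = ipaddress.ip_network(vrp.prefix, strict=False)
    return net.version == route.version and route.subnet_of(net)

def rov_state(route_prefix: str, origin_asn: int, vrps) -> str:
    """RFC 6811 origin validation: VALID, INVALID or NOT FOUND for one (prefix, origin AS)."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = [v for v in vrps if _covers(v, route)]
    if not covering:                        # no ROA covers this prefix at all
        return "NOT FOUND"
    for v in covering:                      # any one matching VRP makes the route valid
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "VALID"
    return "INVALID"                        # covered, but wrong AS or too specific (AS0 VRPs always land here)

def evaluate(routes, vrps):
    """Tabulate (prefix, origin AS, state) for a list of announced routes."""
    return [(p, a, rov_state(p, a, vrps)) for p, a in routes]

# The ROA from the Route Origin Validation slide and the routes it is tested against.
SLIDE9_VRPS = [VRP("203.176.189.0/22", 23, 17862)]
SLIDE9_ROUTES = [("203.176.189.0/22", 17862), ("203.176.189.0/23", 17862),
                 ("203.176.189.0/24", 17862), ("203.176.189.0/22", 17861),
                 ("203.176.189.0/21", 17862)]
# The VRPs and routes from the AS0 ROAs slide.
AS0_VRPS = [VRP("2.0.0.0/16", 16, 0), VRP("3.0.0.0/22", 24, 0),
            VRP("4.0.0.0/24", 24, 0), VRP("4.0.0.0/24", 24, 1234)]
AS0_ROUTES = [("1.0.0.0/24", 1234), ("2.0.0.0/16", 1234), ("2.0.0.0/24", 1234),
              ("3.0.0.0/16", 1234), ("4.0.0.0/24", 1234)]

if __name__ == "__main__":
    for p, a, s in evaluate(SLIDE9_ROUTES, SLIDE9_VRPS) + evaluate(AS0_ROUTES, AS0_VRPS):
        print(f"AS{a:<6} {p:<20} {s}")
```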
What’s next? AS Path Validation
• ASPA - Autonomous System Provider Authorisation
o https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/16/
• ASPA indicates the ASNs allowed/authorized to propagate their routes
• Supported in:
o Validators rpki-client and Routinator
o RPKI to Router Protocol (RTRv2)
o OpenBGPD
What’s next? AS Path Validation
• RIPE NCC starts ASPA pilot
• ASPA objects under test:
o AS 970
o AS 21957
o AS 15562