SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.
SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.
Successfully reported this slideshow.
Activate your 14 day free trial to unlock unlimited reading.
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
1.
Route Origin Validation With Routinator
- A MANRS Approach for Operators
Md. Zobair Khan
Fiber@Home Limited
2.
Acknowledgement
• This paper is made taking notes, diagram, configurations from
MANRS, APNIC training materials, NLnet Labs & Dr. Philip
Smith along with the operational experience of the author.
3.
MANRS
• Mutually Agreed Norms for Routing Security (MANRS) is a
global initiative, supported by the Internet Society, that
provides crucial fixes to reduce the most common routing
threats.
4.
MANRS
• MANRS outlines four simple but concrete actions that network
operators should take:
• Filtering
• Anti-spoofing
• Coordination
• Global Validation
5.
Global Validation
• Publish your data, so others can validate routing information on
a global scale
• Automated information validation needs arrangements
• Securing global routing information is done by RPKI
6.
Resource Public Key Infrastructure (RPKI)
• RPKI allows holders of Internet number resources to make
verifiable statements about how they intend to use their
resources.
• RPKI is a way to define data in an out-of-band system such
that the information that are exchanged by BGP can be
validated to be correct.
• RPKI is used to make Internet routing more secure.
7.
Importance of RPKI
• Secured Routing Table
• Dynamic LOA checking
• Maintaining a Dynamic Chain of Trust
• Digitally Signed Resources Certificate (X.509 Certificates-RFC5280)
• Helps to Stop Route Hijack
8.
Route Origin Authorizations (ROA)
• Using the RPKI system, the legitimate holder of a block of IP
addresses can use their resource certificate to make an
authoritative, signed statement about which autonomous
system is authorized to originate their prefix in BGP.
• These statements are called Route Origin Authorizations
(ROAs).
9.
Route Origin Validation (ROV)
• RPKI system tries to closely mimic what route objects in the
IRR intend to do, but then in a more trustworthy manner.
• This process is called route origin validation (ROV)
10.
Validity
• Valid - Resources found in database which is called Validated
ROA Payload (VRP).
• Invalid – Resources found but partial/whole information
doesn’t match with database.
• Not Found - The prefix in this announcement is not covered
by a VRP.
13.
Working Steps
• Creating ROA for owned resources for RPKI
• Implementing Validator relying software for ROV
• Enforcing policies for based on Validation
14.
Creating ROA
• Go to Resources > Route Management and select Create route
https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
15.
Creating ROA
• Mention your prefix with ASN & desired subnet & Submit
https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
17.
Routinator
• Routinator is free, open source RPKI Relying Party software written by NLnet Labs in the
Rust programming language.
• Routinator connects to the Trust Anchors of the five Regional Internet Registries (RIRs) —
APNIC, AFRINIC, ARIN, LACNIC and RIPE NCC — downloads all of the certificates and
ROAs in the various repositories, verifies the signatures and makes the result available
for use in the BGP workflow.
• The validated cache can be fed directly into RPKI-capable routers via the RPKI to Router
Protocol (RPKI-RTR), described in RFC 8210.
https://rpki.readthedocs.io/en/latest/routinator/index.html
18.
Why Routinator?
• Designed to have a small footprint and great portability
• Can run on any Unix-like operating system, but also works on Microsoft Windows via API
• Have a mailing list for general discussion and exchanging operational experiences
(https://nlnetlabs.nl/mailman/listinfo/rpki)
• Problem report & feature request is possible
(https://github.com/NLnetLabs/routinator/issues)
• Used in production by AT&T, NTT, AMS-IX, DECIX and many more
https://rpki.readthedocs.io/en/latest/routinator/index.html
21.
Allow In Iptables
• -A INPUT -i ens18 -p tcp -m tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --sport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --dport 9556 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --sport 9556 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --dport 3323 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --sport 3323 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --dport 9100 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --sport 9100 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --dport 9090 -m state --state NEW,ESTABLISHED -j ACCEPT
• -A INPUT -i ens18 -p tcp -m tcp --sport 9090 -m state --state NEW,ESTABLISHED -j ACCEPT
22.
Router Configuration
router bgp [ASN]
rpki server [SERVER IP]
transport tcp port 3323
refresh-time 120
address-family ipv4 unicast
bgp origin-as validation signal ibgp
address-family ipv6 unicast
bgp origin-as validation signal ibgp
Configuration of IOS-XR
23.
Router Configuration
• routing-options {
autonomous-system [ASN];
validation {
group rpki-validator {
Session [Server IP] {
refresh-time 120;
Port 3323;
local-address X.X.X.253;
}
}
}
}
Configuration of Junos
24.
Checking
• ps ax| grep routinator
1369 ? Sl 124:05 /home/[USER]/.cargo/bin/routinator server --rtr [SERVER IP]:3323 --http [SERVER IP]:9556 -d
7487 pts/0 S+ 0:00 grep --color=auto routinator
• sh bgp rpki server summary
Sun Nov 3 12:27:37.333 UTC
Hostname/Address Transport State Time ROAs (IPv4/IPv6)
[SERVER IP] TCP:3323 ESTAB 6d19h 97473/16440
25.
Monitoring
• apt install prometheus
• nano /etc/prometheus/prometheus.yml
- job_name: 'Routinator'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
scrape_timeout: 10s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
target_groups:
- targets: ['[SERVER IP]:9556']
service prometheus stop
service prometheus start
https://prometheus.io/docs/introduction/overview/
26.
Monitoring
# HELP routinator_valid_roas number of valid ROAs seen
# HELP routinator_vrps_total total number of VRPs seen
# HELP routinator_last_update_start seconds since last update started
# HELP routinator_last_update_duration duration in seconds of last update
# HELP routinator_last_update_done seconds since last update finished
# HELP routinator_serial current RTR serial number
# HELP routinator_rsync_status exit status of rsync command
# HELP routinator_rsync_duration duration of rsync in seconds
# HELP routinator_rrdp_status status code for getting notification file
# HELP routinator_rrdp_duration duration of rsync in seconds
http://[server ip]:9556/metrics
29.
Decision
• Since now the validation states are visible to you, you can
decide what to do with invalids
• You can –
– Use them with low preference
– Or drop them
30.
Policy
route-policy RPKI
if validation-state is invalid then
set local-preference 50
else
if validation-state is valid then
set local-preference 200
else
pass
endif
endif
end-policy
route-policy RPKI
if validation-state is invalid then
drop
else
if validation-state is valid then
set local-preference 200
else
pass
endif
endif
end-policy Configuration of IOS-XR
31.
Observation
• sh bgp origin-as validity invalid | exclude 9498 | exclude 6453 | exclude 2914 | exclude 132602
Network Next Hop Metric LocPrf Weight Path
*>i103.206.228.0/24 103.7.251.241 450 0 137491 137491 137491
137491 134146 134146
132735 135037 i
*>i104.134.130.0/24 103.7.251.241 0 850 0 15169 395973 i
*> 119.30.36.0/24 163.47.157.86 450 0 24389 24389 64512 i
*> 120.50.24.0/21 163.47.157.82 0 450 0 38712 i
* 163.47.157.94 0 450 0 38712 38712 38712
38712 38712 i
*> 103.134.59.0/24 103.7.248.110 450 0 58689 58689 58689
58689 135615 139834 i
*> 103.139.9.0/24 103.7.248.110 450 0 58689 65507 i
32.
Observation - 1
• 103.206.228.0/24 - 135037 I
• Techno Asia BD
• Originated from 135037
• ROA created for parent block - /22
• Route Object ok
• Current Status : Issue Resolved by Owner after notification
33.
Observation - 2
• 104.134.130.0/24 - 395973 I
• Google
• Originated from 395973
• ROA created accordingly
• Route Object not updated
• Current Status : No response yet after sending notification
34.
Observation - 3
• 119.30.36.0/24 - 64512 I
• Grameenphone
• Originated from 64512 (Private ASN)
• ROA created for parent block not for /24 ( ROA shows public & private ASN)
• Route Object not updated
• Current Status : Issue Resolved by Owner after notification
35.
Observation - 4
• 120.50.24.0/21 - 38712 I
• Telnet Communication Limited
• Originated from 38712
• ROA created for parent block - /19
• Route Object ok
• Current Status : Issue Resolved by Owner after notification
36.
Observation - 5
• 103.134.59.0/24 - 139834 i
• Achiever Broadband Internet
• Originated from 139834
• ROA created for parent block - /22
• Route Object ok
• Current Status : Issue Resolved by Owner after notification
37.
Observation - 6
• 103.139.9.0/24 - 65507 i
• ICC COMMUNICATION LTD.
• Originated from 65507
• ROA created for parent block - /23
• Route Object ok
• Current Status : Issue Resolved by Owner after notification