RPKI Deployment Status in Bangladesh

  1. RPKI Deployment Status in Bangladesh. Md. Abdul Awal, Network Startup Resource Center, https://nsrc.org
  2. Why Should We Care About RPKI? #bdNOG13
  3. Long ago, people were living in peace
     • Network engineers were innocent and trustworthy
     • The global routing table only had valid prefixes
     • But the perfect world can't exist:
       – Someone made a mistake in BGP announcements
       – Someone hijacked others' prefixes
       – The global routing table became vulnerable to incorrect routes
     • Internet operations get affected
     • The core of the Internet can't be left vulnerable like that
  4. A route is not bad unless proved guilty
     • How to prove it? – By validating
     • How can we validate? – Cross-match with VRPs
     • What makes the VRPs? – ROAs
     • How to collect all the ROAs? – Resource PKI (RPKI)
     • Who does what?
       – Resource holders create ROAs
       – Network operators do ROV
  5. RPKI is about 2 things: ROA and ROV. (1) Signing prefixes, a.k.a. creating ROAs. Diagram: member login and authentication against the RIR resource DB, then the RIR CA issues a ROA for 2001:db8::/32 and 192.0.2.0/24 with origin AS 65000.
  6. RPKI is about 2 things: ROA and ROV. (2) Validating ROAs, a.k.a. doing ROV. Diagram: the RPKI validator fetches the RPKI repository over rsync/RRDP and feeds the BGP router via the RTR protocol.
  7. What Makes a Route RPKI Invalid?
     • VRP: prefix 192.168.0.0/22, ASN 65500, max length /23
     • Prefixes covered by the ROA: 192.168.0.0/22, 192.168.0.0/23, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/23, 192.168.2.0/24, 192.168.3.0/24
     • Routes received by R1 and their validation state:
       – 192.168.0.0/24, origin AS65500: Max Length Invalid
       – 192.168.0.0/24, origin AS65520: Max Length+Origin Invalid
       – 192.168.0.0/23, origin AS65520: Origin Invalid
       – 192.168.2.0/23, origin AS65500: Valid
       – 100.100.0.0/24, origin AS65500: Not Found
  8. RPKI deployment in Bangladesh
  9. RPKI ROA Adoption (chart; source: https://observatory.manrs.org/)
  10. RPKI Validation (chart; source: https://stats.labs.apnic.net/rpki/BD)
  11. RPKI Validation (chart; source: https://stats.labs.apnic.net/rpki/BD)
  12. RPKI Invalids (charts; sources: https://observatory.manrs.org/ and https://rpki.anuragbhatia.com/)
  13. RPKI Invalid Types (source: https://rpki.anuragbhatia.com/, last updated on 8-Jun-2021). Charts: invalids per address family, IPv4 vs IPv6 (the two values shown are 101 and 15), and the number of invalid routes per address family by type (Origin Invalid vs Max Length Invalid).
  14. Top Contributors of RPKI Invalids (source: https://rpki.anuragbhatia.com/, last updated on 8-Jun-2021). Bar chart of the number of RPKI invalid BGP announcements per AS number, as the labels read in chart order: AS137823, AS137935, AS141439, AS131216 and AS24342 with 3 each; AS63969 and AS38071 with 5 each; AS136516 with 8; AS134204 with 16; AS58715 with 39. Second chart: number of ASNs announcing invalid routes per address family, by type (Origin Invalid vs Max Length Invalid).
  15. What Goes Wrong?
  16. Routing Incidents (chart; source: https://observatory.manrs.org/)
  17. Invalid Routes are Getting Rejected
     • More and more operators are deploying RPKI and ROV:
       – BCC/NDC
       – Telia
       – NTT
       – Cogent
       – HE
       – Cloudflare
       – Netflix
       – AMS-IX
       – DE-CIX and many more
  18. Considerations about ROA and ROV
  19. Creating ROA. Not a good idea: creating ROAs up to /24 (v4) or /48 (v6). Better: create ROAs for the specific prefixes that are announced in BGP.
  20. Creating ROA. You may sign the same prefix with multiple ASNs, but only do so if you really, really have to.
  21. Doing ROV: validation without dropping RPKI invalids VS validation with dropping RPKI invalids.
  22. Recommendations on RPKI Deployment
  23. General Recommendations
     • Only create ROAs for prefixes that are announced in BGP
       – Signing unannounced prefixes can lead to a "validated hijack"
       – Add to the standard operating procedure: if it is originated, sign it!
     • Check your ROAs and announcements from external sources
     • Deploy at least two reliable validator caches
       – Two different implementations, for software independence
     • Avoid a default route on the border routers
  24. General Recommendations
     • While validating:
       – If Valid: ALLOW
       – If Invalid: DROP
       – If Not Found: ALLOW with lower preference
     • For fully supported Route Origin Validation across the network:
       – EBGP-speaking routers need to talk to a validator
       – IBGP-speaking routers do not need to talk to a validator
     • Train the engineers with toolsets and debugging techniques
  25. ROA for Small ISPs and Enterprises
     • Have your own Internet resources?
       – Creating a ROA is straightforward using the RIR's resource management portal
     • Got an assignment from an LIR?
       – Have a public ASN? Ask the LIR to create a ROA with your ASN and verify
       – Don't have a public ASN? Ask the LIR to create a ROA for the assigned prefix and verify
  26. ROV for Small ISPs and Enterprises
     • Have BGP with transits and peers?
       – Receive full routes from neighbors? Implementing ROV using a validator cache is straightforward
       – Receive partial routes with a default from neighbors? Ask transits to do ROV for you; implement ROV using a validator cache to validate peer and IX routes
       – Receive only the default route? ROV wouldn't fit; however, you may ask transits to do ROV on their network
     • Have static routing with transits?
       – ROV wouldn't fit; however, you may ask transits to do ROV on their network
  27. Thanks. awal@nsrc.org
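As an added example (not from the slides or from NSRC), the Python below implements the RFC 6811 origin validation that slide 7 illustrates, reproduces the slide's Max Length / Origin invalid labels, and applies the ALLOW / DROP / lower-preference policy from slide 24. The VRP table is constructed from the single slide-7 ROA, and the local-preference values are assumptions.

```python
import ipaddress

# Constructed VRP set: the single ROA from slide 7 (192.168.0.0/22, origin
# AS65500, max length /23), stored as (prefix, max_length, asn) tuples.
VRPS = [(ipaddress.ip_network("192.168.0.0/22"), 23, 65500)]
# Local-preference values are assumptions for illustration; slide 24 only
# says Valid = ALLOW, Invalid = DROP, Not Found = ALLOW with lower preference.
LOCAL_PREF_DEFAULT = 100
LOCAL_PREF_NOT_FOUND = 50

def covering_vrps(net, vrps):
    """VRPs of the same address family whose prefix covers the announced one."""
    return [v for v in vrps if v[0].version == net.version and net.subnet_of(v[0])]

def validate(prefix, origin_as, vrps=VRPS):
    """RFC 6811 state: 'valid' if a covering VRP matches the origin AS with a
    long-enough max length, 'invalid' if covered but unmatched, else 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = covering_vrps(net, vrps)
    if not covered:
        return "not-found"
    if any(asn == origin_as and net.prefixlen <= max_len for _, max_len, asn in covered):
        return "valid"
    return "invalid"

def invalid_reason(prefix, origin_as, vrps=VRPS):
    """Diagnostic label as used on slide 7 for a route that validate() rejects."""
    net = ipaddress.ip_network(prefix)
    covered = covering_vrps(net, vrps)
    if any(asn == origin_as for _, _, asn in covered):
        return "max-length"        # authorised origin, but announced more specific than allowed
    if any(net.prefixlen <= max_len for _, max_len, _ in covered):
        return "origin"            # acceptable length, but the origin AS is not authorised
    return "max-length+origin"     # both checks fail

def rov_policy(prefix, origin_as, vrps=VRPS):
    """Slide 24 policy: (state, action, local_pref) for a received route."""
    state = validate(prefix, origin_as, vrps)
    if state == "valid":
        return state, "accept", LOCAL_PREF_DEFAULT
    if state == "invalid":
        return state, "drop", None
    return state, "accept", LOCAL_PREF_NOT_FOUND

if __name__ == "__main__":
    # The five routes R1 receives on slide 7.
    for p, a in [("192.168.0.0/24", 65500), ("192.168.0.0/24", 65520), ("192.168.0.0/23", 65520),
                 ("192.168.2.0/23", 65500), ("100.100.0.0/24", 65500)]:
        state, action, pref = rov_policy(p, a)
        print(p, f"AS{a}", state, invalid_reason(p, a) if state == "invalid" else "", action, pref)
```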
