RPKI invalids aren't gone yet

1. RPKI invalids aren’t gone yet Md. Abdul Awal awal@nsrc.org

2. Routing Incidents in Bangladesh bdNOG12 2 Stats: observatory.manrs.org 0 5 10 15 20 25 Jul-19 Aug-19 Sep-19 Oct-19 Nov-19 Dec-19 Jan-20 Feb-20 Mar-20 Apr-20 May-20 Jun-20 Jul-20 Aug-20 Number of routing incidents in BD Incidents haven’t been reduced

3. RPKI Status of BGP Prefixes in Bangladesh bdNOG12 3 Stats: observatory.manrs.org 0 10 20 30 40 50 60 70 80 90 100 Jul-19 Aug-19 Sep-19 Oct-19 Nov-19 Dec-19 Jan-20 Feb-20 Mar-20 Apr-20 May-20 Jun-20 Jul-20 Aug-20 RPKI status of BGP announcements in BD Valid Not Found Invalid Invalids are not going away 1% of total BGP announcements in BD are still invalid, that’s about 50 prefixes in global BGP table

4. Prefix/Route Hijack: The Common Routing Incident bdNOG12 AS 65505 AS 64512 AS 64710 AS 65500 AS 64805 AS 64650 AS 65510 Prefix Hijacker 192.168.0.0/24 192.168.0.0/24 AS 65500 owns 192.168.0.0/24 AS 65510 does NOT own 192.168.0.0/24 AS 64805 takes wrong path to 192.168.0.0/24

5. RPKI could solve it bdNOG12 Signing prefixes a.k.a. creating ROA1 RIR CA RIR Resource DB Member Login Authentication 2001:db8::/32 192.0.2.0/24 AS 65000 ROA Validating ROAs a.k.a doing ROV2 RPKI Repository RPKI Validator BGP Router RTR Protocolrsync/RRDP

6. What makes a route RPKI Invalid?

7. Route Origin Authorization (ROA) bdNOG12 192.168.0.0/22 65500 /23 Prefix ASN Max Length 192.168.0.0/22 192.168.0.0/23 192.168.0.0/24 192.168.1.0/24 192.168.2.0/23 192.168.2.0/24 192.168.3.0/24 Prefixes covered by the ROA

8. Route Origin Validation (ROV) bdNOG12 192.168.0.0/22 65500 /23 192.168.0.0/24 ...65500 192.168.0.0/24 ...65520 192.168.0.0/23 ...65520 Max Length Invalid Max Length+Origin Invalid Origin Invalid VRP R1 BGP Routes

9. Let’s see some examples

10. Example: RPKI Invalids bdNOG12 10

11. Example: Invalid Origin bdNOG12 11

12. Example: Invalid Prefix Length bdNOG12 12

13. More Example: Invalid Prefix Length bdNOG12 13

14. So, why invalids exist in BD’s routing atmosphere?

15. Several reasons… • Incorrect ROAs § Mostly because of misconfigured Max Length § Sometimes because of wrong ASN § Lack of awareness? • Wrong BGP annoucements § Route advertised without checking its ROA § Old habit? • Most importantly, no origin validation § Transit providers and IXPs are missing this bit, any reason? bdNOG12 15

16. Fix it: Who and How bdNOG12 16 192.168.0.0/22 65500 /23 Create appropriate ROAs for your prefixes Announce only the correct prefix in BGP Implement origin validation i.e. drop RPKI Invalids

17. Route Origin Validation at NIX and IIG bdNOG12 17 AS 65505 AS 64512 AS 64710 AS 65500 Route Server NIX Switch No invalid routes towards peers Invalid routes droped by NIX AS 65505 AS 64512 AS 64710 International Transit IIG Router No invalid routes towards cliets Invalid routes droped by IIG AS 65530 AS 65500 Internet Exchange Point Transit Provider Network

18. Validation could make our routing table Invalid-free bdNOG12 18 International Transits Internet Routing Infrastructure of BD Without Validation International Transits Internet Routing Infrastructure of BD With Validation IIG NIX ISP IIGs can prevent Invalid route propagation to and from BD

19. Thanks! Questions? awal@nsrc.org

RPKI invalids aren't gone yet

RPKI invalids aren't gone yet

Recommended

More Related Content

What's hot

What's hot(20)

Similar to RPKI invalids aren't gone yet

Similar to RPKI invalids aren't gone yet(20)

More from Bangladesh Network Operators Group

More from Bangladesh Network Operators Group(20)

Recently uploaded

Recently uploaded(15)

RPKI invalids aren't gone yet