Bangladesh Network Operators Group, profile picture
Uploaded byBangladesh Network Operators Group
PDF, PPTX49 views

RPKI ROA updates

This document discusses validating RPKI (Resource Public Key Infrastructure) data for countries. The author built tools to map ASNs (Autonomous System Numbers) to IP prefixes by country and check them against a RPKI validator. This allows tracking RPKI validation status over time for entire countries. The tools were used to analyze RPKI validation status in Asia, showing growth in valid prefixes for countries like Bangladesh. Results are stored in a database and visualized using Grafana for others to view. Feedback on the tools and approach is welcomed.

Embed presentation

Download as PDF, PPTX
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates RPKI ROA updates Anurag Bhatia, Hurricane Electric (AS6939)
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Starts with tweet from my friend Awal
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Thoughts after looking at the tweet... ● Is Awal correct? ● How can I cross validate his claim? ● India has highest number of ASNs & IP prefixes in South Asia. Can that impact these results? ● If true and nothing done more of this will show up!
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Thoughts after looking at the tweet... ● Is Awal correct? <- Unfortunately he was correct ● How can I cross validate his claim? <- I actually did, more on this soon... ● India has highest number of ASNs & IP prefixes in South Asia. Can that impact these results? <- That can reflect in absolute numbers but not in relative percentage numbers ● If true and nothing done more of this will show up! <- No, and here I am to talk about it! :-)
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Validating the claim that India was lacking behind...
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates How to do RPKI validation of a country? Find all prefixes originated by that country with origin ASNs and run them against a validator. Simple right?
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Challenges with RPKI validation at country level 1. How do you map prefixes to a given country? What should be the starting point? 2. Running check sequentially against a RPKI validator is slow. When done for thousands of prefixes it’s actually very slow. 3. How to store the output and track it over time?
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Challenges Solutions with RPKI validation at country level 1. How do you map prefixes to a given country? What should be the starting point? <- Instead of prefixes, start with ASN from RIR delegation file. And do ASN -> Prefix mapping 2. Running check sequentially against a RPKI validator is slow. When done for thousands of prefixes it’s actually very slow. <- Used rpki api binary from Louis Poinsignon (Cloudflare) - https://github.com/lspgn/rpki-api 3. How to store the output and track it over time? <- Store data in a MySQL database & analyse output using Grafana
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates More details on RPKI validator lookup ● RIPE RIS is used for raw data to map ASNs to prefixes. ● Data is formatted in csv & queries in a GraphQL format to RPKI API. ● Can scan entire global routing table in 3-4mins! (IN table takes a few seconds) ● Lookup is triggered using Ansible AWX instance. Gives cron like capability but with notification & more. ● Fair amount of code was re-used which I put internally @work to keep an eye on our own routing table as we were deploying RPKI validation across Hurricane Electric’s AS6939 backbone. ● Everything is containerized with Docker
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates If it takes a few seconds on IN, why not scan entire South Asia?
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Presenting rpki.anuragbhatia.com !!!
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Asian stats from July 2020 Warning: 6 months old data!
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Asian stats now!
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Growth of RPKI Valids in Asia
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Bangladesh RPKI signed growth - absolute signed prefixes
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Bangladesh RPKI signed growth - % signed prefixes
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Indian RPKI invalids
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Bangladesh RPKI ROA public data Public data specific to Bangladesh - https://rpki.anuragbhatia.com/d/F2f3geu7k/bangladesh-rpki-public-data?orgId=1
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Some more details about Grafana ● Used it as frontend for this data. Essentially supports showing data in any form like graphs, table, time data etc. ● Supports different set of data sources including InfluxDB, MySQL, and lot more. ● Open source and free to use in self hosted format. Besides RPKI tool, also used it on RIPE Atlas data export. ● Supports authentication to give restricted access as well as making data available out in public without any authentication.
Anurag Bhatia - Hurricane Electric - RPKI ROA Updates Questions/Feedback/Suggestions? Anurag Bhatia anurag@he.net he.net

More Related Content

PDF
Cleaning up your RPKI invalids
byMyNOG
 
PDF
RPKI Deployment Status in Bangladesh
byBangladesh Network Operators Group
 
PDF
KHNOG 5: RPKI Status Update
byAPNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
PDF
MyNOG 10: Cleaning up your RPKI invalids
byAPNIC
 
PDF
RPKI Deployment Status in Bangladesh, presentation by Md Abdul Awal for bdNOG 15
byAPNIC
 
PDF
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
byAPNIC
 
PDF
Securing global routing system and operators approach
byAPNIC
 
Cleaning up your RPKI invalids
byMyNOG
 
RPKI Deployment Status in Bangladesh
byBangladesh Network Operators Group
 
KHNOG 5: RPKI Status Update
byAPNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
MyNOG 10: Cleaning up your RPKI invalids
byAPNIC
 
RPKI Deployment Status in Bangladesh, presentation by Md Abdul Awal for bdNOG 15
byAPNIC
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
byAPNIC
 
Securing global routing system and operators approach
byAPNIC
 

Similar to RPKI ROA updates

PDF
Secure Inter-domain Routing with RPKI
byAPNIC
 
PPTX
HKNOG 7.0: RPKI - it's time to start deploying it
byAPNIC
 
PDF
PhNOG 2020: ROA and RPKI in the Philippines
byAPNIC
 
PDF
Presentation on the State of RPKI in HK and East Asia by Shane Hermoso
byAPNIC
 
PDF
Peering Asia 2.0: RPKI for Peering
byAPNIC
 
PDF
Routing Security and RPKI: South Korea Focus
byAPNIC
 
PDF
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
byAPNIC
 
PDF
Why ROV? RPKI Deployment Status in Japan
byAPNIC
 
PDF
Introduction to RPKI
byAPNIC
 
PDF
APNIC Updates: RPKI, what we’ve learned and what we’ve been doing by Zen Chuan
byMyNOG
 
PDF
RPKI Overview, Case Studies, Deployment and Operations
byAPNIC
 
PDF
IDNOG 6: RQC and RPKI
byAPNIC
 
PDF
NANOG 80: Measuring RPKI Effectiveness
byAPNIC
 
PPTX
Resource Public Key Infrastructure presentation, Mynog5
byAPNIC
 
PDF
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG
byAPNIC
 
PDF
Securing the Global Routing System and the Approach of Operators
byAPNIC
 
PDF
PacNOG 23: Secure routing with RPKI
byAPNIC
 
PDF
SANOG 40: RPKI in South Asia
byAPNIC
 
PDF
A week with analysing RPKI status
byAPNIC
 
PDF
MyNOG 9: RPKI, lessons learned
byAPNIC
 
Secure Inter-domain Routing with RPKI
byAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
byAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
byAPNIC
 
Presentation on the State of RPKI in HK and East Asia by Shane Hermoso
byAPNIC
 
Peering Asia 2.0: RPKI for Peering
byAPNIC
 
Routing Security and RPKI: South Korea Focus
byAPNIC
 
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
byAPNIC
 
Why ROV? RPKI Deployment Status in Japan
byAPNIC
 
Introduction to RPKI
byAPNIC
 
APNIC Updates: RPKI, what we’ve learned and what we’ve been doing by Zen Chuan
byMyNOG
 
RPKI Overview, Case Studies, Deployment and Operations
byAPNIC
 
IDNOG 6: RQC and RPKI
byAPNIC
 
NANOG 80: Measuring RPKI Effectiveness
byAPNIC
 
Resource Public Key Infrastructure presentation, Mynog5
byAPNIC
 
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG
byAPNIC
 
Securing the Global Routing System and the Approach of Operators
byAPNIC
 
PacNOG 23: Secure routing with RPKI
byAPNIC
 
SANOG 40: RPKI in South Asia
byAPNIC
 
A week with analysing RPKI status
byAPNIC
 
MyNOG 9: RPKI, lessons learned
byAPNIC
 

More from Bangladesh Network Operators Group

PDF
Fast Reroute in SR-MPLS by Md Abdullah Al Naser
byBangladesh Network Operators Group
 
PDF
DDoS Mitigation Strategies by Md. Abdul Awal
byBangladesh Network Operators Group
 
PDF
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
PDF
IPv6 Mostly Experience at APRICOT by Yoshinobu Matsuzaki (IIJ)
byBangladesh Network Operators Group
 
PDF
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
PPTX
The Internet Service Providers and Connectivity Providers of ICANN
byBangladesh Network Operators Group
 
PDF
Taming the Tide: Autoscaling Kubernetes for Cost-Effective Load Balancing
byBangladesh Network Operators Group
 
PDF
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
PDF
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
PDF
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 
PPTX
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
PDF
Mental Health and Workplace Culture in Tech:A Personal Perspective
byBangladesh Network Operators Group
 
PDF
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
PDF
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
byBangladesh Network Operators Group
 
PDF
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
byBangladesh Network Operators Group
 
PDF
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
PDF
Optics101 for non-Optical (IP) folks by Tashi Phuntsho
byBangladesh Network Operators Group
 
PDF
Network Efficiency:The LLM Advantage on network infrastructures
byBangladesh Network Operators Group
 
PPTX
Strengthening Cyber Security with Tools and Human Expertise
byBangladesh Network Operators Group
 
PPTX
Integration of AI and GenAI in Education and beyond
byBangladesh Network Operators Group
 
Fast Reroute in SR-MPLS by Md Abdullah Al Naser
byBangladesh Network Operators Group
 
DDoS Mitigation Strategies by Md. Abdul Awal
byBangladesh Network Operators Group
 
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
IPv6 Mostly Experience at APRICOT by Yoshinobu Matsuzaki (IIJ)
byBangladesh Network Operators Group
 
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
The Internet Service Providers and Connectivity Providers of ICANN
byBangladesh Network Operators Group
 
Taming the Tide: Autoscaling Kubernetes for Cost-Effective Load Balancing
byBangladesh Network Operators Group
 
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
Mental Health and Workplace Culture in Tech:A Personal Perspective
byBangladesh Network Operators Group
 
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
byBangladesh Network Operators Group
 
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
byBangladesh Network Operators Group
 
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
Optics101 for non-Optical (IP) folks by Tashi Phuntsho
byBangladesh Network Operators Group
 
Network Efficiency:The LLM Advantage on network infrastructures
byBangladesh Network Operators Group
 
Strengthening Cyber Security with Tools and Human Expertise
byBangladesh Network Operators Group
 
Integration of AI and GenAI in Education and beyond
byBangladesh Network Operators Group
 

Recently uploaded

PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PDF
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Accelerate Innovation with Engineering R&D Services
byChetu
 

RPKI ROA updates

  • 1.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates RPKI ROA updates Anurag Bhatia, Hurricane Electric (AS6939)
  • 2.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Starts with tweet from my friend Awal
  • 3.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Thoughts after looking at the tweet... ● Is Awal correct? ● How can I cross validate his claim? ● India has highest number of ASNs & IP prefixes in South Asia. Can that impact these results? ● If true and nothing done more of this will show up!
  • 4.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Thoughts after looking at the tweet... ● Is Awal correct? <- Unfortunately he was correct ● How can I cross validate his claim? <- I actually did, more on this soon... ● India has highest number of ASNs & IP prefixes in South Asia. Can that impact these results? <- That can reflect in absolute numbers but not in relative percentage numbers ● If true and nothing done more of this will show up! <- No, and here I am to talk about it! :-)
  • 5.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Validating the claim that India was lacking behind...
  • 6.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates How to do RPKI validation of a country? Find all prefixes originated by that country with origin ASNs and run them against a validator. Simple right?
  • 7.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Challenges with RPKI validation at country level 1. How do you map prefixes to a given country? What should be the starting point? 2. Running check sequentially against a RPKI validator is slow. When done for thousands of prefixes it’s actually very slow. 3. How to store the output and track it over time?
  • 8.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Challenges Solutions with RPKI validation at country level 1. How do you map prefixes to a given country? What should be the starting point? <- Instead of prefixes, start with ASN from RIR delegation file. And do ASN -> Prefix mapping 2. Running check sequentially against a RPKI validator is slow. When done for thousands of prefixes it’s actually very slow. <- Used rpki api binary from Louis Poinsignon (Cloudflare) - https://github.com/lspgn/rpki-api 3. How to store the output and track it over time? <- Store data in a MySQL database & analyse output using Grafana
  • 9.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates More details on RPKI validator lookup ● RIPE RIS is used for raw data to map ASNs to prefixes. ● Data is formatted in csv & queries in a GraphQL format to RPKI API. ● Can scan entire global routing table in 3-4mins! (IN table takes a few seconds) ● Lookup is triggered using Ansible AWX instance. Gives cron like capability but with notification & more. ● Fair amount of code was re-used which I put internally @work to keep an eye on our own routing table as we were deploying RPKI validation across Hurricane Electric’s AS6939 backbone. ● Everything is containerized with Docker
  • 10.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates If it takes a few seconds on IN, why not scan entire South Asia?
  • 11.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Presenting rpki.anuragbhatia.com !!!
  • 12.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Asian stats from July 2020 Warning: 6 months old data!
  • 13.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Asian stats now!
  • 14.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Growth of RPKI Valids in Asia
  • 15.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Bangladesh RPKI signed growth - absolute signed prefixes
  • 16.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Bangladesh RPKI signed growth - % signed prefixes
  • 17.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Indian RPKI invalids
  • 18.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Bangladesh RPKI ROA public data Public data specific to Bangladesh - https://rpki.anuragbhatia.com/d/F2f3geu7k/bangladesh-rpki-public-data?orgId=1
  • 19.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Some more details about Grafana ● Used it as frontend for this data. Essentially supports showing data in any form like graphs, table, time data etc. ● Supports different set of data sources including InfluxDB, MySQL, and lot more. ● Open source and free to use in self hosted format. Besides RPKI tool, also used it on RIPE Atlas data export. ● Supports authentication to give restricted access as well as making data available out in public without any authentication.
  • 20.
    Anurag Bhatia -Hurricane Electric - RPKI ROA Updates Questions/Feedback/Suggestions? Anurag Bhatia anurag@he.net he.net