SlideShare a Scribd company logo

The impact of deploying an RPKI validator in Bangladesh and lessons learned

Bangladesh Network Operators Group
Bangladesh Network Operators Group

The impact of an RPKI validator in Bangladesh and Lessons Learned

Technology
1 of 50
Download to read offline
The impact of an RPKI validator in Bangladesh and Lessons Learned Image source: Internet Md. Abdul Awal awal@nsrc.org #bdNOG11
Disclaimer • We are talking about ROUTING SECURITY; it is NOT CYBERSECURITY or HOST VULNERABILITY or DATA LEAKAGE or any such concepts... • Doing RPKI validation does not mean that without validation NDC was very vulnerable. Doing it provides additional routing security. • The slide has information visible publicly. No confidential information of the NDC or any other organizations has been exposed here. • The slides have screenshots that are not intended to promote or demote any ASN. It is used to show some real cases. #bdNOG11 2
Starting with some routing incidents… #bdNOG11 3
Source: https://observatory.manrs.org #bdNOG11 4
• A Prefix is announced by both AS 134599 and AS 133957 (might be unintentional) • Either AS cloud be closest to different geographic locations • Legitimate traffic might get blackholed #bdNOG11 5
• Issue informed to the IP owner. • They removed one announcement • Created ROA for valid ASN • Valid announcement visible in the global routing table #bdNOG11 6
• Client AS didn’t update APNIC membership • Shouldn’t have valid prefix allocation with revoked membership • Transit still announces client’s prefixes • Prefixes marked as BOGON in global routing table #bdNOG11 7
• The issue has been informed to the transit provider • Then, they dropped it • The announcement was removed from global table • Later on, the AS got membership renewed and has its allocated prefixes back for use #bdNOG11 8
• AS 64075 delegated its prefix 103.204.210.0/24 to AS 137842 • AS 137842 announced the prefix • AS 64075 is also announcing its delegated prefixes as AS 137842 (AS Hijack) • It’s upstream accepting it and further announcing it globally #bdNOG11 9
• A /64 IPv6 prefix announced in global routing table • Most specific announcement in global table is /48 • A /64 should never be in global routing table #bdNOG11 10
• The issue was informed to the AS • The announcement has been removed #bdNOG11 11
Somebody is announcing non-routable prefixes in the global BGP table. #bdNOG11 12 The announcement has been removed once the issue was informed to them
• Previously, AS 136909 used transit from AS 24342 using static routing. • AS 24342 announced prefixes of AS 136909 in global BGP table on their behalf. • Later, AS 136909 stated doing BGP but AS 24342 still didn’t stop the announcement. #bdNOG11 13
• AS 24342 has been informed to stop announcing client’s prefixes • Client AS 136909 has signed their prefixes • Issue resolved. #bdNOG11 14
• AS 136901 got an allocation of /22. • They announce part of its prefix (not the whole), e.g. /23 is announced but the other /23 is not. • Opportunists can try to use the unannounced /23 for unauthorized activities. #bdNOG11 15
• AS 137515 announced BCC’s prefix 103.48.17.0/24 in a NIX (Prefix hijack) • Important government services became unavailable to the citizens • Cost our time to fix. #bdNOG11 16
• We mistakenly announced the prefix • We do not manually check our clients’ APNIC membership status • The client is very close to us and well trustworthy, so we never required to check their announcements • We don’t do prefix or AS filtering for our clients • Forgot to stop announcing the prefix after it’s delegated to another AS What they reply about it? Funny but they really did #bdNOG11 Image source: Internet 17
#bdNOG11 How we ensure the routing hygiene manually? Nightmare… Image source: Internet 18
#bdNOG11 Image source: Internet 19
RPKI is about 2 things: ROA and ROV Signing prefixes a.k.a. creating ROAs 1 #bdNOG11 20
RPKI is about 2 things: ROA and ROV #bdNOG11 RIR CA RIR Resource DB Member Login Authentication 2001:db8::/32 192.0.2.0/24 AS 65000 ROA 21
RPKI is about 2 things: ROA and ROV Validating ROAs a.k.a Route Origin Validation 2 #bdNOG11 22
RPKI is about 2 things: ROA and ROV #bdNOG11 RPKI Repository RPKI Validator BGP Router RTR Protocolrsync/RRDP 23
Why Create ROA? #bdNOG11 So that your IP resources are not knowingly or unknowingly used or abused by anyone To ensure the authenticity of your IP resources and help others verify it if requires 24
Why Deploy ROV? #bdNOG11 To build and maintain a secure and trustworthy global routing infrastructure To validate BGP routes and identify the authorized originator of the prefix 25 Imagesource:Internet
RPKI Validation in NDC and subsequent impact #bdNOG11 26
RPKI Validation at National Data Center • NDC declared to drop invalids since Dec 1, 2019 • Bangladesh has more than 700 active ASN • BD ROA stats in Sep 2019: • Valid – 29% • Unknown – 69% • Invalid – 2% • Need to find out ASNs who are getting impact • BD ASNs are easy to reach for obvious reason • How about the global ASNs? #bdNOG11 27
Awareness Before the ROV #bdNOG11 28
Awareness Before the ROV • We helped others to create and/or fix their ROAs • LEAs, Police, Special forces • Govt. Organizations • IXPs • Banks and Financial Organizations • Transit providers • ISPs • Data Centers #bdNOG11 29
The impact of awareness campaign #bdNOG11 Source: https://bgp.he.net 30
The impact of awareness campaign #bdNOG11 31
The impact of awareness campaign #bdNOG11 Source: https://observatory.manrs.org Oct 2019 Nov 2019 Dec 2019 32
The impact of awareness campaign #bdNOG11 Source: https://stat.ripe.net/BD#tabId=routing 33
The impact of awareness campaign #bdNOG11 Source: https://stat.ripe.net/BD#tabId=routing 34
And, finally NDC drops invalids since Dec 1, 2020 #bdNOG11 35
More organizations to start ROV • BdREN (AS 63961) - Jan, 2020 • Summit Communications (AS 58717) – Jan 2019 • BD Link (AS 58668) – Jan, 2020 • Link3 Technologies (AS 23688) - TBD • Cybergate (AS 58599) - TBD #bdNOG11 36
RPKI Status in Bangladesh #bdNOG11 37
#bdNOG11 • Bangladesh has 1-2 % INVALID ROAs • We need to eliminate it completely • Also, need to reduce UNKNOWNs • Sign the unsigned And, think about doing Route Origin Validation (ROV) 38
Considerations about ROA and ROV #bdNOG11 39
#bdNOG11 VS Creating ROA • Not a good idea to create ROAs up to /24 if not announced in BGP • Better to create ROAs for specific prefixes that are announced in BGP 40
Creating ROA #bdNOG11 VS 41
#bdNOG11 Creating ROA VS You may sign same prefix with multiple ASNs but do if you really really have to 42
Doing ROV #bdNOG11 VS Validation with allowing invalids for BGP best path selection Validation without allowing invalids for BGP best path selection 43
ROA for Small ISPs and Enterprises • Have own Internet resources? • Creating ROA is straightforward using RIR’s resource management portal • Got assignment for LIR? • Have public ASN? • Ask the LIR to create ROA with your ASN and verify • Don’t have public ASN? • Ask the LIR to create ROA for the assigned prefix and verify #bdNOG11 44
ROV for Small ISPs and Enterprises • Have BGP with transits and peers? • Receive full routes from neighbors? • Implementing ROV using validator cache is straightforward • Receive partial routes with default from neighbors? • Ask transits to do ROV for you • And, implement ROV using validator cache to validate peer and IX routes • Receive default route only • ROV wouldn’t fit, however, you may ask transits to do ROV in their routers J • Have static routing with transits? • ROV wouldn’t fit, however, you may ask transits to do ROV in their routers J #bdNOG11 45
Still thinking why we need ROA and ROV? • Check the issues discussed in first couple slides • Reduce the opportunity of routing incidents, prefix hijacks, route leaks, DDoS, outages • You wouldn’t want to be a target of those incidents • Help improve global routing infrastructure security • Help each other to maintain routing hygiene • We are engineers working hard to make Internet better, remember? #bdNOG11 46
We all can help improve global routing security • Create/fix ROAs for your prefixes • If you are a transit provider, ask you clients to do the same • If you’re receiving BGP full route, implement ROV • Share this among other colleagues in the community • Help others fix their ROAs #bdNOG11 47 Imagesource:Internet
• Go to https://bgp.he.net , search for your AS number and check v4 and v6 prefixes Or, • Use whois on unix terminal: whois -h whois.bgpmon.net " --roa ASN Prefix" • If you find issues with ROA, please fix it https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/ Let’s check your own ASN #bdNOG11 48
References 1. https://learn.nsrc.org/bgp/MANRS4_RPKI_and_ROA 2. https://nsrc.org/workshops/2019/mnnog1/riso/networking/routing- security/en/presentations/BGP-Origin-Validation.pdf 3. https://www.manrs.org/manrs 4. https://blog.cloudflare.com/rpki-details/ 5. https://www.apnic.net/get-ip/faqs/rpki/ 6. https://www.apnic.net/community/security/resource-certification/ 7. https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/ 8. https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/ 9. https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf 10. https://www.cirt.gov.bd/জাতীয়-ডাটা-েস+াের-আরিপ/ #bdNOG11 49
Questions? #bdNOG11 50

Recommended

Ip addressing 2014
Ip addressing 2014Ip addressing 2014
Ip addressing 2014Anandita
 
BUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONS
BUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONSBUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONS
BUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONSRyan Jespersen
 
Defrag X Keynote: Deploying and managing Global Blockchain Network
Defrag X Keynote: Deploying and managing Global Blockchain NetworkDefrag X Keynote: Deploying and managing Global Blockchain Network
Defrag X Keynote: Deploying and managing Global Blockchain NetworkDuncan Johnston-Watt
 
Blockchain - HyperLedger Fabric
Blockchain - HyperLedger FabricBlockchain - HyperLedger Fabric
Blockchain - HyperLedger FabricAraf Karsh Hamid
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
Securing BGP
Securing BGPSecuring BGP
Securing BGPRIPE NCC
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingAPNIC
 

Recommended

Ip addressing 2014
Ip addressing 2014Ip addressing 2014
Ip addressing 2014Anandita
 
BUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONS
BUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONSBUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONS
BUILD THE NEW GENERATION OF REAL-TIME STREAMING SOLUTIONSRyan Jespersen
 
Defrag X Keynote: Deploying and managing Global Blockchain Network
Defrag X Keynote: Deploying and managing Global Blockchain NetworkDefrag X Keynote: Deploying and managing Global Blockchain Network
Defrag X Keynote: Deploying and managing Global Blockchain NetworkDuncan Johnston-Watt
 
Blockchain - HyperLedger Fabric
Blockchain - HyperLedger FabricBlockchain - HyperLedger Fabric
Blockchain - HyperLedger FabricAraf Karsh Hamid
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
Securing BGP
Securing BGPSecuring BGP
Securing BGPRIPE NCC
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingAPNIC
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
Running BGP with Mikrotik
Running BGP with MikrotikRunning BGP with Mikrotik
Running BGP with MikrotikGLC Networks
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
RPKI invalids aren't gone yet
RPKI invalids aren't gone yetRPKI invalids aren't gone yet
RPKI invalids aren't gone yetBangladesh Network Operators Group
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Routing Security Considerations
Routing Security ConsiderationsRouting Security Considerations
Routing Security ConsiderationsCSUC - Consorci de Serveis Universitaris de Catalunya
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 
Deployment factors and Current status
Deployment factors and Current statusDeployment factors and Current status
Deployment factors and Current statusAPNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)Deploy360 Programme (Internet Society)
 
Selective blackholing - how to use & implement
Selective blackholing - how to use & implementSelective blackholing - how to use & implement
Selective blackholing - how to use & implementAPNIC
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJBangladesh Network Operators Group
 

More Related Content

Similar to The impact of deploying an RPKI validator in Bangladesh and lessons learned

HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingAPNIC
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
Running BGP with Mikrotik
Running BGP with MikrotikRunning BGP with Mikrotik
Running BGP with MikrotikGLC Networks
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 
Deployment factors and Current status
Deployment factors and Current statusDeployment factors and Current status
Deployment factors and Current statusAPNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Selective blackholing - how to use & implement
Selective blackholing - how to use & implementSelective blackholing - how to use & implement
Selective blackholing - how to use & implementAPNIC
 

Similar to The impact of deploying an RPKI validator in Bangladesh and lessons learned (20)

HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh Phokeer
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
 
Running BGP with Mikrotik
Running BGP with MikrotikRunning BGP with Mikrotik
Running BGP with Mikrotik
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
RPKI invalids aren't gone yet
RPKI invalids aren't gone yetRPKI invalids aren't gone yet
RPKI invalids aren't gone yet
 
Routing Security
Routing SecurityRouting Security
Routing Security
 
Routing Security Considerations
Routing Security ConsiderationsRouting Security Considerations
Routing Security Considerations
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
 
Deployment factors and Current status
Deployment factors and Current statusDeployment factors and Current status
Deployment factors and Current status
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
Selective blackholing - how to use & implement
Selective blackholing - how to use & implementSelective blackholing - how to use & implement
Selective blackholing - how to use & implement
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Recently uploaded

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

The impact of deploying an RPKI validator in Bangladesh and lessons learned

  • 1. The impact of an RPKI validator in Bangladesh and Lessons Learned Image source: Internet Md. Abdul Awal awal@nsrc.org #bdNOG11
  • 2. Disclaimer • We are talking about ROUTING SECURITY; it is NOT CYBERSECURITY or HOST VULNERABILITY or DATA LEAKAGE or any such concepts... • Doing RPKI validation does not mean that without validation NDC was very vulnerable. Doing it provides additional routing security. • The slide has information visible publicly. No confidential information of the NDC or any other organizations has been exposed here. • The slides have screenshots that are not intended to promote or demote any ASN. It is used to show some real cases. #bdNOG11 2
  • 3. Starting with some routing incidents… #bdNOG11 3
  • 5. • A Prefix is announced by both AS 134599 and AS 133957 (might be unintentional) • Either AS cloud be closest to different geographic locations • Legitimate traffic might get blackholed #bdNOG11 5
  • 6. • Issue informed to the IP owner. • They removed one announcement • Created ROA for valid ASN • Valid announcement visible in the global routing table #bdNOG11 6
  • 7. • Client AS didn’t update APNIC membership • Shouldn’t have valid prefix allocation with revoked membership • Transit still announces client’s prefixes • Prefixes marked as BOGON in global routing table #bdNOG11 7
  • 8. • The issue has been informed to the transit provider • Then, they dropped it • The announcement was removed from global table • Later on, the AS got membership renewed and has its allocated prefixes back for use #bdNOG11 8
  • 9. • AS 64075 delegated its prefix 103.204.210.0/24 to AS 137842 • AS 137842 announced the prefix • AS 64075 is also announcing its delegated prefixes as AS 137842 (AS Hijack) • It’s upstream accepting it and further announcing it globally #bdNOG11 9
  • 10. • A /64 IPv6 prefix announced in global routing table • Most specific announcement in global table is /48 • A /64 should never be in global routing table #bdNOG11 10
  • 11. • The issue was informed to the AS • The announcement has been removed #bdNOG11 11
  • 12. Somebody is announcing non-routable prefixes in the global BGP table. #bdNOG11 12 The announcement has been removed once the issue was informed to them
  • 13. • Previously, AS 136909 used transit from AS 24342 using static routing. • AS 24342 announced prefixes of AS 136909 in global BGP table on their behalf. • Later, AS 136909 stated doing BGP but AS 24342 still didn’t stop the announcement. #bdNOG11 13
  • 14. • AS 24342 has been informed to stop announcing client’s prefixes • Client AS 136909 has signed their prefixes • Issue resolved. #bdNOG11 14
  • 15. • AS 136901 got an allocation of /22. • They announce part of its prefix (not the whole), e.g. /23 is announced but the other /23 is not. • Opportunists can try to use the unannounced /23 for unauthorized activities. #bdNOG11 15
  • 16. • AS 137515 announced BCC’s prefix 103.48.17.0/24 in a NIX (Prefix hijack) • Important government services became unavailable to the citizens • Cost our time to fix. #bdNOG11 16
  • 17. • We mistakenly announced the prefix • We do not manually check our clients’ APNIC membership status • The client is very close to us and well trustworthy, so we never required to check their announcements • We don’t do prefix or AS filtering for our clients • Forgot to stop announcing the prefix after it’s delegated to another AS What they reply about it? Funny but they really did #bdNOG11 Image source: Internet 17
  • 18. #bdNOG11 How we ensure the routing hygiene manually? Nightmare… Image source: Internet 18
  • 20. RPKI is about 2 things: ROA and ROV Signing prefixes a.k.a. creating ROAs 1 #bdNOG11 20
  • 21. RPKI is about 2 things: ROA and ROV #bdNOG11 RIR CA RIR Resource DB Member Login Authentication 2001:db8::/32 192.0.2.0/24 AS 65000 ROA 21
  • 22. RPKI is about 2 things: ROA and ROV Validating ROAs a.k.a Route Origin Validation 2 #bdNOG11 22
  • 23. RPKI is about 2 things: ROA and ROV #bdNOG11 RPKI Repository RPKI Validator BGP Router RTR Protocolrsync/RRDP 23
  • 24. Why Create ROA? #bdNOG11 So that your IP resources are not knowingly or unknowingly used or abused by anyone To ensure the authenticity of your IP resources and help others verify it if requires 24
  • 25. Why Deploy ROV? #bdNOG11 To build and maintain a secure and trustworthy global routing infrastructure To validate BGP routes and identify the authorized originator of the prefix 25 Imagesource:Internet
  • 26. RPKI Validation in NDC and subsequent impact #bdNOG11 26
  • 27. RPKI Validation at National Data Center • NDC declared to drop invalids since Dec 1, 2019 • Bangladesh has more than 700 active ASN • BD ROA stats in Sep 2019: • Valid – 29% • Unknown – 69% • Invalid – 2% • Need to find out ASNs who are getting impact • BD ASNs are easy to reach for obvious reason • How about the global ASNs? #bdNOG11 27
  • 28. Awareness Before the ROV #bdNOG11 28
  • 29. Awareness Before the ROV • We helped others to create and/or fix their ROAs • LEAs, Police, Special forces • Govt. Organizations • IXPs • Banks and Financial Organizations • Transit providers • ISPs • Data Centers #bdNOG11 29
  • 30. The impact of awareness campaign #bdNOG11 Source: https://bgp.he.net 30
  • 31. The impact of awareness campaign #bdNOG11 31
  • 32. The impact of awareness campaign #bdNOG11 Source: https://observatory.manrs.org Oct 2019 Nov 2019 Dec 2019 32
  • 33. The impact of awareness campaign #bdNOG11 Source: https://stat.ripe.net/BD#tabId=routing 33
  • 34. The impact of awareness campaign #bdNOG11 Source: https://stat.ripe.net/BD#tabId=routing 34
  • 35. And, finally NDC drops invalids since Dec 1, 2020 #bdNOG11 35
  • 36. More organizations to start ROV • BdREN (AS 63961) - Jan, 2020 • Summit Communications (AS 58717) – Jan 2019 • BD Link (AS 58668) – Jan, 2020 • Link3 Technologies (AS 23688) - TBD • Cybergate (AS 58599) - TBD #bdNOG11 36
  • 37. RPKI Status in Bangladesh #bdNOG11 37
  • 38. #bdNOG11 • Bangladesh has 1-2 % INVALID ROAs • We need to eliminate it completely • Also, need to reduce UNKNOWNs • Sign the unsigned And, think about doing Route Origin Validation (ROV) 38
  • 39. Considerations about ROA and ROV #bdNOG11 39
  • 40. #bdNOG11 VS Creating ROA • Not a good idea to create ROAs up to /24 if not announced in BGP • Better to create ROAs for specific prefixes that are announced in BGP 40
  • 42. #bdNOG11 Creating ROA VS You may sign same prefix with multiple ASNs but do if you really really have to 42
  • 43. Doing ROV #bdNOG11 VS Validation with allowing invalids for BGP best path selection Validation without allowing invalids for BGP best path selection 43
  • 44. ROA for Small ISPs and Enterprises • Have own Internet resources? • Creating ROA is straightforward using RIR’s resource management portal • Got assignment for LIR? • Have public ASN? • Ask the LIR to create ROA with your ASN and verify • Don’t have public ASN? • Ask the LIR to create ROA for the assigned prefix and verify #bdNOG11 44
  • 45. ROV for Small ISPs and Enterprises • Have BGP with transits and peers? • Receive full routes from neighbors? • Implementing ROV using validator cache is straightforward • Receive partial routes with default from neighbors? • Ask transits to do ROV for you • And, implement ROV using validator cache to validate peer and IX routes • Receive default route only • ROV wouldn’t fit, however, you may ask transits to do ROV in their routers J • Have static routing with transits? • ROV wouldn’t fit, however, you may ask transits to do ROV in their routers J #bdNOG11 45
  • 46. Still thinking why we need ROA and ROV? • Check the issues discussed in first couple slides • Reduce the opportunity of routing incidents, prefix hijacks, route leaks, DDoS, outages • You wouldn’t want to be a target of those incidents • Help improve global routing infrastructure security • Help each other to maintain routing hygiene • We are engineers working hard to make Internet better, remember? #bdNOG11 46
  • 47. We all can help improve global routing security • Create/fix ROAs for your prefixes • If you are a transit provider, ask you clients to do the same • If you’re receiving BGP full route, implement ROV • Share this among other colleagues in the community • Help others fix their ROAs #bdNOG11 47 Imagesource:Internet
  • 48. • Go to https://bgp.he.net , search for your AS number and check v4 and v6 prefixes Or, • Use whois on unix terminal: whois -h whois.bgpmon.net " --roa ASN Prefix" • If you find issues with ROA, please fix it https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/ Let’s check your own ASN #bdNOG11 48
  • 49. References 1. https://learn.nsrc.org/bgp/MANRS4_RPKI_and_ROA 2. https://nsrc.org/workshops/2019/mnnog1/riso/networking/routing- security/en/presentations/BGP-Origin-Validation.pdf 3. https://www.manrs.org/manrs 4. https://blog.cloudflare.com/rpki-details/ 5. https://www.apnic.net/get-ip/faqs/rpki/ 6. https://www.apnic.net/community/security/resource-certification/ 7. https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/ 8. https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/ 9. https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf 10. https://www.cirt.gov.bd/জাতীয়-ডাটা-েস+াের-আরিপ/ #bdNOG11 49