APNIC Updates

Anna Mulingbayan
Internet Resource Analyst, APNIC

Published in: Internet

  1. Resource Public Key Infrastructure (RPKI)
     Anna Mulingbayan, MYNOG 5, 21 August 2015
     Issue Date: 31/12/2014; Revision: 1
  2. Why use RPKI?
     • Prevent route hijacking
       – Only the rightful custodian can originate the prefix announcement
       – ISPs filter prefixes they propagate
     • Minimize common routing errors
       – Limits human errors
       – Prioritize routes with certificates
  3. Real life routing incidents
     • June 2015 - Telecom Malaysia causes large-scale routing issues due to route leak
     • April 2014 - Indosat leaked 32,000 routes
     • April 2010 - China Telecom advertisement causes 15% of Internet traffic to pass through Chinese servers
     • February 2008 - Pakistan Telecom announces 208.65.153.0/24 (YouTube prefix)
  4. What is RPKI? Resource Public Key Infrastructure (RPKI)
     • A robust security framework for verifying the association between resource holders and their Internet resources
     • Uses X.509 certificates with RFC 3779 extensions
     • Collaborative effort by all RIRs to help secure Internet routing by validating routes
  5. How to use RPKI?
     • Create Route Origin Authorization (ROA) objects
     • What's contained in a ROA
       – The AS number you have authorized
       – The prefix that is being originated from it
       – The most specific prefix (maximum length) that the AS may announce
     For example: "AS64496 originates a route for the prefix 2001:DB8::/32 with a maximum prefix length of /40"
  6. Creating ROA in MyAPNIC
     • What you need to have before creating a ROA
       – Must be an APNIC Member
       – Have access to MyAPNIC with 2 factor authentication
     • Takes only 5 minutes to create, and 10 minutes to be visible to the public
  7. Activate RPKI Engine
  8. Creating your ROA (Using suggestions)
  9. Creating your ROA (Manual)
  10. Created your ROA, what's next?
     • Maintain your ROAs
       – Changed BGP announcement
       – New delegation
       – Transferred resources
     • RPKI validator
       – https://trac.rpki.net/wiki/doc/RPKI
       – Valid
       – Invalid
       – Unknown
  11. Success Story
     • May 2015: APNIC Outreach in Bangladesh
       – 13 organizations visited
       – Onsite support to create ROA objects
     561 valid prefixes (24%), http://rpki.surfnet.nl/bd.html
  12. World Leaderboard (economy)
     http://rpki.surfnet.nl/country.html (as of June 10, 2015)
  13. ROA in South East Asia

     Economy  ROA count  IPv4 total  IPv4 ROA  IPv4 %       IPv6 total  IPv6 ROA  IPv6 pct
     ID       1          17666560    65536     0.37096073   3204484864  0         0
     MY       2          6490880     35840     0.552159337  1476404224  0         0
     PH       18         5352704     185088    3.457841121  872419840   256       0.000029344
     SG       14         5165568     78080     1.51154723   2315278848  67109376  2.898543994

     *As at 5 Aug 2015
  14. IPv4 Transfers
  15. Who can do the transfer?
     • Transfer of IPv4 between you and
       – Other APNIC Members
       – Members from other RIRs, e.g. ARIN
     • Transfer between APNIC Members
       – So far MY has a total of 11 transfers
       – Transfer logs: http://ftp.apnic.net/transfers/apnic/
     • Transfer between APNIC and RIR
       – Transfer from RIR Member to APNIC Member, or vice versa
       – Source account to initiate transfer request
       – Registry of the recipient account to evaluate transfer request
       – More information on: www.apnic.net/transfer
  16. How many transfers are we doing?
     [Chart: number of transfers per year, 2010 to 2015]
     Years: 2010, 2011, 2012, 2013, 2014, 2015
     APNIC total: 2, 35, 83, 98, 165, 88
     MY: 4, 7, 0, 0, 0
  17. How to do the transfer in MyAPNIC? (source account)
  18. MyAPNIC (source account)
  19. MyAPNIC (recipient account)
  20. Tips
     • Pre-approval
       – allows you to demonstrate your need for the IPv4 block in advance
       – process is faster as the evaluation is done beforehand
       – complete the "Transfer pre-approval" form via MyAPNIC
       – more information at http://www.apnic.net/pre-approval
     • IPv4 Transfer listing service
       – list Members who have received pre-approval on APNIC website to allow others with excess IPv4 to contact you
       – more information at http://www.apnic.net/pre-approval-listing
     • APNIC Transfers Mailing List
       – facilitate discussion on topics related to IPv4 transfer
       – to subscribe please go to www.apnic.net/mailing-lists
  21. You're Invited!
     • APNIC 40: Jakarta, Indonesia from 3 - 10 Sept 2015
  22. THANK YOU
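
How the ROA fields from slide 5 produce the three validator states from slide 10, as an added example that is not part of the slides or of APNIC's tooling: it follows the route origin validation procedure of RFC 6811 and goes slightly beyond the slide by also checking the IPv4 prefix named on slide 3. The `ROA` tuple, the `validate` and `classify` functions, the second origin AS (64511, a documentation ASN) and the sample announcements are constructed for illustration; RFC 6811 calls the third state "NotFound", and the slide's term "Unknown" is used here.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    asn: int          # the AS number that has been authorized
    prefix: str       # the prefix being originated from it
    max_length: int   # most specific prefix length the AS may announce


# Constructed sample data: the single ROA quoted on slide 5.
ROAS = [ROA(64496, "2001:db8::/32", 40)]


def validate(prefix, origin_asn, roas=ROAS):
    """Return 'Valid', 'Invalid' or 'Unknown' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the authorized origin AS and a prefix no longer than
        # max_length. An AS 0 ROA never matches (it only marks space as unrouted).
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    # Covered but never matched: wrong origin or too specific. Not covered by
    # any ROA at all: the validator cannot say anything about the route.
    return "Invalid" if covered else "Unknown"


def classify(announcements, roas=ROAS):
    """Validate a list of (prefix, origin_asn) pairs; returns a dict of states."""
    return {(p, a): validate(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    sample = [                           # constructed announcements
        ("2001:db8::/32", 64496),        # exactly what the ROA authorizes
        ("2001:db8:ab00::/40", 64496),   # more specific, still within /40
        ("2001:db8:abcd::/48", 64496),   # more specific than max_length
        ("2001:db8::/32", 64511),        # covered prefix, unauthorized origin
        ("208.65.153.0/24", 64511),      # no ROA covers this prefix
    ]
    for key, state in classify(sample).items():
        print(key, state)
```

The last sample shows why ROA coverage matters: an announcement for a prefix with no ROA comes back Unknown rather than Invalid, so a filter that drops only Invalid routes will still accept it.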
