Cleaning up your RPKI invalids
Jun. 15, 2023•0 likes•28 views
Download to read offline
Report
Technology
Cleaning up your RPKI invalids by Zen Chuan Ng, APNIC
MyNOGFollow
Recommended
INNOG 6: Cleaning up your RPKI invalidesAPNIC
PhNOG 2020: Securing your resources with RPKI and IRTAPNIC
Securing global routing system and operators approachAPNIC
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
MMIX Peering Forum and MMNOG 2020: Securing your resources with RPKI and IRTAPNIC
Secure Inter-domain Routing with RPKIAPNIC
More Related Content
Similar to Cleaning up your RPKI invalids
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG APNIC
PacNOG 31: Cleaning up your RPKI invalidsAPNIC
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...Indonesia Network Operators Group
Securing the Global Routing System and the Approach of OperatorsAPNIC
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC
More from MyNOG
Peering Personal MyNOG-10MyNOG
Embedded CDNs in 2023MyNOG
Edge virtualisation for Carrier NetworksMyNOG
Equinix: New Markets, New FrontiersMyNOG
Securing the Onion: 5G Cloud Native InfrastructureMyNOG
Hierarchical Network ControllerMyNOG
Recently uploaded
V3Cube Gojek Clone - Rebrand With SuperiorityV3cube
How to reduce expenses on monitoringRomanKhavronenko
"From Orchestration to Choreography and Back", Yevhen Bobrov Fwdays
CamundaCon NYC 2023 Keynote - Shifting into overdrive with process orchestrationBernd Ruecker
Product Research Presentation-Maidy Veloso.pptxMaidyVeloso
Navigating the FutureOnBoard
Cleaning up your RPKI invalids
- 1. 1 Cleaning up your RPKI invalids Zen Ng Senior Internet Resource Analyst APNIC
- 2. 2 What has been discussed previously? • ROA adoption rate in SEA and Malaysia. • It was great! Thanks to all! • Currently 95.74%. So far yet so close! • While ROA stats are increasing, RPKI invalids still persists • What should we do next? To clean up and reduce RPKI invalids
- 3. 3 ROA adoption in SEA 3 Economy ROA adoption rate (%) Philippines 96.73% Malaysia 95.74% Cambodia 93.43% Myanmar 91.02% Vietnam 88.73% Singapore 83.50% Lao PDR 77.81% Thailand 66.86%
- 4. 4 4 Lets re-visit….What is RPKI? A robust security framework for verifying the association between resource holders and their Internet number resources. 4
- 5. 5 5 Route Origin Authorization What is contained in a ROA? – The AS number you have authorized – The prefix that is being originated from it – The most specific prefix (maximum length) that the AS may announce For example: “ISP 4 permits AS65551 to originate a route for the prefix 198.51.100.0/24" 5
- 6. 6 6 Route Origin Validation • Valid – The prefix (prefix length) and AS pair found in the database • Invalid – Prefix is found, but origin-AS is wrong, OR – The prefix length is longer than the maximum length 6
- 9. 9 9 RPKI invalids 9 Validation result IPv4 count Invalid origin ASN 338 Invalid origin ASN and Max Length 192 Invalid Max Length 1694 Routeviews collector SG and Routunator
- 10. 10 Comparing to other countries Validation result IPv4 count MY ID SG Invalid origin ASN 338 3 11 55 Invalid origin ASN and Max Length 192 0 0 12 Invalid Max Length 1694 25 142 167
- 12. 12 12 ROA Prevalidation 12 • Validate changes submitted via MyAPNIC to ensure that they won’t cause problems in BGP • Allows Members to override if necessary
- 16. 16 IPv4 ROA coverage in Malaysia https://stats.labs.apnic.net/roas Around 20% 79.15%
- 17. 17 17 Creating your ROAs 17 Request a Digital Certificate (2FA) Corporate Contact approves request Install Digital Certificate Corporate Contact gives RPKI update permission Enable RPKI in MyAPNIC Create ROA Simplified … Register for MyAPNIC Set up 2FA Enable RPKI in MyAPNIC Create ROA
- 18. 18 18 Summary • ROA Pre-validation feature • Routing Status Alerts in Dash • ROA Alert Filters in Dash • Registry API – https://blog.apnic.net/2022/03/22/apnic-registry-api/ • Continuos improvement on ROA guides and Help Centre articles
- 19. 19 Questions?