RPKI: An Operator’s Implementation

Mark Tinka
Head of Engineering (SEACOM)

Published in: Internet

  1. SEACOM’s Experience Deploying RPKI
     COMMERCIAL-IN-CONFIDENCE
  2. RPKI
     • Resource Public Key Infrastructure.
     • Certify IP resources.
     • Validate route origination.
     • Phase 2 is to validate path (BGPsec).
     • Let’s talk about the steps (AFRINIC region).
  3. Create BPKI
  4. Authorized BPKI Profiles
  5. Resource Certification
  6. Create ROAs
  7. View Created ROAs
  8. Download & Install
     RPKI Project (… was our choice): http://rpki.net/wiki/doc/RPKI/Installation
  9. Router Setup – IOS & IOS XE

     router bgp ASN
      bgp rpki server tcp 2001:DB8::1 port 43779 refresh 300
      bgp rpki server tcp 2001:DB8::2 port 43779 refresh 300
      bgp rpki server tcp 192.0.2.1 port 43779 refresh 300
      bgp rpki server tcp 192.0.2.2 port 43779 refresh 300

  10. Router Setup – IOS XR

     router bgp ASN
      rpki server 192.0.2.1
       transport tcp port 43779
       refresh-time 300
      !
      rpki server 192.0.2.2
       transport tcp port 43779
       refresh-time 300
      !
      rpki server 2001:db8::1
       transport tcp port 43779
       refresh-time 300
      !
      rpki server 2001:db8::2
       transport tcp port 43779
       refresh-time 300
      !

  11. Router Setup – Junos

     tinka@lab# show routing-options validation
     group rpki-validation-caches {
         session 192.0.2.1 {
             refresh-time 300;
             port 43779;
             local-address 192.0.2.254;
         }
         session 192.0.2.2 {
             refresh-time 300;
             port 43779;
             local-address 192.0.2.254;
         }
     }
     group rpki-validation-caches6 {
         session 2001:db8::1 {
             refresh-time 300;
             port 43779;
             local-address 2001:db8::254;
         }
         session 2001:db8::2 {
             refresh-time 300;
             port 43779;
             local-address 2001:db8::254;
         }
     }

     {master}[edit]
     tinka@lab#
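The three vendor configurations above do the same thing: open an RTR (RPKI-to-Router, RFC 6810) session to each validator cache on TCP port 43779 and poll it every 300 seconds. The Python below is an added example, not part of the presentation and not code from any vendor or from the rpki.net project; it encodes and decodes the PDUs that cross such a session, with the router's Reset Query answered by a Cache Response, one Prefix PDU per VRP and an End of Data. The three sample VRPs are copied from the later "sh ip bgp rpki table" slides; the session ID and serial number are constructed for the example.

```python
"""RTR (RPKI-to-Router, RFC 6810 version 0) PDU codec.

Added example, not from the presentation or any vendor. It models the session
the configs above set up: the router connects to a cache on TCP/43779 and sends
a Reset Query; the cache answers with Cache Response, one Prefix PDU per VRP
(validated ROA payload) and End of Data. Sample VRPs are copied from the
'sh ip bgp rpki table' slides; session ID and serial number are constructed.
"""
import ipaddress
import struct
from typing import List, NamedTuple, Tuple, Union

RTR_VERSION = 0                 # RFC 8210 (version 1) adds refresh/retry/expire to End of Data
PDU_RESET_QUERY, PDU_CACHE_RESPONSE = 2, 3
PDU_IPV4_PREFIX, PDU_IPV6_PREFIX, PDU_END_OF_DATA = 4, 6, 7
FLAG_ANNOUNCE = 0x01            # flags bit 0: 1 = announce, 0 = withdraw
HEADER = "!BBHI"                # version, PDU type, session ID (or zero), total length
V4_BODY, V6_BODY = "!BBBB4sI", "!BBBB16sI"   # flags, prefix len, max len, zero, prefix, ASN
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    prefix: Network
    max_len: int
    asn: int

def vrp(prefix: str, max_len: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_len, asn)

def _header(pdu_type: int, session_or_zero: int, length: int) -> bytes:
    return struct.pack(HEADER, RTR_VERSION, pdu_type, session_or_zero, length)

def encode_reset_query() -> bytes:          # router -> cache: "send me the whole table"
    return _header(PDU_RESET_QUERY, 0, 8)

def encode_cache_response(session_id: int) -> bytes:
    return _header(PDU_CACHE_RESPONSE, session_id, 8)

def encode_prefix(v: VRP, announce: bool = True) -> bytes:
    pdu_type, fmt = (PDU_IPV4_PREFIX, V4_BODY) if v.prefix.version == 4 else (PDU_IPV6_PREFIX, V6_BODY)
    body = struct.pack(fmt, FLAG_ANNOUNCE if announce else 0, v.prefix.prefixlen, v.max_len, 0,
                       v.prefix.network_address.packed, v.asn)
    return _header(pdu_type, 0, 8 + len(body)) + body

def encode_end_of_data(session_id: int, serial: int) -> bytes:
    return _header(PDU_END_OF_DATA, session_id, 12) + struct.pack("!I", serial)

def decode_cache_batch(data: bytes) -> Tuple[int, int, List[VRP], List[VRP]]:
    """Router side: parse Cache Response ... End of Data into (session ID, serial,
    announced VRPs, withdrawn VRPs). Anything malformed raises: the VRP table
    drives route acceptance, so a buggy or hostile cache must not get a partially
    parsed PDU accepted."""
    off, session_id, serial = 0, None, None
    announced, withdrawn = [], []  # type: List[VRP], List[VRP]
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated PDU header")
        version, pdu_type, field, length = struct.unpack_from(HEADER, data, off)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < 8 or off + length > len(data):
            raise ValueError("PDU length field disagrees with the data")
        body = data[off + 8:off + length]
        if pdu_type == PDU_CACHE_RESPONSE:
            session_id = field
        elif pdu_type in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            fmt, cls, bits = ((V4_BODY, ipaddress.IPv4Network, 32) if pdu_type == PDU_IPV4_PREFIX
                              else (V6_BODY, ipaddress.IPv6Network, 128))
            if len(body) != struct.calcsize(fmt):
                raise ValueError("prefix PDU has the wrong length")
            flags, plen, mlen, _zero, addr, asn = struct.unpack(fmt, body)
            if not plen <= mlen <= bits:        # max length must be >= prefix length
                raise ValueError(f"bad prefix length {plen} / max length {mlen}")
            entry = VRP(cls((addr, plen), strict=False), mlen, asn)
            (announced if flags & FLAG_ANNOUNCE else withdrawn).append(entry)
        elif pdu_type == PDU_END_OF_DATA:
            if len(body) != 4 or field != session_id:
                raise ValueError("End of Data malformed or from another session")
            serial = struct.unpack("!I", body)[0]
        else:
            raise ValueError(f"unexpected PDU type {pdu_type} inside a cache batch")
        off += length
    if session_id is None or serial is None:
        raise ValueError("batch lacks Cache Response or End of Data")
    return session_id, serial, announced, withdrawn


# Sample data: three VRPs copied from the slides; session ID and serial are constructed.
SAMPLE_VRPS = [vrp("2.0.0.0/16", 16, 3215), vrp("2.0.0.0/12", 16, 3215), vrp("2001:500:4::/48", 48, 10745)]
SAMPLE_SESSION, SAMPLE_SERIAL = 0x2A, 7

def cache_reply(vrps=SAMPLE_VRPS, session_id=SAMPLE_SESSION, serial=SAMPLE_SERIAL) -> bytes:
    """Cache side: the bytes sent back in answer to a Reset Query."""
    return (encode_cache_response(session_id) + b"".join(encode_prefix(v) for v in vrps)
            + encode_end_of_data(session_id, serial))

if __name__ == "__main__":
    sid, ser, ann, wd = decode_cache_batch(cache_reply())
    print(f"session {sid:#x} serial {ser}: {len(ann)} announced, {len(wd)} withdrawn")
    for v in ann:
        print(f"  {v.prefix}-{v.max_len} AS{v.asn}")
```

The decoder refuses a Prefix PDU whose max length is shorter than its prefix length, a length field that disagrees with the bytes on the wire, or an End of Data carrying a different session ID than the Cache Response; a production RTR client also has to track the serial across Serial Query/Serial Notify cycles and fall back to a Reset Query on Cache Reset, which the RFC 6810 state machine covers and this example leaves out.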
  12. Verifying (… IOS & IOS XE example)

     lg-01-jnb.za>sh ip bgp 105.16.0.0
     BGP routing table entry for 105.16.0.0/12, version 70256714
     Paths: (2 available, best #2, table default)
       Not advertised to any peer
       Refresh Epoch 1
       37100
         105.22.32.1 from 105.22.32.1 (105.16.0.163)
           Origin IGP, metric 0, localpref 100, valid, external
           Community: 37100:1000
           path 0F87C714 RPKI State valid
           rx pathid: 0, tx pathid: 0
       Refresh Epoch 1
       37100
         105.22.40.1 from 105.22.40.1 (105.16.0.162)
           Origin IGP, metric 0, localpref 100, valid, external, best
           Community: 37100:1000
           path 1B430634 RPKI State valid
           rx pathid: 0, tx pathid: 0x0
     lg-01-jnb.za>

  13. Verifying (… IOS & IOS XE example)

     lg-01-jnb.za>sh bgp ipv6 unicast 2c0f:feb0::/32
     BGP routing table entry for 2C0F:FEB0::/32, version 19272326
     Paths: (2 available, best #2, table default)
       Not advertised to any peer
       Refresh Epoch 1
       37100
         2C0F:FEB0:B:2::1 (FE80::86B5:9C00:15FC:2400) from 2C0F:FEB0:B:2::1 (105.16.0.163)
           Origin IGP, metric 0, localpref 100, valid, external
           Community: 37100:1000
           path 2BEDB1FC RPKI State valid
           rx pathid: 0, tx pathid: 0
       Refresh Epoch 1
       37100
         2C0F:FEB0:B:3::1 (FE80::86B5:9C00:15F5:7C00) from 2C0F:FEB0:B:3::1 (105.16.0.162)
           Origin IGP, metric 0, localpref 100, valid, external, best
           Community: 37100:1000
           path 2A2AC60C RPKI State valid
           rx pathid: 0, tx pathid: 0x0
     lg-01-jnb.za>

  14. Verifying (… IOS & IOS XE example)

     lg-01-jnb.za#sh ip bgp rpki table
     14946 BGP sovc network entries using 1315248 bytes of memory
     15543 BGP sovc record entries using 310860 bytes of memory

     Network            Maxlen  Origin-AS  Source  Neighbor
     2.0.0.0/16         16      3215       0       105.16.160.2/43779
     2.0.0.0/16         16      3215       0       2C0F:FEB0:B:1::2/43779
     2.0.0.0/16         16      3215       0       2C0F:FEB0:2:1::2/43779
     2.0.0.0/16         16      3215       0       105.16.112.2/43779
     2.0.0.0/12         16      3215       0       105.16.160.2/43779
     2.0.0.0/12         16      3215       0       2C0F:FEB0:B:1::2/43779
     2.1.0.0/16         16      3215       0       105.16.160.2/43779
     2.1.0.0/16         16      3215       0       2C0F:FEB0:B:1::2/43779
     2.1.0.0/16         16      3215       0       2C0F:FEB0:2:1::2/43779
     2.1.0.0/16         16      3215       0       105.16.112.2/43779
     <snip>
     …
     lg-01-jnb.za#

  15. Verifying (… IOS & IOS XE example)

     lg-01-jnb.za#sh bgp ipv6 unicast rpki table
     2217 BGP sovc network entries using 248304 bytes of memory
     2309 BGP sovc record entries using 46180 bytes of memory

     Network            Maxlen  Origin-AS  Source  Neighbor
     2001:500:4::/48    48      10745      0       105.16.160.2/43779
     2001:500:4::/48    48      10745      0       2C0F:FEB0:B:1::2/43779
     2001:500:4::/48    48      10745      0       2C0F:FEB0:2:1::2/43779
     2001:500:4::/48    48      10745      0       105.16.112.2/43779
     2001:500:13::/48   48      393225     0       105.16.160.2/43779
     2001:500:13::/48   48      393225     0       2C0F:FEB0:B:1::2/43779
     2001:500:13::/48   48      393225     0       2C0F:FEB0:2:1::2/43779
     2001:500:13::/48   48      393225     0       105.16.112.2/43779
     2001:500:30::/48   48      10745      0       105.16.160.2/43779
     2001:500:30::/48   48      10745      0       2C0F:FEB0:B:1::2/43779
     <snip>
     …
     lg-01-jnb.za#

  16. Verifying (… IOS & IOS XE example)

     lg-01-jnb.za#sh ip bgp
     BGP table version is 100925789, local router ID is 105.22.40.2
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                   r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                   x best-external, a additional-path, c RIB-compressed,
     Origin codes: i - IGP, e - EGP, ? - incomplete
     RPKI validation codes: V valid, I invalid, N Not found

          Network          Next Hop            Metric LocPrf Weight Path
     N*   1.0.0.0/24       105.22.32.1              0             0 37100 15169 i
     N*>                   105.22.40.1              0             0 37100 15169 i
     N*   1.0.4.0/24       105.22.32.1              0             0 37100 6939 4826 38803 56203 i
     N*>                   105.22.40.1              0             0 37100 6939 4826 38803 56203 i
     N*   1.0.5.0/24       105.22.32.1              0             0 37100 6939 4826 38803 56203 i
     N*>                   105.22.40.1              0             0 37100 6939 4826 38803 56203 i
     N*   1.0.6.0/24       105.22.32.1              0             0 37100 6939 4826 38803 56203 56203 56203 i
     N*>                   105.22.40.1              0             0 37100 6939 4826 38803 56203 56203 56203 i
     N*   1.0.64.0/18      105.22.32.1              0             0 37100 2497 7670 7670 18144 i
     N*>                   105.22.40.1              0             0 37100 2497 7670 7670 18144 i
     N*>  1.0.128.0/18     105.22.32.1              0             0 37100 2914 38040 9737 i
     N*                    105.22.40.1              0             0 37100 2914 38040 9737 i
     N*>  1.0.128.0/17     105.22.32.1              0             0 37100 2914 38040 9737 i
     N*                    105.22.40.1              0             0 37100 2914 38040 9737 i
     N*   1.0.129.0/24     105.22.32.1              0             0 37100 4651 9737 23969 i
     N*>                   105.22.40.1              0             0 37100 4651 9737 23969 i
     N*   1.0.130.0/24     105.22.32.1              0             0 37100 4651 9737 23969 i
     <snip>
     …
     lg-01-jnb.za#

  17. Verifying (… IOS & IOS XE example)

     lg-01-jnb.za#sh bgp ipv6 unicast
     BGP table version is 22720683, local router ID is 105.22.40.2
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                   r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                   x best-external, a additional-path, c RIB-compressed,
     Origin codes: i - IGP, e - EGP, ? - incomplete
     RPKI validation codes: V valid, I invalid, N Not found

          Network            Next Hop            Metric LocPrf Weight Path
     N*   2001::/32          2C0F:FEB0:B:2::1         0             0 37100 6939 i
     N*>                     2C0F:FEB0:B:3::1         0             0 37100 6939 i
     N*>  2001:4:112::/48    2C0F:FEB0:B:3::1         0             0 37100 112 i
     N*                      2C0F:FEB0:B:2::1         0             0 37100 112 i
     N*>  2001:200::/32      2C0F:FEB0:B:3::1         0             0 37100 2914 2500 i
     N*                      2C0F:FEB0:B:2::1         0             0 37100 2914 2500 i
     N*   2001:200:900::/40  2C0F:FEB0:B:2::1         0             0 37100 6939 2516 7660 i
     N*>                     2C0F:FEB0:B:3::1         0             0 37100 6939 2516 7660 i
     <snip>
     …
     lg-01-jnb.za#
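The "RPKI State valid" line in the per-prefix output and the V/I/N codes in the table views above are the router's RFC 6811 origin validation of each route against the VRP table it learned from the caches. The Python below is an added example, not from the presentation and not code from any router vendor; it implements that decision and reproduces the results shown above. The VRPs for 2.0.0.0/16, 2.0.0.0/12 and 2.1.0.0/16 (AS3215) and 2001:500:4::/48 (AS10745) are copied from the "sh ip bgp rpki table" slides; the VRP for 105.16.0.0/12 AS37100 is constructed, since the slide shows the "valid" result but not the ROA behind it.

```python
"""RFC 6811 route origin validation, the decision behind 'RPKI State valid'
and the V/I/N codes in the 'sh ip bgp' output above.

Added example, not from the presentation or any router vendor. VRPs for
2.0.0.0/16, 2.0.0.0/12, 2.1.0.0/16 (AS3215) and 2001:500:4::/48 (AS10745)
are copied from the 'sh ip bgp rpki table' slides; the 105.16.0.0/12 AS37100
VRP is constructed (the slide shows the result, not the ROA behind it).
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    prefix: Network
    max_len: int
    asn: int

def vrp(prefix: str, max_len: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_len, asn)

VRP_TABLE: List[VRP] = [
    vrp("2.0.0.0/16", 16, 3215),
    vrp("2.0.0.0/12", 16, 3215),
    vrp("2.1.0.0/16", 16, 3215),
    vrp("2001:500:4::/48", 48, 10745),
    vrp("105.16.0.0/12", 12, 37100),   # constructed, see module docstring
]

def validate_origin(route: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' (RFC 6811 section 2).

    A VRP covers the route when the route prefix lies inside the VRP prefix.
    valid:     some covering VRP has the same origin ASN and max length >= the
               route's prefix length (one match suffices, however many other
               covering VRPs disagree).
    invalid:   VRPs cover the route but none matches, i.e. wrong origin or a
               more-specific announced beyond the max length.
    not-found: no VRP covers the route; the holder has not signed a ROA.
    """
    net = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        if v.prefix.version != net.version or not net.subnet_of(v.prefix):
            continue
        covered = True
        # An AS0 ROA (RFC 6483) never matches: no BGP route originates in AS 0,
        # so everything it covers and nothing else authorises is invalid.
        if v.asn == origin_asn and v.asn != 0 and net.prefixlen <= v.max_len:
            return "valid"
    return "invalid" if covered else "not-found"

IOS_CODES = {"valid": "V", "invalid": "I", "not-found": "N"}

def annotate(route: str, as_path: str, vrps: Iterable[VRP] = VRP_TABLE) -> str:
    """Prefix an IOS-style route line with its RPKI validation code.

    The origin ASN is the last AS number in the path string; the origin code
    ('i', 'e', '?') at the end is skipped. Paths ending in an AS_SET have no
    single origin and are not handled here.
    """
    asns = [tok for tok in as_path.split() if tok.isdigit()]
    state = validate_origin(route, int(asns[-1]), vrps)
    return f"{IOS_CODES[state]}* {route} {as_path}"

if __name__ == "__main__":
    for route, path in [
        ("105.16.0.0/12", "37100 i"),      # slide 12: RPKI State valid
        ("1.0.0.0/24", "37100 15169 i"),   # slide 16: N, nothing covers it
        ("2.0.0.0/16", "37100 3215 i"),    # covered and matching
        ("2.0.0.0/24", "37100 3215 i"),    # right origin, but /24 exceeds max length 16
        ("2.0.0.0/16", "37100 64496 i"),   # wrong origin: a hijack of a ROA'd prefix looks like this
        ("2.2.0.0/16", "37100 3215 i"),    # only the /12 ROA covers it; max length 16 allows it
    ]:
        print(annotate(route, path))
```

The 2.0.0.0/24 case is the one worth remembering when creating ROAs: the origin is right, yet the route is invalid because the ROA's max length is 16, so a holder who later deaggregates without updating the ROA makes its own more-specifics invalid. Validation only labels routes; what the router does with "invalid" (drop, depreference, or nothing) is a separate policy decision, and the table output above shows that, at the time of the slides, most of the table was still "N".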
  18. Verifying (… pretty GUIs, HE (Hurricane Electric) example)
  19. Verifying (… pretty GUIs, HE (Hurricane Electric) example) (cont.)
  20. Issues – Bad IOS XE Bug!
  21. Issues – Bad IOS XE Bug! (cont.)
  22. Issues – IOS & IOS XE RFC 6811 Violation!
  23. Issues – IOS & IOS XE RFC 6811 Violation! (cont.)
  24. MyNOG-6
      • For MyNOG-6, will report on CA services for downstream customers.
  25. Thank You
      Q&A
      mark.tinka@seacom.mu