
RPKI and Me

RPKI and Me by Tom Paseka

Published in: Internet

  1. RPKI and Me. Tom Paseka, MyNOG 8, July 2019
  2. RPKI… but first, a preview!
  3. RPKI… but first, a preview!
  4. RPKI… but first, a preview! ■RPKI is self-serving: it protects your network and your traffic flows even if it's not your routes being hijacked.
  5. Introduction
  6. Introduction ●RPKI (Resource Public Key Infrastructure) ●Cryptographically signs your route/prefix and ASN: ○Specifies what prefix length and which ASN can originate a prefix. ○These are created with ROAs (Route Origin Authorizations).
  7. But Why?
  8. Why?
      ●1997 - AS7007 mistakenly (re)announces 72,000+ routes (becomes the poster child for route filtering).
      ●2008 - An ISP in Pakistan accidentally announces IP routes for YouTube while blackholing the video service internally to its network.
      ●2017 - A Russian ISP leaks 36 prefixes for payment services owned by Mastercard, Visa, and major banks.
      ●2018 - BGP hijack of Amazon DNS to steal cryptocurrency.
      ●2019 - A BGP route optimizer hijacks thousands of routes with global impact.
  9. Why? ●The web has moved forward with security first. ●The Internet hasn't. ●Let's bring BGP forward!
  10. Where are we today?
  11. Where are we today? ●Looking at some ROAs that already exist ●Two great tools: ○http://localcert.ripe.net:8088/roas ○bgpmon whois ○https://rpki.cloudflare.com/rpki.json
  12. Where are we today? ●RIPE's tool: ability to search for any ROAs created.
  13. Where are we today? ●Bgpmon's whois tool: ●Providing the AS and prefix will confirm if it's valid.
  14. How about in Malaysia?
  15. Malaysia and RPKI ●Good News! ●Three networks with some RPKI deployment:
      ○TM / AS4788: 84 ROAs, IPv4 and IPv6, not covering all IP space, mostly le /24 (or le /48)
      ○Extreme / AS38182: 143 ROAs, IPv4 and IPv6, not covering all IP space, all exact matches (no le)
      ○MYREN / AS24514: 32 ROAs, IPv4 and IPv6, nearly all IP space covered, all exact matches (no le)
  16. Malaysia and RPKI ●Bad News: ●Some networks with invalids!
  17. Malaysia and RPKI ●Bad News: ●Some networks with invalids! Seen by #peers: 86
  18. RPKI Invalids ●If you've created invalids, some networks won't be able to reach you. ●In the case of the previous ROA invalid: ○It's a more specific, or there are more specific routes covering it. ○IP addresses still reachable, but could indicate an error.
  19. RPKI Invalids ●Unreachable? ●https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html
  20. RPKI Invalids ●Cloudflare (AS13335) and AT&T (AS7018) are dropping invalids from peers. ●Cloudflare still uses some default routes, so you might be reachable, but your prefix would be blackholed from AT&T. https://twitter.com/Jerome_UZ/status/1067867076390346752
  21. Rejection state? ●As of Dec 2018, no Malaysian networks were measured as rejecting invalids. ●While a few networks have taken good steps in signing their routes, more needs to be done. ●Congratulations to TM, Extreme Broadband, IPServerOne, Global Transit, GB Network, Modern One, BasketAsia, MyKris, VC Telecoms, IX Telecom, and others I might have missed, on signing your routes!
  22. Rejection state? ●MyIX? ●Consider signing your routes and setting "AS0". This means this route should never be announced on the Internet. ●See: https://blog.apnic.net/2018/11/09/myapnic-rpki-service-now-supports-as0-roa-creation/
  23. Rejection state? ●BKNIX (Hi Nan~ :) ) ●Their IX LAN is set with "AS0". ●This means it should never be announced to the Internet. { "prefix": "203.159.68.0/23", "maxLength": 23, "asn": "AS0", "ta": "APNIC" },
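Slides 6, 18 and 23 together describe how a ROA constrains an announcement (prefix, maxLength, origin ASN), why a route ends up invalid (too specific, wrong origin, or AS0 space that nobody may announce) and what an rpki.json entry looks like. The following added example, which is not part of the talk or of any validator the slides mention, applies RFC 6811 route origin validation against a small ROA list in the rpki.json shape. The BKNIX AS0 entry is the one quoted on slide 23; the other ROAs and the test announcements are constructed from documentation address space and private ASNs.

```python
import ipaddress
from enum import Enum


class Rov(Enum):
    """Route origin validation states as defined in RFC 6811."""
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not_found"


# Constructed sample in the shape of the "roas" array in rpki.json. The first entry is
# the BKNIX AS0 ROA quoted on slide 23; the documentation-range entries are made up.
SAMPLE_ROAS = [
    {"prefix": "203.159.68.0/23", "maxLength": 23, "asn": "AS0", "ta": "APNIC"},
    {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": "AS64500", "ta": "example"},
    {"prefix": "198.51.100.0/22", "maxLength": 24, "asn": "AS64501", "ta": "example"},
    {"prefix": "2001:db8::/32", "maxLength": 48, "asn": "AS64500", "ta": "example"},
]


def asn_number(asn):
    """Accept 'AS64500' (rpki.json style) or a bare integer and return the integer."""
    if isinstance(asn, int):
        return asn
    text = str(asn).strip().upper()
    if text.startswith("AS"):
        text = text[2:]
    return int(text)


def load_roas(entries):
    """Parse rpki.json-style entries into (network, maxLength, origin ASN) tuples."""
    roas = []
    for entry in entries:
        net = ipaddress.ip_network(entry["prefix"], strict=True)
        max_len = int(entry.get("maxLength", net.prefixlen))
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_len} for {net}")
        roas.append((net, max_len, asn_number(entry["asn"])))
    return roas


def validate_origin(prefix, origin_asn, roas):
    """Classify one announced (prefix, origin ASN) pair against a ROA set.

    Returns (state, reason). A route is VALID when at least one covering ROA
    names the origin ASN and the announced length does not exceed maxLength;
    INVALID when ROAs cover the prefix but none matches; NOT_FOUND otherwise.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    origin = asn_number(origin_asn)
    covering = [r for r in roas
                if r[0].version == route.version and route.subnet_of(r[0])]
    if not covering:
        return Rov.NOT_FOUND, "no ROA covers this prefix"
    for net, max_len, asn in covering:
        if asn == origin and route.prefixlen <= max_len:
            return Rov.VALID, f"matches ROA {net} maxLength {max_len} AS{asn}"
    # Covered but nothing matched: say which kind of invalid this is.
    same_origin = [r for r in covering if r[2] == origin]
    if same_origin:
        net, max_len, _ = same_origin[0]
        return Rov.INVALID, (f"too specific: /{route.prefixlen} exceeds "
                             f"maxLength {max_len} of ROA {net}")
    if all(r[2] == 0 for r in covering):
        return Rov.INVALID, "AS0 ROA: no origin may announce this space"
    allowed = sorted({f"AS{r[2]}" for r in covering})
    return Rov.INVALID, f"origin AS{origin} not authorized; ROAs allow {', '.join(allowed)}"


if __name__ == "__main__":
    roas = load_roas(SAMPLE_ROAS)
    for prefix, asn in [("192.0.2.0/24", "AS64500"), ("192.0.2.0/25", "AS64500"),
                        ("198.51.100.0/24", "AS64502"), ("203.159.68.0/23", "AS64500"),
                        ("10.0.0.0/8", "AS64500"), ("2001:db8:1::/48", "AS64500")]:
        state, reason = validate_origin(prefix, asn, roas)
        print(f"{prefix:20} {asn:8} {state.value:10} {reason}")
```

The reason string is the part an operator checking their own announcements wants: a "too specific" result is the slide-18 case (a more specific than the ROA's maxLength allows), while an AS0 result means the space is deliberately marked as never-to-be-announced, as with the BKNIX IX LAN.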
  24. Rest of the World? ●Netherlands leading the way! ●Tier-1s? Sad state. All have few to no routes signed!
      ○AS7018 / AT&T
      ○AS701 / Verizon
      ○AS174 / Cogent
      ○AS3257 / GTT
      ○AS6762 / Sparkle
      ○AS3356 / Level3
      ○AS7922 / Comcast
      ○AS1239 / Sprint
  25. Rest of the World? AS2914 / NTT, AS1299 / Telia, and AS6453 / Tata all have limited deployments. Please continue!
  26. Invalids in the wild!
  27. Invalids in the wild! ●Invalids growing. ●Will soon become reachability issues. ●Feels like the early days of DNSSEC (or still now..)
  28. How to get yourself set up for RPKI
  29. Get Setup? 1. Sign your routes. APNIC created a great guide for MyAPNIC: https://youtu.be/hzCVvnjo6V8
  30. Get Setup? 2. Validate. This is more complicated, but I hope we're making it easier for everyone :)
  31. Get Setup? Collect and sync certificates from RIRs (e.g. APNIC). Speak the RTR protocol to your routers (for validation).
  32. Get Setup? Guide to getting started: https://blog.cloudflare.com/cloudflares-rpki-toolkit/
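Slides 29 to 32 lay out the validation side: a validator collects and syncs certificates from the RIRs, then speaks the RTR protocol to routers. The added example below, written for this page and not taken from the talk or from Cloudflare's toolkit, shows the unit of data that crosses that RTR session: it encodes and decodes the IPv4 and IPv6 Prefix PDUs defined in RFC 6810 (protocol version 0; RFC 8210 raises the version number but keeps this layout) and turns rpki.json-style entries into announce PDUs. The ROA entries used are constructed, apart from the BKNIX AS0 entry quoted on slide 23.

```python
import ipaddress
import struct

# Constants from RFC 6810 (RTR protocol version 0). RFC 8210 bumps the version byte
# to 1 but leaves the prefix PDU layout unchanged.
RTR_VERSION = 0
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
FLAG_ANNOUNCE = 0x01   # flags bit 0: 1 = announce (add), 0 = withdraw (delete)


def encode_prefix_pdu(prefix, max_length, asn, announce=True, version=RTR_VERSION):
    """Build one IPv4 (20 byte) or IPv6 (32 byte) Prefix PDU for a validated ROA payload."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the prefix length and the address size")
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("ASN must fit in 32 bits")
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    addr = net.network_address.packed            # 4 or 16 bytes, network byte order
    length = 8 + 4 + len(addr) + 4               # header + flag block + address + ASN
    flags = FLAG_ANNOUNCE if announce else 0
    # Header: version, PDU type, 16 reserved zero bits, total length in bytes.
    header = struct.pack("!BBHI", version, pdu_type, 0, length)
    # Body: flags, prefix length, max length, reserved zero byte, address, 32-bit ASN.
    body = struct.pack("!BBBB", flags, net.prefixlen, max_length, 0) + addr + struct.pack("!I", asn)
    return header + body


def decode_prefix_pdu(data):
    """Parse a Prefix PDU back into a dict; rejects other PDU types and bad lengths."""
    if len(data) < 8:
        raise ValueError("truncated PDU header")
    version, pdu_type, _zero, length = struct.unpack("!BBHI", data[:8])
    if pdu_type == PDU_IPV4_PREFIX:
        addr_len = 4
    elif pdu_type == PDU_IPV6_PREFIX:
        addr_len = 16
    else:
        raise ValueError(f"not a prefix PDU (type {pdu_type})")
    expected = 8 + 4 + addr_len + 4
    if length != expected or len(data) != expected:
        raise ValueError(f"bad length {length} for PDU type {pdu_type}")
    flags, prefix_len, max_len, _ = struct.unpack("!BBBB", data[8:12])
    addr = ipaddress.ip_address(data[12:12 + addr_len])
    (asn,) = struct.unpack("!I", data[12 + addr_len:])
    return {"version": version, "announce": bool(flags & FLAG_ANNOUNCE),
            "prefix": f"{addr}/{prefix_len}", "maxLength": max_len, "asn": asn}


def roas_to_pdus(entries):
    """Turn rpki.json-style entries (asn as 'AS123' or int) into announce PDUs."""
    pdus = []
    for entry in entries:
        asn = entry["asn"]
        if isinstance(asn, str):
            asn = asn.strip().upper()
            asn = int(asn[2:] if asn.startswith("AS") else asn)
        pdus.append(encode_prefix_pdu(entry["prefix"], int(entry["maxLength"]), asn))
    return pdus


if __name__ == "__main__":
    # Constructed sample; the AS0 entry is the one quoted on slide 23.
    sample = [
        {"prefix": "203.159.68.0/23", "maxLength": 23, "asn": "AS0", "ta": "APNIC"},
        {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": "AS64500", "ta": "example"},
        {"prefix": "2001:db8::/32", "maxLength": 48, "asn": "AS64500", "ta": "example"},
    ]
    for pdu in roas_to_pdus(sample):
        print(pdu.hex(), decode_prefix_pdu(pdu))
```

A real RTR session wraps these PDUs between a Cache Response and an End of Data PDU and negotiates serial numbers, so this is the payload layer only; what it makes visible is that the router receives exactly the triple the ROA expresses (prefix, maxLength, ASN) plus an announce/withdraw flag, and nothing about the certificates the validator checked.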
  33. Some cool graphics
  34. https://twitter.com/vastur/status/1063514435543719936
  35. http://sg-pub.ripe.net/jasper/rpki-web-test/
  36. Final Thoughts
  37. Final Thoughts. Don't be scared of RPKI. Just start. Sign your routes. Protect your network. Don't forget about other route security (e.g. IRR). Look at MANRS and become MANRS compliant!
  38. Questions?
  39. More Resources
      https://www.manrs.org/
      https://blog.cloudflare.com/rpki/
      http://localcert.ripe.net:8088/roas
      https://bgp.he.net/
      https://youtu.be/hzCVvnjo6V8
