RIPE NCC, profile picture
Uploaded byRIPE NCC
PDF, PPTX142 views

RPKI

This document provides information on resource public key infrastructure (RPKI) and route origin authorization (ROA). It discusses problems with relying solely on Internet routing registries (IRRs), and how RPKI addresses these issues by tying IP addresses and autonomous system numbers (ASNs) to public keys. It describes the RPKI certificate structure and chain of trust, as well as the roles of signing ROAs, validating others, hosted RPKI systems, and relying parties. Examples of incidents from inaccurate or incomplete IRR data are given. The status of major transit and cloud providers in supporting RPKI is listed.

Technology
Related topics:
RIPE NCC

Embed presentation

Download as PDF, PPTX
Name | Date | Event Presentation Subtitle Presentation Title
Section Title Section subtitle
3
4 RIRs are responsible for: • Keeping the registry up to date, correct, and secur e • Using hierarchical allocation s • Maintaining neutrality towards all members
Section Title Section subtitle
6 Internet building blocks ASN (Autonomous System Number)
7 ASN (Autonomous System Number) Internet building blocks ASN Addresses Interconnect Autonomous System
RPKI Webinar 8 Routing on the Internet “BGP protocol” Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x”
9 Route Propagation AS15 AS756 R1 AS33 AS164 66.2.9.0/24 M ED=700 MED=500 LP=100 LP=50 AS25 AS5 R2 LP=40 tra ffi c route
RPKI Webinar 10 Accidents Happen • Fat Fingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
RPKI Webinar 11 Incidents Are Common • 2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
RPKI Webinar 12 Routing on the Internet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” “Internet Routing Registry”
BGP Operations and Security 13 Problem Statement • Some IRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
• Problem Statement 14
Section Title Section subtitle
BGP Operations and Security 16 Resource Public Key Infrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
BGP Operations and Security 17 RPKI Certificate Structure Member Member Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
BGP Operations and Security 18 RPKI Chain of Trust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
BGP Operations and Security 19 Two elements of RPKI Signing Create your ROAs Validating Verifying others
BGP Operations and Security 20 RPKI Chain of Trust LIR’s Resources signature public key ALL Resources signature public key ROA signature
BGP Operations and Security 21 Hosted RPKI • RIR hosts a CA and signs all ROAs • Automate signing and key rollovers • Allows you focus on creating and publishing ROAs
BGP Operations and Security 22 Route Origin Authorisation Prefix is authorised to be announced by AS Number LIR’s private key ROA signature
Presenter name | Event | Date 23 • Source: https://stat.ripe.net/NL#tabId=routing
Presenter name | Event | Date 24 • Source: https://stat.ripe.net/NL#tabId=routing
BGP Operations and Security 25 Hosted or Delegated RPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
Section Title Section subtitle
BGP Operations and Security 27 Two elements of RPKI Signing Create your ROAs Validating Verifying others
BGP Operations and Security 28 Trust Anchor Locator (TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
BGP Operations and Security 29 Relying Party RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
BGP Operations and Security 30 Relying Party ROA AS111 10.0.8.0/22 AS222 10.0.6.0/24 AS333 10.4.16.0/20 AS111 10.0.12.0/22 AS111 10.0.16.0/22 AS111 10.0.20.0/22 BGP Announcements BETTER ROUTING DECISIONS
RPKI Webinar 31 Routing on the Internet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
Status of Transit and Cloud 32 Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
Presenter name | Event | Date 33 What We’re Working On • Repository Resiliency: Cloud • Security: Audit Framework, different security assessments • Improving Q&A • Reporting on our findings • Doing RPKI ourselves!
Questions

More Related Content

PDF
3 g call flow
byAmit Kumar Saini
 
PDF
WAN SDN meet Segment Routing
byAPNIC
 
PPTX
Wireshark
bySourav Roy
 
PDF
Star Topology Design with Cisco Packet Tracer
byMaksudujjaman
 
PDF
Introduction to RPKI
byAPNIC
 
PDF
Wireless Technologies For The Internet Of Things
byGeek Girls Carrots Switzerland
 
PDF
volte ims network architecture
byVikas Shokeen
 
PPT
Multicasting and multicast routing protocols
byAbhishek Kesharwani
 
3 g call flow
byAmit Kumar Saini
 
WAN SDN meet Segment Routing
byAPNIC
 
Wireshark
bySourav Roy
 
Star Topology Design with Cisco Packet Tracer
byMaksudujjaman
 
Introduction to RPKI
byAPNIC
 
Wireless Technologies For The Internet Of Things
byGeek Girls Carrots Switzerland
 
volte ims network architecture
byVikas Shokeen
 
Multicasting and multicast routing protocols
byAbhishek Kesharwani
 

What's hot

PPTX
IoT security compliance checklist
byPriyaNemade
 
PPTX
SOMEIP-protocol.pptx
byPushkarBaheti1
 
PPT
Network layer tanenbaum
byMahesh Kumar Chelimilla
 
DOCX
Standard & Extended ACL Configuration
byMdAlAmin187
 
PDF
Ryu sdn framework
byIsaku Yamahata
 
PDF
Linux Networking Explained
byThomas Graf
 
PDF
GPRS KPIs based on network performance
byMehmet Beyaz
 
PPT
Lte outbound roaming_session
bySamir Mohanty
 
PDF
VoLTE Interfaces , Protocols & IMS Stack
byVikas Shokeen
 
PDF
Ccnp presentation [Day 1-3] Class
bySagarR24
 
PDF
Tuto ToIP (Trunk SIP, IAX, Trunk CME - Asterisk)
byDimitri LEMBOKOLO
 
PDF
IMS ENUM & DNS Mechanism
byHouman Sadeghi Kaji
 
PPTX
IP Address
bytishko18
 
PDF
Ccnp workbook network bulls
bySwapnil Kapate
 
PDF
Cv gulam rasool
byGulam Rasool
 
PDF
3GPP_Overall_Architecture_and_Specifications.pdf
byAbubakar416712
 
PPTX
Performance analysis of AODV And OLSR
byMitesh Thakore
 
PDF
How to Speak Intel DPDK KNI for Web Services.
byNaoto MATSUMOTO
 
PPT
Dynamic Routing IGRP
byKishore Kumar
 
PDF
IPv6
byPeter R. Egli
 
IoT security compliance checklist
byPriyaNemade
 
SOMEIP-protocol.pptx
byPushkarBaheti1
 
Network layer tanenbaum
byMahesh Kumar Chelimilla
 
Standard & Extended ACL Configuration
byMdAlAmin187
 
Ryu sdn framework
byIsaku Yamahata
 
Linux Networking Explained
byThomas Graf
 
GPRS KPIs based on network performance
byMehmet Beyaz
 
Lte outbound roaming_session
bySamir Mohanty
 
VoLTE Interfaces , Protocols & IMS Stack
byVikas Shokeen
 
Ccnp presentation [Day 1-3] Class
bySagarR24
 
Tuto ToIP (Trunk SIP, IAX, Trunk CME - Asterisk)
byDimitri LEMBOKOLO
 
IMS ENUM & DNS Mechanism
byHouman Sadeghi Kaji
 
IP Address
bytishko18
 
Ccnp workbook network bulls
bySwapnil Kapate
 
Cv gulam rasool
byGulam Rasool
 
3GPP_Overall_Architecture_and_Specifications.pdf
byAbubakar416712
 
Performance analysis of AODV And OLSR
byMitesh Thakore
 
How to Speak Intel DPDK KNI for Web Services.
byNaoto MATSUMOTO
 
Dynamic Routing IGRP
byKishore Kumar
 
IPv6
byPeter R. Egli
 

Similar to RPKI

PDF
Routing Security
byRIPE NCC
 
PDF
npNOG 5: Securing Internet Routing
byAPNIC
 
PPTX
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
byakg1330
 
PDF
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
byRIPE NCC
 
PDF
Securing BGP
byRIPE NCC
 
PDF
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
PDF
Introduction to RPKI - MyNOG
bySiena Perry
 
PDF
mnNOG 1: Securing internet Routing
byAPNIC
 
PDF
Routing Security, Another Elephant in the Room
byRIPE NCC
 
PDF
NZNOG 2019: The State of Routing (In)Security
byAPNIC
 
PDF
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
PDF
btNOG 6: Securing Internet Routing
byAPNIC
 
PDF
LkNOG 3: Securing Internet Routing
byAPNIC
 
PDF
SANOG 34: Securing Internet Routing
byAPNIC
 
PDF
MMIX Peering Forum: Securing Internet Routing
byAPNIC
 
PDF
Developments in Routing Security
byRIPE NCC
 
PDF
BKNIX Peering Forum 2019: Securing Internet Routing
byAPNIC
 
PDF
VNIXNOG 2019: Securing Internet Routing
byAPNIC
 
PDF
RPKI (Resource Public Key Infrastructure)
byFakrul Alam
 
PDF
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
byRIPE NCC
 
Routing Security
byRIPE NCC
 
npNOG 5: Securing Internet Routing
byAPNIC
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
byakg1330
 
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
byRIPE NCC
 
Securing BGP
byRIPE NCC
 
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
Introduction to RPKI - MyNOG
bySiena Perry
 
mnNOG 1: Securing internet Routing
byAPNIC
 
Routing Security, Another Elephant in the Room
byRIPE NCC
 
NZNOG 2019: The State of Routing (In)Security
byAPNIC
 
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
btNOG 6: Securing Internet Routing
byAPNIC
 
LkNOG 3: Securing Internet Routing
byAPNIC
 
SANOG 34: Securing Internet Routing
byAPNIC
 
MMIX Peering Forum: Securing Internet Routing
byAPNIC
 
Developments in Routing Security
byRIPE NCC
 
BKNIX Peering Forum 2019: Securing Internet Routing
byAPNIC
 
VNIXNOG 2019: Securing Internet Routing
byAPNIC
 
RPKI (Resource Public Key Infrastructure)
byFakrul Alam
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
byRIPE NCC
 

More from RIPE NCC

PDF
A Look at a Root Cause for DNS Latency - APRICOT 2025
byRIPE NCC
 
PDF
Internet Landscape and Network Resiliency in South East Europe
byRIPE NCC
 
PDF
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
byRIPE NCC
 
PDF
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
byRIPE NCC
 
PDF
RIPE Atlas & other RIPE NCC Internet Measurement Tools
byRIPE NCC
 
PDF
Minimising Impact before incidents occur with RIPE Atlas
byRIPE NCC
 
PDF
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
byRIPE NCC
 
PDF
Know Your Network: Why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
PDF
Know Your Network; why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
PDF
Taiwan's Digital Landscape with RIPE NCC Tools
byRIPE NCC
 
PDF
Navigating IP Addresses: Insights from your Regional Internet Registry
byRIPE NCC
 
PDF
Traces of Power: Internet Governance and Climate Action
byRIPE NCC
 
PDF
Governing Environmental Sustainability in Tech
byRIPE NCC
 
PDF
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
byRIPE NCC
 
PDF
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
byRIPE NCC
 
PDF
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
byRIPE NCC
 
PDF
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
byRIPE NCC
 
PDF
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
byRIPE NCC
 
PDF
RIPE NCC Internet Measurement Tools
byRIPE NCC
 
PDF
IPv6 in Central Europe and the Baltics
byRIPE NCC
 
A Look at a Root Cause for DNS Latency - APRICOT 2025
byRIPE NCC
 
Internet Landscape and Network Resiliency in South East Europe
byRIPE NCC
 
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
byRIPE NCC
 
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
byRIPE NCC
 
RIPE Atlas & other RIPE NCC Internet Measurement Tools
byRIPE NCC
 
Minimising Impact before incidents occur with RIPE Atlas
byRIPE NCC
 
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
byRIPE NCC
 
Know Your Network: Why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
Know Your Network; why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
Taiwan's Digital Landscape with RIPE NCC Tools
byRIPE NCC
 
Navigating IP Addresses: Insights from your Regional Internet Registry
byRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
byRIPE NCC
 
Governing Environmental Sustainability in Tech
byRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
byRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
byRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
byRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
byRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
byRIPE NCC
 
RIPE NCC Internet Measurement Tools
byRIPE NCC
 
IPv6 in Central Europe and the Baltics
byRIPE NCC
 

Recently uploaded

PDF
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PDF
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 
PDF
Uplers' Wrapped | Talent Edition | Year 2025
byUplers
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
PDF
RaaS™ — Research as a Service | Sovereign-Grade Energy & Infrastructure
byTheRDE GROUP
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
PDF
Advent of Cyber 2025 TryHackMe Certificate
byVICTOR MAESTRE RAMIREZ
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
What Cybersecurity Threats Are Rising for Australian Firms in 2025?
byElevate
 
PDF
The Multiverse of Artificial Intelligence
byGWLikithBK
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PDF
Measuring Fidelity Decay: How Meaning Collapses in Generative AI Systems
bySemantic Fidelity Lab
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PDF
How Azure DevOps Consultants Dubai Reduce Release Delays.pdf
byLogicEra
 
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 
Uplers' Wrapped | Talent Edition | Year 2025
byUplers
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
RaaS™ — Research as a Service | Sovereign-Grade Energy & Infrastructure
byTheRDE GROUP
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
Advent of Cyber 2025 TryHackMe Certificate
byVICTOR MAESTRE RAMIREZ
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
What Cybersecurity Threats Are Rising for Australian Firms in 2025?
byElevate
 
The Multiverse of Artificial Intelligence
byGWLikithBK
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
Measuring Fidelity Decay: How Meaning Collapses in Generative AI Systems
bySemantic Fidelity Lab
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
How Azure DevOps Consultants Dubai Reduce Release Delays.pdf
byLogicEra
 

RPKI

  • 1.
    Name | Date| Event Presentation Subtitle Presentation Title
  • 2.
  • 3.
  • 4.
    4 RIRs are responsiblefor: • Keeping the registry up to date, correct, and secur e • Using hierarchical allocation s • Maintaining neutrality towards all members
  • 5.
  • 6.
    6 Internet building blocks ASN(Autonomous System Number)
  • 7.
    7 ASN (Autonomous SystemNumber) Internet building blocks ASN Addresses Interconnect Autonomous System
  • 8.
    RPKI Webinar 8 Routingon the Internet “BGP protocol” Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x”
  • 9.
  • 10.
    RPKI Webinar 10 AccidentsHappen • Fat Fingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
  • 11.
    RPKI Webinar 11 IncidentsAre Common • 2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
  • 12.
    RPKI Webinar 12 Routingon the Internet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” “Internet Routing Registry”
  • 13.
    BGP Operations andSecurity 13 Problem Statement • Some IRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
  • 14.
  • 15.
  • 16.
    BGP Operations andSecurity 16 Resource Public Key Infrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
  • 17.
    BGP Operations andSecurity 17 RPKI Certificate Structure Member Member Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
  • 18.
    BGP Operations andSecurity 18 RPKI Chain of Trust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
  • 19.
    BGP Operations andSecurity 19 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 20.
    BGP Operations andSecurity 20 RPKI Chain of Trust LIR’s Resources signature public key ALL Resources signature public key ROA signature
  • 21.
    BGP Operations andSecurity 21 Hosted RPKI • RIR hosts a CA and signs all ROAs • Automate signing and key rollovers • Allows you focus on creating and publishing ROAs
  • 22.
    BGP Operations andSecurity 22 Route Origin Authorisation Prefix is authorised to be announced by AS Number LIR’s private key ROA signature
  • 23.
    Presenter name |Event | Date 23 • Source: https://stat.ripe.net/NL#tabId=routing
  • 24.
    Presenter name |Event | Date 24 • Source: https://stat.ripe.net/NL#tabId=routing
  • 25.
    BGP Operations andSecurity 25 Hosted or Delegated RPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
  • 26.
  • 27.
    BGP Operations andSecurity 27 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 28.
    BGP Operations andSecurity 28 Trust Anchor Locator (TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
  • 29.
    BGP Operations andSecurity 29 Relying Party RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
  • 30.
    BGP Operations andSecurity 30 Relying Party ROA AS111 10.0.8.0/22 AS222 10.0.6.0/24 AS333 10.4.16.0/20 AS111 10.0.12.0/22 AS111 10.0.16.0/22 AS111 10.0.20.0/22 BGP Announcements BETTER ROUTING DECISIONS
  • 31.
    RPKI Webinar 31 Routingon the Internet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
  • 32.
    Status of Transitand Cloud 32 Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
  • 33.
    Presenter name |Event | Date 33 What We’re Working On • Repository Resiliency: Cloud • Security: Audit Framework, different security assessments • Improving Q&A • Reporting on our findings • Doing RPKI ourselves!
  • 34.