SlideShare a Scribd company logo

4th ICANN APAC-TWNIC Engagement Forum and 39th TWNIC OPM: RPKI Updates - RSCs and ASPAs

APNIC
APNIC

APNIC Product Manager Tom Harrison presents on RPKI RSCs and ASPAs at the 4th ICANN APAC-TWNIC Engagement Forum and 39th TWNIC OPM, held from 22 to 24 May 2023 in Taipei.

1 of 28
Download to read offline
1 4th ICANN APAC-TWNIC Engagement Forum RPKI Updates: RSCs and ASPAs
2 2 What is an RSC? • RPKI Signed Checklist • Defined in RFC 9323 • The specification provides for: • signing one or more arbitrary files using an RPKI certificate • packaging the signature, filenames, and hashes into an object (the RSC itself) • verifying the signature (i.e. “these files were signed by somebody with authority to route 192.0.2.0/24”)
3 3 Why is it useful? • Arbitrary files can be signed – More flexible than existing RPKI functions – Supports ad hoc/people-driven processes • No need to publish in a public repository – Associated business operations can remain private
4 4 Use cases • BYOIP services • Third-party databases • Custom RPKI applications
5 5 BYOIP services • Support use of RIR-delegated IP addresses for BGP announcements in cloud infrastructure • RSCs can help to streamline the registration process
6 6 Third-party databases • Acting as cross-RIR interfaces for specific use cases (e.g. peering) • RSCs can be used to prove resource holdership
7 7 Custom RPKI applications • Define new object type and use RSCs for signing/packaging • Useful for testing/prototyping, or for use within a closed group of participants • No need to go through IETF process
8 8 Current status • Specification published in November 2022 – https://www.rfc-editor.org/rfc/rfc9323.txt • Production code – https://www.rpki-client.org • Proof-of-concept code – https://github.com/APNIC-net/rpki-rsc-demo – https://github.com/job/draft-rpki-checklists – https://github.com/benmaddison/rpkimancer • APNIC implementing in early 2024 – Deferred from Q2 of this year – In-principle support from other RIRs
9 9 What is an ASPA? • Autonomous System Provider Authorization • Defined in two documents: • draft-ietf-sidrops-aspa-profile • draft-ietf-sidrops-aspa-verification • The specifications provide for: • an ASN holder signing an object that defines its upstream ASes • a network operator using that data to verify the AS_PATH of a received route
10 10 Why is it useful? • Detect and mitigate route leaks – Compare ROV, which is about the origin only • Protect against certain types of forged-origin/forged-path attacks – Attacker must resort to longer AS paths for route to be accepted
11 11 Upstream validation • 1. If AS path has single entry • 2. If AS path contains hop from provider to customer • 3. If AS path contains hop without ASPA • 4. Otherwise, all hops are from customer to provider
12 12 Upstream validation examples (1) • Single-element AS path • No ASPAs • Not possible for it to be a route leak AS1 AS This AS is the upstream, receiving the route This is the route: only the AS path is relevant to ASPA validation, so the prefix is omitted
13 13 Upstream validation examples (2) • Two-element AS path • No ASPAs • Unable to determine validity AS1 AS AS2 Arrows indicate AS path, from origin through peers
14 14 Upstream validation examples (3) • Two-element AS path • ASPA exists for AS1 (origin) • Able to determine validity AS1 AS AS2 AS Providers 1 2 AS path moves upwards from AS to ASPA provider
15 15 Upstream validation examples (4) AS • Two-element AS path • ASPA exists for AS1 (origin), but disclaims AS2 as provider • Able to determine validity AS1 AS2 AS Providers 1 3
16 16 Downstream validation • 1. If AS path has: – Up-ramp, customer(s) through provider(s) – Down-ramp, provider(s) through customer(s) – No hops in the middle, or single lateral hop • 2. If AS path contains ‘valley’ (hop from provider to customer, then from customer to provider) • 3. Otherwise, unable to determine validity
17 17 Downstream validation examples (1) • Single-element AS path • No ASPAs • Not possible for it to be a route leak AS1 AS This AS is the downstream, receiving the route
18 18 Downstream validation examples (2) • Two-element AS path • No ASPAs • Not possible for it to be a route leak AS1 AS AS2
19 19 Downstream validation examples (3) • Three-element AS path • No ASPAs • Unable to determine validity AS1 AS AS2 AS3
20 20 Downstream validation examples (4) • Three-element AS path • ASPA exists for AS1 (origin) • Route leak not possible AS1 AS AS2 AS3 AS Providers 1 2
21 21 Downstream validation examples (5) • Three-element AS path • ASPA exists for AS3 (neighbour) • Route leak not possible AS1 AS AS2 AS3 AS Providers 3 2 AS path moves downwards from ASPA provider to AS
22 22 Downstream validation examples (6) • Three-element AS path • ASPAs exist for AS1 and AS3 • Route leak not possible AS1 AS AS2 AS3 AS Providers 1 2 3 2
23 23 Downstream validation examples (7) • Three-element AS path • AS0 ASPA now exists for AS2, to indicate absence of providers • Route leak not possible AS1 AS AS2 AS3 AS Providers 1 2 2 0 3 2
24 24 Downstream validation examples (8) • Three-element AS path • Up-ramp and down- ramp ASPAs do not include AS2 • Route leak AS1 AS AS2 AS3 AS Providers 1 4 2 0 3 5
25 25 Downstream validation examples (9) • Four-element AS path • Valley from AS2 to AS3 (customer) to AS4 indicates route leak AS1 AS AS2 AS3 AS Providers 1 2 2 0 3 2, 4 4 0 AS4
26 26 Forged-origin/path attacks • Attacker uses correct origin (AS1), but inserts own ASN into the AS path immediately after the origin – If AS1 has registered an ASPA, and AS2 (target recipient) receives route over lateral peer, AS2 will classify the route as invalid • Attacker can evade this by adding a valid upstream ASN after the origin and before its own ASN – But if the ASN that is added also has an ASPA, then the attacker needs to add more ASNs until it reaches an ASN without an ASPA – Plus, this all makes the path longer, and the route less likely to be used/preferred
27 27 Current status • Specifications currently in IETF Working Group Last Call • Production code – Krill (CA) – Routinator (RP) – rpki-client (RP) – OpenBGPD (router) – NIST BGP-SRx (router) • RIPE provide API for creating ASPA objects in the localcert.ripe.net environment (test) • APNIC planning to implement hosted CA functionality in 2024
28 Questions?

Recommended

AusNOG 2023: RPKI and whois updates
AusNOG 2023: RPKI and whois updatesAusNOG 2023: RPKI and whois updates
AusNOG 2023: RPKI and whois updates
APNIC
 
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
APNIC
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
APNIC
 
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
APNIC
 
Part 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGPPart 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGP
Olivier Bonaventure
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
 
Routing Security Workshop
Routing Security WorkshopRouting Security Workshop
Routing Security Workshop
RIPE NCC
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
Olle E Johansson
 

Recommended

AusNOG 2023: RPKI and whois updates
AusNOG 2023: RPKI and whois updatesAusNOG 2023: RPKI and whois updates
AusNOG 2023: RPKI and whois updates
APNIC
 
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
APNIC
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
APNIC
 
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
APNIC
 
Part 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGPPart 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGP
Olivier Bonaventure
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
 
Routing Security Workshop
Routing Security WorkshopRouting Security Workshop
Routing Security Workshop
RIPE NCC
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
Olle E Johansson
 
Part 11 : Interdomain routing with BGP
Part 11 : Interdomain routing with BGPPart 11 : Interdomain routing with BGP
Part 11 : Interdomain routing with BGP
Olivier Bonaventure
 
Navigate Data Service using AWS
Navigate Data Service using AWSNavigate Data Service using AWS
Navigate Data Service using AWS
Arno Broekhof
 
Ad hoc
Ad hocAd hoc
Ad hoc
Ali Forooghie
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
Olle E Johansson
 
Wrou01
Wrou01Wrou01
Wrou01tanawan44
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
Bangladesh Network Operators Group
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet Routing
APNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
APNIC
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
APNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
APNIC
 
OSPF Configuration
OSPF ConfigurationOSPF Configuration
OSPF Configuration
Hafiz Muhammad Attaullah
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
APNIC
 
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Akana
 
RPKI
RPKIRPKI
RPKI
RIPE NCC
 
AWSome Day Intro
AWSome Day IntroAWSome Day Intro
AWSome Day Intro
Amazon Web Services
 
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
Amazon Web Services
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 

More Related Content

Similar to 4th ICANN APAC-TWNIC Engagement Forum and 39th TWNIC OPM: RPKI Updates - RSCs and ASPAs

Part 11 : Interdomain routing with BGP
Part 11 : Interdomain routing with BGPPart 11 : Interdomain routing with BGP
Part 11 : Interdomain routing with BGP
Olivier Bonaventure
 
Navigate Data Service using AWS
Navigate Data Service using AWSNavigate Data Service using AWS
Navigate Data Service using AWS
Arno Broekhof
 
Ad hoc
Ad hocAd hoc
Ad hoc
Ali Forooghie
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
Olle E Johansson
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
Bangladesh Network Operators Group
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet Routing
APNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
APNIC
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
APNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
APNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
APNIC
 
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Akana
 
RPKI
RPKIRPKI
RPKI
RIPE NCC
 
AWSome Day Intro
AWSome Day IntroAWSome Day Intro
AWSome Day Intro
Amazon Web Services
 
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
Amazon Web Services
 

Similar to 4th ICANN APAC-TWNIC Engagement Forum and 39th TWNIC OPM: RPKI Updates - RSCs and ASPAs (17)

Part 11 : Interdomain routing with BGP
Part 11 : Interdomain routing with BGPPart 11 : Interdomain routing with BGP
Part 11 : Interdomain routing with BGP
 
Navigate Data Service using AWS
Navigate Data Service using AWSNavigate Data Service using AWS
Navigate Data Service using AWS
 
Ad hoc
Ad hocAd hoc
Ad hoc
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
 
Wrou01
Wrou01Wrou01
Wrou01
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet Routing
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
OSPF Configuration
OSPF ConfigurationOSPF Configuration
OSPF Configuration
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
 
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
 
RPKI
RPKIRPKI
RPKI
 
AWSome Day Intro
AWSome Day IntroAWSome Day Intro
AWSome Day Intro
 
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
AWS re:Invent 2016: Serverless Architectural Patterns and Best Practices (ARC...
 

More from APNIC

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
 

More from APNIC (20)

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

Recently uploaded

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 

Recently uploaded (20)

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 

4th ICANN APAC-TWNIC Engagement Forum and 39th TWNIC OPM: RPKI Updates - RSCs and ASPAs

  • 1. 1 4th ICANN APAC-TWNIC Engagement Forum RPKI Updates: RSCs and ASPAs
  • 2. 2 2 What is an RSC? • RPKI Signed Checklist • Defined in RFC 9323 • The specification provides for: • signing one or more arbitrary files using an RPKI certificate • packaging the signature, filenames, and hashes into an object (the RSC itself) • verifying the signature (i.e. “these files were signed by somebody with authority to route 192.0.2.0/24”)
  • 3. 3 3 Why is it useful? • Arbitrary files can be signed – More flexible than existing RPKI functions – Supports ad hoc/people-driven processes • No need to publish in a public repository – Associated business operations can remain private
  • 4. 4 4 Use cases • BYOIP services • Third-party databases • Custom RPKI applications
  • 5. 5 5 BYOIP services • Support use of RIR-delegated IP addresses for BGP announcements in cloud infrastructure • RSCs can help to streamline the registration process
  • 6. 6 6 Third-party databases • Acting as cross-RIR interfaces for specific use cases (e.g. peering) • RSCs can be used to prove resource holdership
  • 7. 7 7 Custom RPKI applications • Define new object type and use RSCs for signing/packaging • Useful for testing/prototyping, or for use within a closed group of participants • No need to go through IETF process
  • 8. 8 8 Current status • Specification published in November 2022 – https://www.rfc-editor.org/rfc/rfc9323.txt • Production code – https://www.rpki-client.org • Proof-of-concept code – https://github.com/APNIC-net/rpki-rsc-demo – https://github.com/job/draft-rpki-checklists – https://github.com/benmaddison/rpkimancer • APNIC implementing in early 2024 – Deferred from Q2 of this year – In-principle support from other RIRs
  • 9. 9 9 What is an ASPA? • Autonomous System Provider Authorization • Defined in two documents: • draft-ietf-sidrops-aspa-profile • draft-ietf-sidrops-aspa-verification • The specifications provide for: • an ASN holder signing an object that defines its upstream ASes • a network operator using that data to verify the AS_PATH of a received route
  • 10. 10 10 Why is it useful? • Detect and mitigate route leaks – Compare ROV, which is about the origin only • Protect against certain types of forged-origin/forged-path attacks – Attacker must resort to longer AS paths for route to be accepted
  • 11. 11 11 Upstream validation • 1. If AS path has single entry • 2. If AS path contains hop from provider to customer • 3. If AS path contains hop without ASPA • 4. Otherwise, all hops are from customer to provider
  • 12. 12 12 Upstream validation examples (1) • Single-element AS path • No ASPAs • Not possible for it to be a route leak AS1 AS This AS is the upstream, receiving the route This is the route: only the AS path is relevant to ASPA validation, so the prefix is omitted
  • 13. 13 13 Upstream validation examples (2) • Two-element AS path • No ASPAs • Unable to determine validity AS1 AS AS2 Arrows indicate AS path, from origin through peers
  • 14. 14 14 Upstream validation examples (3) • Two-element AS path • ASPA exists for AS1 (origin) • Able to determine validity AS1 AS AS2 AS Providers 1 2 AS path moves upwards from AS to ASPA provider
  • 15. 15 15 Upstream validation examples (4) AS • Two-element AS path • ASPA exists for AS1 (origin), but disclaims AS2 as provider • Able to determine validity AS1 AS2 AS Providers 1 3
  • 16. 16 16 Downstream validation • 1. If AS path has: – Up-ramp, customer(s) through provider(s) – Down-ramp, provider(s) through customer(s) – No hops in the middle, or single lateral hop • 2. If AS path contains ‘valley’ (hop from provider to customer, then from customer to provider) • 3. Otherwise, unable to determine validity
  • 17. 17 17 Downstream validation examples (1) • Single-element AS path • No ASPAs • Not possible for it to be a route leak AS1 AS This AS is the downstream, receiving the route
  • 18. 18 18 Downstream validation examples (2) • Two-element AS path • No ASPAs • Not possible for it to be a route leak AS1 AS AS2
  • 19. 19 19 Downstream validation examples (3) • Three-element AS path • No ASPAs • Unable to determine validity AS1 AS AS2 AS3
  • 20. 20 20 Downstream validation examples (4) • Three-element AS path • ASPA exists for AS1 (origin) • Route leak not possible AS1 AS AS2 AS3 AS Providers 1 2
  • 21. 21 21 Downstream validation examples (5) • Three-element AS path • ASPA exists for AS3 (neighbour) • Route leak not possible AS1 AS AS2 AS3 AS Providers 3 2 AS path moves downwards from ASPA provider to AS
  • 22. 22 22 Downstream validation examples (6) • Three-element AS path • ASPAs exist for AS1 and AS3 • Route leak not possible AS1 AS AS2 AS3 AS Providers 1 2 3 2
  • 23. 23 23 Downstream validation examples (7) • Three-element AS path • AS0 ASPA now exists for AS2, to indicate absence of providers • Route leak not possible AS1 AS AS2 AS3 AS Providers 1 2 2 0 3 2
  • 24. 24 24 Downstream validation examples (8) • Three-element AS path • Up-ramp and down- ramp ASPAs do not include AS2 • Route leak AS1 AS AS2 AS3 AS Providers 1 4 2 0 3 5
  • 25. 25 25 Downstream validation examples (9) • Four-element AS path • Valley from AS2 to AS3 (customer) to AS4 indicates route leak AS1 AS AS2 AS3 AS Providers 1 2 2 0 3 2, 4 4 0 AS4
  • 26. 26 26 Forged-origin/path attacks • Attacker uses correct origin (AS1), but inserts own ASN into the AS path immediately after the origin – If AS1 has registered an ASPA, and AS2 (target recipient) receives route over lateral peer, AS2 will classify the route as invalid • Attacker can evade this by adding a valid upstream ASN after the origin and before its own ASN – But if the ASN that is added also has an ASPA, then the attacker needs to add more ASNs until it reaches an ASN without an ASPA – Plus, this all makes the path longer, and the route less likely to be used/preferred
  • 27. 27 27 Current status • Specifications currently in IETF Working Group Last Call • Production code – Krill (CA) – Routinator (RP) – rpki-client (RP) – OpenBGPD (router) – NIST BGP-SRx (router) • RIPE provide API for creating ASPA objects in the localcert.ripe.net environment (test) • APNIC planning to implement hosted CA functionality in 2024