This document provides an overview and update on BGP routing security from Alvaro Vives of the RIPE NCC. It discusses origin hijacking incidents, the Resource Public Key Infrastructure (RPKI) for validating BGP announcements, and statistics on RPKI adoption. It encourages using RPKI to secure routing and validating announcements with tools like Routinator. Overall RPKI adoption and number of ROAs have steadily increased in recent years according to the presented statistics.
APNIC Infrastructure and Development Director Che-Hoo Cheng gives an overview of RPKI as another security consideration for peering at Peering Asia 2.0, held in Hong Kong from 24 to 25 October 2018.
RPKI (Resource Public Key Infrastructure)Fakrul Alam
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP Addresses) to a trust anchor. (wikipedia)
APNIC Product Manager, Registry Services George Michaelson present on why RPKI really matters at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
APAN 50: RPKI industry trends and initiatives APNIC
APNIC Infrastructure and Development Director Che-Hoo Cheng gives an overview of the RPKI, why it is important, and how to create ROAs and ROVs to secure routing announcements.
APNIC Infrastructure and Development Director Che-Hoo Cheng gives an overview of RPKI as another security consideration for peering at Peering Asia 2.0, held in Hong Kong from 24 to 25 October 2018.
RPKI (Resource Public Key Infrastructure)Fakrul Alam
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP Addresses) to a trust anchor. (wikipedia)
APNIC Product Manager, Registry Services George Michaelson present on why RPKI really matters at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
APAN 50: RPKI industry trends and initiatives APNIC
APNIC Infrastructure and Development Director Che-Hoo Cheng gives an overview of the RPKI, why it is important, and how to create ROAs and ROVs to secure routing announcements.
ARIN 35 Tutorial: How to certify your ARIN resources with RPKIARIN
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI by Andy Newton. Presentation at: https://www.arin.net/participate/meetings/reports/ARIN_35/premeeting.html
Senior Training Officer, Sheryl (Shane) Hermoso, outlines the importance of securing Internet routing to prevent route hijacking and prefix mis-origination with RPKI at the recent VNIX/NOG event in Ha Noi in November 2016.
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
APNIC Director General Paul Wilson gives a presentation on Internet number registry services - the next generation at ThaiNOG 2019, held with BKNIX 2019 in Bangkok, Thailand from 7 to 8 May 2019.
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
APNIC Director General Paul Wilson gives a presentation on the latest developments in IP address registry services, and their importance to Internet stability and security at the ICANN APAC-TWNIC Engagement Forum in Taipei, Taiwan from 16 to 17 April. 2019
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
APNIC Infrastructure & Development Director Che-Hoo Cheng gives a presentation on ROA and ROV deployment and why routing security is becoming more important than ever at the 32nd TWNIC IP OPM in Taipei from 20 to 21 June 2019.
APNIC Service Team Lead Anna Mulingbayan gives an introduction to APNIC at the PCTA Convention 2023, held in Boracay, Philippines from 10 to 14 April 2023.
APNIC Service Team Lead Anna Mulingbayan gives an introduction to APNIC at the PCTA Convention 2023, held in Boracay, Philippines from 10 to 14 April 2023.
Andrzej Wolski - RIPE
Language: English
Securing BGP has been on the todo list of the the community at large for many years. Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems, it allows to verify whether an Autonomous System (AS) is authorized to announce a specific IP address range. We will look at closely at the state of the RPKI deployment. Successes and failures globally, define areas for improvement and quickly zoom in into our region.
Register to the next PLNOG edition: krakow.plnog.pl
ARIN 35 Tutorial: How to certify your ARIN resources with RPKIARIN
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI by Andy Newton. Presentation at: https://www.arin.net/participate/meetings/reports/ARIN_35/premeeting.html
Senior Training Officer, Sheryl (Shane) Hermoso, outlines the importance of securing Internet routing to prevent route hijacking and prefix mis-origination with RPKI at the recent VNIX/NOG event in Ha Noi in November 2016.
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
APNIC Director General Paul Wilson gives a presentation on Internet number registry services - the next generation at ThaiNOG 2019, held with BKNIX 2019 in Bangkok, Thailand from 7 to 8 May 2019.
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
APNIC Director General Paul Wilson gives a presentation on the latest developments in IP address registry services, and their importance to Internet stability and security at the ICANN APAC-TWNIC Engagement Forum in Taipei, Taiwan from 16 to 17 April. 2019
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
APNIC Infrastructure & Development Director Che-Hoo Cheng gives a presentation on ROA and ROV deployment and why routing security is becoming more important than ever at the 32nd TWNIC IP OPM in Taipei from 20 to 21 June 2019.
APNIC Service Team Lead Anna Mulingbayan gives an introduction to APNIC at the PCTA Convention 2023, held in Boracay, Philippines from 10 to 14 April 2023.
APNIC Service Team Lead Anna Mulingbayan gives an introduction to APNIC at the PCTA Convention 2023, held in Boracay, Philippines from 10 to 14 April 2023.
Andrzej Wolski - RIPE
Language: English
Securing BGP has been on the todo list of the the community at large for many years. Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems, it allows to verify whether an Autonomous System (AS) is authorized to announce a specific IP address range. We will look at closely at the state of the RPKI deployment. Successes and failures globally, define areas for improvement and quickly zoom in into our region.
Register to the next PLNOG edition: krakow.plnog.pl
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
1. ESNOG 29 | 19 May 2023
Alvaro Vives
RIPE NCC
BGP Routing Security:
Update and Stats
2. 2
What is the RIPE NCC?
RIR = Regional Internet Registry
• Not-for-pro
fi
t organisation
• Funded by membership fees
• Policies developed by regional communities
• Neutral, impartial, open, and transparent
4. ACADEMY
BGP Security E-learning Course
academy.ripe.net/bgp-security/
Free online course
Interactive, you can study at your own pace
Practical lab environment and activities
5. 5
April 2018: Amazon-MyEtherWallet
• BGP hijack of Amazon DNS
• How did it happen?
• Why? To steal cryptocurrency
5
BGP hijack
What is
myetherwallet.com?
root
.com
myetherwallet.com is now
in eastern Ukraine
Imposter website
Recursive
DNS server
Legitimate
Authoritative
DNS server
Imposter
Authoritative
DNS server
6. 6
Origin Hijack: Same Pre
fi
x
AS3
AS5
AS2
AS1
AS6
AS4
P/32, AS1
Pre
fi
x-P, 2001:db8::/32
P/32, AS2 AS1
P/32, AS3 AS2 AS1
P/32, AS5
P/32, AS6 AS5
This is a local hijack!
Only some networks are affected based on BGP path selection process.
7. 7
Origin Hijack: More Speci
fi
c Pre
fi
x
AS3
AS5
AS2
AS1
AS6
AS4
P/32, AS1
Pre
fi
x-P, 2001:db8::/32
P/32, AS2 AS1
P/32, AS3 AS2 AS1
P/48, AS5
P/48, AS6 AS5
This is a global hijack!
All traf
fi
c for more speci
fi
c will be forwarded to the attacker’s network network.
9. Resource
Public
Key
Infrastructure
9
What is RPKI?
• A security framework using Public Key Infrastructure and Resource
certi
fi
cation (X.509 PKI certi
fi
cates) for BGP route origin validation
(ROV)
• Allows resource (IPs) holders to prove ownership, and create
authorisations (ROAs)
• ASNs can use ROAs to validate the origin of BGP announcements
- Is the originating ASN authorised to originate a particular pre
fi
x?
10. 10
How does it work?
You create an authorised
statement for your pre
fi
x
I have pre
fi
x Y!
BGP announcement
Authorised statement
Sign
Others use those statements to make better routing decisions!
Pre
fi
x Y, AS300 AS300
Pre
fi
x Y
Publish
4
Prefix Y
ASN 300 is
authorised to
announce my
prefix Y
ASN 300 is
authorised to
announce my
prefix Y
RPKI Repository
AS100
AS200
AS300
1 2
3
4
11. +
SIGNING VALIDATION
Create ROAs for your prefixes
in the RPKI system
Verify the information
provided by others
11
Elements of RPKI
• RPKI system consists of two parts…
12. 12
Trust in RPKI
• RPKI relies on
fi
ve RIRs as Trust Anchors
• Certi
fi
cate structure follows the RIR hierarchy
• RIRs issue certi
fi
cates to resource holders
ARIN APNIC RIPE NCC AFRINIC
LACNIC
LIR LIR LIR
ROA ROA
RIR Root CA
Member CA
Authorised
Statements
IANA RIRs LIRs
End
Users
End
Users
13. RPKI Chain of Trust
ROA
LIR Certificate
Digital Signature
Root Certificate
Public Key
All Resources
LIR’s Resources
Self-sign
Root’s private key
Signed by Root’s private key
Signed by LIR’s private key
Sign
Sign
Digital Signature
Digital Signature
Public Key
14. ROA
2001:db8::/48
/48
AS65536
Prefix
Origin ASN
Max Length
14
What are ROAs?
• An authorised statement created by the resource holder
• States that a certain pre
fi
x can be originated by a certain AS
• LIRs can create ROAs for their resources
• Multiple ROAs can exist for the same pre
fi
x
• ROAs can overlap
15. 15
How to create a ROA?
• Login to LIR Portal (my.ripe.net)
• Go to the RPKI Dashboard
• Choose which RPKI model to use
Hosted
Delegated
16. 16
Hosted RPKI
RIPE NCC Hosted System
RIPE NCC
ROA
ROA
LIR
ROA
• ROAs are created and published using the
RIR’s member portal
• RIR hosts a CA (Certi
fi
cation Authority) for
LIRs and signs all ROAs
• Automated signing and key rollovers
17. 17
Delegated RPKI
ROA ROA
LIR
LIR CA
RIPE NCC Hosted System
RIPE NCC
ROA
ROA
LIR
ROA
• Each LIR manages its part of the
RPKI system
- Runs its own CA as a child of the RIR
- Manages keys/key rollovers
- Creates, signs and publishes ROAs
• Certi
fi
cate Authority (CA) Software
- Krill (NLnet Labs)
- rpkid (Dragon Research Labs)
18. 18
Publication as a Service
ROA
ROA
LIR
LIR CA
ROA
ROA
RIPE NCC Hosted System
RIPE NCC
ROA
ROA
LIR
ROA
• In-between Hosted and Delegated
- Runs its own CA as a child of the RIR
- Manages keys/key rollovers and ROAs
- Maintain key pairs and objects and
send them to RIR
- RIR publishes ROAs on behalf of LIR
• Also APNIC, ARIN, RIPE NCC,
NIRs
• AKA “Publication in parent” or
“Hybrid RPKI”
19. +
SIGNING VALIDATION
Create ROAs for your prefixes
in the RPKI system
Verify the information
provided by others
19
Elements of RPKI
• RPKI system consists of two parts…
20. 20
RPKI Validation
• Verifying the information provided by others
- Proves holdership through a public key and certi
fi
cate infrastructure
• In order to validate RPKI data, you need to …
- install a validator software locally in your network
• Goal is to validate the “origin of BGP announcements”
- Known as BGP Origin Validation (BGP OV) or Route Origin Validation (ROV)
21. • Connects to RPKI repositories via rsync or RRDP protocol
• Uses TALs to connect to the repositories and download ROAs
• Validates chain of trust for all ROAs and associated CAs
• Creates a local “validated cache” with all the valid ROAs
RPKI Validator
22. 22
ROA Validation Process
ELSE validation is unsuccessful, ROA is INVALID!
IF chain is complete, it means ROA is VALID!
ROA
LIR Certificate
Digital Signature
Root Certificate
Public Key
Self-signed
Digital Signature
Digital Signature
Public Key
23. 23
Valid ROAs Are Sent to the Router!
Router uses this information to make better routing decisions!
External
Repositories
RIPE NCC ARIN APNIC
Validator
RPKI Repositories
Validated Cache
rsync/RRDP
RPKI-RTR
LACNIC AFRINIC
ROAs
AS65500
BGP Update
2001:db8:1000::/48, AS65500
VALID
OR
INVALID
25. 25
RPKI Validators are Mature
• Much better than 5 years ago
• Installation, con
fi
guration, documentation is way better
• Big research work on vulnerabilities in 2021
- Multiple
fi
xes in all validators, mostly addressing potential DoS attacks
- Source: https://arxiv.org/pdf/2203.00993.pdf
26. 26
Run Different Validators
RIPE NCC RPKI Validator: STOP USING IT IF YOU STILL DO
Source (13/5/23): https://rov-measurements.nlnetlabs.net/stats/
Validator Number (13/5/23) %
Routinator 2297 79%
rpki-client 253 9%
OctoRPKI 181 6%
FORT 91 3%
Validator 87 3%
Other 6 0%
27. 27
RPKI Validator Options
• Routinator
- Built by NLNetlabs
• OctoRPKI
- Cloud
fl
are’s relying party software
• FORT
- Open source RPKI validator
• rpki-client
- Integrated in OpenBsd
Links for RPKI Validators
https://github.com/NLnetLabs/routinator.git
https://github.com/cloud
fl
are/cfrpki#octorpki
https://github.com/NICMx/FORT-validator/
https://www.rpki-client.org/
https://rpki.readthedocs.io
For more info…