This document discusses securing internet routing by validating route origins and paths. It describes some of the issues with the current routing system, including that there is no single authority and routing works based on rumors. It then introduces the Resource Public Key Infrastructure (RPKI) system, which uses digital signatures and certificates to validate route origins by tying IP addresses and autonomous system numbers to their legitimate holders. This allows for route origin validation using Route Origin Authorizations (ROAs). It notes that AS path validation is also needed to fully secure routing, but faces challenges in terms of resources and adoption. Basic routing security practices and industry initiatives are recommended in the meantime.
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation - APNIC
APNIC Director General Paul Wilson gives a presentation on Internet number registry services - the next generation at ThaiNOG 2019, held with BKNIX 2019 in Bangkok, Thailand from 7 to 8 May 2019.
RPKI is a system that provides validation of IP address and AS number ownership through the use of digital certificates. It aims to reduce routing leaks and hijacking by allowing routers to verify that the origin AS of a route matches what is published in the RPKI database. The key components of RPKI are trust anchors maintained by Regional Internet Registries, Route Origin Authorizations (ROA) that are published by network operators, and validators that check BGP routes against the ROA database.
The document provides an overview of the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents like hijacking and misdirection. It discusses how RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that an Autonomous System is authorized to originate routes for specific IP address blocks. The key components of RPKI include Certificate Authorities, Relying Parties, and routers configured with RPKI support to filter routes based on validation of origin AS authorization. Deployment status at the Regional Internet Registries and an APNIC RPKI service are also covered.
APNIC Infrastructure and Development Director Che-Hoo Cheng gives an overview of RPKI as another security consideration for peering at Peering Asia 2.0, held in Hong Kong from 24 to 25 October 2018.
The document discusses trust anchors and public key infrastructure (PKI) in the context of the Resource Public Key Infrastructure (RPKI). It presents several models for establishing trust anchors for the RPKI, including:
1) A single IANA-issued trust anchor with subordinate certificates issued by each Regional Internet Registry (RIR) matching their number resource allocations. This would not support transferred resources.
2) An interim APNIC trust anchor structure containing self-signed certificates from each RIR to allow migration to a single IANA trust anchor.
3) Individual per-RIR self-signed trust anchors, a simpler interim model but requiring more work to transition to a single IANA trust anchor.
This document discusses Internet routing certification and the use of digital resource certificates to secure inter-domain routing. It provides an overview of some key issues with the current non-hierarchical routing system, including route leaks and hijacking. The document then introduces a new system using Resource Public Key Infrastructure (RPKI) certificates issued by Regional Internet Registries to validate route origin authorization (ROA) and prove holdership of Internet number resources. Software and hardware methods for validating these certificates and ROAs are presented. Early adoption statistics are also provided, along with a discussion of future plans to improve the system.
This document discusses Resource Public Key Infrastructure (RPKI) and how it can be used to secure Internet routing by validating the origin of IP prefixes and autonomous system numbers (ASNs) in the Border Gateway Protocol (BGP). The RIPE NCC issues free digital certificates as part of RPKI that validate an organization's registration of IP address blocks and ASNs. Route Origin Authorizations (ROAs) allow organizations to authorize which ASNs can originate which IP prefixes. Software runs periodic checks on the RPKI repository to determine the validity of BGP route announcements. Router vendors are adding support for RPKI validation which can influence routing decisions based on a route's validity status.
This document discusses resource certification and secure inter-domain routing. It describes how digital resource certificates issued by Regional Internet Registries (RIRs) can provide proof of resource holdership and enable route origin authorization to help secure routing and validate route announcements. The system uses X.509 certificates linked to registry information. Software and hardware tools allow validating route origins using the RPKI-RTR protocol to query a validated cache of certificates and route origin authorizations. Early adoption rates and next steps are outlined.
APAN 50: RPKI industry trends and initiatives - APNIC
APNIC Infrastructure and Development Director Che-Hoo Cheng gives an overview of the RPKI, why it is important, and how to create ROAs and ROVs to secure routing announcements.
The document discusses best practices for BGP filtering and securing Internet routing. It recommends prefix filtering over AS path filtering due to risks of accidental or malicious hijacking with AS path rules. Maintaining prefix filters can be difficult so many IXPs still use AS path rules. The document outlines how the Resource Public Key Infrastructure (RPKI) system of cryptographically signing routing data with regional Internet registries can help automate and validate prefix filters. However, RPKI adoption is still limited as not all network operators have signed their prefix objects or enforced validation of received routes. The document proposes methods to automate RPKI in network configurations to improve routing security.
32nd TWNIC IP OPM: ROA+ROV deployment & industry development - APNIC
APNIC Infrastructure & Development Director Che-Hoo Cheng gives a presentation on ROA and ROV deployment and why routing security is becoming more important than ever at the 32nd TWNIC IP OPM in Taipei from 20 to 21 June 2019.
Network Operations Engineer Sheryl Hermoso presents an overview of ‘RPKI for secure Internet routing infrastructure’ at PacNOG 23 in the Marshall Islands from 3 to 7 December 2018.
RPKI (Resource Public Key Infrastructure) - Fakrul Alam
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP Addresses) to a trust anchor. (wikipedia)
This document discusses improvements to APNIC's routing registry and RPKI services. It suggests:
1) Enhancing MyAPNIC to improve visibility of portable and non-portable ASNs and help members keep ROAs up to date.
2) Setting up an rr.apnic.net server to support IRRd syntax queries and separating delegation and routing registry functions.
3) Partnering with NTT to provide an IRRd-based service covering APNIC's region and offering RPKI validation as a service.
The Next Generation Internet Number Registry Services - MyNOG
This document provides an overview of registry services, including the Registration Data Access Protocol (RDAP) and the Resource Public Key Infrastructure (RPKI). RDAP is designed to replace the aging WHOIS protocol by providing structured query and response formats to enable automation. RDAP also supports access control, internationalization, redirection and extensibility. RPKI is a PKI framework that adds Internet number resource information to certificates to cryptographically validate resource ownership and authorization of routing announcements. It enables applications like route origin validation to secure the routing system. The document discusses how RDAP and RPKI work and provide benefits like improved security, automation and verification of registry data.
APNIC Director General Paul Wilson presents on the next generation of Internet number registry services, namely RDAP and RPKI at the 31st TWNIC OPM and TWNOG in Taipei, Taiwan from 27 to 28 November 2018.
Andrzej Wolski - RIPE
Language: English
Securing BGP has been on the to-do list of the community at large for many years. Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems: it allows verifying whether an Autonomous System (AS) is authorized to announce a specific IP address range. We will look closely at the state of RPKI deployment, successes and failures globally, define areas for improvement and quickly zoom in on our region.
Register to the next PLNOG edition: krakow.plnog.pl
btNOG 6: Next Generation Internet Registry Services - RDAP - APNIC
RDAP (Registration Data Access Protocol) is a new protocol that improves on the legacy WHOIS protocol by standardizing query and response formats. It allows for querying via RESTful JSON responses rather than simple text-based formats. RDAP also enables features like querying redirection, multilingual content, and viewing historical records. APNIC has implemented an RDAP-based web client and application called WHOWAS. Future work includes a full-featured RDAP client, incorporating additional languages, and working with the IETF and others on further RDAP standards and adoption.
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne... - APNIC
APNIC Director General Paul Wilson gives a presentation on the latest developments in IP address registry services, and their importance to Internet stability and security, at the ICANN APAC-TWNIC Engagement Forum in Taipei, Taiwan from 16 to 17 April 2019.
Google operates 13 global data centers that require massive bandwidth for data replication and storage. Google faced challenges with the inflexible and inefficient architecture of traditional networks. Google implemented a Software Defined Wide Area Network (SDWAN) using OpenFlow and a centralized control approach. The SDWAN includes a global bandwidth broker, traffic engineering server, SDN gateways, and integration with existing routing protocols. This provides optimized traffic routing, faster convergence on failures, and 95% link utilization while connecting all data centers as a single logical network.
The document discusses best practices for prefix filtering design when receiving routes from other networks. It outlines four options for customer prefix scenarios: single-homed with non-portable prefix, single-homed with portable prefix, multi-homed with non-portable prefix, and multi-homed with portable prefix. For each option, it describes considerations for route filtering at the internet service provider and customer networks to ensure optimal routing and security.
This presentation outlines a routing security roadmap to address issues in the current routing ecosystem. It identifies specific problems such as inaccurate data in IRR databases and lack of filtering at IXPs. The presentation proposes solutions to these problems, such as validating data in IRR databases, implementing RPKI filtering at internet aggregators to suppress conflicting IRR data, and encouraging more IXPs and route servers to filter invalid routes. It argues that implementing these changes would help secure the routing system and eliminate many of the existing hurdles.
APNIC Training Manager Tashi Phuntsho presents on why it is important to secure Internet routing at npNOG 5 in Kathmandu, Nepal, from 8 to 13 December 2019.
Introduction to RPKI by Sheryl (Shane) Hermoso - MyNOG
The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
Global routing validation involves facilitating the validation of routing information on a global scale through two main systems - the Internet Routing Registries (IRR) and the Resource Public Key Infrastructure (RPKI). Routing information such as routing policies, autonomous system numbers, and IP prefixes should be publicly available in a common format to allow for global validation. The RPKI system uses digital certificates to authoritatively associate network resources like IP addresses and autonomous system numbers to their legitimate owners and allows identification of which autonomous systems have permission to originate those addresses. Implementing RPKI and origin validation helps secure routing and prevent route hijacking.
This document provides an overview and update on BGP routing security from Alvaro Vives of the RIPE NCC. It discusses origin hijacking incidents, the Resource Public Key Infrastructure (RPKI) for validating BGP announcements, and statistics on RPKI adoption. It encourages using RPKI to secure routing and validating announcements with tools like Routinator. Overall RPKI adoption and number of ROAs have steadily increased in recent years according to the presented statistics.
APNIC Product Manager, Registry Services, George Michaelson presents on why RPKI really matters at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
Should I run my own RPKI Certificate Authority? - APNIC
This document discusses the Resource Public Key Infrastructure (RPKI) and whether an organization should run their own RPKI Certificate Authority or use a hosted service. It provides an overview of RPKI and how it enables route origin validation. It then covers the different components, hosted vs delegated models, and factors to consider in choosing an approach. Key points include software and hardware requirements for running your own CA, the hybrid option of a hosted publication server, and that delegated RPKI is not inherently more secure but provides better access control and integration with an organization's systems.
Senior Training Officer, Sheryl (Shane) Hermoso, outlines the importance of securing Internet routing to prevent route hijacking and prefix mis-origination with RPKI at the recent VNIX/NOG event in Ha Noi in November 2016.
The document discusses Route Origin Validation (ROV) using Resource Public Key Infrastructure (RPKI) as outlined by the Mutually Agreed Norms for Routing Security (MANRS) initiative. It describes how RPKI uses digitally signed certificates and Route Origin Authorizations (ROAs) to validate the origin AS of IP prefixes in BGP routing announcements. The validation status can be used to filter or modify routes. Instructions are provided on setting up various open-source RPKI validators like Routinator, OctoRPKI, and FORT to perform ROV and feed the validated ROA cache into BGP routers.
1. The document provides an introduction and tutorial on RPKI (Resource Public Key Infrastructure) and how it can be used to secure Internet routing and validate route origins using digital certificates and public key cryptography.
2. It describes the goals of RPKI to reduce routing leaks and hijacks by allowing ISPs to validate the authenticity of route announcements based on IP and ASN ownership.
3. The presentation demonstrates how to create ROAs (Route Origin Authorizations) and configure routers to validate route origins and make routing decisions based on the RPKI validation results.
This document discusses IPv4 transfers and the Resource Public Key Infrastructure (RPKI). It provides information on who can transfer IPv4 addresses between APNIC members and other RIRs, and shows statistics on IPv4 transfers from Singapore. It describes what RPKI is and how it helps secure internet routing by validating routes. It provides instructions on how to create Route Origin Authorization (ROA) objects in MyAPNIC to participate in RPKI and the benefits of maintaining ROAs. Statistics on ROA adoption in several Asian countries are also presented, along with an example of a successful ROA deployment campaign in Bangladesh.
This document provides information on resource public key infrastructure (RPKI) and route origin authorization (ROA). It discusses problems with relying solely on Internet routing registries (IRRs), and how RPKI addresses these issues by tying IP addresses and autonomous system numbers (ASNs) to public keys. It describes the RPKI certificate structure and chain of trust, as well as the roles of signing ROAs, validating others, hosted RPKI systems, and relying parties. Examples of incidents from inaccurate or incomplete IRR data are given. The status of major transit and cloud providers in supporting RPKI is listed.
This document provides an introduction to RPKI (Resource Public Key Infrastructure) including its history, goals, and how it works. It discusses how RPKI uses public key cryptography and digital certificates to validate route origins and reduce routing leaks. It also covers how RPKI is implemented in practice through certificate authorities, repositories, route collectors, and router integration to filter BGP routes.
This document discusses Route Origin Authorization (ROA) using the Resource Public Key Infrastructure (RPKI). It provides an overview of RPKI and how it uses digital certificates to validate the association between network resources and their holders. It describes APNIC's involvement in promoting RPKI adoption in the Asia Pacific region. It outlines the benefits of ROA, such as preventing route hijacking, and minimizing routing errors. It provides step-by-step instructions on creating ROAs using the MyAPNIC portal. Finally, it shares statistics on ROA adoption rates in South Asia and details APNIC's outreach efforts to encourage more networks to validate and filter routes using RPKI.
This document provides an introduction to BGP routing security and the Resource Public Key Infrastructure (RPKI). It explains that RPKI ties IP addresses and autonomous system numbers (ASNs) to public keys to validate route origination. It details how RPKI uses certificates signed by regional internet registries to establish a chain of trust from root certificates to route origin authorization (ROA) files created by network operators. It also discusses tools for validating ROAs and using the results to make routing decisions, as well as ongoing efforts to fully validate the security of inter-domain routing.
This document discusses RPKI deployment status in Bangladesh. It provides an overview of RPKI and why route validation is important. It shows statistics on ROA adoption and route validation in Bangladesh, including types of invalid routes and top contributors. The document concludes with recommendations for RPKI deployment, including signing only announced prefixes, deploying multiple validator caches, and dropping invalid routes. It also provides guidance for RPKI deployment by small ISPs and enterprises.
APNIC Chief Scientist Geoff Huston gives a keynote presentation on measuring Route Origin Validation (ROV) from the perspective of the end user at btNOG 7, held online on 16 October 2020.
APNIC Chief Scientist Geoff Huston presents on the effectiveness of Route Origin Validation (ROV) filtering from the perspective of the end user at mnNOG 2, held online on 28 October 2020.
RPKI (Resource Public Key Infrastructure) is a framework that helps secure Internet routing by validating route origins and paths. It works by (1) having certificate authorities like regional internet registries issue certificates binding IP addresses and ASNs, (2) having address holders issue Route Origin Authorizations specifying which ASNs are authorized to originate which address ranges, and (3) having routers perform validation of routes based on this published data. While adoption is still in early stages, RPKI deployment is gradually increasing and provides benefits like preventing route hijacking and misorigination.
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids (APNIC)
APNIC Training Delivery Manager Shane Hermoso presents on the status of RPKI deployment in the Asia Pacific and the importance of cleaning up invalids at VNIX-NOG 2023, Da Lat, Viet Nam from 5 to 6 October 2023.
3. RQC
In response to the APNIC 2018 Member Survey, the Resource Quality Check provides different widgets that assist in assessing the quality of internet number resources delegated from APNIC, i.e.
• Routing Status and Routing History
• Geolocation History
• WHOIS current data
• Information of the past delegations and custodianship history
• Blacklist entries
6. RPKI
• RPKI is a public key infrastructure (PKI) framework, originally designed to secure BGP routing
⎯ Based on X.509 PKI standards
• RPKI adds Internet Number Resource (INR) information to X.509 certificates issued to resource holders
⎯ Representing INR custodianship and other status
⎯ Certification hierarchy follows the INR delegation hierarchy: IANA ➔ RIR ➔ NIR ➔ ISP ➔ …
7. RPKI hierarchy
[Diagram: IANA CA at the root; below it the five RIR CAs (APNIC, LACNIC, RIPE NCC, ARIN, AFRINIC); below an RIR CA, NIR CAs and then ISP CAs.]
8. RPKI applications
• Route Origin Validation (ROV)
⎯ Validation of Route Origin Authorisations (ROA) to make BGP routing decisions
• Resource Tagged Attestations (RTA)
⎯ Allows an arbitrary digital object to be signed by the holder of the IP address/ASN mentioned in the digital object, using RPKI
• Other future applications
11. ROA
• Route Origin Authorization (ROA)
⎯ Gives an ASN the authority to originate specific IP blocks
⎯ Contains a list of prefixes with the ASN authorized to announce them
⎯ Signed by the IP resource holder
• RPKI validates the integrity of the ROA
⎯ It is provably created by the holder of the prefix
⎯ Can now be used to construct route filters for prefix-OriginAS pairs in BGP
Example ROA:
Prefix: 203.176.32.0/19
Max-length: /24
Origin ASN: AS17821
12. RPKI Validator
• Gathers and validates ROAs from the distributed RPKI repositories
⎯ Using rsync or RRDP (preferable)
⎯ Maintains a validated cache representing the complete global state
• Can then perform ROV for routers using the RPKI-to-Router (RTR) protocol
[Diagram: the validator fetches from the IANA, APNIC (rpki.apnic.net), RIPE and ISP repositories over rsync/RRDP and builds a validated cache that routers query.]
14. Route validation states
• Not Found (Unknown)
⎯ No ROA found, probably not created yet
⎯ This will be the “default” for some time
• Valid
⎯ ROA exists
⎯ Prefix, Origin ASN and prefix-length match those found in the validated cache
• Invalid
⎯ ROA exists
⎯ Prefix found, but Origin ASN is wrong, prefix-length is longer than Max-length, or certificates are expired or otherwise invalid
⎯ Some action needed
15. Action for invalid routes
• For inbound routes from upstreams/peers
⎯ Drop them
⎯ Give them a lower LOCAL_PREF
⎯ Do nothing (not recommended)
• For outbound routes to customers
⎯ Tag them before re-distributing them to customers
⎯ Allow customers to make their own choices
• Tagging (e.g. at IXPs)
⎯ Apply community tags based on the validation state
§ Not Found (ASN:65XX1)
§ Valid (ASN:65XX2)
§ Invalid (ASN:65XX3)
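As an added example that is not part of the slides, the following Python implements the three validation states above over a validated ROA cache and the community tagging described for IXP route servers. The cache is built from the slides' sample ROA (203.176.32.0/19, max-length /24, AS17821); the second origin AS 64496, the IPv6 ROA, the tagging ASN and the 65001-65003 community values are constructed stand-ins.

```python
"""Route Origin Validation over a validated ROA cache (RFC 6811 semantics).

Added example, not code from the APNIC slides. The cache is constructed
from the slides' sample ROA plus illustrative entries that use
documentation prefixes and private-range ASNs.
"""
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str       # covered prefix, e.g. "203.176.32.0/19"
    max_length: int   # longest announcement length this ROA authorises
    origin_asn: int   # ASN authorised to originate the prefix

# Constructed validated cache (what a validator hands routers over RTR).
VALIDATED_CACHE = [
    ROA("203.176.32.0/19", 24, 17821),   # the slides' example ROA
    ROA("203.176.32.0/19", 19, 64496),   # constructed second origin, exact /19 only
    ROA("2001:db8::/32", 48, 64500),     # constructed IPv6 ROA, documentation prefix
]

def validate(route_prefix: str, origin_asn: int, cache=VALIDATED_CACHE) -> str:
    """Classify a (prefix, origin AS) pair as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = []
    for roa in cache:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "not-found"        # no ROA covers this prefix at all
    # One matching ROA is enough: right origin AND not longer than max-length.
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"              # covered, but wrong origin or too specific

# Constructed stand-ins for the slides' ASN:65XX1 / 65XX2 / 65XX3 tags.
STATE_COMMUNITY = {"not-found": 65001, "valid": 65002, "invalid": 65003}

def tag_route(route_prefix: str, origin_asn: int, tagging_asn: int,
              cache=VALIDATED_CACHE) -> tuple:
    """Return (state, community) as a route server might attach before re-distribution."""
    state = validate(route_prefix, origin_asn, cache)
    return state, f"{tagging_asn}:{STATE_COMMUNITY[state]}"
```

A more-specific announcement beyond the max-length and an unauthorised origin both come out as invalid, while a prefix with no covering ROA stays not-found and is left to the receiving network's policy.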
16. RPKI application: RTA
• Take existing “letter of authority” practice
⎯ Typically a scanned/signed PDF under company letterhead
⎯ Unverifiable without more information
• Generate a “detached signature” using RPKI
⎯ Signing certificate contains the IP address range listed in the letter of authority document
⎯ This is now a cryptographically verifiable letter of authority
• Pilot implementation
⎯ In development at APNIC (via MyAPNIC)
⎯ IETF draft in progress
17. RPKI benefits
• Improved in-band verification of resource custodianship
⎯ Much safer than manually checking the whois or IRR database
⎯ Ease of automation
• Secure origin is the first step to preventing many attacks on BGP integrity
⎯ BGP path validation remains a problem and is under development
⎯ Related information such as IRR policy can now leverage strong proofs of validity (ending the maintainer-authority problem in RADB/IRR)
• Instructions/information from the resource custodian can be cryptographically verified (e.g. LOA signing)
19. How do I start?
• Use MyAPNIC:
⎯ Create ROAs to better protect your own routes
§ Encourage your peers/customers to do the same
§ Encourage your IXP to implement Route Origin Validation (ROV) in their route server
⎯ Then
§ Set up route validation at your own border routers
§ Use a public or IXP validator, or your own
22. APNIC New Policies Implementation
• Prop-125: Validation of “abuse-mailbox” and other IRT emails
• Prop-127: Change maximum delegation size of the 103/8 IPv4 address pool to a /23
• Prop-128: Multihoming not required for ASN
• Prop-129: Abolish waiting list for unmet IPv4 requests