Internet Routing Registry & RPKI Tutorial
Nurul Islam Roman, APNIC
Objectives 
• To provide an introduction to the APNIC Routing 
Registry 
– Explain concepts of the global RR 
– Outline the benefits of the APNIC Routing Registry 
– Discuss Routing Policy Specification Language (RPSL) 
• New Initiative RPKI
Overview 
• What is IRR? 
• Whois DB Recap 
• APNIC database and the IRR 
• Using the Routing Registry 
• Using RPSL in practice 
• Benefit of using IRR
What is IRR?
Prefix Advertise to Internet
• Ingress prefix from downstream:
– Option 1: Customer single home and non portable prefix
• Customer is not an APNIC member; prefix received from upstream ISP
– Option 2: Customer single home and portable prefix
• Customer is an APNIC member and receives an allocation as a service provider, but has no AS number yet
– Option 3: Customer multihome and non portable prefix
• Customer is not an APNIC member; both prefix and ASN received from upstream ISP
– Option 4: Customer multihome and portable prefix
• Customer is an APNIC member; both prefix and ASN received from APNIC
Prefix Filtering BCP [Single home]
• Option 1: Customer single home and non portable prefix
[Diagram: Internet above the upstream ISP AS17821 (ISP prefix 3fff:ffff::/32); downstream customer (customer prefix 3fff:ffff:dcdc::/48)]
– Upstream (AS17821): static route for 3fff:ffff:dcdc::/48 to the customer WAN interface; no LoA check of the customer prefix
– Downstream (customer): no BGP; static default to the ISP WAN interface
Prefix Filtering BCP [Single home]
• Option 2: Customer single home and portable prefix
[Diagram: Internet above the upstream ISP AS17821 (ISP prefix 3fff:ffff::/32); downstream customer (customer prefix 2001:0DB8::/32)]
– Upstream (AS17821): static route for 2001:0DB8::/32 to the customer WAN interface; BGP network 2001:0DB8::/32 AS17821 i; check LoA of the customer prefix
– Downstream (customer): no BGP; static default to the ISP WAN interface; static 2001:0DB8::/32 null0
Prefix Filtering [Multihome]
• Option 3: Customer multihome and non portable prefix
[Diagram: Internet above two upstream ISPs, AS17821 (ISP prefix 3fff:ffff::/32) and AS131107; the customer AS64500 (customer prefix 3fff:ffff:dcdc::/48) peers with both]
– Upstream AS17821 (upstream can not change): eBGP peering with the customer WAN interface; no LoA check of the customer prefix
– Upstream AS131107 (upstream can change): check LoA of the customer prefix; manual process: e-mail to tech-c; automated process: route object or RPKI; nearly the same filter requirement as the other ISP
– Customer AS64500: eBGP peering with both ISP WAN interfaces; BGP network 3fff:ffff:dcdc::/48 AS64500 i, or aggregate address from the gateway router
Prefix Filtering [Multihome]
• Option 4: Customer multihome and portable prefix
[Diagram: Internet above two upstream ISPs, AS17821 (ISP prefix 3fff:ffff::/32) and AS131107; the customer AS64500 (customer prefix 2001:0DB8::/32) peers with both]
– Upstream AS17821 (upstream can change): check LoA of the customer prefix; manual process: e-mail to tech-c; automated process: route object or RPKI
– Upstream AS131107 (upstream can change): check LoA of the customer prefix; manual process: e-mail to tech-c; automated process: route object or RPKI; nearly the same filter requirement as the other ISP
– Customer AS64500: eBGP peering with both ISP WAN interfaces; BGP network 2001:0DB8::/32 AS64500 i, or aggregate address from the gateway router
What is a Routing Registry?
• A repository (database) of Internet routing policy information
• Autonomous Systems exchange routing information via BGP
• Exterior routing decisions are based on policy-based rules
• However, BGP does not provide a mechanism to publish/communicate the policies themselves
• The RR provides this functionality
• Routing policy information is expressed in a series of objects
• Stability and consistency of routing
• Network operators share information
What is a Routing Registry?
[Diagram: registries that together form the IRR: RIPE, RADB, CW, APNIC, Connect, ARIN, ArcStar, FGC, Verio, Bconnex, Optus, Telstra, ...]
IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
What is Routing Policy? 
• Description of the routing relationship between 
autonomous systems 
– Who are my BGP peers? 
• Customer, peers, upstream 
– What routes are: 
• Originated by each neighbour? 
• Imported from each neighbour? 
• Exported to each neighbour? 
• Preferred when multiple routes exist? 
– What to do if no route exists? 
– What routes to aggregate?
Representation of Routing Policy
[Diagram: AS1 (containing NET1) peers with AS2 (containing NET2)]
In order for traffic to flow from NET2 to NET1 between AS1 and AS2:
AS1 has to announce NET1 to AS2 via BGP
And AS2 has to accept this information and use it
Resulting in packet flow from NET2 to NET1
Representation of Routing Policy
[Diagram: AS1 (containing NET1) peers with AS2 (containing NET2)]
In order for traffic to flow from NET1 to NET2:
AS2 must announce NET2 to AS1
And AS1 has to accept this information and use it
Resulting in packet flow from NET1 to NET2
RPSL
• Routing Policy Specification Language
– Object oriented language
• Based on RIPE-181
– Structured whois objects
• Higher level of abstraction than access lists
• Describes things interesting to routing policy:
– Routes, AS Numbers …
– Relationships between BGP peers
– Management responsibility
• References: RFC 2622, RFC 2725, RFC 2650
Routing Policy - Examples
Basic concept
[Diagram: AS1 peers with AS2]
aut-num: AS1
…
import: from AS2 action pref=100; accept AS2
export: to AS2 announce AS1

aut-num: AS2
…
import: from AS1 action pref=100; accept AS1
export: to AS1 announce AS2

“action pref” - the lower the value, the more preferred the route
Routing Policy - Examples
More complex example
[Diagram: AS123, AS5 and AS10 each connected to AS4; the diagram carries the annotation “Not a path”]
• AS4 gives transit to AS5, AS10
• AS4 gives local routes to AS123
Routing Policy - Examples
[Diagram: as above]
aut-num: AS4
import: from AS123 action pref=100; accept AS123
import: from AS5 action pref=100; accept AS5
import: from AS10 action pref=100; accept AS10
export: to AS123 announce AS4
export: to AS5 announce AS4 AS10
export: to AS10 announce AS4 AS5
Routing Policy - Examples
More complex example
[Diagram: AS4 connects to AS123 over link2 (transit traffic over link2) and to AS6 over private link1; AS6 connects to AS123 over link3]
• AS4 and AS6 private link1
• AS4 and AS123 main transit link2
• backup all traffic over link1 and link3 in event of link2 failure
Routing Policy - Examples
AS representation
[Diagram: as above; AS4 receives full routing from AS123 over link2 and, at higher cost, a backup route via AS6 over private link1 and link3]
aut-num: AS4
import: from AS123 action pref=100; accept ANY
import: from AS6 action pref=50; accept AS6
import: from AS6 action pref=200; accept ANY
export: to AS6 announce AS4
export: to AS123 announce AS4
Annotations: “accept ANY” from AS123 = full routing received; pref=200 for ANY from AS6 = higher cost for backup route
Whois Database Recap
APNIC Database 
• Public network management database 
– APNIC whois database contains: 
• Internet resource information and contact details 
– APNIC Routing Registry (RR) contains: 
• routing information 
• APNIC RR is part of IRR 
– Distributed databases that mirror each other
Database Object
• An object is a set of attributes and values
• Each attribute of an object...
– Has a value
– Has a specific syntax
– Is mandatory or optional
– Is single- or multi-valued
• Some attributes ...
– Are primary (unique) keys
– Are lookup keys for queries
– Are inverse keys for queries
• Object “templates” illustrate this structure
Person Object Example
• Person objects contain contact information
Attributes and values:
person: Test Person
address: ExampleNet Service Provider
address: 2 Pandora St Boxville
address: Wallis and Futuna Islands
country: TC
phone: +680-368-0844
fax-no: +680-367-1797
e-mail: tperson@example.com
nic-hdl: TP17-AP
mnt-by: MAINT-ENET-TC
changed: tperson@example.com 20090731
source: APNIC
Database Queries
• Flags used for inetnum queries
(none) find exact match
-l find one level less specific matches
-L find all less specific matches
-m find first level more specific matches
-M find all more specific matches
-x find exact match (if no match, nothing)
-d enables use of flags for reverse domains
-r turn off recursive lookups
Database Protection 
• Authorisation 
– “mnt-by” references a mntner object 
• Can be found in all database objects 
• “mnt-by” should be used with every object! 
• Authentication 
– Updates to an object must pass authentication rule specified by its 
maintainer object
Prerequisite for Updating Objects
• Create person objects for contacts
– To provide contact info in other objects
• Create a mntner object
– To provide protection of objects
• Protect your person object
APNIC Database and the IRR
APNIC Database & the IRR 
• APNIC whois Database 
– Two databases in one 
• Public Network Management Database 
– “whois” info about networks & contact persons 
• IP addresses, AS numbers etc 
• Routing Registry 
– contains routing information 
• routing policy, routes, filters, peers etc. 
– APNIC RR is part of the global IRR
Integration of Whois and IRR
• Integrated APNIC Whois Database & Internet Routing Registry
[Diagram: one APNIC database holding both Internet resources and routing information]
– Whois part: IP, ASNs, reverse domains, contacts, maintainers etc. (objects: inetnum, aut-num, domain, person, role, maintainer)
– IRR part: routes, routing policy, filters, peers etc. (objects: route, aut-num, as-set, inet-rtr, peering-set etc.)
Inter-related IRR Objects
[Diagram: the objects below reference each other through tech-c, nic-hdl, mnt-by and origin]
inetnum: 202.0.16.0 - 202.0.16.255
…
tech-c: KX17-AP
mnt-by: MAINT-EX

aut-num: AS1
…
tech-c: KX17-AP
mnt-by: MAINT-EX
…

route: 202.0.16/24
origin: AS1
…
mnt-by: MAINT-EX

person:
…
nic-hdl: KX17-AP
…

mntner: MAINT-EX
…
Inter-related IRR Objects
[Diagram: route, route-set, as-set, aut-num and inetnum objects referencing each other]
inetnum: 202.0.16.0 - 202.0.31.255
…

route: 202.0.16/20
…
origin: AS2
…

inetnum: 218.2.0.0 - 218.2.15.255
…

route: 218.2/20
…
origin: AS2
…

aut-num: AS2
…

aut-num: AS10
…

aut-num: AS11
…

as-set: AS1:AS-customers
members: AS10, AS11, AS2

route-set: AS2:RS-routes
members: 218.2/20, 202.0.16/20
Hierarchical Authorisation
• mnt-routes
– authenticates creation of route objects
• creation of route objects must pass authentication of the mntner referenced in the mnt-routes attribute
– Format: mnt-routes: <mntner>
– Found in: inetnum, aut-num and route objects
Authorisation Mechanism 
inetnum: 202.137.181.0 – 202.137.196.255 
netname: SPARKYNET-TC 
descr: SparkyNet Service Provider 
… 
mnt-by: APNIC-HM 
mnt-lower: MAINT-SPARKYNET1-TC 
mnt-routes: MAINT-SPARKYNET2-TC 
This object can only be modified by APNIC 
Creation of more specific objects within this range has to 
pass the authentication of MAINT-SPARKYNET1-TC 
Creation of route objects matching/within this range has 
to pass the authentication of MAINT-SPARKYNET2-TC
Creating Route Objects
• Multiple authentication checks:
– Originating ASN (aut-num object)
• mntner in the mnt-routes is checked
• If no mnt-routes, mnt-lower is checked
• If no mnt-lower, mnt-by is checked
– AND the address space (inetnum object)
• Exact match & less specific route
• mnt-routes etc.
– AND the route object mntner itself
• The mntner in the mnt-by attribute
Creating Route Objects
[Diagram: the submitted route object is checked against the aut-num (AS number), the inetnum (IP address range) and the maintainer]
route: 202.137.240/20
origin: AS1

aut-num: AS1
mnt-routes: MAINT-WF-EXNET

inetnum: 202.137.240.0 – 202.137.255.255
mnt-routes: MAINT-WF-EXNET

mntner: MAINT-WF-EXNET
auth: CRYPT-PW klsdfji9234

1. Create route object and submit to APNIC RR database
2. DB checks aut-num obj corresponding to the ASN in route obj
3. Route obj creation must pass auth of mntner specified in aut-num mnt-routes attribute.
4. DB checks inetnum obj matching/encompassing IP range in route obj
5. Route obj creation must pass auth of mntner specified in inetnum mnt-routes attribute.
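The five steps above, and the mnt-routes / mnt-lower / mnt-by fallback from the previous slide, as an added simulation (not APNIC's own database code). The registry snapshot is constructed from the slide's objects; credentials are compared as opaque strings rather than against the CRYPT-PW hash, and the APNIC-HM credential and the 202.137.240.0/20 expansion of the slide's shorthand are assumptions.

```python
import ipaddress

# Constructed registry snapshot modelled on the slide's objects.  Credentials
# are simplified to opaque strings: the slide's mntner carries
# "auth: CRYPT-PW klsdfji9234" and a real database would compare a password
# against that crypt(3) hash, which is not modelled here.
INETNUMS = [
    {"range": ("202.137.240.0", "202.137.255.255"),
     "mnt-by": "APNIC-HM", "mnt-routes": "MAINT-WF-EXNET"},
]
AUTNUMS = {
    "AS1": {"mnt-by": "MAINT-WF-EXNET", "mnt-routes": "MAINT-WF-EXNET"},
}
MNTNERS = {
    "MAINT-WF-EXNET": {"auth": {"CRYPT-PW klsdfji9234"}},
    "APNIC-HM": {"auth": {"CRYPT-PW hostmaster-placeholder"}},   # hypothetical
}


def responsible_mntner(obj):
    """Which maintainer guards route creation for this object: mnt-routes if
    present, else mnt-lower, else mnt-by (the order given on the slide)."""
    for attr in ("mnt-routes", "mnt-lower", "mnt-by"):
        if attr in obj:
            return attr, obj[attr]
    return None, None


def covering_inetnum(prefix, inetnums=INETNUMS):
    """Exact match or the most specific less-specific inetnum, else None."""
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for obj in inetnums:
        lo, hi = (ipaddress.ip_address(a) for a in obj["range"])
        if lo.version == net.version and lo <= net[0] and net[-1] <= hi:
            size = int(hi) - int(lo)
            if best is None or size < best[0]:
                best = (size, obj)
    return best[1] if best else None


def passes_auth(mntner, presented, mntners=MNTNERS):
    """True if one of the presented credentials is accepted by the mntner."""
    m = mntners.get(mntner)
    return m is not None and bool(m["auth"] & set(presented))


def check_route_creation(route, presented):
    """Run the checks from the slide for a submitted route object.
    Returns (accepted, log) where log lists each step's outcome."""
    log = []
    prefix, origin = route["route"], route["origin"]           # step 1
    autnum = AUTNUMS.get(origin)                                # step 2
    if autnum is None:
        log.append(f"2: no aut-num object for {origin}")
        return False, log
    attr, mnt = responsible_mntner(autnum)                      # step 3
    ok_as = passes_auth(mnt, presented)
    log.append(f"3: {origin} {attr} {mnt}: {'pass' if ok_as else 'FAIL'}")
    inetnum = covering_inetnum(prefix)                          # step 4
    if inetnum is None:
        log.append(f"4: no inetnum matches or encompasses {prefix}")
        return False, log
    attr, mnt = responsible_mntner(inetnum)                     # step 5
    ok_ip = passes_auth(mnt, presented)
    log.append(f"5: inetnum {attr} {mnt}: {'pass' if ok_ip else 'FAIL'}")
    # The route object's own mnt-by is checked as well.
    ok_self = passes_auth(route["mnt-by"], presented)
    log.append(f"route mnt-by {route['mnt-by']}: {'pass' if ok_self else 'FAIL'}")
    return ok_as and ok_ip and ok_self, log


# The route object from the slide; the RPSL shorthand 202.137.240/20 is
# written out in full because ipaddress does not accept the short form.
ROUTE = {"route": "202.137.240.0/20", "origin": "AS1", "mnt-by": "MAINT-WF-EXNET"}

if __name__ == "__main__":
    for creds in (["CRYPT-PW klsdfji9234"], ["CRYPT-PW wrong"]):
        accepted, log = check_route_creation(ROUTE, creds)
        print(accepted, log)
```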
Using RPSL in practice
Overview 
• Review examples of routing policies expression 
– Peering policies 
– Filtering policies 
– Backup connection 
– Multihoming policies
RPSL - review 
• Purpose of RPSL 
– Allows specification of your routing configuration in the public IRR 
• Allows you to check “Consistency” of policies and announcements 
– Gives opportunities to consider the policies and configuration of 
others
Address Prefix Range Operator
Operator: Meaning
^- : Exclusive more specifics of the address prefix. E.g. 128.9.0.0/16^- contains all more specifics of 128.9.0.0/16, excluding 128.9.0.0/16
^+ : Inclusive more specifics of the address prefix. E.g. 5.0.0.0/8^+ contains all more specifics of 5.0.0.0/8, including 5.0.0.0/8
Address Prefix Operator (cont.)
Operator: Meaning
^n : n = integer; stands for all the length “n” specifics of the address prefix. E.g. 30.0.0.0/8^16 contains all the more specifics of 30.0.0.0/8 which are of length 16, such as 30.9.0.0/16
^n-m : n, m = integers; stands for all the length “n” to length “m” specifics of the address prefix. E.g. 30.0.0.0/8^24-32 contains all the more specifics of 30.0.0.0/8 which are of length 24 to 32, such as 30.9.9.96/28
AS-path regular expressions
• Regular expressions
– A context-independent syntax that can represent a wide variety of character sets and character set orderings
– These character sets are interpreted according to the current edition of The Open Group Base Specifications (IEEE Std 1003.1, POSIX)
• Can be used as a policy filter by enclosing the expression in “<” and “>”.
Filter List - Regular Expression
• Like Unix regular expressions
. Match one character
* Match any number of preceding expression
+ Match at least one of preceding expression
^ Beginning of line
$ End of line
\ Escape a regular expression character
_ Beginning, end, white-space, brace
| Or
() Brackets to contain expression
[ ] Brackets to contain number ranges
Source: www.cisco.com
AS-path Regular Expression
Operator: Meaning
<AS3> : Routes whose AS-path contains AS3
<^AS1> : Routes whose AS-path starts with AS1
<AS2$> : Routes whose AS-path ends with AS2
<^AS1 AS2 AS3$> : Routes whose AS-path is exactly “1 2 3”
<^AS1 .* AS2$> : AS-path starts with AS1 and ends in AS2, with any number of ASNs in between
<^AS3+$> : AS-path starts with AS3 and ends in AS3; AS3 is the first member of the path, AS3 occurs one or more times in the path, and no other AS can be present in the path after AS3
AS-path Regular Expression (cont.)
Operator: Meaning
<AS3|AS4> : Routes whose AS-path contains AS3 or AS4
<AS3 AS4> : Routes whose AS-path contains AS3 followed by AS4
Common Peering Policies
[Diagram: AS1, AS2 and AS3 in a row below the Internet, with AS4 and AS5 below them; labels: ISP (Transit provider), Customer]
• Peering policies of an AS
– Registered in an aut-num object
Common Peering Policies
• Policy for AS3 in the AS2 aut-num object
aut-num: AS2
as-name: SAMPLE-NET
descr: Sample AS
import: from AS1 accept ANY
import: from AS3 accept <^AS3+$>
export: to AS3 announce AS2
export: to AS1 announce AS2 AS3
admin-c: TP1-AP
tech-c: TP2-AP
mnt-by: MAINT-SAMPLE-AP
changed: sample@sample.net
Transit Provider Policies
[Diagram: AS1, AS2 and AS3 in a row below the Internet, with AS4 and AS5 below them; labels: ISP (Transit provider), Customer]
• Peering policies of an AS
– Registered in an aut-num object
ISP Customer – Transit Provider Policies
• Policy for AS3 and AS4 in the AS2 aut-num object 
aut-num: AS2 
import: from AS1 accept ANY 
import: from AS3 accept <^AS3+$> 
import: from AS4 accept <^AS4+$> 
export: to AS3 announce ANY 
export: to AS4 announce ANY 
export: to AS1 announce AS2 AS3 AS4
AS-set Object 
• Describe the customers of AS2 
as-set: AS2:AS-CUSTOMERS 
members: AS3 AS4 
changed: sample@sample.net 
source: APNIC
Aut-num Object referring as-set Object
aut-num: AS2
import: from AS1 accept ANY
import: from AS2:AS-CUSTOMERS accept <^AS2:AS-CUSTOMERS+$>
export: to AS2:AS-CUSTOMERS announce ANY
export: to AS1 announce AS2 AS2:AS-CUSTOMERS

aut-num: AS1
import: from AS2 accept <^AS2+AS2:AS-CUSTOMERS+$>
export: ………
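The AS-path regular expressions from the operator table above and the as-set form used in these aut-num objects, as an added example (my code, not the tutorial's or IRRToolSet's). It translates an RPSL filter such as <^AS1 .* AS2$> into a Python regex over a space-delimited AS path; the as-set membership table is constructed from the slide's AS2:AS-CUSTOMERS object, and nested as-sets are not resolved.

```python
import re

# Constructed as-set membership, copied from the slide's AS2:AS-CUSTOMERS
# object.  A real tool would fetch and recursively expand the set from the IRR.
AS_SETS = {"AS2:AS-CUSTOMERS": ["AS3", "AS4"]}

# One RPSL AS-path token: an as-set name, an AS number, or a regex operator.
TOKEN = re.compile(r"\s*(AS\d+:AS-[A-Z0-9-]+|AS\d+|[.^$*+?|()])", re.IGNORECASE)
OPERATORS = set("^$*+?|()")


def path_string(path):
    """Encode an AS path as 'AS2914 AS3927 ': every AS number is followed by
    one space, so a translated (?:AS3 ) can never match inside AS30."""
    return "".join(f"AS{int(asn)} " for asn in path)


def compile_aspath_regex(rpsl, as_sets=AS_SETS):
    """Translate <...> from RPSL into a compiled Python regex for path_string()."""
    body = rpsl.strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("AS-path regex must be enclosed in < >")
    body, pos, out = body[1:-1].strip(), 0, []
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"unexpected text at {body[pos:]!r}")
        tok, pos = m.group(1).upper(), m.end()
        if tok == ".":
            out.append(r"(?:AS\d+ )")              # any single AS number
        elif tok in OPERATORS:
            out.append(tok)                         # same meaning as in POSIX regex
        elif ":" in tok:                            # as-set name: expand to members
            members = as_sets.get(tok)
            if not members:
                raise ValueError(f"unknown or empty as-set {tok}")
            out.append("(?:" + "|".join(f"{asn} " for asn in members) + ")")
        else:
            out.append(f"(?:{tok} )")               # literal AS number
    return re.compile("".join(out))


def aspath_matches(rpsl, path, as_sets=AS_SETS):
    """True if the AS path (list of ints, left = nearest neighbour) matches."""
    return compile_aspath_regex(rpsl, as_sets).search(path_string(path)) is not None


if __name__ == "__main__":
    # AS2's import policy for its customers, applied to two received paths.
    for path in ([2, 3, 4], [2, 5]):
        print(path, aspath_matches("<^AS2+AS2:AS-CUSTOMERS+$>", path))
```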
Express Filtering Policy 
• To limit the routes one accepts from a peer 
– To prevent the improper use of unassigned address space 
– To prevent malicious use of another organisation’s address space
Filtering Policy
[Diagram: AS3 announces 7.7.0.0/20 (allocated by the RIR) to AS2, which connects to the Internet]
AS3 wants to announce part or all of 7.7.0.0/20 on the global Internet.
AS2 wants to be certain that it only accepts announcements from AS3 for address space that has been properly allocated to AS3.
Aut-num Object with Filtering Policy 
aut-num: AS2 
import: from AS3 accept { 7.7.0.0/20^20-24 } 
……. 
For an ISP with a growing or changing customer base, 
this mechanism will not scale well. 
Route-set object can be used.
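The address prefix range operators (^-, ^+, ^n, ^n-m) explained earlier and the { 7.7.0.0/20^20-24 } filter in this aut-num object, as an added example evaluator (my code, not IRRToolSet's). It parses a brace-enclosed address-prefix set and decides whether a given announced prefix is accepted; the IPv6 member in the test is a constructed extra.

```python
import ipaddress
import re

# One address-prefix-set member, e.g. "7.7.0.0/20^20-24": a prefix optionally
# followed by a range operator.  A bare prefix means that exact prefix only.
MEMBER = re.compile(
    r"^(?P<prefix>[0-9A-Fa-f:.]+/\d+)(?:\^(?P<op>[-+]|\d+(?:-\d+)?))?$")


def parse_member(text):
    """Return (base_network, min_len, max_len) for one prefix-set member."""
    m = MEMBER.match(text.strip())
    if not m:
        raise ValueError(f"not a prefix-set member: {text!r}")
    base = ipaddress.ip_network(m["prefix"], strict=False)
    op = m["op"]
    if op is None:                        # 7.7.0.0/20       -> only the /20 itself
        lo = hi = base.prefixlen
    elif op == "-":                       # ^-  exclusive more specifics
        lo, hi = base.prefixlen + 1, base.max_prefixlen
    elif op == "+":                       # ^+  inclusive more specifics
        lo, hi = base.prefixlen, base.max_prefixlen
    elif "-" in op:                       # ^n-m
        lo, hi = (int(x) for x in op.split("-"))
    else:                                 # ^n
        lo = hi = int(op)
    # Lengths shorter than the base prefix or longer than the address family
    # allows are errors; ^- on a host route simply yields the empty set.
    if lo < base.prefixlen or hi > base.max_prefixlen:
        raise ValueError(f"range ^{lo}-{hi} is not valid for {base}")
    return base, lo, hi


def member_matches(text, prefix):
    """True if the announced prefix is in the set described by the member."""
    base, lo, hi = parse_member(text)
    net = ipaddress.ip_network(prefix, strict=False)
    return (net.version == base.version
            and net.subnet_of(base)
            and lo <= net.prefixlen <= hi)


def filter_accepts(filter_text, prefix):
    """Evaluate an RPSL address-prefix-set filter such as
    '{ 7.7.0.0/20^20-24 }' (comma-separated members in braces) for one prefix."""
    body = filter_text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a brace-enclosed address-prefix set")
    members = [m for m in body[1:-1].split(",") if m.strip()]
    return any(member_matches(m, prefix) for m in members)


# AS2's import policy for AS3 from the slide.
AS2_IMPORT_FROM_AS3 = "{ 7.7.0.0/20^20-24 }"

if __name__ == "__main__":
    for announced in ("7.7.0.0/20", "7.7.8.0/24", "7.7.8.0/25", "7.8.0.0/20"):
        print(announced, filter_accepts(AS2_IMPORT_FROM_AS3, announced))
```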
IRRToolSet 
• Set of tools developed for using the Internet Routing 
Registry (IRR) 
• Work with Internet routing policies 
– These policies are stored in IRR in the Routing Policy 
Specification Language (RPSL) 
• The goal of the IRRToolSet is to make routing 
information more convenient and useful for network 
engineers 
– Tools for automated router configuration, 
– Routing policy analysis 
– On-going maintenance etc.
IRRToolSet
• Download: ftp://ftp.isc.org/isc/IRRToolSet/
• Installation needs: lex, yacc and C++ compiler
root@bofh:~ # wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
root@bofh:~ # tar -zxvf irrtoolset-5.0.1.tar.gz
root@bofh:~ # cd irrtoolset-5.0.1
root@bofh:~/irrtoolset-5.0.1 # ./configure
root@bofh:~/irrtoolset-5.0.1 # make
root@bofh:~/irrtoolset-5.0.1 # make install
IRRToolSet
root@bofh:~ # whois -h whois.apnic.net AS17821
#####snipped###### 
mp-import: afi any.unicast { 
from AS-ANY accept ANY AND NOT RS-MARTIANS; 
} refine { 
from AS-ANY action pref = 50; 
accept community.contains(17821:50); 
from AS-ANY action pref = 30; 
accept community.contains(17821:70); 
from AS-ANY action pref = 10; 
accept community.contains(17821:90); 
from AS-ANY action pref = 0; accept ANY; 
} refine afi ipv4.unicast {
IRR Toolset, RPSL: rtconfig (Contd)
Cisco Specific
@rtconfig set cisco_map_name = <map-name>
@rtconfig set cisco_map_first_no = <no>
@rtconfig set cisco_map_increment_by = <no>
@rtconfig set cisco_prefix_acl_no = <no>
@rtconfig set cisco_aspath_acl_no = <no>
@rtconfig set cisco_pktfilter_acl_no = <no>
@rtconfig set cisco_community_acl_no = <no>
@rtconfig set cisco_access_list_no = <no>
@rtconfig set cisco_max_preference = <no>
@rtconfig networks <ASN-1>
@rtconfig inbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
IRR Toolset, RPSL: rtconfig (Contd)
Junos Specific 
@rtconfig set junos_policy_name = <policy-name> 
@rtconfig networks <ASN-1>
IRR Toolset, RPSL: rtconfig Input File (Provision)
router bgp 17821 
neighbor 103.4.108.54 remote-as 131107 
neighbor 103.4.108.54 version 4 
! 
# X Communication Ltd 
@RtConfig set cisco_access_list_no = 500 
@RtConfig set cisco_map_name = "AS58715-IN" 
@RtConfig import AS131208 103.4.108.62 AS58715 103.4.108.61 
@RtConfig set cisco_access_list_no = 599 
@RtConfig set cisco_map_name = "ANY" 
@RtConfig export AS131208 103.4.108.62 AS58715 103.4.108.61 
! 
# xyz Ltd 
@RtConfig set cisco_access_list_no = 501 
@RtConfig set cisco_map_name = "AS58656-IN" 
@RtConfig import AS131208 103.4.108.94 AS58656 103.4.108.93 
@RtConfig set cisco_access_list_no = 599 
@RtConfig set cisco_map_name = "ANY" 
@RtConfig export AS131208 103.4.108.94 AS58656 103.4.108.93 
! 
end
Use of RPSL - RtConfig 
• RtConfig 
• part of IRRToolSet 
• Reads policy from IRR (aut-num, route & -set 
objects) and generates router configuration 
– vendor specific: 
• Cisco, Bay's BCC, Juniper's Junos and Gated/RSd 
– Creates route-map and AS path filters 
– Can also create ingress / egress filters
IRR Toolset, RPSL: Uploading Configuration
Various ways to upload configuration: 
– SNMP Write 
– NETCONF XML Based 
– Automated Script using expect
Why use IRR and RtConfig? 
• Benefits of RtConfig 
– Avoid filter errors (typos) 
– Expertise encoded in the tools that generate the policy rather than 
engineer configuring peering session 
– Filters consistent with documented policy 
• (need to get policy correct though)
New Initiative RPKI
What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association between resource holders and their Internet resources
• Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols”
• Helps to secure Internet routing by validating routes
– Proof that prefix announcements are coming from the legitimate holder of the resource
Benefits of RPKI - Routing 
• Similar objective as IRR but in a robust and scalable way 
• Prevents route hijacking 
– A prefix originated by an AS without authorization 
– Reason: malicious intent 
• Prevents mis-origination 
– A prefix that is mistakenly originated by an AS which does not own it 
– Also route leakage 
– Reason: configuration mistake / fat finger 
BGP Security (BGPsec) 
• Extension to BGP that provides improved security for BGP 
routing 
• Currently an IETF Internet draft 
• Implemented via a new optional non-transitive BGP path 
attribute that contains a digital signature 
• Two things: 
– BGP Prefix Origin Validation (using RPKI) 
– BGP Path Validation 
• Similar efforts in the early days – IDR working group, S-BGP 
RPKI Infrastructure 
• A system to manage the creation and storage of digital 
certificates and the associated Route Origin Authorization 
documents 
• Main Components 
– Certificate Authority (CA) 
– Relying Party (RP) 
– Routers with RPKI support 
Issuing Party
• Internet Registries (RIR, NIR, Large LIRs)
• Acts as a Certificate Authority and issues certificates for customers
• Provides a web interface to issue ROAs for customer prefixes
• Publishes the ROA records
[Diagram: the MyAPNIC GUI drives the APNIC RPKI Engine, which publishes to the repository at rpki.apnic.net]
Route Origin Authorization (ROA) 
• A digital object that contains a list of address prefixes and 
one AS number 
• It is an authority created by a prefix holder to authorize an 
AS Number to originate one or more specific route 
advertisements 
• Publish an ROA using MyAPNIC 
X.509 Certificate with 3779 Extension
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate
• SIA – Subject Information Access; contains a URI that references the directory
[Diagram: an X.509 certificate carrying the RFC 3779 extension, the SIA and the owner's public key]
Relying Party (RP)
[Diagram only]
RPKI Components
[Diagram only]
Router Origin Validation
• Router must support RPKI
• Checks an RP cache / validator
• Validation returns 3 states:
– Valid = when authorization is found for prefix X
– Invalid = when authorization is found for prefix X but not from ASN Y
– Unknown = when no authorization data is found
• Vendor support:
– Cisco IOS – solid in 15.2
– Cisco IOS/XR – shipped in 4.3.2
– Juniper – shipped in 12.2
– Alcatel Lucent – in development
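The three validation states above, as an added example (my code, not a vendor's or a validator's implementation). It runs origin validation over a constructed ROA cache against the routes from the later “sh ip bgp” slide, and also applies the maxLength rule from RFC 6811, which the slide's one-line definitions leave out; the ROA entries and AS65551 are assumptions chosen to reproduce the slide's I/V/N marks.

```python
import ipaddress

# Constructed ROA cache as (prefix, maxLength, origin ASN).  The entries are
# chosen so that the prefixes in the slide's "sh ip bgp" output come out with
# the states the slide shows (I, V, N, N).  AS65551 is a documentation ASN
# (RFC 5398) standing in for "some other authorised origin".
ROAS = [
    ("198.180.152.0/24", 24, 4128),
    ("198.180.150.0/24", 24, 65551),
]

# Constructed routes (prefix, AS path) copied from the slide's table; the
# origin AS is the last AS in the path.
ROUTES = [
    ("198.180.150.0/24", [1239, 3927]),
    ("198.180.152.0/24", [2914, 4128]),
    ("198.180.155.0/24", [2914, 22773]),
    ("198.180.160.0/24", [2914, 23308, 13408, 5752]),
]
FLAG = {"valid": "V", "invalid": "I", "unknown": "N"}   # the router's one-letter marks


def origin_validate(prefix, origin_asn, roas=ROAS):
    """Route origin validation (RFC 6811), giving the three states on the slide:
    valid   - a covering ROA names origin_asn and the announced prefix length
              does not exceed that ROA's maxLength
    invalid - ROAs cover the prefix but none satisfy the above
    unknown - no ROA covers the prefix (shown as N, not found, by the router)"""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "unknown"
    if any(asn == origin_asn and net.prefixlen <= max_len
           for max_len, asn in covering):
        return "valid"
    return "invalid"


def validate_table(routes=ROUTES, roas=ROAS):
    """Tag each route the way the slide's BGP table does: (flag, prefix, path)."""
    rows = []
    for prefix, path in routes:
        state = origin_validate(prefix, path[-1], roas)
        rows.append((FLAG[state], prefix, path))
    return rows


if __name__ == "__main__":
    for flag, prefix, path in validate_table():
        print(f"{flag}{prefix:<18} {' '.join(map(str, path))}")
```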
How to start? 
• Create ROA records in MyAPNIC 
• Build an RP cache 
• Configure your router to use the cache (or a public one) 
• Create BGP policies 
How to build RP Cache
• Download and install from rpki.net
• Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages
Configure Router to Use Cache
router bgp 17821
…
bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
How does it look in BGP Table
RPKI Lab – Randy Bush
r0.sea#sh ip bgp
     Network            Next Hop          Metric LocPrf Weight Path
* i I198.180.150.0      144.232.9.61                100      0 1239 3927 i
*>  I                   199.238.113.9                        0 2914 3927 i
*   I                   129.250.11.41                        0 2914 3927 i
*>  V198.180.152.0      199.238.113.9                        0 2914 4128 i
*   V                   129.250.11.41                        0 2914 4128 i
*>  N198.180.155.0      199.238.113.9                        0 2914 22773 i
*   N                   129.250.11.41                        0 2914 22773 i
*>  N198.180.160.0      199.238.113.9                        0 2914 23308 13408 5752 i
*   N                   129.250.11.41                        0 2914 23308 13408 5752 i
(The letter in front of each network is the validation state: V = valid, I = invalid, N = not found.)
Member Services Helpdesk
– One point of contact for all member enquiries
– Online chat services
Helpdesk hours: 9:00 am - 9:00 pm (AU EST, UTC + 10 hrs)
ph: +61 7 3858 3188 fax: 61 7 3858 3199
• More personalised service
– Range of languages: Bahasa Indonesia, Bengali, Cantonese, English, Hindi, Mandarin, Thai, etc.
• Faster response and resolution of queries
– IP resource applications, status of requests, obtaining help in completing application forms, membership enquiries, billing issues & database enquiries
Thank You 

 

More from APNIC

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 

More from APNIC (20)

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 

Recently uploaded

一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理aagad
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxGal Baras
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyDamar Juniarto
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shoplaozhuseo02
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfSiskaFitrianingrum
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxabhinandnam9997
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxlaozhuseo02
 

Recently uploaded (12)

The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
Stay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design TrendsStay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design Trends
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 

Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]

8. Prefix Filtering [Multihome]
• Option 3: Customer multihome and non portable prefix
  – Customer AS64500, customer prefix 3fff:ffff:dcdc::/48 (taken from the ISP prefix 3fff:ffff::/32 of AS17821, so not portable)
    • eBGP peering with both ISPs on the WAN interface
    • BGP: network 3fff:ffff:dcdc::/48 (shown in the table as "AS64500 i"), or aggregate-address from the gateway router
  – Upstream AS17821 (ISP prefix 3fff:ffff::/32): eBGP peering with the customer WAN interface; no LoA check of the customer prefix, because the prefix comes from this ISP's own block (this upstream cannot be changed)
  – Upstream AS131107: check LoA of the customer prefix
    • Manual process: e-mail to tech-c
    • Automated process: route object or RPKI
    • Nearly the same filter requirement as for any other ISP (this upstream can be changed)
9. Prefix Filtering [Multihome]
• Option 4: Customer multihome and portable prefix
  – Customer AS64500, customer prefix 2001:0DB8::/32 (portable, allocated by APNIC)
    • eBGP peering with both ISPs on the WAN interface
    • BGP: network 2001:0DB8::/32 (shown in the table as "AS64500 i"), or aggregate-address from the gateway router
  – Upstream AS17821 (ISP prefix 3fff:ffff::/32) and upstream AS131107: both check LoA of the customer prefix
    • Manual process: e-mail to tech-c
    • Automated process: route object or RPKI
    • Nearly the same filter requirement as for any other ISP (either upstream can be changed)
10. What is a Routing Registry?
• A repository (database) of Internet routing policy information
• Autonomous Systems exchange routing information via BGP
• Exterior routing decisions are based on policy-based rules
• However, BGP does not provide a mechanism to publish/communicate the policies themselves
• The RR provides this functionality
  – Routing policy information is expressed in a series of objects
• Stability and consistency of routing
• Network operators share information
11. What is a Routing Registry?
• Registries shown in the figure: RIPE, RADB, C&W, APNIC, Connect, ARIN, ArcStar, FGC, Verio, Bconnex, Optus, Telstra, ...
• IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
12. What is Routing Policy?
• Description of the routing relationship between autonomous systems
  – Who are my BGP peers?
    • Customers, peers, upstreams
  – What routes are:
    • Originated by each neighbour?
    • Imported from each neighbour?
    • Exported to each neighbour?
    • Preferred when multiple routes exist?
  – What to do if no route exists?
  – What routes to aggregate?
13. Representation of Routing Policy
• Figure: AS1 (holding NET1) peers with AS2 (holding NET2)
• In order for traffic to flow from NET2 to NET1 between AS1 and AS2:
  – AS1 has to announce NET1 to AS2 via BGP
  – And AS2 has to accept this information and use it
  – Resulting in packet flow from NET2 to NET1
14. Representation of Routing Policy
• In order for traffic to flow from NET1 to NET2:
  – AS2 must announce NET2 to AS1
  – And AS1 has to accept this information and use it
  – Resulting in packet flow from NET1 to NET2
15. RPSL
• Routing Policy Specification Language
  – Object-oriented language
    • Based on RIPE-181
  – Structured whois objects
• Higher level of abstraction than access lists
• Describes things interesting to routing policy:
  – Routes, AS numbers …
  – Relationships between BGP peers
  – Management responsibility
• References: RFC 2622 (RPSL), RFC 2725 (Routing Policy System Security), RFC 2650 (Using RPSL in Practice)
16. Routing Policy - Examples
• Basic concept: AS1 and AS2 peer with each other

  aut-num: AS1
  …
  import: from AS2 action pref=100; accept AS2
  export: to AS2 announce AS1

  aut-num: AS2
  …
  import: from AS1 action pref=100; accept AS1
  export: to AS1 announce AS2

• "action pref": the lower the value, the more preferred the route (note that this is the inverse of BGP LOCAL_PREF, where a higher value wins)
17. Routing Policy - Examples
• More complex example (figure: AS123, AS4, AS5, AS10)
  – AS4 gives transit to AS5 and AS10
  – AS4 gives local routes to AS123
18. Routing Policy - Examples

  aut-num: AS4
  import: from AS123 action pref=100; accept AS123
  import: from AS5 action pref=100; accept AS5
  import: from AS10 action pref=100; accept AS10
  export: to AS123 announce AS4
  export: to AS5 announce AS4 AS10
  export: to AS10 announce AS4 AS5

• AS4 announces only its own routes to AS123, so AS123 gets no path to AS5 or AS10 through AS4 (figure label "Not a path")
19. Routing Policy - Examples
• More complex example (figure: AS4 connected to AS6 over private link1 and to AS123 over link2; AS6 connected to AS123 over link3)
  – AS4 and AS6: private link1
  – AS4 and AS123: main transit link2 (transit traffic over link2)
  – Backup: all traffic over link1 and link3 in the event of link2 failure
20. Routing Policy - Examples
• AS representation of the previous policy

  aut-num: AS4
  import: from AS123 action pref=100; accept ANY
  import: from AS6 action pref=50; accept AS6
  import: from AS6 action pref=200; accept ANY
  export: to AS6 announce AS4
  export: to AS123 announce AS4

  – "accept ANY" from AS123 with pref=100: full routing received over the main transit link2
  – "accept AS6" from AS6 with pref=50: AS6's own routes are preferred over the private link1
  – "accept ANY" from AS6 with pref=200: higher cost for the backup route via link1 and link3, used only when link2 fails
22. APNIC Database
• Public network management database
  – APNIC whois database contains:
    • Internet resource information and contact details
  – APNIC Routing Registry (RR) contains:
    • Routing information
  – APNIC RR is part of the IRR
    • Distributed databases that mirror each other
23. Database Object
• An object is a set of attributes and values
• Each attribute of an object…
  – Has a value
  – Has a specific syntax
  – Is mandatory or optional
  – Is single- or multi-valued
• Some attributes…
  – Are primary (unique) keys
  – Are lookup keys for queries
  – Are inverse keys for queries
• Object "templates" illustrate this structure
24. Person Object Example
• Person objects contain contact information (attribute on the left, value on the right)

  person:   Test Person
  address:  ExampleNet Service Provider
  address:  2 Pandora St Boxville
  address:  Wallis and Futuna Islands
  country:  TC
  phone:    +680-368-0844
  fax-no:   +680-367-1797
  e-mail:   tperson@example.com
  nic-hdl:  TP17-AP
  mnt-by:   MAINT-ENET-TC
  changed:  tperson@example.com 20090731
  source:   APNIC
25. Database Queries
• Flags used for inetnum queries

  (none)  find exact match
  -l      find one level less specific matches
  -L      find all less specific matches
  -m      find first level more specific matches
  -M      find all more specific matches
  -x      find exact match (if no match, nothing)
  -d      enables use of flags for reverse domains
  -r      turn off recursive lookups
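The query flags above, worked as an added example that is not from the APNIC slides: a small emulation of the exact, less-specific and more-specific inetnum lookups over a constructed set of inetnum ranges. The ranges are made up, and two details are this example's assumptions rather than the slide's: a query without flags falls back to the smallest less specific object when there is no exact match (which is what the "-x ... nothing" wording implies), and -L includes the exact match while -l, -m and -M exclude it. -d and -r are not modelled.

```python
"""Emulate whois inetnum lookup flags (slide 25) over a constructed database.

Added example, not from the slides. Assumptions: a query without flags
returns the exact match or, failing that, the smallest less specific object;
-L includes the exact match, -l/-m/-M exclude it. -d and -r are not modelled.
"""
import ipaddress
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # (first address, last address) as integers

# Constructed inetnum objects in APNIC "start - end" style (not real allocations).
INETNUM_DB = [
    "202.0.16.0 - 202.0.31.255",   # a /20 allocation
    "202.0.16.0 - 202.0.16.255",   # /24 assignment inside it
    "202.0.17.0 - 202.0.17.127",   # /25 assignment inside it
    "202.0.17.0 - 202.0.17.63",    # /26 sub-assignment inside the /25
    "218.2.0.0 - 218.2.15.255",    # an unrelated /20
]


def parse_range(text: str) -> Range:
    """Accept 'a.b.c.d - w.x.y.z' or CIDR notation and return (first, last)."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return int(net[0]), int(net[-1])
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return int(start), int(end)


def fmt(r: Range) -> str:
    return f"{ipaddress.ip_address(r[0])} - {ipaddress.ip_address(r[1])}"


def covers(outer: Range, inner: Range) -> bool:
    """True when outer strictly contains inner, i.e. outer is less specific."""
    return outer[0] <= inner[0] and inner[1] <= outer[1] and outer != inner


def whois_query(query: str, flag: Optional[str] = None,
                db: List[str] = INETNUM_DB) -> List[str]:
    """Return the inetnum objects a whois server would list for query/flag."""
    q = parse_range(query)
    ranges = [parse_range(r) for r in db]
    exact = [r for r in ranges if r == q]
    # Less specifics ordered from the smallest (closest parent) outwards.
    less = sorted((r for r in ranges if covers(r, q)), key=lambda r: r[1] - r[0])
    # More specifics ordered by address, larger blocks before their children.
    more = sorted((r for r in ranges if covers(q, r)),
                  key=lambda r: (r[0], -(r[1] - r[0])))
    if flag is None:
        result = exact or less[:1]
    elif flag == "-x":
        result = exact
    elif flag == "-l":
        result = less[:1]
    elif flag == "-L":
        result = exact + less
    elif flag == "-m":
        # First level only: drop more specifics that sit inside another one.
        result = [r for r in more if not any(covers(o, r) for o in more)]
    elif flag == "-M":
        result = more
    else:
        raise ValueError(f"unsupported flag {flag!r}")
    return [fmt(r) for r in result]


if __name__ == "__main__":
    for flag in (None, "-x", "-l", "-L", "-m", "-M"):
        print(f"{flag or '(none)':6} {whois_query('202.0.17.0 - 202.0.17.63', flag)}")
```

Run stand-alone, the script lists what each flag returns for the /26; the difference between -m and -M on the /20 (the /26 is hidden by its parent /25 under -m) is the one that matters when you are tracing who holds a sub-assignment.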
26. Database Protection
• Authorisation
  – "mnt-by" references a mntner object
    • Can be found in all database objects
    • "mnt-by" should be used with every object!
• Authentication
  – Updates to an object must pass the authentication rule specified by its maintainer object
27. Prerequisites for Updating Objects
• Create person objects for contacts
  – To provide contact info in other objects
• Create a mntner object
  – To provide protection of objects
• Protect your person object
29. APNIC Database & the IRR
• APNIC whois Database
  – Two databases in one
• Public Network Management Database
  – "whois" info about networks & contact persons
    • IP addresses, AS numbers etc.
• Routing Registry
  – Contains routing information
    • Routing policy, routes, filters, peers etc.
  – APNIC RR is part of the global IRR
30. Integration of Whois and IRR
• Integrated APNIC Whois Database & Internet Routing Registry (Internet resources & routing information)
  – APNIC Whois: IP addresses, ASNs, reverse domains, contacts, maintainers etc.
    • Objects: inetnum, aut-num, domain, person, role, mntner
  – IRR: routes, routing policy, filters, peers etc.
    • Objects: route, aut-num, as-set, inet-rtr, peering-set etc.
31. Inter-related IRR Objects
• Figure: the objects describing 202.0.16/24, originated by AS1, reference the same contact and maintainer

  inetnum: 202.0.16.0 - 202.0.16.255
  …
  tech-c: KX17-AP
  mnt-by: MAINT-EX

  aut-num: AS1
  …
  tech-c: KX17-AP
  mnt-by: MAINT-EX

  route: 202.0.16/24
  origin: AS1
  …
  mnt-by: MAINT-EX

  person: …
  nic-hdl: KX17-AP
  …

  mntner: MAINT-EX
  …
32. Inter-related IRR Objects
• Figure: AS2 originates two routes; an as-set groups customer ASNs and a route-set groups the routes

  inetnum: 202.0.16.0 - 202.0.31.255
  …
  inetnum: 218.2.0.0 - 218.2.15.255
  …

  aut-num: AS2
  …
  aut-num: AS10
  …
  aut-num: AS11
  …

  route: 202.0.16/20
  origin: AS2
  …
  route: 218.2/20
  origin: AS2
  …

  as-set: AS1:AS-customers
  members: AS10, AS11, AS2

  route-set: AS2:RS-routes
  members: 218.2/20, 202.0.16/20
33. Hierarchical Authorisation
• mnt-routes
  – Authenticates creation of route objects
    • Creation of route objects must pass authentication of the mntner referenced in the mnt-routes attribute
  – Format: mnt-routes: <mntner>
  – Found in: inetnum, aut-num, route
34. Authorisation Mechanism

  inetnum: 202.137.181.0 - 202.137.196.255
  netname: SPARKYNET-TC
  descr: SparkyNet Service Provider
  …
  mnt-by: APNIC-HM
  mnt-lower: MAINT-SPARKYNET1-TC
  mnt-routes: MAINT-SPARKYNET2-TC

• mnt-by: this object can only be modified by APNIC
• mnt-lower: creation of more specific objects within this range has to pass the authentication of MAINT-SPARKYNET1-TC
• mnt-routes: creation of route objects matching/within this range has to pass the authentication of MAINT-SPARKYNET2-TC
35. Creating Route Objects
• Multiple authentication checks:
  – The originating ASN (aut-num)
    • The mntner in mnt-routes is checked
    • If there is no mnt-routes, mnt-lower is checked
    • If there is no mnt-lower, mnt-by is checked
  – AND the address space (inetnum, plus any exact-match or less specific route object)
    • mnt-routes etc., with the same fallback order
  – AND the route object's own mntner
    • The mntner in its mnt-by attribute
36. Creating Route Objects
• Worked figure: the route object and the objects checked against it

  route: 202.137.240/20
  origin: AS1

  aut-num: AS1
  mnt-routes: MAINT-WF-EXNET

  inetnum: 202.137.240.0 - 202.137.255.255
  mnt-routes: MAINT-WF-EXNET

  mntner: MAINT-WF-EXNET
  auth: CRYPT-PW klsdfji9234

  1. Create the route object and submit it to the APNIC RR database
  2. The DB checks the aut-num object corresponding to the ASN in the route object
  3. Route object creation must pass auth of the mntner specified in the aut-num's mnt-routes attribute
  4. The DB checks the inetnum object matching/encompassing the IP range in the route object
  5. Route object creation must pass auth of the mntner specified in the inetnum's mnt-routes attribute

• CRYPT-PW is shown as in the original slide; it is a legacy scheme, and current registry databases use stronger mntner authentication (for example PGP keys)
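The three-way check of slides 35 and 36, worked as an added example that is not from the APNIC slides: a small model of the registry that decides whether a submitted route object passes authentication against the originating aut-num, the matching or encompassing inetnum (and any covering route object), and its own mnt-by, using the mnt-routes, then mnt-lower, then mnt-by fallback order. The objects, maintainer names and credentials are constructed, and plain strings stand in for real mntner authentication.

```python
"""Simulate the route-object creation checks of slides 33-36.

Added example, not from the slides. The registry objects, maintainers and
credentials are constructed; a real RR verifies real mntner auth, not the
plain strings used here. Each check resolves its maintainer list as
mnt-routes, else mnt-lower, else mnt-by (slide 35).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Obj = Dict[str, List[str]]  # RPSL object: attribute -> values

# Constructed maintainers: name -> accepted credentials.
MNTNERS: Dict[str, List[str]] = {
    "MAINT-WF-EXNET": ["exnet-secret"],
    "MAINT-SPARKYNET2-TC": ["sparky-routes"],
    "APNIC-HM": ["hostmaster-only"],
}
AUT_NUMS: Dict[str, Obj] = {
    "AS1": {"mnt-by": ["MAINT-WF-EXNET"], "mnt-routes": ["MAINT-WF-EXNET"]},
    "AS2": {"mnt-by": ["MAINT-SPARKYNET2-TC"]},   # no mnt-routes, no mnt-lower
}
INETNUMS: Dict[str, Obj] = {
    "202.137.240.0 - 202.137.255.255": {"mnt-by": ["APNIC-HM"],
                                        "mnt-routes": ["MAINT-WF-EXNET"]},
    "202.137.181.0 - 202.137.196.255": {"mnt-by": ["APNIC-HM"],
                                        "mnt-lower": ["MAINT-SPARKYNET1-TC"],
                                        "mnt-routes": ["MAINT-SPARKYNET2-TC"]},
}
# Existing route objects keyed by (prefix, origin).
ROUTES: Dict[Tuple[str, str], Obj] = {
    ("202.137.240.0/20", "AS1"): {"mnt-by": ["MAINT-WF-EXNET"]},
}


def resolve_mntners(obj: Obj) -> List[str]:
    """Slide 35 fallback order: mnt-routes, then mnt-lower, then mnt-by."""
    for attr in ("mnt-routes", "mnt-lower", "mnt-by"):
        if obj.get(attr):
            return obj[attr]
    return []


def authenticates(mntner_names: List[str], credentials: List[str]) -> bool:
    """Pass when any offered credential is accepted by any listed mntner."""
    return any(c in MNTNERS.get(m, []) for m in mntner_names for c in credentials)


def covering_inetnum(prefix: str) -> Optional[Tuple[str, Obj]]:
    """Most specific inetnum whose range matches or encompasses the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    first, last = int(net[0]), int(net[-1])
    best = None
    for key, obj in INETNUMS.items():
        s, e = (int(ipaddress.ip_address(p.strip())) for p in key.split("-"))
        if s <= first and last <= e and (best is None or e - s < best[0]):
            best = (e - s, key, obj)
    return None if best is None else (best[1], best[2])


def covering_route(prefix: str) -> Optional[Tuple[str, Obj]]:
    """Most specific existing route object that matches or is less specific."""
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for (p, origin), obj in ROUTES.items():
        cand = ipaddress.ip_network(p)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best[0].prefixlen:
                best = (cand, f"{p} {origin}", obj)
    return None if best is None else (best[1], best[2])


def check_route_creation(route: Obj, credentials: List[str]) -> List[str]:
    """Return the failed checks; an empty list means the route object is created."""
    failures: List[str] = []
    prefix, origin = route["route"][0], route["origin"][0]
    # Check 1: the originating ASN's aut-num object.
    aut = AUT_NUMS.get(origin)
    if aut is None:
        failures.append(f"aut-num {origin} does not exist")
    elif not authenticates(resolve_mntners(aut), credentials):
        failures.append(f"aut-num {origin}: auth failed for {resolve_mntners(aut)}")
    # Check 2: the address space (inetnum, plus any covering route object).
    hit = covering_inetnum(prefix)
    if hit is None:
        failures.append(f"no inetnum matches or encompasses {prefix}")
    elif not authenticates(resolve_mntners(hit[1]), credentials):
        failures.append(f"inetnum {hit[0]}: auth failed for {resolve_mntners(hit[1])}")
    parent = covering_route(prefix)
    if parent and not authenticates(resolve_mntners(parent[1]), credentials):
        failures.append(f"route {parent[0]}: auth failed for {resolve_mntners(parent[1])}")
    # Check 3: the new route object's own mnt-by.
    if not authenticates(route.get("mnt-by", []), credentials):
        failures.append("route mnt-by: auth failed")
    return failures


if __name__ == "__main__":
    new_route = {"route": ["202.137.241.0/24"], "origin": ["AS1"], "mnt-by": ["MAINT-WF-EXNET"]}
    print(check_route_creation(new_route, ["exnet-secret"]))  # [] when all three checks pass
```

The case worth noticing is the second one in the test below: AS2 controls its own aut-num and its own maintainer, yet cannot register a route for 202.137.241.0/24, because the address-space check resolves to the inetnum holder's mnt-routes. That is the property that makes route objects usable as filter input.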
37. Using RPSL in practice
38. Overview
• Review examples of routing policy expression
  – Peering policies
  – Filtering policies
  – Backup connection
  – Multihoming policies
39. RPSL - review
• Purpose of RPSL
  – Allows specification of your routing configuration in the public IRR
    • Allows you to check the consistency of policies and announcements
  – Gives opportunities to consider the policies and configuration of others
40. Address Prefix Range Operators

  Operator  Meaning
  ^-        Exclusive more specifics of the address prefix
            E.g. 128.9.0.0/16^- contains all more specifics of 128.9.0.0/16, excluding 128.9.0.0/16 itself
  ^+        Inclusive more specifics of the address prefix
            E.g. 5.0.0.0/8^+ contains all more specifics of 5.0.0.0/8, including 5.0.0.0/8 itself
41. Address Prefix Range Operators (cont.)

  Operator  Meaning
  ^n        n = integer; all the length-n specifics of the address prefix
            E.g. 30.0.0.0/8^16 contains all the more specifics of 30.0.0.0/8 of length 16, such as 30.9.0.0/16
  ^n-m      m = integer; all the length-n to length-m specifics of the address prefix
            E.g. 30.0.0.0/8^24-32 contains all the more specifics of 30.0.0.0/8 of length 24 to 32, such as 30.9.9.96/28
42. AS-path regular expressions
• Regular expressions
  – A context-independent syntax that can represent a wide variety of character sets and character set orderings
  – These character sets are interpreted according to the current Open Group Base Specifications (IEEE POSIX)
• Can be used as a policy filter by enclosing the expression in "<" and ">"
43. Filter List - Regular Expression
• Like Unix regular expressions

  .     Match one character
  *     Match any number of the preceding expression
  +     Match at least one of the preceding expression
  ^     Beginning of line
  $     End of line
  \     Escape a regular expression character
  _     Beginning, end, white space, brace
  |     Or
  ( )   Brackets to contain an expression
  [ ]   Brackets to contain number ranges

  Source: www.cisco.com
44. AS-path Regular Expression

  Operator           Meaning
  <AS3>              Routes whose AS-path contains AS3
  <^AS1>             Routes whose AS-path starts with AS1
  <AS2$>             Routes whose AS-path ends with AS2
  <^AS1 AS2 AS3$>    Routes whose AS-path is exactly "1 2 3"
  <^AS1 .* AS2$>     AS-path starts with AS1 and ends with AS2, with any number of ASNs in between
  <^AS3+$>           AS-path consists of AS3 only: AS3 is the first member, occurs one or more times, and no other AS is present
45. AS-path Regular Expression (cont.)

  Operator     Meaning
  <AS3|AS4>    Routes whose AS-path contains AS3 or AS4
  <AS3 AS4>    Routes whose AS-path contains AS3 immediately followed by AS4
46. Common Peering Policies
• Figure: AS2 (ISP, transit provider) reaches the Internet via AS1 and has customers AS3, AS4 and AS5
• Peering policies of an AS
  – Registered in an aut-num object
47. Common Peering Policies
• Policy for AS3 in the AS2 aut-num object

  aut-num: AS2
  as-name: SAMPLE-NET
  descr: Sample AS
  import: from AS1 accept ANY
  import: from AS3 accept <^AS3+$>
  export: to AS3 announce AS2
  export: to AS1 announce AS2 AS3
  admin-c: TP1-AP
  tech-c: TP2-AP
  mnt-by: MAINT-SAMPLE-AP
  changed: sample@sample.net

• The filter <^AS3+$> means AS2 accepts from AS3 only routes whose AS-path consists of AS3 alone, i.e. routes AS3 originates itself, not anything AS3 may have learned from elsewhere
48. Transit Provider Policies
• Figure (as on slide 46): AS2 is the ISP (transit provider) with upstream AS1 and customers AS3, AS4 and AS5
• Peering policies of an AS
  – Registered in an aut-num object
49. ISP Customer - Transit Provider Policies
• Policy for AS3 and AS4 in the AS2 aut-num object

  aut-num: AS2
  import: from AS1 accept ANY
  import: from AS3 accept <^AS3+$>
  import: from AS4 accept <^AS4+$>
  export: to AS3 announce ANY
  export: to AS4 announce ANY
  export: to AS1 announce AS2 AS3 AS4
• 50. AS-set Object
• Describes the customers of AS2 (members are comma-separated in RPSL)
as-set:     AS2:AS-CUSTOMERS
members:    AS3, AS4
changed:    sample@sample.net
source:     APNIC
• 51. Aut-num Object referring to an as-set Object
aut-num:    AS2
import:     from AS1 accept ANY
import:     from AS2:AS-CUSTOMERS accept <^AS2:AS-CUSTOMERS+$>
export:     to AS2:AS-CUSTOMERS announce ANY
export:     to AS1 announce AS2 AS2:AS-CUSTOMERS

aut-num:    AS1
import:     from AS2 accept <^AS2+AS2:AS-CUSTOMERS+$>
export:     ………
• Caveat: with + after AS2:AS-CUSTOMERS, the AS1 filter only accepts paths in which at least one customer ASN follows AS2, so AS2's own prefixes (path "2", or "2 2" with prepending) would be rejected. <^AS2+AS2:AS-CUSTOMERS*$> accepts both AS2's own routes and its customers' routes.
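The AS-path expressions on slides 44, 45 and 51 are easy to misread, and the difference between + and * on an as-set decides whether a peer's own routes get through. The following is an added example (not part of the tutorial or of IRRToolSet) that translates an RPSL AS-path regular expression into a Python regex and evaluates it against an AS path. The as-set expansion table AS_SETS is constructed for the example; in practice the members come from the as-set object in the IRR. Each ASN is encoded as one <n> unit so that ".", "+" and "*" operate on whole AS numbers rather than on digits; "[ ]" ranges are not supported.

```python
import re

# Constructed AS-set expansion used by the examples below (slide 50's object).
AS_SETS = {"AS2:AS-CUSTOMERS": [3, 4]}

# One token per RPSL AS-path regex element: as-set names (AS2:AS-CUSTOMERS,
# AS-FOO), plain AS numbers, the operators . ^ $ * + | ( ) and whitespace.
_TOKEN = re.compile(
    r"AS[0-9]+:AS-[A-Z0-9_-]+|AS-[A-Z0-9_-]+|AS[0-9]+|[.^$*+|()]|\s+", re.I
)


def _encode_path(path):
    """Encode an AS path as '<a><b><c>' so that one ASN is one regex unit."""
    return "".join(f"<{int(asn)}>" for asn in path)


def compile_aspath(expr, as_sets=None):
    """Translate an RPSL AS-path regex such as <^AS3+$> into a Python regex.

    Each ASN becomes the atom (?:<n>), '.' matches any single ASN, '^' and '$'
    anchor at the start and end of the path, and an as-set name expands to an
    alternation of its members.
    """
    as_sets = {k.upper(): v for k, v in (as_sets or {}).items()}
    expr = expr.strip()
    if expr.startswith("<") and expr.endswith(">"):
        expr = expr[1:-1]
    out, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"bad AS-path regex near {expr[pos:]!r}")
        tok, pos = m.group(0).upper(), m.end()
        if tok.isspace():
            continue                      # whitespace only separates elements
        if tok == ".":
            out.append(r"(?:<[0-9]+>)")
        elif tok == "^":
            out.append(r"\A")
        elif tok == "$":
            out.append(r"\Z")
        elif tok in ("*", "+", "|", "(", ")"):
            out.append(tok)
        elif tok in as_sets:              # expand the as-set to its members
            out.append("(?:" + "|".join(f"<{int(a)}>" for a in as_sets[tok]) + ")")
        elif tok[2:].isdigit():           # plain ASn
            out.append(f"(?:<{int(tok[2:])}>)")
        else:
            raise ValueError(f"unknown as-set {tok}")
    return re.compile("".join(out))


def aspath_matches(expr, path, as_sets=None):
    """True if the AS path (list of ints, leftmost = nearest neighbour) matches expr."""
    return compile_aspath(expr, as_sets).search(_encode_path(path)) is not None


if __name__ == "__main__":
    for expr, path in [("<^AS3+$>", [3, 3]), ("<^AS3+$>", [3, 4]),
                       ("<^AS2+AS2:AS-CUSTOMERS+$>", [2]),
                       ("<^AS2+AS2:AS-CUSTOMERS*$>", [2])]:
        print(f"{expr:32} {path!s:10} {aspath_matches(expr, path, AS_SETS)}")
```

The last two lines of the demo show the caveat from slide 51: with + the bare path "2" (AS2 announcing its own prefix) is rejected, with * it is accepted.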
  • 52. Express Filtering Policy • To limit the routes one accepts from a peer – To prevent the improper use of unassigned address space – To prevent malicious use of another organisation’s address space
• 53. Filtering Policy
[Diagram: AS2 – AS3 – Internet; 7.7.0.0/20 allocated to AS3 by the RIR]
• AS3 wants to announce part or all of 7.7.0.0/20 on the global Internet.
• AS2 wants to be certain that it only accepts announcements from AS3 for address space that has been properly allocated to AS3.
• 54. Aut-num Object with Filtering Policy
aut-num:    AS2
import:     from AS3 accept { 7.7.0.0/20^20-24 }
…….
• 7.7.0.0/20^20-24 accepts 7.7.0.0/20 itself and any more-specific of it with a prefix length from 20 to 24; nothing outside the allocation and nothing longer than a /24 is accepted.
• For an ISP with a growing or changing customer base, maintaining such prefix lists in the aut-num object will not scale well. A route-set object can be used instead.
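To make the semantics of the prefix range operators concrete, here is an added example (not from the tutorial or IRRToolSet) that parses an RPSL prefix-set filter such as { 7.7.0.0/20^20-24 } and decides whether a given announcement is accepted. It also handles the other RPSL range operators (^-, ^+, ^n), which go beyond the single case on the slide. The announced prefixes in the usage section are constructed for the example.

```python
import ipaddress
import re

# <prefix>/<len> optionally followed by ^-, ^+, ^n or ^n-m (RPSL range operators)
_RANGE = re.compile(
    r"^(?P<prefix>[0-9A-Fa-f:.]+/[0-9]+)(?:\^(?P<op>-|\+|[0-9]+(?:-[0-9]+)?))?$"
)


def parse_prefix_range(spec):
    """Return (network, min_len, max_len) for one RPSL address-prefix range."""
    m = _RANGE.match(spec.strip())
    if m is None:
        raise ValueError(f"not an RPSL prefix range: {spec!r}")
    net = ipaddress.ip_network(m["prefix"], strict=True)   # reject host bits set
    op = m["op"]
    if op is None:                       # exact prefix only
        lo = hi = net.prefixlen
    elif op == "-":                      # more specifics, excluding the prefix itself
        lo, hi = net.prefixlen + 1, net.max_prefixlen
    elif op == "+":                      # the prefix and all its more specifics
        lo, hi = net.prefixlen, net.max_prefixlen
    elif "-" in op:                      # ^n-m
        lo, hi = (int(x) for x in op.split("-"))
    else:                                # ^n
        lo = hi = int(op)
    if not net.prefixlen <= lo <= hi <= net.max_prefixlen:
        raise ValueError(f"range ^{op} is not valid for {net}")
    return net, lo, hi


def parse_filter(text):
    """Parse an RPSL prefix-set filter such as '{ 7.7.0.0/20^20-24, 7.8.0.0/22 }'."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a { ... } prefix set")
    return [parse_prefix_range(p) for p in body[1:-1].split(",") if p.strip()]


def accepts(prefix_set, announced):
    """True if the announced prefix lies inside one of the filter's ranges."""
    ann = ipaddress.ip_network(announced, strict=True)
    return any(
        ann.version == net.version
        and ann.subnet_of(net)
        and lo <= ann.prefixlen <= hi
        for net, lo, hi in prefix_set
    )


if __name__ == "__main__":
    policy = parse_filter("{ 7.7.0.0/20^20-24 }")
    # Constructed announcements from AS3: inside the allocation at an allowed
    # length, too long, and outside the allocation.
    for p in ["7.7.0.0/20", "7.7.15.0/24", "7.7.0.0/25", "7.7.16.0/24", "7.7.0.0/19"]:
        print(f"{p:14} {'accept' if accepts(policy, p) else 'reject'}")
```

A /25 is rejected even though it is inside 7.7.0.0/20, because the range caps the length at 24; 7.7.16.0/24 and 7.7.0.0/19 are rejected because they are not covered by the allocation. That is exactly the "only what has been properly allocated to AS3" check slide 53 asks for.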
  • 55. IRRToolSet • Set of tools developed for using the Internet Routing Registry (IRR) • Work with Internet routing policies – These policies are stored in IRR in the Routing Policy Specification Language (RPSL) • The goal of the IRRToolSet is to make routing information more convenient and useful for network engineers – Tools for automated router configuration, – Routing policy analysis – On-going maintenance etc.
• 56. IRRToolSet
• Download: ftp://ftp.isc.org/isc/IRRToolSet/
• Installation needs: lex, yacc and a C++ compiler
root@bofh:~# wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
root@bofh:~# tar -zxvf irrtoolset-5.0.1.tar.gz
root@bofh:~# cd irrtoolset-5.0.1
root@bofh:~/irrtoolset-5.0.1# ./configure
root@bofh:~/irrtoolset-5.0.1# make
root@bofh:~/irrtoolset-5.0.1# make install
• 57. IRRToolSet
root@bofh:~# whois -h whois.apnic.net AS17821
#####snipped######
mp-import:  afi any.unicast {
              from AS-ANY accept ANY AND NOT RS-MARTIANS;
            } refine {
              from AS-ANY action pref = 50; accept community.contains(17821:50);
              from AS-ANY action pref = 30; accept community.contains(17821:70);
              from AS-ANY action pref = 10; accept community.contains(17821:90);
              from AS-ANY action pref = 0; accept ANY;
            } refine afi ipv4.unicast {
• 58. IRR Toolset, RPSL: RtConfig (cont.)
Cisco-specific:
@RtConfig set cisco_map_name = <map-name>
@RtConfig set cisco_map_first_no = <no>
@RtConfig set cisco_map_increment_by = <no>
@RtConfig set cisco_prefix_acl_no = <no>
@RtConfig set cisco_aspath_acl_no = <no>
@RtConfig set cisco_pktfilter_acl_no = <no>
@RtConfig set cisco_community_acl_no = <no>
@RtConfig set cisco_access_list_no = <no>
@RtConfig set cisco_max_preference = <no>
@RtConfig networks <ASN-1>
@RtConfig inbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
• 59. IRR Toolset, RPSL: RtConfig (cont.)
Junos-specific:
@RtConfig set junos_policy_name = <policy-name>
@RtConfig networks <ASN-1>
• 60. IRR Toolset, RPSL: RtConfig Input File (Provision)
• The import / export directives take <local-ASN> <local-router> <peer-ASN> <peer-router>
router bgp 17821
 neighbor 103.4.108.54 remote-as 131107
 neighbor 103.4.108.54 version 4
!
# X Communication Ltd
@RtConfig set cisco_access_list_no = 500
@RtConfig set cisco_map_name = "AS58715-IN"
@RtConfig import AS131208 103.4.108.62 AS58715 103.4.108.61
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.62 AS58715 103.4.108.61
!
# xyz Ltd
@RtConfig set cisco_access_list_no = 501
@RtConfig set cisco_map_name = "AS58656-IN"
@RtConfig import AS131208 103.4.108.94 AS58656 103.4.108.93
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.94 AS58656 103.4.108.93
!
end
• 61. Use of RPSL - RtConfig
• RtConfig
– part of IRRToolSet
– Reads policy from the IRR (aut-num, route and *-set objects) and generates router configuration
– vendor specific: Cisco, Bay's BCC, Juniper's Junos and Gated/RSd
– Creates route-maps and AS-path filters
– Can also create ingress / egress packet filters
  • 62. IRR Toolset, RPSL: Uploading Configuration Various ways to upload configuration: – SNMP Write – NETCONF XML Based – Automated Script using expect
  • 63. Why use IRR and RtConfig? • Benefits of RtConfig – Avoid filter errors (typos) – Expertise encoded in the tools that generate the policy rather than engineer configuring peering session – Filters consistent with documented policy • (need to get policy correct though)
• 65. What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association between a resource holder and their Internet number resources (IP prefixes and AS numbers)
• Created to address the issues in RFC 4593 "Generic Threats to Routing Protocols"
• Helps to secure Internet routing by validating route origins
– Proof that a prefix announcement comes from an AS authorised by the legitimate holder of the resource
• 66. Benefits of RPKI - Routing
• Similar objective as the IRR, but backed by cryptographic proof of resource holdership, in a robust and scalable way
• Prevents route hijacking
– A prefix originated by an AS without authorisation
– Reason: malicious intent
• Prevents mis-origination
– A prefix that is mistakenly originated by an AS which does not hold it
– Reason: configuration mistake / fat finger
• Caveat: origin validation checks only the origin AS. A route leak that preserves the legitimate origin (the prefix is re-announced along an unintended path) still looks Valid; catching that needs path validation (BGPsec).
• 67. BGP Security (BGPsec)
• Extension to BGP that provides improved security for BGP routing
• An IETF Internet draft at the time of this tutorial; since published as RFC 8205
• Implemented via a new optional non-transitive BGP path attribute that carries digital signatures over the AS path
• Two parts to BGP security:
– BGP Prefix Origin Validation (RFC 6811, using RPKI ROAs)
– BGP Path Validation (BGPsec proper)
• Similar efforts in the early days
– IDR working group, S-BGP
• 68. RPKI Infrastructure
• A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization (ROA) objects
• Main components
– Certificate Authority (CA)
– Relying Party (RP) software / validator
– Routers with RPKI support
• 69. Issuing Party
• Internet Registries (RIR, NIR, large LIRs)
• Acts as a Certificate Authority and issues certificates for customers
• Provides a web interface to issue ROAs for customer prefixes
• Publishes the ROA records
[Diagram: MyAPNIC GUI – APNIC RPKI Engine – publication – Repository (rpki.apnic.net)]
• 70. Route Origin Authorization (ROA)
• A digital object that contains a list of address prefixes and one AS number (RFC 6482); each prefix may carry a maxLength, the longest prefix length the AS is allowed to announce from it
• It is an authority created by a prefix holder to authorise an AS number to originate one or more specific route advertisements
• Publish a ROA using MyAPNIC
• 71. X.509 Certificate with RFC 3779 Extension
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779
– binds a list of resources (IP prefixes, ASNs) to the subject of the certificate
• SIA – Subject Information Access; contains a URI that references the subject's publication point (repository directory)
[Diagram: X.509 certificate containing the RFC 3779 extension, the SIA and the owner's public key]
• 74. Route Origin Validation
• Router must support RPKI
• Checks an RP cache / validator (over the RPKI-to-Router protocol, RFC 6810)
• Validation returns 3 states:
– Valid = a ROA covers prefix X and authorises origin ASN Y, and the announced prefix length is within the ROA's maxLength
– Invalid = a ROA covers prefix X but none authorises ASN Y, or the announcement is more specific than the maxLength allows
– Unknown (NotFound) = no ROA covers prefix X at all
• Vendor support (at the time of this tutorial):
– Cisco IOS – solid in 15.2
– Cisco IOS-XR – shipped in 4.3.2
– Juniper – shipped in 12.2
– Alcatel-Lucent – in development
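The three validation states are what every BGP policy built on RPKI keys on, so it pays to see the decision procedure written out. The following is an added example (not from the tutorial, nor the code of any vendor or validator) implementing the RFC 6811 origin validation algorithm over a constructed ROA set. The ROAs use documentation prefixes and private ASNs and are not APNIC data; a real RP cache would hand the router the same (prefix, maxLength, ASN) triples. It also covers two cases the slide does not spell out: a maxLength violation and an AS0 ROA.

```python
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed ROA set for the example (RFC 5737 / RFC 3849 documentation
# prefixes, RFC 6996 private ASNs).  Not real registry data.
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    ROA(ipaddress.ip_network("198.51.100.0/24"), 26, 64501),   # /24 down to /26 allowed
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 0),        # AS0: nobody may originate
]

VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


def validate(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation for one (announced prefix, origin AS) pair.

    A ROA *covers* the route when its prefix contains the announced prefix.
    A ROA *matches* when it covers the route, its ASN equals the origin and
    the announced length does not exceed maxLength.  One match makes the
    route Valid; cover without a match makes it Invalid; no cover is NotFound.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != route.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.asn == 0:
            continue                     # AS0 ROA (RFC 6483) never matches any origin
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID if covered else NOTFOUND


if __name__ == "__main__":
    # Constructed announcements: legitimate, hijack, too-specific, AS0 and uncovered.
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64666),
                        ("192.0.2.0/25", 64500), ("203.0.113.0/24", 64500),
                        ("10.0.0.0/8", 64500)]:
        print(f"{prefix:16} AS{asn:<6} {validate(prefix, asn)}")
```

Note that the same legitimate AS announcing a /25 out of a /24 ROA with maxLength 24 comes out Invalid: a ROA authorises specific lengths, not "anything inside the block", which is why issuing ROAs with a loose maxLength weakens the protection against more-specific hijacks.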
• 75. How to start?
• Create ROA records in MyAPNIC
• Build an RP cache
• Configure your router to use the cache (or a public one)
• Create BGP policies
• 76. How to build an RP Cache
• Download and install from rpki.net
• Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages
• 77. Configure Router to Use Cache
router bgp 17821
 …
 bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
• Note: the second port number as shown (93920) is not a valid TCP port (the range is 0-65535); use the port your validator's RPKI-RTR listener is actually bound to (the IANA-assigned rpki-rtr port is 323, RFC 6810).
• 78. How does it look in the BGP Table
r0.sea#sh ip bgp
     Network            Next Hop          Metric LocPrf Weight Path
* i I198.180.150.0     144.232.9.61                100      0 1239 3927 i
*>  I                  199.238.113.9                        0 2914 3927 i
*   I                  129.250.11.41                        0 2914 3927 i
*>  V198.180.152.0     199.238.113.9                        0 2914 4128 i
*   V                  129.250.11.41                        0 2914 4128 i
*>  N198.180.155.0     199.238.113.9                        0 2914 22773 i
*   N                  129.250.11.41                        0 2914 22773 i
*>  N198.180.160.0     199.238.113.9                        0 2914 23308 13408 5752 i
*   N                  129.250.11.41                        0 2914 23308 13408 5752 i
• The letter in front of the network is the RPKI validation state: V = Valid, I = Invalid, N = NotFound
Source: RPKI Lab – Randy Bush
• 79. Member Services Helpdesk
– One point of contact for all member enquiries
– Online chat services
Helpdesk hours 9:00 am - 9:00 pm (AU EST, UTC + 10 hrs)
ph: +61 7 3858 3188
fax: +61 7 3858 3199
• More personalised service
– Range of languages: Bahasa Indonesia, Bengali, Cantonese, English, Hindi, Mandarin, Thai, etc.
• Faster response and resolution of queries
– IP resource applications, status of requests, obtaining help in completing application forms, membership enquiries, billing issues and database enquiries