The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
Introduction to RPKI by Sheryl (Shane) Hermoso
2. Overview
• Routing “incidents”
• RPKI Technical Details
• RPKI and BGPsec
• Components and Implementation
• Deployment Status in the RIRs
• APNIC Resource Certification
3. Misdirection / Hijacking Incidents
• YouTube Incident
– Occurred 24 Feb 2008 (for about 2 hours)
– Pakistan Telecom announced YT block
• Google (AS15169) services downed
– Occurred 5 Nov 2012 (for 30 minutes)
– Moratel Indonesia (AS23947)
How frequent do these hijacking incidents happen?
4. How we address this…
• A network should only originate its own prefix
– How do we verify?
– How do we avoid false advertisement?
• A provider should filter prefixes they propagate from customers
– Check the legitimacy of address (LoA)
– Transitive trust; BGP is a trust-based system
6. What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association between resource holders and their Internet resources
• Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols”
• Helps to secure Internet routing by validating routes
– Proof that prefix announcements are coming from the legitimate holder of the resource
RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012)
7. Benefits of RPKI - Routing
• Prevents route hijacking
– A prefix originated by an AS without authorization
– Reason: malicious intent
• Prevents mis-origination
– A prefix that is mistakenly originated by an AS which does not own it
– Also route leakage
– Reason: configuration mistake / fat finger
8. BGP Security (BGPsec)
• Extension to BGP that provides improved security for BGP routing
• Currently an IETF Internet draft
• Implemented via a new optional non-transitive BGP path attribute that contains a digital signature
• Two things:
– BGP Prefix Origin Validation (using RPKI)
– BGP Path Validation
• Similar efforts in the early days – IDR working group, S-BGP
9. “Right” to Resources
• ISP gets their resources from the RIR
• ISP notifies its upstream of the prefixes to be announced
• Upstream must check the WHOIS database to see if the resource has been delegated to the customer ISP
We need to be able to authoritatively prove who owns an IP prefix and what AS(s) may announce it.
10. RPKI Infrastructure
• A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents
• Main Components:
– Certificate Authority (CA)
– Relying Party (RP)
– Routers with RPKI support
11. Issuing Party
• Internet Registries (RIR, NIR, Large LIRs)
• Acts as a Certificate Authority and issues certificates for customers
• Provides a web interface to issue ROAs for customer prefixes
• Publishes the ROA records
[Diagram: MyAPNIC GUI, APNIC RPKI Engine, publication to the rpki.apnic.net repository]
12. Route Origin Authorization (ROA)
• A digital object that contains a list of address prefixes and one AS number
• It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements
• Publish an ROA using MyAPNIC
13. X.509 Certificate with 3779 Extension
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate
• SIA – Subject Information Access; contains a URI that references the directory
[Diagram: X.509 Certificate containing the RFC 3779 Extension, the SIA and the Owner's Public Key]
16. Router Origin Validation
• Router must support RPKI
• Checks an RP cache / validator
• Validation returns 3 states:
– Valid = when authorization is found for prefix X
– Invalid = when authorization is found for prefix X but not from ASN Y
– Unknown = when no authorization data is found
• Vendor support:
– Cisco IOS – solid in 15.2
– Cisco IOS/XR – shipped in 4.3.2
– Juniper – shipped in 12.2
– Alcatel Lucent – in development
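The three validation states above, worked through in code. This is an added example, not material from the slides: it implements the RFC 6811 origin-validation rule that the router applies against the RP cache (including the maxLength check the slide leaves out) over a constructed list of ROAs, so it also illustrates the ROA structure from slide 12; all prefixes, AS numbers and ROAs here are sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    """One ROA as a router sees it from the RP cache: the authorized
    prefix, the longest prefix length the holder permits (maxLength),
    and the single origin AS allowed to announce it."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample ROAs for illustration only, not real registry data.
SAMPLE_ROAS = [
    Roa("198.180.152.0/24", 24, 4128),  # only AS4128 may originate exactly this /24
    Roa("203.0.113.0/24", 26, 65001),   # AS65001 may announce the /24 and down to /26
    Roa("192.0.2.0/24", 24, 0),         # AS0 ROA: no AS is authorized to originate it
]

def covering_roas(route_prefix, roas):
    """ROAs whose prefix contains the route prefix (RFC 6811 'covered'),
    regardless of maxLength or ASN. Address families never mix."""
    route = ipaddress.ip_network(route_prefix)
    out = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            out.append(roa)
    return out

def validate_route(route_prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return the slide's three states for one route announcement:
    'valid'     - a covering ROA names this origin AS and the announced
                  length does not exceed that ROA's maxLength
    'invalid'   - covering ROAs exist but none matches (wrong origin AS,
                  too-specific announcement, or an AS0 ROA)
    'not-found' - no ROA covers the prefix (the 'N' rows in the BGP table)"""
    route = ipaddress.ip_network(route_prefix)
    covering = covering_roas(route_prefix, roas)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

if __name__ == "__main__":
    for prefix, asn in [("198.180.152.0/24", 4128), ("198.180.152.0/24", 2914),
                        ("203.0.113.0/27", 65001), ("192.0.2.0/24", 65001)]:
        print(prefix, asn, validate_route(prefix, asn))
```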
19. APNIC RPKI Service
• Enhancement to the RIRs
– Offers verifiable proof of resource holdings
• Resource certification is an opt-in service
– Resource holders choose to request a certificate and provide their public key to be certified
• APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use
20. What you need to know
• You are encouraged to experiment, test, play and develop
• RPKI standards are still being developed, and the operating environment for RPKI use is still fragile
• It’s ready for testing and prototyping, but is probably not ready for production use just yet
• Please tell us what you find but don’t rely on it in your network yet
21. What You Can Do Now
• Create ROA records in MyAPNIC
• Build an RP cache
• Configure your router to use the cache (or a public one)
• Create BGP policies
Best to do it in a test environment for now!
22. Build an RP Cache
• Download and install from rpki.net
– Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages
The RP cache has a web interface
23. Configure Router to Use Cache
router bgp 651nn
 …
 bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
 …
RPKI Lab – Randy Bush
24. BGP Table
r0.sea#sh ip bgp
     Network           Next Hop       Metric LocPrf Weight Path
* i  I198.180.150.0    144.232.9.61             100      0 1239 3927 i
*>   I                 199.238.113.9                     0 2914 3927 i
*    I                 129.250.11.41                     0 2914 3927 i
*>   V198.180.152.0    199.238.113.9                     0 2914 4128 i
*    V                 129.250.11.41                     0 2914 4128 i
*>   N198.180.155.0    199.238.113.9                     0 2914 22773 i
*    N                 129.250.11.41                     0 2914 22773 i
*>   N198.180.160.0    199.238.113.9                     0 2914 23308 13408 5752 i
*    N                 129.250.11.41                     0 2914 23308 13408 5752 i
RPKI Lab – Randy Bush
25. More References
• Securing BGP
– The Internet Protocol Journal, Volume 14, No. 2
• An Infrastructure to Support Secure Internet Routing
– RFC6480
• A Reappraisal of Validation in the RPKI
– labs.apnic.net/blabs
• An Introduction to Routing Security (and RPKI Tools)
• MyAPNIC Resource Certification Guide