SlideShare a Scribd company logo

Let's talk about routing security, Anurag Bhatia, Hurricane Electric

Bangladesh Network Operators Group
Bangladesh Network Operators Group

This presentation covers routing security at the Internet Scale in detail with a focus on IRR. It talks about how IRRs work, the challenges in IRR based filtering as well as some of the tools which can be used. It also touches RPKI as well as developments IRR-RPKI integration in the next version of IRR daemon.

Internet
1 of 39
Download to read offline
Let’s talk about routing security How secure is our routing infrastructure in 2019?
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Fundamentals of global routing... 2
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Internet - Network of ASNs... ● Internet is simply network of autonomous networks all connected together and speaking “BGP”. ● There are around 64k autonomous networks (known by their number called ASN) in IPv4 routing and 17k ASNs in IPv6 world. ● A set of around 15 networks stitch these ASNs together by forming a “default free / transit free zone” and essentially all ASNs in the world are direct/indirect customer of either of these ASNs. ● A large part of modern traffic flows from a limited set of ASNs (content networks) to eyeball networks via PNI’s and Internet Exchanges 3
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Internet - Network of ASNs... 4
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Internet - Network of ASNs...(+ DNS!) ● BGP ensures interconnection of networks and DNS ensures domain to IP mapping. ● DNS relies on set of 13 logical root DNS servers and practically as many as 980 instances across the world via anycast. ● These 13 root DNS addresses are hardcoded in DNS resolver software (like BIND, powerdns etc) and hence security of these 13 IPs is important. ● DNS resolver contacts either of 13 based on reply time and other factors in the resolution algorithm. 5
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh So how “trust” in the BGP works? 6
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Trust in the BGP... ● BGP supports filtering and networks can define in filter what they can accept or reject and the default action (accept/reject). ● Filters can be based on IP prefix, ASN or AS Path or other factors like BGP community. ● It’s quite easy to generate filters for networks near the edge but very hard as one goes near the core. ● Edge filtering - Filter the networks which connect to you based on static filter based on prefix and some other basic rules and full stop. ● Filtering beyond the edge - Allow prefixes of your downstream customer + their downstream + further their downstream and so on... 7
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Trust in the BGP... As per research data by Mr Geoff Huston (Scientist at APNIC) average AS path length in IPv4 world is around 5.7 and hence for a case like AS 1 <- AS2 <- AS3 <- AS4 <- AS5 it’s very hard for AS1 to what to allow for AS4 (learnt via AS2). 8
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Filtering chain... AS 1 AS 2 Upstream Provider Customer Provider I have 203.0.113.0/24! Accept 203.0.113.0/24 ip prefix-list Customer-AS2 permit 203.0.113.0/24 9
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Filtering chain... AS 1 AS 2 I have 203.0.113.0/24! Accept 203.0.113.0/24 + 203.0.114.0/24 AS 3 I have 203.0.114.0/24! ip prefix-list Customer-AS2 permit 203.0.113.0/24 ip prefix-list Customer-AS2 permit 203.0.114.0/24 10
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh How does filtering works at the “Internet scale” ? 11
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - Internet Routing Registries ● IRRs are the public “registers” where one can log what they want to do and then just do it. ● IRRs use RPSL (Routing Policy Specific Language) to define “route object” where one defines prefix, origin AS, description etc and upstream can generate filters based on that. ● IRRs use “AS SETs” which define ASNs in a set (for instance a set of customer ASNs) and that is used to define customers ASNs. ● AS SETs can further have AS Sets of customer and that helps to generate downstream’s downstream’s downstream filter. 12
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - Route Object Example whois -h whois.radb.net 216.218.128.0/17 route: 216.218.128.0/17 descr: Hurricane Electric 55 South Market St San Jose, CA origin: AS6939 notify: noc@he.net changed: noc@he.net 20170407 mnt-by: HE-NOC source: RADB 13
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - Route Object Example whois -h whois.radb.net 216.218.128.0/17 route: 216.218.128.0/17 <- Prefix descr: Hurricane Electric 55 South Market St San Jose, CA origin: AS6939 <- Origin AS notify: noc@he.net changed: noc@he.net 20170407 mnt-by: HE-NOC source: RADB 14
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - AS SET Example whois -h whois.radb.net AS-Google as-set: AS-GOOGLE descr: Google members: AS11344 members: AS13949 members: AS15169 members: AS15276 members: AS19425 members: AS22577 members: AS26910 members: AS36040 members: AS36384 members: AS36492 members: AS36561 members: AS394725 members: AS40873 members: AS41264 members: AS43515 members: AS55023 members: AS6432 members: AS19527 members: AS26684 members: AS395973 members: AS36039 members: AS24424 members: AS-GOOGLE-IT members: AS-MEEBO members: AS-METAWEB-2 mnt-by: MAINT-AS15169 changed: raybennett@google.com 20180614 #14:42:00Z source: RADB 15
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - AS SET Example whois -h whois.radb.net AS-Google as-set: AS-GOOGLE <- Name of AS Set descr: Google members: AS11344 <- Member ASN in the AS SET members: AS13949 members: AS15169 members: AS15276 members: AS19425 members: AS22577 members: AS26910 members: AS36040 members: AS36384 members: AS36492 members: AS36561 members: AS394725 members: AS40873 members: AS41264 members: AS43515 members: AS55023 members: AS6432 members: AS19527 members: AS26684 members: AS395973 members: AS36039 members: AS24424 members: AS-GOOGLE-IT <- Member AS SET in the AS SET members: AS-MEEBO members: AS-METAWEB-2 mnt-by: MAINT-AS15169 changed: raybennett@google.com 20180614 #14:42:00Z source: RADB 16
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh More on Internet Routing Registries ● There are as many as 25 IRRs and were created for different reasons historically. ● RIR (Regional Internet Registry) based RIRs like APNIC, ARIN are common across their member users. ● Non-for profit RADB used mostly by larger organisations, free option ALTDB (for general Internet). ● One can define which IRR one is using at the peeringdb e.g RADB::AS-HURRICANE for Hurricane Electric or APNIC::AS9498:AS-BHARTI-IN for Airtel. ● RADB mirrors all major IRRs and thus a query to RADB includes it’s own database as well as data of other mirrors IRRs. ● Most of filtering tools by default use RADB for generating filters. 17
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Query to RADB... whois -h whois.radb.net 163.47.158.0/24 route: 163.47.158.0/24 origin: AS10075 descr: Fiber @ Home Limited House - 7/B, Road - 13, Gulshan - 1 mnt-by: MAINT-FIBERATHOME-BD last-modified: 2019-04-03T13:58:31Z source: APNIC 18
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Query to RADB... whois -h whois.radb.net 163.47.158.0/24 route: 163.47.158.0/24 origin: AS10075 descr: Fiber @ Home Limited House - 7/B, Road - 13, Gulshan - 1 mnt-by: MAINT-FIBERATHOME-BD last-modified: 2019-04-03T13:58:31Z source: APNIC <- Shows the source database 19
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh bgpq3 - Tool for generating filters ● Open source tool bgpq3 can be used for generating filters based on IRR. ● It supports syntax of Cisco, JunOS out of the box. ● It also supports generating filter list based on custom syntax of any given hardware. ● Supports JSON based output format. ● Includes supports for AS Path based filters as well as IPv6. ● Supports only generation of filters and one needs to have a mechanism to push these filters to the routers. 20
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh bgpq3 - in action bgpq3 -l Anurag AS58901 -6 no ipv6 prefix-list Anurag ipv6 prefix-list Anurag permit 2402:b580::/32 ipv6 prefix-list Anurag permit 2402:b580:1::/48 ipv6 prefix-list Anurag permit 2402:b580:2::/48 ipv6 prefix-list Anurag permit 2402:b580:3::/48 bgpq3 -J -l Anurag AS58901 -6 policy-options { replace: prefix-list Anurag { 2402:b580::/32; 2402:b580:1::/48; 2402:b580:2::/48; 2402:b580:3::/48; } } 21
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh bgpq3 - in action bgpq3 -l Anurag AS58901 -6 no ipv6 prefix-list Anurag ipv6 prefix-list Anurag permit 2402:b580::/32 ipv6 prefix-list Anurag permit 2402:b580:1::/48 ipv6 prefix-list Anurag permit 2402:b580:2::/48 <- Cisco iOS style syntax ipv6 prefix-list Anurag permit 2402:b580:3::/48 bgpq3 -J -l Anurag AS58901 -6 policy-options { replace: prefix-list Anurag { 2402:b580::/32; 2402:b580:1::/48; <- JunOS syntax 2402:b580:2::/48; 2402:b580:3::/48; } } 22
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh It’s querying RADB and formatting whois -h whois.radb.net '!6as58901' A66 2402:b580:1::/48 2402:b580:3::/48 2402:b580:2::/48 2402:b580::/32 C More on this on RADB here: https://www.radb.net/query/help 23
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh So how well IRR based filtering works? 24
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh So how well IRR based filtering works? <- Not so well! 25
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Filtering Statistics across the Internet ● There are as many as 758313 prefixes visible in global routing table (IPv4 + IPv6) ● Out of total routes: 603185 (79.54%) have valid route objects, 58587 (7.73%) have no valid route objects and 96514 (12.73%) have mismatching route object. ● Thus IRR based filtering can filter/blackhole 155101 routes or 20.45 of the total routes in the global table. 26
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Challenges with IRR based filtering ● IRR is old and not very easy to integrate with the routers. ● There no one-solution-fits-all projects which can generate filters and push to all possible hardwares. (Things are much better off in route-servers run at the internet exchanges) ● IRRs by design are log books and whatever goes in there, usually stays in there. In other words they are full of old outdated route objects. ● The “software speaking to the routers & pushing config” isn’t very common across smaller networks. 27
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Some of developments in routing security... ● Some larger networks including Hurricane Electric are now filtering over 98% peers (~25k BGP sessions) based on IRR. ● Google has announced to start filtering based on IRR by Sept 2019 (at NANOG 75). ● Internet Exchanges like BharatIX (in Mumbai), DECIX (in Frankfurt), INEX (in Dublin), Equinix IX Singapore etc are actively filtering prefixes based on IRR. ● RPKI is being pushed for to use cryptography to validate prefix origin and is supported in latest version of various vendors. For supported hardware, it’s very to implement in a route-map / routing-policy. ● RPKI is being integrated in next version of IRR (IRR 4) to ensure route objects cannot be created where ROA mismatch happens. ● AT&T has announced that it now drops prefixes where RPKI validation fails. 28
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh RPKI in action... router bgp 58901 address-family ipv4 unicast neighbor 1.2.3.4 route-map Customer-IN in bgp bestpath prefix-validate allow-invalid ! route-map Customer-IN permit 10 match rpki invalid set local-preference 50 ! route-map Customer-IN permit 20 match rpki not-found set local-preference 100 ! route-map Customer-IN permit 30 match rpki valid set local-preference 200 ! route-map Customer-IN permit 40 29
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh RPKI in action... router bgp 58901 address-family ipv4 unicast neighbor 1.2.3.4 route-map Customer-IN in bgp bestpath prefix-validate allow-invalid ! route-map Customer-IN permit 10 match rpki invalid set local-preference 50 <- Low localpref on route if RPKI check is invalid (Remember: High localpref wins) ! route-map Customer-IN permit 20 match rpki not-found set local-preference 100 <- Mid level localpref on route is no ROA is present ! route-map Customer-IN permit 30 match rpki valid set local-preference 200 <- High localpref when RPKI check is valid and route is preferred ! route-map Customer-IN permit 40 30
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Easy way to check IRR as well as RPKI for prefixes... 31
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Check for IRR / RPKI ROA validation ● Hurricane Electric’s BGP toolkit (free web tool!) supports both IRR as well as RPKI checks. ● Simply go to bgp.he.net and search with network name or AS number or prefix and you will see the status of prefixes. ● G Reflects when correct matching route object exists. ● Reflects when parent route object exists (say for /17 or /21 etc when announcement is for /22). ● Reflects when there is a mismatch of route objects. ● Reflects when RPKI check is valid. ● Reflects when RPKI check is invalid. 32
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Check for IRR / RPKI ROA validation https://bgp.he.net/AS13335#_prefixes https://bgp.he.net/AS10075#_prefixes 33
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Check for IRR / RPKI ROA validation https://bgp.he.net/AS58601#_prefixes 34
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Stats for top 5 BD ASNs 35
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Contribute in the cleanup! 36
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh How can you contribute? ● If you maintain resources (IPv4, IPv6 or AS numbers) then ensure to register route objects for them in either of databases - database of your RIR (in Asia - do via My APNIC portal, in US - use ARIN portal). ● Create ROAs with your origin ASN and prefix length you intend to announce. ● Report all incorrect IRR entries you encounter to those registries to help them in removing old junk. ● If your provider has invalid route object or missing route object - suggest them to create one. ● DO NOT register route object on behalf of someone as a proxy entry as that has been a bad practice. ● If you have downstream ASNs behind you, register a AS SET. ● Register yourself on peeringdb.com portal and remember to mention your AS SET in the IRR section. 37
Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh References 1. Tier 1 Networks Wikipedia Page - https://en.wikipedia.org/wiki/Tier_1_network#List_of_Tier_1_networks 2. BGP Version 4 RFC - https://tools.ietf.org/html/rfc4271 3. Root DNS servers list/locations - https://root-servers.org/ 4. BGP in 2017 (APNIC Blog) - https://blog.apnic.net/2018/01/10/bgp-in-2017/ 5. RSPL - http://www.irr.net/docs/rpsl.html 6. bgpq3 - https://github.com/snar/bgpq3 7. Hurricane Electric’s route filtering algorithm - http://routing.he.net/algorithm.html 8. Google route filtering announcement NANOG75 - https://pc.nanog.org/static/published/meetings/NANOG75/1959/20190220_Morrow_Li ghtning_Talk_Prefix_v1.pdf 9. IRR (present one) - https://github.com/irrdnet/irrd 10. IRR v4 (in deveopment) - https://github.com/irrdnet/irrd4 11. AT&T drops RPKI invalid for peers - https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html 38
Questions/Comments? Anurag Bhatia, Hurricane Electric (AS6939) anurag@he.net Twitter: @anurag_bhatia Web: https://he.net

Recommended

Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressBangladesh Network Operators Group
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS FirewallBangladesh Network Operators Group
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
Tech f42
Tech f42Tech f42
Tech f42SelectedPresentations
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRBangladesh Network Operators Group
 

Recommended

Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressBangladesh Network Operators Group
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS FirewallBangladesh Network Operators Group
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
Tech f42
Tech f42Tech f42
Tech f42SelectedPresentations
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRBangladesh Network Operators Group
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBangladesh Network Operators Group
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyStephen Kho
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresPavel Odintsov
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...SolarWinds
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
Routing diff
Routing diffRouting diff
Routing diffBangladesh Network Operators Group
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshBangladesh Network Operators Group
 

More Related Content

What's hot

An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyStephen Kho
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresPavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...SolarWinds
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 

What's hot (20)

An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy Agency
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 

Similar to Let's talk about routing security, Anurag Bhatia, Hurricane Electric

LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...
【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...
【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...Ryuichi Yasunaga
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceSLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceAPNIC
 
768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?Dhiman Chowdhury
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationAndy Davidson
 
RPKI and Me
RPKI and MeRPKI and Me
RPKI and MeMyNOG
 
Rapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesRapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesAPNIC
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 

Similar to Let's talk about routing security, Anurag Bhatia, Hurricane Electric (20)

Routing diff
Routing diffRouting diff
Routing diff
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of BangladeshION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...
【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...
【English version】3GPP 5G Standalone Access Registration Call flow_Rev3.00_202...
 
SA call flow
SA call flowSA call flow
SA call flow
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
Secure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of BangladeshSecure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of Bangladesh
 
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceSLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
 
768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
 
RPKI and Me
RPKI and MeRPKI and Me
RPKI and Me
 
Rapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesRapid Detection of BGP Anomalies
Rapid Detection of BGP Anomalies
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 

Recently uploaded

On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 

Recently uploaded (20)

On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 

Let's talk about routing security, Anurag Bhatia, Hurricane Electric

  • 1. Let’s talk about routing security How secure is our routing infrastructure in 2019?
  • 2. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Fundamentals of global routing... 2
  • 3. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Internet - Network of ASNs... ● Internet is simply network of autonomous networks all connected together and speaking “BGP”. ● There are around 64k autonomous networks (known by their number called ASN) in IPv4 routing and 17k ASNs in IPv6 world. ● A set of around 15 networks stitch these ASNs together by forming a “default free / transit free zone” and essentially all ASNs in the world are direct/indirect customer of either of these ASNs. ● A large part of modern traffic flows from a limited set of ASNs (content networks) to eyeball networks via PNI’s and Internet Exchanges 3
  • 4. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Internet - Network of ASNs... 4
  • 5. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Internet - Network of ASNs...(+ DNS!) ● BGP ensures interconnection of networks and DNS ensures domain to IP mapping. ● DNS relies on set of 13 logical root DNS servers and practically as many as 980 instances across the world via anycast. ● These 13 root DNS addresses are hardcoded in DNS resolver software (like BIND, powerdns etc) and hence security of these 13 IPs is important. ● DNS resolver contacts either of 13 based on reply time and other factors in the resolution algorithm. 5
  • 6. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh So how “trust” in the BGP works? 6
  • 7. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Trust in the BGP... ● BGP supports filtering and networks can define in filter what they can accept or reject and the default action (accept/reject). ● Filters can be based on IP prefix, ASN or AS Path or other factors like BGP community. ● It’s quite easy to generate filters for networks near the edge but very hard as one goes near the core. ● Edge filtering - Filter the networks which connect to you based on static filter based on prefix and some other basic rules and full stop. ● Filtering beyond the edge - Allow prefixes of your downstream customer + their downstream + further their downstream and so on... 7
  • 8. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Trust in the BGP... As per research data by Mr Geoff Huston (Scientist at APNIC) average AS path length in IPv4 world is around 5.7 and hence for a case like AS 1 <- AS2 <- AS3 <- AS4 <- AS5 it’s very hard for AS1 to what to allow for AS4 (learnt via AS2). 8
  • 9. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Filtering chain... AS 1 AS 2 Upstream Provider Customer Provider I have 203.0.113.0/24! Accept 203.0.113.0/24 ip prefix-list Customer-AS2 permit 203.0.113.0/24 9
  • 10. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Filtering chain... AS 1 AS 2 I have 203.0.113.0/24! Accept 203.0.113.0/24 + 203.0.114.0/24 AS 3 I have 203.0.114.0/24! ip prefix-list Customer-AS2 permit 203.0.113.0/24 ip prefix-list Customer-AS2 permit 203.0.114.0/24 10
  • 11. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh How does filtering works at the “Internet scale” ? 11
  • 12. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - Internet Routing Registries ● IRRs are the public “registers” where one can log what they want to do and then just do it. ● IRRs use RPSL (Routing Policy Specific Language) to define “route object” where one defines prefix, origin AS, description etc and upstream can generate filters based on that. ● IRRs use “AS SETs” which define ASNs in a set (for instance a set of customer ASNs) and that is used to define customers ASNs. ● AS SETs can further have AS Sets of customer and that helps to generate downstream’s downstream’s downstream filter. 12
  • 13. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - Route Object Example whois -h whois.radb.net 216.218.128.0/17 route: 216.218.128.0/17 descr: Hurricane Electric 55 South Market St San Jose, CA origin: AS6939 notify: noc@he.net changed: noc@he.net 20170407 mnt-by: HE-NOC source: RADB 13
  • 14. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - Route Object Example whois -h whois.radb.net 216.218.128.0/17 route: 216.218.128.0/17 <- Prefix descr: Hurricane Electric 55 South Market St San Jose, CA origin: AS6939 <- Origin AS notify: noc@he.net changed: noc@he.net 20170407 mnt-by: HE-NOC source: RADB 14
  • 15. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - AS SET Example whois -h whois.radb.net AS-Google as-set: AS-GOOGLE descr: Google members: AS11344 members: AS13949 members: AS15169 members: AS15276 members: AS19425 members: AS22577 members: AS26910 members: AS36040 members: AS36384 members: AS36492 members: AS36561 members: AS394725 members: AS40873 members: AS41264 members: AS43515 members: AS55023 members: AS6432 members: AS19527 members: AS26684 members: AS395973 members: AS36039 members: AS24424 members: AS-GOOGLE-IT members: AS-MEEBO members: AS-METAWEB-2 mnt-by: MAINT-AS15169 changed: raybennett@google.com 20180614 #14:42:00Z source: RADB 15
  • 16. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh IRR - AS SET Example whois -h whois.radb.net AS-Google as-set: AS-GOOGLE <- Name of AS Set descr: Google members: AS11344 <- Member ASN in the AS SET members: AS13949 members: AS15169 members: AS15276 members: AS19425 members: AS22577 members: AS26910 members: AS36040 members: AS36384 members: AS36492 members: AS36561 members: AS394725 members: AS40873 members: AS41264 members: AS43515 members: AS55023 members: AS6432 members: AS19527 members: AS26684 members: AS395973 members: AS36039 members: AS24424 members: AS-GOOGLE-IT <- Member AS SET in the AS SET members: AS-MEEBO members: AS-METAWEB-2 mnt-by: MAINT-AS15169 changed: raybennett@google.com 20180614 #14:42:00Z source: RADB 16
  • 17. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh More on Internet Routing Registries ● There are as many as 25 IRRs and were created for different reasons historically. ● RIR (Regional Internet Registry) based RIRs like APNIC, ARIN are common across their member users. ● Non-for profit RADB used mostly by larger organisations, free option ALTDB (for general Internet). ● One can define which IRR one is using at the peeringdb e.g RADB::AS-HURRICANE for Hurricane Electric or APNIC::AS9498:AS-BHARTI-IN for Airtel. ● RADB mirrors all major IRRs and thus a query to RADB includes it’s own database as well as data of other mirrors IRRs. ● Most of filtering tools by default use RADB for generating filters. 17
  • 18. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Query to RADB... whois -h whois.radb.net 163.47.158.0/24 route: 163.47.158.0/24 origin: AS10075 descr: Fiber @ Home Limited House - 7/B, Road - 13, Gulshan - 1 mnt-by: MAINT-FIBERATHOME-BD last-modified: 2019-04-03T13:58:31Z source: APNIC 18
  • 19. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Query to RADB... whois -h whois.radb.net 163.47.158.0/24 route: 163.47.158.0/24 origin: AS10075 descr: Fiber @ Home Limited House - 7/B, Road - 13, Gulshan - 1 mnt-by: MAINT-FIBERATHOME-BD last-modified: 2019-04-03T13:58:31Z source: APNIC <- Shows the source database 19
  • 20. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh bgpq3 - Tool for generating filters ● Open source tool bgpq3 can be used for generating filters based on IRR. ● It supports syntax of Cisco, JunOS out of the box. ● It also supports generating filter list based on custom syntax of any given hardware. ● Supports JSON based output format. ● Includes supports for AS Path based filters as well as IPv6. ● Supports only generation of filters and one needs to have a mechanism to push these filters to the routers. 20
  • 21. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh bgpq3 - in action bgpq3 -l Anurag AS58901 -6 no ipv6 prefix-list Anurag ipv6 prefix-list Anurag permit 2402:b580::/32 ipv6 prefix-list Anurag permit 2402:b580:1::/48 ipv6 prefix-list Anurag permit 2402:b580:2::/48 ipv6 prefix-list Anurag permit 2402:b580:3::/48 bgpq3 -J -l Anurag AS58901 -6 policy-options { replace: prefix-list Anurag { 2402:b580::/32; 2402:b580:1::/48; 2402:b580:2::/48; 2402:b580:3::/48; } } 21
  • 22. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh bgpq3 - in action bgpq3 -l Anurag AS58901 -6 no ipv6 prefix-list Anurag ipv6 prefix-list Anurag permit 2402:b580::/32 ipv6 prefix-list Anurag permit 2402:b580:1::/48 ipv6 prefix-list Anurag permit 2402:b580:2::/48 <- Cisco iOS style syntax ipv6 prefix-list Anurag permit 2402:b580:3::/48 bgpq3 -J -l Anurag AS58901 -6 policy-options { replace: prefix-list Anurag { 2402:b580::/32; 2402:b580:1::/48; <- JunOS syntax 2402:b580:2::/48; 2402:b580:3::/48; } } 22
  • 23. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh It’s querying RADB and formatting whois -h whois.radb.net '!6as58901' A66 2402:b580:1::/48 2402:b580:3::/48 2402:b580:2::/48 2402:b580::/32 C More on this on RADB here: https://www.radb.net/query/help 23
  • 24. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh So how well IRR based filtering works? 24
  • 25. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh So how well IRR based filtering works? <- Not so well! 25
  • 26. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Filtering Statistics across the Internet ● There are as many as 758313 prefixes visible in global routing table (IPv4 + IPv6) ● Out of total routes: 603185 (79.54%) have valid route objects, 58587 (7.73%) have no valid route objects and 96514 (12.73%) have mismatching route object. ● Thus IRR based filtering can filter/blackhole 155101 routes or 20.45 of the total routes in the global table. 26
  • 27. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Challenges with IRR based filtering ● IRR is old and not very easy to integrate with the routers. ● There no one-solution-fits-all projects which can generate filters and push to all possible hardwares. (Things are much better off in route-servers run at the internet exchanges) ● IRRs by design are log books and whatever goes in there, usually stays in there. In other words they are full of old outdated route objects. ● The “software speaking to the routers & pushing config” isn’t very common across smaller networks. 27
  • 28. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Some of developments in routing security... ● Some larger networks including Hurricane Electric are now filtering over 98% peers (~25k BGP sessions) based on IRR. ● Google has announced to start filtering based on IRR by Sept 2019 (at NANOG 75). ● Internet Exchanges like BharatIX (in Mumbai), DECIX (in Frankfurt), INEX (in Dublin), Equinix IX Singapore etc are actively filtering prefixes based on IRR. ● RPKI is being pushed for to use cryptography to validate prefix origin and is supported in latest version of various vendors. For supported hardware, it’s very to implement in a route-map / routing-policy. ● RPKI is being integrated in next version of IRR (IRR 4) to ensure route objects cannot be created where ROA mismatch happens. ● AT&T has announced that it now drops prefixes where RPKI validation fails. 28
  • 29. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh RPKI in action... router bgp 58901 address-family ipv4 unicast neighbor 1.2.3.4 route-map Customer-IN in bgp bestpath prefix-validate allow-invalid ! route-map Customer-IN permit 10 match rpki invalid set local-preference 50 ! route-map Customer-IN permit 20 match rpki not-found set local-preference 100 ! route-map Customer-IN permit 30 match rpki valid set local-preference 200 ! route-map Customer-IN permit 40 29
  • 30. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh RPKI in action... router bgp 58901 address-family ipv4 unicast neighbor 1.2.3.4 route-map Customer-IN in bgp bestpath prefix-validate allow-invalid ! route-map Customer-IN permit 10 match rpki invalid set local-preference 50 <- Low localpref on route if RPKI check is invalid (Remember: High localpref wins) ! route-map Customer-IN permit 20 match rpki not-found set local-preference 100 <- Mid level localpref on route is no ROA is present ! route-map Customer-IN permit 30 match rpki valid set local-preference 200 <- High localpref when RPKI check is valid and route is preferred ! route-map Customer-IN permit 40 30
  • 31. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Easy way to check IRR as well as RPKI for prefixes... 31
  • 32. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Check for IRR / RPKI ROA validation ● Hurricane Electric’s BGP toolkit (free web tool!) supports both IRR as well as RPKI checks. ● Simply go to bgp.he.net and search with network name or AS number or prefix and you will see the status of prefixes. ● G Reflects when correct matching route object exists. ● Reflects when parent route object exists (say for /17 or /21 etc when announcement is for /22). ● Reflects when there is a mismatch of route objects. ● Reflects when RPKI check is valid. ● Reflects when RPKI check is invalid. 32
  • 33. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Check for IRR / RPKI ROA validation https://bgp.he.net/AS13335#_prefixes https://bgp.he.net/AS10075#_prefixes 33
  • 34. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Check for IRR / RPKI ROA validation https://bgp.he.net/AS58601#_prefixes 34
  • 35. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Stats for top 5 BD ASNs 35
  • 36. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh Contribute in the cleanup! 36
  • 37. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh How can you contribute? ● If you maintain resources (IPv4, IPv6 or AS numbers) then ensure to register route objects for them in either of databases - database of your RIR (in Asia - do via My APNIC portal, in US - use ARIN portal). ● Create ROAs with your origin ASN and prefix length you intend to announce. ● Report all incorrect IRR entries you encounter to those registries to help them in removing old junk. ● If your provider has invalid route object or missing route object - suggest them to create one. ● DO NOT register route object on behalf of someone as a proxy entry as that has been a bad practice. ● If you have downstream ASNs behind you, register a AS SET. ● Register yourself on peeringdb.com portal and remember to mention your AS SET in the IRR section. 37
  • 38. Anurag Bhatia - Hurricane Electric - Let’s talk about routing security - bdNOG 10 - Chittagong, Bangladesh References 1. Tier 1 Networks Wikipedia Page - https://en.wikipedia.org/wiki/Tier_1_network#List_of_Tier_1_networks 2. BGP Version 4 RFC - https://tools.ietf.org/html/rfc4271 3. Root DNS servers list/locations - https://root-servers.org/ 4. BGP in 2017 (APNIC Blog) - https://blog.apnic.net/2018/01/10/bgp-in-2017/ 5. RSPL - http://www.irr.net/docs/rpsl.html 6. bgpq3 - https://github.com/snar/bgpq3 7. Hurricane Electric’s route filtering algorithm - http://routing.he.net/algorithm.html 8. Google route filtering announcement NANOG75 - https://pc.nanog.org/static/published/meetings/NANOG75/1959/20190220_Morrow_Li ghtning_Talk_Prefix_v1.pdf 9. IRR (present one) - https://github.com/irrdnet/irrd 10. IRR v4 (in deveopment) - https://github.com/irrdnet/irrd4 11. AT&T drops RPKI invalid for peers - https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html 38
  • 39. Questions/Comments? Anurag Bhatia, Hurricane Electric (AS6939) anurag@he.net Twitter: @anurag_bhatia Web: https://he.net