SlideShare a Scribd company logo

PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less

APNIC
APNIC

APNIC Senior Resource Analyst/Technical Trainer Warren Finch presents on RPKI at PacNOG 32, held Nuku'alofa, Tonga on 1 December 2023.

Internet
1 of 20
Download to read offline
1 RPKI In 30 Minutes Or Less A short introduction to the technology and operations of Resource Public Key Infrastructure for Routing Security https://academy.apnic.net/
2 The Problem? • BGP since inception has not been secure. • Increasingly leakage of routes have caused outages. • These incidents are not always accidents. • Where to start? https://blog.apnic.net/2021/07/13/readthedocs/
4 4 Demo: BGP Hijack
5 5 Demo: BGP Hijack
6 IP Route Lookup R6 You R1 135536 R3 135538 61.45.248.0/22 R5 135540 61.45.248.0/22 135540 135538 135536 i R4 135539 R3 135538 61.45.248.0/24 61.45.248.0/24 135538 135539 i
7 7 RPKI • Resource Public Key Infrastructure • Real assignment data from the five (5) Regional Internet Registries • Attestation of the ORIGIN Autonomous System Number for internet addresses. • RSA Cryptography. https://blog.apnic.net/2020/04/21/rpki-and-trust-anchors/
8 Certificates, Authorities and Routes: OH MY! Key Concept 1: ROUTE ORIGIN AUTHORISATION https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/
9 9 Check ROA Progress https://observatory.manrs.org/#/overview
10 10 There is more to do … Key Concept 2: ROUTE ORIGIN VALIDATION https://rpki.readthedocs.io/en/latest/index.html#sec-rpki-ops
11 v1.0 11 Are ROAs enough? • What if I forge the origin AS in the AS path? q Would be accepted as good – pass origin validation! • Which means, we need to secure the AS path as well q AS path validation (per-prefix) • We can use RPKI certificates for this • What if the IP address (IP spoofing) is forged? q Requires other methods, like ingress filtering refer to BCP38
12 What is missing from Routing Security? Origins Pathways ASN to ASN RPKI ASPA BGPSEC https://www.rfc-editor.org/rfc/rfc8205.html https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/ https://www.rfc-editor.org/rfc/rfc8210
13 Deployment Considerations “The Basics” • RFC7115+RFC9319 / BCP185 • https://datatracker.ietf.org/doc/html/rfc7115 • https://datatracker.ietf.org/doc/html/rfc9319 “The Three” Distribution of RPKI data Network Placement Routing Policy https://www.google.com/search?q=rpki+deployment
14 14 Routing Policy? Photo by Markus Spiske on Unsplash
15 15 RPKI Uptake? Stats.Labs.APNIC.Net • RPKI RoV Drop-Invalid • RPKI ROA Publication Are your routes signed and have you started to drop invalid routes?
16 Which RFC to read? • Must read • Should read • May read https://rpki-rfc.routingsecurity.net
17 17 Source IP spoofing – Mitigation • BCP38 (RFC2827) – Since 1998! – https://tools.ietf.org/html/bcp38 • Only allow traffic with valid source addresses to – Leave your network • Only from your own address space – To enter/transit your network • Only from downstream customer address space
18 uRPF – Unicast Reverse Path • Modes of Operation (IOS): – Strict: verifies both source address and incoming interface with entries in the forwarding table – Loose: verifies existence of route to source address pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Forwarding Table: 2406:6400:100::/48 ge0/0 2406:6400:200::/48 fa0/0 pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
19 19 Enterprise B IP address block 10.2.1.0/24 RFC2827 (BCP38) – Ingress Filtering ISP A IP address block 10.0.0.0/8 Drop Source IP: 10.2.1.20 Source IP: 192.168.0.4 Source IP: 10.2.1.3
20 20 MANRS • Mutually Agreed Norms of Routing Security – An ISOC led initiative to implement industry best practices to ensure security of routing system • https://www.manrs.org/ – Inbound/outbound filtering – prefix/as-path – Source address validation – BCP38 – Coordination – correct & up to date contacts – Validation – ROAs/IRR objects
21 Discussion Questions and Answers Photo by Simone Secci on Unsplash

Recommended

HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
Bangladesh Network Operators Group
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC
 
IAA Life in Lockdown series: Securing Internet Routing
IAA Life in Lockdown series: Securing Internet RoutingIAA Life in Lockdown series: Securing Internet Routing
IAA Life in Lockdown series: Securing Internet Routing
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
 

Recommended

HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
Bangladesh Network Operators Group
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC
 
IAA Life in Lockdown series: Securing Internet Routing
IAA Life in Lockdown series: Securing Internet RoutingIAA Life in Lockdown series: Securing Internet Routing
IAA Life in Lockdown series: Securing Internet Routing
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
APNIC
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
APNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
APNIC
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
ThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route ValidityThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route Validity
APNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
Fakrul Alam
 
RPKI Introduction by Randy Bush
RPKI Introduction by Randy BushRPKI Introduction by Randy Bush
RPKI Introduction by Randy Bush
MyNOG
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
APNIC
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
NaveenLakshman
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
akg1330
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
APNIC
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
Bangladesh Network Operators Group
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
APNIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
APNIC
 
Deployment factors and Current status
Deployment factors and Current statusDeployment factors and Current status
Deployment factors and Current status
APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
APNIC
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
APNIC
 
RPKI
RPKIRPKI
RPKI
RIPE NCC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 

More Related Content

Similar to PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less

Similar to PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less (20)

RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
ThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route ValidityThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route Validity
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
RPKI Introduction by Randy Bush
RPKI Introduction by Randy BushRPKI Introduction by Randy Bush
RPKI Introduction by Randy Bush
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 
Deployment factors and Current status
Deployment factors and Current statusDeployment factors and Current status
Deployment factors and Current status
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
 
RPKI
RPKIRPKI
RPKI
 

More from APNIC

More from APNIC (20)

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 

Recently uploaded

一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
aagad
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 

Recently uploaded (12)

一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Stay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design TrendsStay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design Trends
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 

PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less

  • 1. 1 RPKI In 30 Minutes Or Less A short introduction to the technology and operations of Resource Public Key Infrastructure for Routing Security https://academy.apnic.net/
  • 2. 2 The Problem? • BGP since inception has not been secure. • Increasingly leakage of routes have caused outages. • These incidents are not always accidents. • Where to start? https://blog.apnic.net/2021/07/13/readthedocs/
  • 5. 6 IP Route Lookup R6 You R1 135536 R3 135538 61.45.248.0/22 R5 135540 61.45.248.0/22 135540 135538 135536 i R4 135539 R3 135538 61.45.248.0/24 61.45.248.0/24 135538 135539 i
  • 6. 7 7 RPKI • Resource Public Key Infrastructure • Real assignment data from the five (5) Regional Internet Registries • Attestation of the ORIGIN Autonomous System Number for internet addresses. • RSA Cryptography. https://blog.apnic.net/2020/04/21/rpki-and-trust-anchors/
  • 7. 8 Certificates, Authorities and Routes: OH MY! Key Concept 1: ROUTE ORIGIN AUTHORISATION https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/
  • 9. 10 10 There is more to do … Key Concept 2: ROUTE ORIGIN VALIDATION https://rpki.readthedocs.io/en/latest/index.html#sec-rpki-ops
  • 10. 11 v1.0 11 Are ROAs enough? • What if I forge the origin AS in the AS path? q Would be accepted as good – pass origin validation! • Which means, we need to secure the AS path as well q AS path validation (per-prefix) • We can use RPKI certificates for this • What if the IP address (IP spoofing) is forged? q Requires other methods, like ingress filtering refer to BCP38
  • 11. 12 What is missing from Routing Security? Origins Pathways ASN to ASN RPKI ASPA BGPSEC https://www.rfc-editor.org/rfc/rfc8205.html https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/ https://www.rfc-editor.org/rfc/rfc8210
  • 12. 13 Deployment Considerations “The Basics” • RFC7115+RFC9319 / BCP185 • https://datatracker.ietf.org/doc/html/rfc7115 • https://datatracker.ietf.org/doc/html/rfc9319 “The Three” Distribution of RPKI data Network Placement Routing Policy https://www.google.com/search?q=rpki+deployment
  • 14. 15 15 RPKI Uptake? Stats.Labs.APNIC.Net • RPKI RoV Drop-Invalid • RPKI ROA Publication Are your routes signed and have you started to drop invalid routes?
  • 15. 16 Which RFC to read? • Must read • Should read • May read https://rpki-rfc.routingsecurity.net
  • 16. 17 17 Source IP spoofing – Mitigation • BCP38 (RFC2827) – Since 1998! – https://tools.ietf.org/html/bcp38 • Only allow traffic with valid source addresses to – Leave your network • Only from your own address space – To enter/transit your network • Only from downstream customer address space
  • 17. 18 uRPF – Unicast Reverse Path • Modes of Operation (IOS): – Strict: verifies both source address and incoming interface with entries in the forwarding table – Loose: verifies existence of route to source address pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Forwarding Table: 2406:6400:100::/48 ge0/0 2406:6400:200::/48 fa0/0 pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
  • 18. 19 19 Enterprise B IP address block 10.2.1.0/24 RFC2827 (BCP38) – Ingress Filtering ISP A IP address block 10.0.0.0/8 Drop Source IP: 10.2.1.20 Source IP: 192.168.0.4 Source IP: 10.2.1.3
  • 19. 20 20 MANRS • Mutually Agreed Norms of Routing Security – An ISOC led initiative to implement industry best practices to ensure security of routing system • https://www.manrs.org/ – Inbound/outbound filtering – prefix/as-path – Source address validation – BCP38 – Coordination – correct & up to date contacts – Validation – ROAs/IRR objects