Resource Public Key Infrastructure (RPKI)
As part of bdNOG 2 Conference
11 November 2014
2014/11
Overview
•  Routing “incidents”
•  RPKI Technical Details
•  RPKI and BGPsec
•  Components and Implementation
•  Deployment Status in the RIRs
•  APNIC Resource Certification
Misdirection / Hijacking Incidents
•  YouTube Incident
–  Occurred 24 Feb 2008 (for about 2 hours)
–  Pakistan Telecom announced YT block
•  Google (AS15169) services downed
–  Occurred 5 Nov 2012 (for 30 minutes)
–  Moratel Indonesia (AS23947)
How frequently do these hijacking incidents happen?
How we address this…
•  A network should only originate its own prefix
–  How do we verify?
–  How do we avoid false advertisement?
•  A provider should filter the prefixes it propagates from customers
–  Check the legitimacy of address (LoA)
–  Transitive trust; BGP is a trust-based system
WHOIS DB – Legitimacy of Address
What is RPKI?
•  Resource Public Key Infrastructure (RPKI)
•  A robust security framework for verifying the association between resource holders and their Internet resources
•  Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols”
•  Helps to secure Internet routing by validating routes
–  Proof that prefix announcements are coming from the legitimate holder of the resource
RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012)
Benefits of RPKI - Routing
•  Prevents route hijacking
–  A prefix originated by an AS without authorization
–  Reason: malicious intent
•  Prevents mis-origination
–  A prefix that is mistakenly originated by an AS which does not own it
–  Also route leakage
–  Reason: configuration mistake / fat finger
BGP Security (BGPsec)
•  Extension to BGP that provides improved security for BGP routing
•  Currently an IETF Internet draft
•  Implemented via a new optional non-transitive BGP path attribute that contains a digital signature
•  Two things:
–  BGP Prefix Origin Validation (using RPKI)
–  BGP Path Validation
•  Similar efforts in the early days – IDR working group, S-BGP
“Right” to Resources
•  ISP gets its resources from the RIR
•  ISP notifies its upstream of the prefixes to be announced
•  Upstream must check the WHOIS database to see whether the resource has been delegated to the customer ISP
We need to be able to authoritatively prove who owns an IP prefix and what AS(s) may announce it.
RPKI Infrastructure
•  A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents
•  Main Components:
–  Certificate Authority (CA)
–  Relying Party (RP)
–  Routers with RPKI support
Issuing Party
•  Internet Registries (RIR, NIR, Large LIRs)
•  Acts as a Certificate Authority and issues certificates for
customers
•  Provides a web interface to issue ROAs for customer prefixes
•  Publishes the ROA records
[Diagram: MyAPNIC GUI → APNIC RPKI Engine → publication → Repository (rpki.apnic.net)]
Route Origin Authorization (ROA)
•  A digital object that contains a list of address prefixes and one AS number
•  It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements
•  Publish an ROA using MyAPNIC
X.509 Certificate with 3779 Extension
•  Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
•  Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate
•  SIA – Subject Information Access; contains a URI that references the directory
[Diagram: X.509 Certificate containing the RFC 3779 Extension, the SIA and the Owner's Public Key]
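The RFC 3779 extension on this slide carries the certificate's address blocks as IPAddressOrRange values: a prefix is a DER BIT STRING whose bit count is the prefix length, and a range is a SEQUENCE of two such strings whose min endpoint drops its trailing zero bits and whose max endpoint drops its trailing one bits. The Python below is an added example, not code from the slides, APNIC or any RPKI implementation; it encodes and decodes both forms following the rules of RFC 3779 section 2.1.1. It handles only the BIT STRING and SEQUENCE elements, not the enclosing IPAddrBlocks structure or the certificate itself, and the address-family numbers (1 = IPv4, 2 = IPv6) are the IANA values the extension uses.

```python
import ipaddress

# IANA address-family numbers: the first two octets of the RFC 3779 addressFamily field
AFI_IPV4, AFI_IPV6 = 1, 2
_TOTAL_BITS = {AFI_IPV4: 32, AFI_IPV6: 128}


def _trailing_zeros(value: int, total: int) -> int:
    return total if value == 0 else (value & -value).bit_length() - 1


def _der_bit_string(addr_int: int, nbits: int, total: int) -> bytes:
    """DER BIT STRING holding the most significant `nbits` of a `total`-bit address."""
    nbytes = (nbits + 7) // 8
    unused = nbytes * 8 - nbits
    kept = addr_int & ~((1 << (total - nbits)) - 1)        # DER: unused bits must be zero
    octets = kept.to_bytes(total // 8, "big")[:nbytes]
    content = bytes([unused]) + octets                      # at most 17 bytes: short-form length
    return b"\x03" + bytes([len(content)]) + content


def _parse_bit_string(der: bytes):
    """Return (octets, nbits, consumed) for a short-form DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03 or der[1] >= 0x80:
        raise ValueError("expected short-form DER BIT STRING")
    length = der[1]
    content = der[2:2 + length]
    if len(content) != length:
        raise ValueError("truncated BIT STRING")
    unused, octets = content[0], content[1:]
    if unused > 7 or (unused and not octets):
        raise ValueError("invalid unused-bits count")
    return octets, len(octets) * 8 - unused, 2 + length


def encode_prefix(network) -> bytes:
    """addressPrefix: only the prefix bits, so the BIT STRING length is the prefix length."""
    net = ipaddress.ip_network(network)
    return _der_bit_string(int(net.network_address), net.prefixlen, net.max_prefixlen)


def decode_prefix(der: bytes, afi: int):
    octets, plen, consumed = _parse_bit_string(der)
    total = _TOTAL_BITS[afi]
    if plen > total:
        raise ValueError("prefix longer than the address family allows")
    packed = octets + bytes(total // 8 - len(octets))       # omitted trailing bits are host bits
    cls = ipaddress.IPv4Network if afi == AFI_IPV4 else ipaddress.IPv6Network
    return cls((packed, plen)), consumed                    # strict: rejects non-zero host bits


def encode_range(first, last) -> bytes:
    """IPAddressRange ::= SEQUENCE { min IPAddress, max IPAddress }."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("endpoints must be ordered and in one address family")
    total = lo.max_prefixlen
    lo_int, hi_int, mask = int(lo), int(hi), (1 << total) - 1
    lo_bits = total - _trailing_zeros(lo_int, total)          # min: strip trailing 0 bits
    hi_bits = total - _trailing_zeros(~hi_int & mask, total)  # max: strip trailing 1 bits
    body = _der_bit_string(lo_int, lo_bits, total) + _der_bit_string(hi_int, hi_bits, total)
    return b"\x30" + bytes([len(body)]) + body


def decode_range(der: bytes, afi: int):
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or len(der) < 2 + der[1]:
        raise ValueError("expected short-form DER SEQUENCE")
    body = der[2:2 + der[1]]
    total = _TOTAL_BITS[afi]
    lo_octets, lo_bits, used = _parse_bit_string(body)
    hi_octets, hi_bits, used_hi = _parse_bit_string(body[used:])
    if used + used_hi != len(body) or max(lo_bits, hi_bits) > total:
        raise ValueError("malformed IPAddressRange")
    pad = total // 8
    lo = int.from_bytes(lo_octets + bytes(pad - len(lo_octets)), "big")
    # the stripped trailing bits of max were all ones: fill them back in
    hi = int.from_bytes(hi_octets + bytes(pad - len(hi_octets)), "big") | ((1 << (total - hi_bits)) - 1)
    cls = ipaddress.IPv4Address if afi == AFI_IPV4 else ipaddress.IPv6Address
    return cls(lo), cls(hi), 2 + len(body)


if __name__ == "__main__":
    print("10.64.0.0/12 ->", encode_prefix("10.64.0.0/12").hex())
    rng = encode_range("10.0.32.0", "10.0.64.255")
    print("10.0.32.0-10.0.64.255 ->", rng.hex())
    print("decoded ->", decode_range(rng, AFI_IPV4)[:2])
```

The decoder is deliberately strict: a BIT STRING with a non-zero unused-bits count but no octets, a prefix longer than the address family allows, or a prefix with host bits set (caught by the strict network constructor) are all rejected rather than silently normalised, since a relying party that accepts malformed resource extensions would certify address space the issuer never delegated.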
Relying Party (RP)
[Diagram: the RP cache gathers from the IANA, APNIC, RIPE and LIR repositories into a validated cache, which is delivered to routers over the RPKI-Rtr protocol; rpki.ripe.net is shown as an example]
Software which gathers data from CAs
Also called RP cache or validator
RPKI Components
[Diagram: Trust Anchors above the APNIC RPKI Engine (MyAPNIC GUI, publication to rpki.apnic.net) and the RP cache, which feeds routers over the RPKI-Rtr protocol; labels shown: ca0.rpki.net, rpki.ripe.net]
Router Origin Validation
•  Router must support RPKI
•  Checks an RP cache / validator
•  Validation returns 3 states:
–  Valid = when authorization is found for prefix X
–  Invalid = when authorization is found for prefix X but not from ASN Y
–  Unknown = when no authorization data is found
•  Vendor support:
–  Cisco IOS – solid in 15.2
–  Cisco IOS/XR – shipped in 4.3.2
–  Juniper – shipped in 12.2
–  Alcatel Lucent – in development
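The Relying Party slides above describe the RP cache delivering validated ROA data to routers over the RPKI-Rtr protocol, and this slide lists the three states origin validation returns. The Python below is an added example, not code from the slides, APNIC or any router vendor: it decodes a constructed rpki-rtr version 0 (RFC 6810) cache-to-router byte stream into a set of validated ROA payloads (VRPs) and then applies the RFC 6811 origin validation procedure to sample routes. It goes slightly beyond the slide's wording by honouring the ROA maxLength, which RFC 6811 requires (a route more specific than the ROA permits is Invalid even from the right AS), and it uses the RFC's name NotFound for the state the slide calls Unknown. The PDU layouts are those of RFC 6810; every prefix and AS number in the sample is a documentation value constructed here, not a real ROA.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Set, Tuple, Union

# rpki-rtr protocol version 0 (RFC 6810) PDU types handled here
PDU_CACHE_RESPONSE = 3
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
PDU_END_OF_DATA = 7
FLAG_ANNOUNCE = 0x01          # flags bit 0: 1 = announce, 0 = withdraw

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin AS) tuple taken from a ROA."""
    prefix: Network
    max_length: int
    asn: int


def parse_rtr_stream(data: bytes) -> Tuple[Set[VRP], int]:
    """Decode a Cache Response ... End Of Data exchange into the VRP set and serial it carries."""
    vrps: Set[VRP] = set()
    serial = None
    off = 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated PDU header")
        version, pdu_type, _session, length = struct.unpack_from("!BBHI", data, off)
        if version != 0:
            raise ValueError(f"unsupported rpki-rtr version {version}")
        if length < 8 or off + length > len(data):
            raise ValueError("PDU length does not match stream")
        body = data[off + 8:off + length]
        if pdu_type in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            addr_len = 4 if pdu_type == PDU_IPV4_PREFIX else 16
            if len(body) != 4 + addr_len + 4:
                raise ValueError("prefix PDU has wrong length")
            flags, plen, maxlen = body[0], body[1], body[2]          # body[3] is a zero octet
            prefix = ipaddress.ip_network((body[4:4 + addr_len], plen))
            asn = struct.unpack("!I", body[4 + addr_len:])[0]
            if not plen <= maxlen <= prefix.max_prefixlen:
                raise ValueError("maxLength outside prefix length .. address size")
            vrp = VRP(prefix, maxlen, asn)
            if flags & FLAG_ANNOUNCE:
                vrps.add(vrp)
            else:
                vrps.discard(vrp)                                    # withdrawal from the cache
        elif pdu_type == PDU_END_OF_DATA:
            serial = struct.unpack("!I", body[:4])[0]
        elif pdu_type != PDU_CACHE_RESPONSE:
            raise ValueError(f"unexpected PDU type {pdu_type}")
        off += length
    if serial is None:
        raise ValueError("stream ended without End Of Data")
    return vrps, serial


def validate_origin(route_prefix: str, origin_asn: int, vrps: Set[VRP]) -> str:
    """RFC 6811 route origin validation: Valid, Invalid or NotFound (the slide's Unknown)."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"            # no ROA says anything about this address space
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"                 # covered by a ROA, but wrong origin AS or too specific


def _hdr(pdu_type: int, length: int, session_id: int = 0) -> bytes:
    return struct.pack("!BBHI", 0, pdu_type, session_id, length)


def _prefix_pdu(flags: int, prefix: str, max_length: int, asn: int) -> bytes:
    net = ipaddress.ip_network(prefix)
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    body = (struct.pack("!BBBB", flags, net.prefixlen, max_length, 0)
            + net.network_address.packed + struct.pack("!I", asn))
    return _hdr(pdu_type, 8 + len(body)) + body


# Constructed sample exchange: documentation prefixes (RFC 5737, RFC 3849) and
# documentation AS numbers (RFC 5398); these are not real ROAs.
SAMPLE_STREAM = (
    _hdr(PDU_CACHE_RESPONSE, 8, session_id=0x1234)
    + _prefix_pdu(FLAG_ANNOUNCE, "192.0.2.0/24", 24, 64496)
    + _prefix_pdu(FLAG_ANNOUNCE, "198.51.100.0/22", 24, 64497)
    + _prefix_pdu(FLAG_ANNOUNCE, "2001:db8::/32", 48, 64496)
    + _prefix_pdu(FLAG_ANNOUNCE, "203.0.113.0/24", 24, 64511)
    + _prefix_pdu(0, "203.0.113.0/24", 24, 64511)          # later withdrawn by the cache
    + _hdr(PDU_END_OF_DATA, 12, session_id=0x1234) + struct.pack("!I", 42)
)


def validate_sample_routes():
    vrps, serial = parse_rtr_stream(SAMPLE_STREAM)
    routes = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500), ("198.51.100.0/24", 64497),
              ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64511), ("2001:db8:1::/48", 64496),
              ("2001:db8:1::/56", 64496), ("10.0.0.0/8", 64496)]
    return serial, {(p, a): validate_origin(p, a, vrps) for p, a in routes}


if __name__ == "__main__":
    serial, results = validate_sample_routes()
    print(f"cache serial {serial}")
    for (prefix, asn), state in results.items():
        print(f"{prefix:20} AS{asn:<6} {state}")
```

The parser rejects a prefix PDU whose maxLength is smaller than the prefix length or larger than the address size, and refuses a stream that never reaches End Of Data, because a router that acted on a half-delivered or malformed VRP set could mark legitimate routes Invalid; a real implementation would also track the session ID and serial across incremental updates, which this example keeps to a single full exchange.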
RIR Statistics
Ref: http://rpki.surfnet.nl/perrir.html
Based on RIS Database dumps from RIPE-NCC
RPKI Monitor
Ref: NIST RPKI Monitor
APNIC RPKI Service
•  Enhancement to the RIRs
–  Offers verifiable proof of resource holdings
•  Resource certification is an opt-in service
–  Resource holders choose to request a certificate and provide their public key to be certified
•  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use
What you need to know
•  You are encouraged to experiment, test, play and develop
•  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile
•  It’s ready for testing and prototyping, but is probably not ready for production use just yet
•  Please tell us what you find but don’t rely on it in your network yet
What You Can Do Now?
•  Create ROA records in MyAPNIC
•  Build an RP cache
•  Configure your router to use the cache (or a public one)
•  Create BGP policies
Best to do it in a test environment for now! ☺
Build an RP Cache
•  Download and install from rpki.net
–  Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages
The RP cache has a web interface
Configure Router to Use Cache
router bgp 651nn
 …
 bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
 …
RPKI Lab – Randy Bush
BGP Table
r0.sea#sh ip bgp
   Network           Next Hop         Metric LocPrf Weight Path
* i I198.180.150.0   144.232.9.61            100      0 1239 3927 i
*> I                 199.238.113.9                    0 2914 3927 i
*  I                 129.250.11.41                    0 2914 3927 i
*> V198.180.152.0    199.238.113.9                    0 2914 4128 i
*  V                 129.250.11.41                    0 2914 4128 i
*> N198.180.155.0    199.238.113.9                    0 2914 22773 i
*  N                 129.250.11.41                    0 2914 22773 i
*> N198.180.160.0    199.238.113.9                    0 2914 23308 13408 5752 i
*  N                 129.250.11.41                    0 2914 23308 13408 5752 i
More References
•  Securing BGP
–  The Internet Protocol Journal, Volume 14, No. 2
•  An Infrastructure to Support Secure Internet Routing
–  RFC6480
•  A Reappraisal of Validation in the RPKI
–  Labs.apnic.net/blabs
•  An Introduction to Routing Security (and RPKI Tools)
•  MyAPNIC Resource Certification Guide
Questions
THANK YOU
www.facebook.com/APNIC
www.twitter.com/apnic
www.youtube.com/apnicmultimedia
www.flickr.com/apnic
www.weibo.com/APNICrir

IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Recently uploaded

How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 

Recently uploaded (12)

How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 

Resource Public Key Infrastructure (RPKI)

1. Title
Resource Public Key Infrastructure (RPKI)
As part of bdNOG 2 Conference
Issue Date: 11 November 2014
Revision: 2014/11

2. Overview
•  Routing “incidents”
•  RPKI Technical Details
•  RPKI and BGPsec
•  Components and Implementation
•  Deployment Status in the RIRs
•  APNIC Resource Certification

3. Misdirection / Hijacking Incidents
•  YouTube Incident
–  Occurred 24 Feb 2008 (for about 2 hours)
–  Pakistan Telecom announced YT block
•  Google (AS15169) services downed
–  Occurred 5 Nov 2012 (for 30 minutes)
–  Moratel Indonesia (AS23947)
How frequently do these hijacking incidents happen?

4. How we address this…
•  A network should only originate its own prefixes
–  How do we verify?
–  How do we avoid false advertisement?
•  A provider should filter the prefixes it propagates from customers
–  Check the legitimacy of address (LoA)
–  Transitive trust; BGP is a trust-based system

5. WHOIS DB – Legitimacy of Address

6. What is RPKI?
•  Resource Public Key Infrastructure (RPKI)
•  A robust security framework for verifying the association between a resource holder and their Internet resources
•  Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols”
•  Helps to secure Internet routing by validating routes
–  Proof that prefix announcements are coming from the legitimate holder of the resource
RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012)

7. Benefits of RPKI – Routing
•  Prevents route hijacking
–  A prefix originated by an AS without authorization
–  Reason: malicious intent
•  Prevents mis-origination
–  A prefix that is mistakenly originated by an AS which does not own it
–  Also route leakage
–  Reason: configuration mistake / fat finger

8. BGP Security (BGPsec)
•  Extension to BGP that provides improved security for BGP routing
•  Currently an IETF Internet draft
•  Implemented via a new optional non-transitive BGP path attribute that contains a digital signature
•  Two things:
–  BGP Prefix Origin Validation (using RPKI)
–  BGP Path Validation
•  Similar efforts in the early days – IDR working group, S-BGP

9. “Right” to Resources
•  ISP gets their resources from the RIR
•  ISP notifies its upstream of the prefixes to be announced
•  Upstream must check the WHOIS database to confirm the resource has been delegated to the customer ISP
We need to be able to authoritatively prove who owns an IP prefix and what AS(s) may announce it.

10. RPKI Infrastructure
•  A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents
•  Main Components:
–  Certificate Authority (CA)
–  Relying Party (RP)
–  Routers with RPKI support

11. Issuing Party
•  Internet Registries (RIR, NIR, Large LIRs)
•  Acts as a Certificate Authority and issues certificates for customers
•  Provides a web interface to issue ROAs for customer prefixes
•  Publishes the ROA records
(Diagram: MyAPNIC GUI → APNIC RPKI Engine → publication → Repository, rpki.apnic.net)

12. Route Origin Authorization (ROA)
•  A digital object that contains a list of address prefixes and one AS number
•  It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements
•  Publish an ROA using MyAPNIC

13. X.509 Certificate with 3779 Extension
•  Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
•  Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate
•  SIA – Subject Information Access; contains a URI that references the directory
(Diagram: X.509 Certificate → RFC 3779 Extension → SIA → Owner's Public Key)

14. Relying Party (RP)
•  Software which gathers data from CAs
•  Also called RP cache or validator
(Diagram: IANA Repo, APNIC Repo, RIPE Repo, LIR Repos → RP Cache (gather) → Validated Cache → routers via the RPKI-Rtr Protocol; example: rpki.ripe.net)

16. Router Origin Validation
•  Router must support RPKI
•  Checks an RP cache / validator
•  Validation returns 3 states:
–  Valid = when authorization is found for prefix X
–  Invalid = when authorization is found for prefix X but not from ASN Y
–  Unknown = when no authorization data is found
•  Vendor support:
–  Cisco IOS – solid in 15.2
–  Cisco IOS/XR – shipped in 4.3.2
–  Juniper – shipped in 12.2
–  Alcatel Lucent – in development

19. APNIC RPKI Service
•  Enhancement to the RIRs
–  Offers verifiable proof of resource holdings
•  Resource certification is an opt-in service
–  Resource holders choose to request a certificate and provide their public key to be certified
•  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use

20. What you need to know
•  You are encouraged to experiment, test, play and develop
•  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile
•  It’s ready for testing and prototyping, but is probably not ready for production use just yet
•  Please tell us what you find, but don’t rely on it in your network yet

21. What You Can Do Now?
•  Create ROA records in MyAPNIC
•  Build an RP cache
•  Configure your router to use the cache (or a public one)
•  Create BGP policies
Best to do it in a test environment for now! ☺

22. Build an RP Cache
•  Download and install from rpki.net
–  Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages
The RP cache has a web interface

23. Configure Router to Use Cache
    router bgp 651nn
     …
     bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
     bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
     …
(RPKI Lab – Randy Bush)

24. BGP Table
    r0.sea#sh ip bgp
       Network          Next Hop        Metric LocPrf Weight Path
    * i I198.180.150.0  144.232.9.61              100      0 1239 3927 i
    *> I                199.238.113.9                      0 2914 3927 i
    *  I                129.250.11.41                      0 2914 3927 i
    *> V198.180.152.0   199.238.113.9                      0 2914 4128 i
    *  V                129.250.11.41                      0 2914 4128 i
    *> N198.180.155.0   199.238.113.9                      0 2914 22773 i
    *  N                129.250.11.41                      0 2914 22773 i
    *> N198.180.160.0   199.238.113.9                      0 2914 23308 13408 5752 i
    *  N                129.250.11.41                      0 2914 23308 13408 5752 i
(RPKI Lab – Randy Bush)
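An added example (not from the slides or Randy Bush's lab) of the logic behind slides 12, 16 and 24: a ROA is flattened into (prefix, maxLength, origin AS) payloads as an RP cache would hand them to a router, and a received route is checked against them following RFC 6811, which also applies the ROA maxLength field the slides do not mention. The ROA contents, routes and AS numbers below are constructed from documentation ranges and private ASNs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Letters the lab router prints in front of each prefix in `show ip bgp`
STATE_FLAG = {"valid": "V", "invalid": "I", "unknown": "N"}


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: a list of prefixes and exactly one origin AS.
    Each prefix carries an optional maxLength (RFC 6482); None means 'exact length only'."""
    asn: int
    prefixes: Tuple[Tuple[str, Optional[int]], ...]


def roa_to_vrps(roa: ROA):
    """Flatten a ROA into Validated ROA Payloads (network, maxLength, ASN),
    the form a validator / RP cache delivers to routers over RPKI-Rtr."""
    vrps = []
    for prefix, max_len in roa.prefixes:
        net = ipaddress.ip_network(prefix)
        vrps.append((net, net.prefixlen if max_len is None else max_len, roa.asn))
    return vrps


def validate_origin(route_prefix: str, origin_asn: int, vrps) -> str:
    """RFC 6811 route origin validation, returning the three states of slide 16:
    unknown : no VRP covers the route prefix (router flag N)
    valid   : a covering VRP carries the route's origin AS and the route is no
              more specific than that VRP's maxLength (flag V)
    invalid : covered, but no VRP matches AS and length: hijack or mis-origination (flag I)"""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps
                if v[0].version == route.version and route.subnet_of(v[0])]
    if not covering:
        return "unknown"
    for _net, max_len, asn in covering:
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid"


# Constructed sample ROA (hypothetical holder AS64500): 192.0.2.0/24 exactly,
# and 2001:db8::/32 with announcements allowed down to /48.
SAMPLE_VRPS = roa_to_vrps(ROA(asn=64500, prefixes=(("192.0.2.0/24", None),
                                                    ("2001:db8::/32", 48))))

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64501),
                        ("192.0.2.0/25", 64500), ("2001:db8:1::/48", 64500),
                        ("2001:db8:1::/64", 64500), ("198.51.100.0/24", 64500)]:
        state = validate_origin(prefix, asn, SAMPLE_VRPS)
        print(f"{STATE_FLAG[state]} {prefix:18} AS{asn} -> {state}")
```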
25. More References
•  Securing BGP
–  The Internet Protocol Journal, Volume 14, No. 2
•  An Infrastructure to Support Secure Internet Routing
–  RFC 6480
•  A Reappraisal of Validation in the RPKI
–  labs.apnic.net/blabs
•  An Introduction to Routing Security (and RPKI Tools)
•  MyAPNIC Resource Certification Guide