Community tools to fight against DDoS, SANOG 27 (APNIC)
Community tools can help fight DDoS attacks in three ways:
1. Bogon filtering blocks traffic from bogon address space not assigned to any network. Networks share bogon lists and filter incoming routes.
2. Flow Sonar provides visual network traffic analysis to detect anomalies indicating attacks. It incorporates DDoS alert feeds to identify compromised sources.
3. UTRS implements remote triggered blackhole filtering to divert suspected attack traffic to a null route. Cooperating networks distribute and apply attack filters to mitigate large infrastructure attacks.
APNIC deployed IPv6 across its network and services over several years using the following approach:
1) APNIC initially used its IPv6 allocation of 2001:DC0:2000::/35 and split it into /48 and /64 subnets for its network. It configured IPv6 routing and DNS services for these subnets.
2) APNIC then deployed IPv6 for its critical services like DNS, web, FTP, mail, and load balancing. This included configuring IPv6 addresses and enabling IPv6 protocols for these services.
3) APNIC later added anycast instances of its DNS services and regional whois service using cloud providers to improve availability. Lessons learned included testing services thoroughly before deployment and monitoring
APNIC Senior Internet Resource Analyst Elly Tawhai gives an update on some of APNIC's new initiatives at NZNOG 2020 in Christchurch, New Zealand, from 28 to 31 January 2020.
BGP: What's so special about the number 512? (Geoff Huston)
It was reported that parts of the Internet crashed when the number of routes in the Internet's Inter-domain routing table (BGP) exceeded 512K routes. This presentation looks at the growth of the Internet's routing table and how this correlates to the capacity and speed of memory in hardware routers.
This document provides an overview of network state awareness and troubleshooting techniques. The agenda covers troubleshooting methodology, packet forwarding review, active and passive monitoring, quality of service, control plane, and routing protocol stability. It distinguishes between the control plane, which creates routing information based on aggregated data, and the data plane, which makes forwarding decisions based on packet details. Various troubleshooting tools are discussed like traceroute, interface statistics, NetFlow, and performance monitoring to analyze the network from the data plane perspective.
- 22% of visible DNS resolvers are capable of making IPv6 queries, but 35% of DNS queries are actually passed to these resolvers, indicating more widespread IPv6 support.
- The top IPv6-capable resolvers are operated by companies like Google, AT&T, and Comcast, serving over 60% of queries.
- IPv6 DNS responses have a high success rate (96%) when response sizes are kept below the typical 1500 byte MTU to avoid fragmentation issues.
BSides: BGP Hijacking and Secure Internet Routing (APNIC)
The document provides an introduction to internet routing, BGP hijacking, and the Resource Public Key Infrastructure (RPKI) system for securing internet routing. It discusses how BGP works and how hijacks can occur when more specific routes are announced. The document then summarizes the RPKI framework for validating route origins using Route Origin Authorizations (ROAs) and filtering routes based on their validation state. It provides examples of implementing RPKI on routers to help secure internet routing.
Rolling the Root Zone DNSSEC Key Signing Key, by Edward Lewis.
A presentation given at APNIC 42's DNS and INR Security session on Monday, 3 October 2016.
RPKI (Resource Public Key Infrastructure) (Fakrul Alam)
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP Addresses) to a trust anchor. (wikipedia)
This document summarizes the results of measuring IPv6 performance by embedding scripts in online ads. IPv6 connections were found to be about as fast as IPv4 connections, with IPv6 being faster around half the time and within 10ms of IPv4 for most connections. However, IPv6 connections were also found to be less reliable, with an average failure rate of 1.5% compared to 0.2% for IPv4. While speeds are generally comparable once established, the higher failure rate of IPv6 connections means IPv4 still has an advantage in reliability of initial connections.
The Next Generation Internet Number Registry Services (MyNOG)
This document provides an overview of registry services, including the Registration Data Access Protocol (RDAP) and the Resource Public Key Infrastructure (RPKI). RDAP is designed to replace the aging WHOIS protocol by providing structured query and response formats to enable automation. RDAP also supports access control, internationalization, redirection and extensibility. RPKI is a PKI framework that adds Internet number resource information to certificates to cryptographically validate resource ownership and authorization of routing announcements. It enables applications like route origin validation to secure the routing system. The document discusses how RDAP and RPKI work and provide benefits like improved security, automation and verification of registry data.
Welcome to the APNIC Member Gathering, Mongolia (APNIC)
Services Director George Kuo presents on IPv6 deployment in the region, IPv6 in broadband networks, getting more IPv4 address space, APNIC whois data quality, and routing security at a Member Gathering in Mongolia from 13 to 14 June 2017.
The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
CommunicAsia 2017: IPv6 deployment architecture for IoT (APNIC)
APNIC Training and Technical Assistance Manager Nurul Islam discusses the design options for IPv6 in a broadband access network and the impact that IoT will have on this in order to support future growth at CommunicAsia 2017.
This document discusses IPv6 deployment in cellular networks. It notes the need to support IPv6 due to IPv4 address exhaustion and increasing number of devices and addresses per device. Dual-stack is presented as the best solution, but alternatives like IPv6-only with NAT64 are also discussed. NAT64 allows IPv6-only clients to access IPv4 content by translating IPv6 to IPv4, though it has limitations. 464XLAT provides a more robust transition technology that works better with applications using literal IPv4 addresses. The document reviews performance and deployment considerations for various IPv6 transition technologies in cellular networks.
DIY Netflow Data Analytic with ELK Stack by CL Lee (MyNOG)
This document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze netflow data. It describes IP ServerOne's infrastructure managing over 5000 servers across multiple data centers. Netflow data is collected and sent to Logstash for processing, then stored in Elasticsearch for querying and visualization in Kibana. Examples are given of how the data can be used, such as identifying top talkers, traffic profiling by ASN, and troubleshooting with IP conversation history. The ELK stack is concluded to be a powerful yet not difficult tool for analyzing netflow traffic.
IPv6 deployment architecture for broadband access networks (APNIC)
At CommunicAsia 2016, Training and Technical Assistance Manager Nurul Islam discussed the design option for IPv6 in a broadband access network and the impact that IoT will have on this in order to support future growth.
32nd TWNIC IP OPM: ROA+ROV deployment & industry development (APNIC)
APNIC Infrastructure & Development Director Che-Hoo Cheng gives a presentation on ROA and ROV deployment and why routing security is becoming more important than ever at the 32nd TWNIC IP OPM in Taipei from 20 to 21 June 2019.
This document discusses IPv4 transfers and the Resource Public Key Infrastructure (RPKI). It provides information on who can transfer IPv4 addresses between APNIC members and other RIRs, and shows statistics on IPv4 transfers from Singapore. It describes what RPKI is and how it helps secure internet routing by validating routes. It provides instructions on how to create Route Origin Authorization (ROA) objects in MyAPNIC to participate in RPKI and the benefits of maintaining ROAs. Statistics on ROA adoption in several Asian countries are also presented, along with an example of a successful ROA deployment campaign in Bangladesh.
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne... (APNIC)
APNIC Director General Paul Wilson gives a presentation on the latest developments in IP address registry services, and their importance to Internet stability and security, at the ICANN APAC-TWNIC Engagement Forum in Taipei, Taiwan from 16 to 17 April 2019.
The document discusses trust anchors and public key infrastructure (PKI) in the context of the Resource Public Key Infrastructure (RPKI). It presents several models for establishing trust anchors for the RPKI, including:
1) A single IANA-issued trust anchor with subordinate certificates issued by each Regional Internet Registry (RIR) matching their number resource allocations. This would not support transferred resources.
2) An interim APNIC trust anchor structure containing self-signed certificates from each RIR to allow migration to a single IANA trust anchor.
3) Individual per-RIR self-signed trust anchors, a simpler interim model but requiring more work to transition to a single IANA trust anchor.
This document summarizes a panel discussion on RPKI deployment. The panel discussed various RPKI deployment models including using public and local cache servers, deploying RPKI in IXPs and with route reflectors, and integrating RPKI with IRR systems. The panel also addressed common issues that can arise with RPKI such as customers claiming their prefixes are announced by other ASNs, addressing route leaks, and using RPKI information to mitigate DDoS attacks. Next steps discussed included improving internationalization support, providing feedback to developers, and launching an RPKI pilot service.
Michael Appelby: Why the protection of information is critical for our society
http://www.infinit.dk/dk/nyheder-og-reportager/cyber-security-4-0-reportage.htm
Industrial Cybersecurity and Critical Infrastructure Protection in Europe (Positive Hack Days)
This document provides an overview of critical infrastructure protection in Europe presented by Ignacio Paredes of the Industrial Cybersecurity Center. It discusses the convergence of physical and cyber worlds and how industrial control systems have become interconnected over TCP/IP and use general purpose operating systems. This has introduced cybersecurity challenges to operational technology environments. The document reviews cyber attacks on critical infrastructure like Stuxnet and Shamoon and regulations around critical infrastructure protection in the US and EU. It argues that identifying and prioritizing critical infrastructure is important but questions who will pay for protection and whether regulations have led to minimum compliance over real protection.
Symantec 2010 Critical Information Infrastructure Protection (CIP) Survey found, among other things, that 53 percent of critical infrastructure providers report that their networks have experienced what they perceived as politically motivated cyber attacks. Participants claimed to have experienced such an attack on an average of 10 times in the past five years, incurring an average cost of $850,000 during a period of five years to their businesses.
The document discusses securing internet routing through the use of Routing Policy Specification Language (RPSL) and the Resource Public Key Infrastructure (RPKI). It provides an overview of BGP routing, describes common routing incidents, and explains how RPSL objects like autonomous systems, IP addresses, contacts, and maintainers can be used to define routing policies and authorize changes. It also covers how RPKI allows origin validation through digital signatures to prevent prefix hijacking.
RPKI is one of the newest technologies securing inter-domain routing. This presentation explores how ISPs in Bangladesh are adopting this solution and what the status of RPKI deployment is.
RPKI is a system that provides validation of IP address and AS number ownership through the use of digital certificates. It aims to reduce routing leaks and hijacking by allowing routers to verify that the origin AS of a route matches what is published in the RPKI database. The key components of RPKI are trust anchors maintained by Regional Internet Registries, Route Origin Authorizations (ROA) that are published by network operators, and validators that check BGP routes against the ROA database.
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro... (akg1330)
RPKI is a relatively new technology that permits origin validation for IP prefixes. This is an important step towards securing the global routing infrastructure.
Presentation given during Firetalks at ShmooCon 2015:
http://youtu.be/oa8T5HLtY8I
RPKI deployment status in Bangladesh is still developing, with an adoption rate of around 4.67% currently. While over 70% of Bangladeshi prefixes are valid according to RPKI, about 3.42% are invalid and 1.25% are unknown. More work is needed to fully deploy RPKI and ensure all announced prefixes are valid. RPKI adoption is still low compared to IPv6 deployment rates in Bangladesh. Monitoring tools show some invalid prefixes still being announced from Bangladeshi networks.
Senior Training Officer, Sheryl (Shane) Hermoso, outlines the importance of securing Internet routing to prevent route hijacking and prefix mis-origination with RPKI at the recent VNIX/NOG event in Ha Noi in November 2016.
The document provides an overview of the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents like hijacking and misdirection. It discusses how RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that an Autonomous System is authorized to originate routes for specific IP address blocks. The key components of RPKI include Certificate Authorities, Relying Parties, and routers configured with RPKI support to filter routes based on validation of origin AS authorization. Deployment status at the Regional Internet Registries and an APNIC RPKI service are also covered.
Introduction to RPKI by Sheryl (Shane) Hermoso (MyNOG)
The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
Global routing validation involves facilitating the validation of routing information on a global scale through two main systems - the Internet Routing Registries (IRR) and the Resource Public Key Infrastructure (RPKI). Routing information such as routing policies, autonomous system numbers, and IP prefixes should be publicly available in a common format to allow for global validation. The RPKI system uses digital certificates to authoritatively associate network resources like IP addresses and autonomous system numbers to their legitimate owners and allows identification of which autonomous systems have permission to originate those addresses. Implementing RPKI and origin validation helps secure routing and prevent route hijacking.
This document provides an introduction to BGP routing security and the Resource Public Key Infrastructure (RPKI). It explains that RPKI ties IP addresses and autonomous system numbers (ASNs) to public keys to validate route origination. It details how RPKI uses certificates signed by regional internet registries to establish a chain of trust from root certificates to route origin authorization (ROA) files created by network operators. It also discusses tools for validating ROAs and using the results to make routing decisions, as well as ongoing efforts to fully validate the security of inter-domain routing.
APNIC Network Operations Engineer and Senior Training Officer Sheryl Hermoso gives an update on ROA and RPKI deployment in the Philippines at PhNOG 2020 in Manila, Philippines, on 24 February 2020.
AFRINIC Presentation - Resource certification by Amreesh Phokeer (AFRINIC)
This document discusses Resource Public Key Infrastructure (RPKI) and resource certification. RPKI aims to secure Internet routing by verifying which autonomous systems (AS) are authorized to originate which IP address prefixes. It does this through origin validation using X.509 certificates and Route Origin Authorizations (ROAs). The document outlines how regional Internet registries (RIRs) like AFRINIC issue certificates to members and publish the certificate hierarchy and ROAs to validate routes. It demonstrates configuring routers to use validated routes and defines routing policies based on validation status. Finally, it discusses ongoing work topics like a global trust anchor.
This document provides an overview of Route Origin Validation (ROV) using Resource Public Key Infrastructure (RPKI) and the Routinator software. It discusses how RPKI and Route Origin Authorizations (ROAs) allow network operators to validate the origin AS of IP prefixes through a digital certificate and signature-based system. The document outlines the steps to set up Routinator as an RPKI validator, generate ROAs, and configure routers to perform ROV. It also provides examples of analyzing invalid route origins and working with network owners to resolve routing issues.
The document discusses Route Origin Validation (ROV) using Resource Public Key Infrastructure (RPKI) as outlined by the Mutually Agreed Norms for Routing Security (MANRS) initiative. It describes how RPKI uses digitally signed certificates and Route Origin Authorizations (ROAs) to validate the origin AS of IP prefixes in BGP routing announcements. The validation status can be used to filter or modify routes. Instructions are provided on setting up various open-source RPKI validators like Routinator, OctoRPKI, and FORT to perform ROV and feed the validated ROA cache into BGP routers.
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids (APNIC)
APNIC Training Delivery Manager Shane Hermoso presents on the status of RPKI deployment in the Asia Pacific and the importance of cleaning up invalids at VNIX-NOG 2023, Da Lat, Viet Nam from 5 to 6 October 2023.
This document provides information on resource public key infrastructure (RPKI) and route origin authorization (ROA). It discusses problems with relying solely on Internet routing registries (IRRs), and how RPKI addresses these issues by tying IP addresses and autonomous system numbers (ASNs) to public keys. It describes the RPKI certificate structure and chain of trust, as well as the roles of signing ROAs, validating others, hosted RPKI systems, and relying parties. Examples of incidents from inaccurate or incomplete IRR data are given. The status of major transit and cloud providers in supporting RPKI is listed.
This document discusses how multi-homing and RPKI can provide robust and secure internet connections. It explains that multi-homing with BGP allows networks to direct traffic through the most cost effective connections, improving resilience and performance. RPKI helps secure BGP routing by preventing route hijacking and mis-origination through the use of Route Origin Authorizations (ROAs) and an RPKI validator. ROAs authorize which ASNs can originate which IP prefixes. The validator checks BGP updates against ROAs to label routes as valid, invalid, or not found. This validation information can then be used to define routing policies.
Similar to Route Hijaking and the role of RPKI (20)
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... (APNIC)
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... (APNIC)
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I... (APNIC)
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
3. Current Practice
• Filtering limited to the edges facing the customer
• Filters on peering and transit sessions are often too complex or take too many resources
• Check prefix before announcing it
Diagram: Receive Request → LOA Check → Create Prefix / AS Filter → Associate
5. RPKI
Diagram: IP Address & AS Number + Digital Certificate → RPKI (Resource Public Key Infrastructure)
6. BGP 101 + RPKI
Diagram: topology of ASes 64512, 65420, 65530, 65531, 65532, 65533, 65534 and 65535 exchanging the prefixes 2406:6400::/32 and 2001:db8::/32 (next hop 2001:db8:ab::1)
BGP table shown on the slide (V = valid, I = invalid):
    Network           Next Hop            AS_PATH            Age       Attrs
V*> 2406:6400::/32    2001:df2:ee00::1    65531 65533 65535  05:30:49  [{Origin: i}]
I > 2406:6400::/32    2001:df2:ee11::1    65530 65420        05:30:49  [{Origin: i}]
7. PKI in Other Applications
• HTTPS
– Web Address as RESOURCE
– Hierarchical Trust Model
– CA as the root of the TRUST
– Browser does the VERIFICATION
• DNSSEC
– Zone as RESOURCE
– Hierarchical Trust Model
– . as the root of the TRUST
– DNS Resolver does the VERIFICATION
11. RPKI Implementation
• As an Announcer/LIR
– You choose if you want certification
– You choose if you want to create ROAs
– You choose AS, max length
• As a Relying Party
– You can choose if you use the validator
– You can override the lists of valid ROAs in the cache, adding or removing valid ROAs locally
– You can choose to make any routing decisions based on the results of the BGP verification (valid/invalid/unknown)
Diagram steps:
1. Publish ROA
2. RPKI Cache Validator
3. Router Configuration
15. RPKI in Action
• {bgp4} Routers validate updates from other BGP peers
• {rtr} Caches feed routers with ROA information using the RTR protocol
• {rsync} Caches retrieve and cryptographically validate certificates & ROAs from repositories
Diagram: DNS / Trust Anchors → repository → RPKI Cache Validator {rsync} → ASBR {rtr} → upstream {bgp4}
17. RPKI Data Violation: Invalid ASN
• Invalid origin AS is visible
• From private ASN!
18. RPKI Data Violation: Fixed Length Mismatch
• Most of the cases involve an invalid prefix (fixed length mismatch)
– Further allocation to the customer
19. Fiji
Total ASNs delegated by RIR: 8, Visible IPv4 routes: 50, Visible IPv6 routes: 5
http://rpki.apnictraining.net/output/fj.html
20. Moving Forward
• RPKI adoption is growing
– You are encouraged to create ROAs. Experiment, test, play and develop
– You can implement it in your infrastructure and do origin validation
• Something to consider
– Upgrade at least ASBRs to RPKI-capable code
– In most cases, operators create ROAs for the minimum length and advertise the longest prefix
– Some ROAs are invalid due to further allocation to customers
• https://www.apnic.net/ROA
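As an added example (not code from the slides), the origin-validation decision a relying party's cache validator makes for slides 15 to 20, written in Python: it classifies a route as valid, invalid or not found against a ROA list following RFC 6811, and separates the two invalid cases from slides 17 (unauthorized, possibly private, origin AS) and 18 (customer more-specific longer than the ROA maxLength). The ROA list and routes are constructed sample data that reuse the private-use ASNs and prefixes from the slide 6 diagram; they are not real RPKI data.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


def is_private_asn(asn: int) -> bool:
    """Private-use ASN ranges from RFC 6996 (16-bit and 32-bit)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def validate_origin(prefix: str, origin_asn: int, roas: list) -> tuple:
    """RFC 6811 origin validation: returns (state, reason).

    valid: a covering ROA names this origin AS and the announced length
    does not exceed its maxLength; invalid otherwise; not-found if no ROA
    covers the prefix at all.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # Same address family and the ROA prefix contains the route (or equals it).
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return ("not-found", "no ROA covers this prefix")
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return ("valid", f"matches ROA {roa.prefix}-{roa.max_length} AS{roa.origin_asn}")
    if any(roa.origin_asn == origin_asn for roa in covering):
        # Slide 18 case: ROA covers the aggregate, a more specific is announced.
        return ("invalid", "prefix longer than the ROA maxLength")
    # Slide 17 case: origin AS not authorized at all (often a private ASN).
    note = " (private-use ASN)" if is_private_asn(origin_asn) else ""
    return ("invalid", f"AS{origin_asn} not authorized by any covering ROA{note}")


# Constructed sample ROAs (not real RPKI data), using the slide 6 numbers.
SAMPLE_ROAS = [ROA("2406:6400::/32", 32, 65535), ROA("2001:db8::/32", 48, 65530)]

if __name__ == "__main__":
    for pfx, asn in [("2406:6400::/32", 65535), ("2406:6400::/32", 65420),
                     ("2001:db8:ab::/64", 65530), ("203.0.113.0/24", 65531)]:
        print(pfx, f"AS{asn}", *validate_origin(pfx, asn, SAMPLE_ROAS))
```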