Presentation given by George Michaelson at PhNOG 2016, Manila, Philippines, 25 January 2016.

1. Moar roas!
George Michaelson
ggm@pobox.com

2. RPKI
• 10+ year exercise to secure Internet Number
Resource (INR) holdings, rouEng
– The longterm goal is secure BGP
– We’re a long way off widespread secure BGP
• Resource Public Key Infrastructure
– We issue cerEficates over your resources
– You can use these to sign things
– The cerEficates carry a list of INR so clearly associate
the INR with whatever you sign
– If you protect your keys, only you can sign

3. Eg Provisioning
• Dude.. Route my prefix
– ok: show me a LeUer of Authority
• Bad Guy: (forges company leUerhead)
– Ok: I’ll route that prefix
• Good Guy: Wait.. WAT? You just routed it on a
piece of paper with company leUerhead?
• Low barrier to entry. A LOA is not “proof”
• Lets try that again…

4. Eg Provisioning
• Dude.. Route my prefix
– ok: show me a ROA with my AS origin.
• Good Guy: (goes off and creates ROA)
– Ok: I’ll route that prefix
– Bad Guy: Curses! Foiled!!!!!
• Low cost but effecEve barrier to cheats.
– A ROA IS “proof”
• Hard to fake
– Even if you route your own INR, a ROA means nobody
else can originate your prefixes
– Hijacks become much harder

5. Really?
RouEng permissions
are about as weak.
Somebody out there, is
Going to believe an
LOA.
In the end rouEng is all
About money.

6. Extra Benefits.. And costs
• BGPmon services will now check seen routes
in BGP against your ROA and warn you if they
see divergent behaviour
– Instant warning of hijacks
• APNIC is looking into possible future services
in this space
• You have to keep your ROA in sync with BGP
changes. If you alter prefix announces you
may have to update the ROA. This isn’t hard.

7. Goal: protect your own net
• Does RPKI fix everything?
– No.
– In fact, it doesn’t do much right now because of low
worldwide coverage
• But its sEll worth doing.
– Why? Because you should clearly show what you
operate and manage, to prevent people hijacking your
assets
• Do you want to wind up routed by somebody
without knowing about it?
– 2000 prefixes hijacked (NANOG discussion & others)

8. How do I do it?
• Easy!
• Go into MyAPNIC
– Go to the Resource CerEficaEon pane
– Turn it on
– We show your BGP, if its right one click does it
– You need to keep your BGP/ROA in sync
• Having problems?
– Speak to a hostmaster/helpdesk or any APNIC
staff at training and other events

9. CreaEng ROA Records

10. Adding ROA Records

11. DeleEng ROA Records

12. Step-by-Step Guide
• Visit hUp://www.apnic.net/roa

13. APNIC Helpdesk Chat

14. Can I see how its going?
• Prototype tool to ‘browse’ the AP region map
and see what percentage of IP ranges in an
economy are protected by ROA
• Work in Progress but we’re hoping this and
other models of new service will be coming
out soon. We want to develop more (moar)
tools.
• Tell us what you think! What do you want
from APNIC network informaEon ?

15. ROA by ASN, per economy
Economy Count Economy Count Economy Count
(null) 5 ID 2 NC 2
AF 1 IN 7 NL 2
AU 38 IT 1 NP 5
BD 57 JP 22 NZ 27
CH 1 LA 1 PH 28
CN 1 LK 10 PK 5
FI 1 MM 5 SG 16
GB 3 MN 3 TH 9
GU 1 MV 2 US 15
HK 3 MY 7 WS 3

16. ROA by ASN, per economy
Economy Count Economy Count Economy Count
(null) 5 ID 2 NC 2
AF 1 IN 7 NL 2
AU 38 IT 1 NP 5
BD 57 JP 22 NZ 27
CH 1 LA 1 PH 28
CN 1 LK 10 PK 5
FI 1 MM 5 SG 16
GB 3 MN 3 TH 9
GU 1 MV 2 US 15
HK 3 MY 7 WS 3

17. WAT????
Economy Count Economy Count Economy Count
(null) 5 ID 2 NC 2
AF 1 IN 7 NL 2
AU 38 IT 1 NP 5
BD 57 JP 22 NZ 27
CH 1 LA 1 PH 28
CN 1 LK 10 PK 5
FI 1 MM 5 SG 16
GB 3 MN 3 TH 9
GU 1 MV 2 US 15
HK 3 MY 7 WS 3

18. WAIT.. WAIT…
Economy Count Economy Count Economy Count
(null) 5 ID 2 NC 2
AF 1 IN 7 NL 2
AU 38 IT 1 NP 5
BD 57 JP 22 NZ 27
CH 1 LA 1 PH 28
CN 1 LK 10 PK 5
FI 1 MM 5 SG 16
GB 3 MN 3 TH 9
GU 1 MV 2 US 15
HK 3 MY 7 WS 3

19. No, its ok
• Null is AS0 which some people use to stop long
prefixes being announced
• The others are the economies in the ROA, made in the
APNIC ‘ROA Factory’.
– The Economies of the ASN rouEng, the origin-AS inside the
ROA
– Some people use outside agencies to route their prefixes
managed in APNIC region
– Some people outside the APNIC region have resources
inside the APNIC region
• So.. If the Origin-AS counts are that cool what about
the prefixes?

20. ROA by prefix, by economy
Economy Count Economy Count Economy Count
AF 1 KH 9 NZ 26
AU 53 LA 1 PF 2
BD 57 LK 10 PH 29
BT 2 MM 5 PK 5
GU 1 MN 3 SG 20
HK 12 MV 2 TH 8
ID 3 MY 7 US 2
IN 10 NC 2 WS 3
JP 25 NP 8

21. This is sEll confusing
• Yea but how much of the asset in the
economy is this? How many ‘references’ isn’t
the same as ‘how much resource’ is it?
• Ok. Lets try another way
– Lets see what the RELATIVE amount of prefix in a
given economy, is covered by a ROA
– But lets do it visually
– In a webtool we can walk around in.

22. hUp://labs.apnic.net/widgets/roas-proto/

23. hUp://labs.apnic.net/widgets/roas-proto/

24. hUp://labs.apnic.net/widgets/roas-proto/

25. hUp://labs.apnic.net/widgets/roas-proto/

26. Two finger swipe (right click) Zooms in
Lep mouse drags map

27. We need moar
• BoUom line: the number of parEcipants is driven
by how many of you we can lock in a room and
prevent you from leaving unEl you have made a
ROA
– Or, who do it for tee shirts
– (we sEll have tee shirts)
• We need more. A lot more.
– We need the percentages to rise, so we can start to
get tracEon behind processes using strong checks on
who controls the assets.

28. Turn it on!
• If you don’t have it already, get into MyAPNIC
and turn on RPKI
• Make a ROA for your announcements
• Start monitoring who out there might be mis-
using your resources.

29. MOAR! MIAW!!!