RIPE NCC, profile picture
Uploaded byRIPE NCC
80 views

Routing Security

This document provides an introduction to BGP routing security and the Resource Public Key Infrastructure (RPKI). It explains that RPKI ties IP addresses and autonomous system numbers (ASNs) to public keys to validate route origination. It details how RPKI uses certificates signed by regional internet registries to establish a chain of trust from root certificates to route origin authorization (ROA) files created by network operators. It also discusses tools for validating ROAs and using the results to make routing decisions, as well as ongoing efforts to fully validate the security of inter-domain routing.

Technology
Related topics:
RIPE NCC

Embed presentation

Download to read offline
Nathalie Trenaman| 13 April 2021 | Lebanese University, Faculty of Sciences Routing Security
Introduction to BGP routing
3 Internet building blocks ASN (Autonomous System Number)
4 ASN (Autonomous System Number) Internet building blocks ASN Addresses Interconnect Autonomous System
5 Routing on the Internet “BGP protocol” Can I trust AS2? Routing table 
 194.x.x.x = AS2 Routing table 
 193.x.x.x = AS1 Is AS1 correct? AS1 
 193.x.x.x AS2 
 194.x.x.x AS2: “I have 194.x.x.x” AS1: “I have 193.x.x.x”
6 Route Propagation AS15 AS756 R1 AS33 AS164 66.2.9.0/24 M ED=700 MED=500 LP=100 LP=50 AS25 AS5 R2 LP=40 tra ffi c route
7 Accidents Happen • Fat Fingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
8 Incidents Are Common • 2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
9 How Bad Is It?
10 Routing on the Internet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” RIPE Database “Internet Routing Registry”
11 Problem Statement • Some IRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
• Problem Statement
13 Internet Routing Registry • Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE Region resources only - RADB allows paying customers to create any object - Lots of the other IRRs do not formally verify holdership
Introduction to RPKI
15 Resource Public Key Infrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
16 RPKI Certificate Structure Member Member Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
17 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
18 RPKI Chain of Trust RIPE NCC Root Certificate Self-signed ALL Resources Root’s private key signature public key
19 RPKI Chain of Trust LIR Certificate Signed by the Root private key LIR’s Resources Root’s private key signature public key
20 RPKI Adoption
21 Two elements of RPKI Signing Create your ROAs Validating Verifying others
ROAs
23 ROA (Route Origin Authorisation) • A ROA is… • LIRs can create a ROA for each one of their resources (IP address ranges) • Multiple ROAs can be created for an IP range • ROAs can overlap
24 What is in a ROA ? Prefix The network for which you are creating the ROA The ASN that’s supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA
25 RPKI Chain of Trust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
26 Route Origin Authorisation Prefix is authorised to be announced by AS Number LIR’s private key ROA signature
27 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
28 Hosted or Delegated RPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
29 Hosted RPKI • Automatic signing and key roll overs - One click setup of resource certificate - User has a valid and published certificate for as long as they are the holder of the resources - All the complexity is handled by the hosted system • Lets you focus on creating and publishing ROAs - Match your intended BGP configuration
30 Delegated RPKI • Run your own Certification Authority software - Dragon research Labs, RPKI toolkit - NLNetLabs, Krill • Setup connection with RIPE NCC CA • Generate a certificate and get it signed by the parent CA • Run your own repository
31 First login to the dashboard
32 Creating ROAs
33 Reviewing changes
34 Checking the effects
/23 35 193.0.24.0/21 AS2121 Max Length: /21 ROA 193.0.24.0/21 193.0.24.0/22 193.0.28.0/22 193.0.24.0/23 AS2121 Max Length: /24 ROA 193.0.30.0/23 AS2121 Max Length: /23 ROA ✖ ✖ ✔︎ /23 /23 /23 /23 /23 /24 /24 /24 /24 /24 /24 /24 /24 /24 /24 ✖ ✔︎✔︎✔︎✔︎ ✖ ✖ ✖ ✖ ✖ ✖ ✖
36 RPKI Adoption
37 ROA Adoption
38 ROA Accuracy
Validation Tools
40 Two elements of RPKI Signing Create your ROAs Validating Verifying others
41 Routing on the Internet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
42 Trust Anchor Locator (TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
43 RPKI Validators • Software that creates a local “validated cache” with all the valid ROAs - Downloads the RPKI repository from the RIRs - Validates the chain of trust of all the ROAs and associated CAs - Talks to your routers using the RPKI-RTR Protocol
44 Relying Party RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
45 RPKI-RTR ROAs ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES
46 Relying Party ROA AS111 10.0.7.30/22 AS222 10.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
47 RIPE NCC Validator • https://github.com/RIPE-NCC/rpki-validator • Version 3.1 • Java-based, web interface, white-list functionality • Can speak RPKI-RTR
48 Alternatives • All are open source: - Routinator - https://github.com/NLnetLabs/ routinator/ - FORT - https://github.com/NICMx/FORT-validator/ - OctoRPKI - https://github.com/cloudflare/cfrpki - RPKI-client - https://rpki-client.org/ - Prover - https://github.com/lolepezy/rpki-prover - Rpstir2 - https://github.com/bgpsecurity/rpstir2
ROA Validation
50 Two elements of RPKI Signing Create your ROAs Validating Verifying others
51 ROA Validation • Routers receive data from the validated cache via RPKI-RTR • Based on this and on BGP announcements, you have to make decisions - Accept or discard the BGP Announcement - As temporary measure, you could influence other attributes, such as Local Preference
52 ROAs ROAs ROA Validation BGP Validation VALID INVALID VALID INVALID UNKNOWN NOT FOUND
53 Invalid ROA • Invalid ROA - The ROA in the repository cannot be validated by the client (ISP) so it is not included in the validated cache • Invalid BGP announcement - There is a ROA in validated cache for that prefix but for a different AS. - Or the max length doesn’t match. • If no ROA in the cache then announcement is “unknown”
54 Whitelisting • If there is an invalid ROA for a network that’s important for you or your customers, you can whitelist it • This is done on your local validator software - It creates a “fake” ROA for the resources you want • It allows you to contact the operator to fix their ROA - Think of e-mail, contact forms, etc…
55 Take the Poll!
Status of RPKI ROV Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
57 Where do we go from here ? • RPKI is only one of the steps towards full BGP Validation - Paths are not validated • We need more building blocks - BGPSec (RFC) - ASPA (draft) - AS-Cones (draft)
Questions nathalie@ripe.net rpki@ripe.net

More Related Content

PDF
RPKI with rpki.net Tools
byBangladesh Network Operators Group
 
PDF
Routing diff
byBangladesh Network Operators Group
 
PDF
BGP Flexibility and Its Consequences
byAPNIC
 
PPTX
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
byakg1330
 
PDF
RPKI Deployment Status in Bangladesh
byBangladesh Network Operators Group
 
PDF
Resource Certification
byRIPE NCC
 
PDF
RPKI invalids aren't gone yet
byBangladesh Network Operators Group
 
PDF
A week with analysing RPKI status
byAPNIC
 
RPKI with rpki.net Tools
byBangladesh Network Operators Group
 
Routing diff
byBangladesh Network Operators Group
 
BGP Flexibility and Its Consequences
byAPNIC
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
byakg1330
 
RPKI Deployment Status in Bangladesh
byBangladesh Network Operators Group
 
Resource Certification
byRIPE NCC
 
RPKI invalids aren't gone yet
byBangladesh Network Operators Group
 
A week with analysing RPKI status
byAPNIC
 

What's hot

PDF
RPKI
byRIPE NCC
 
PDF
RPKI Tutorial
byBangladesh Network Operators Group
 
PPTX
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
byAPNIC
 
PDF
Route Hijaking and the role of RPKI
byAPNIC
 
PDF
RPKI Trust Anchor
byAPNIC
 
PDF
Traffic Engineering Using Segment Routing
byCisco Canada
 
PDF
Service Function Chaining with SRv6
byAhmed AbdelSalam
 
PDF
Certification
byRIPE NCC
 
ODP
C Cpres
byramya5a
 
PDF
RPKI Certification Tutorial
byRIPE NCC
 
PDF
Is IPv6 Really Faster?
byAPNIC
 
PDF
How You Will Get Hacked Ten Years from Now
byjulievreeland
 
PDF
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
byBangladesh Network Operators Group
 
PDF
PCTA e-Tech Show 2021: Securing Internet Routing
byAPNIC
 
PDF
I Pv6 Enabling Menog 0.4
byHussein Elmenshawy
 
PPTX
APRICOT 2015 - NetConf for Peering Automation
byTom Paseka
 
RPKI
byRIPE NCC
 
RPKI Tutorial
byBangladesh Network Operators Group
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
byAPNIC
 
Route Hijaking and the role of RPKI
byAPNIC
 
RPKI Trust Anchor
byAPNIC
 
Traffic Engineering Using Segment Routing
byCisco Canada
 
Service Function Chaining with SRv6
byAhmed AbdelSalam
 
Certification
byRIPE NCC
 
C Cpres
byramya5a
 
RPKI Certification Tutorial
byRIPE NCC
 
Is IPv6 Really Faster?
byAPNIC
 
How You Will Get Hacked Ten Years from Now
byjulievreeland
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
byBangladesh Network Operators Group
 
PCTA e-Tech Show 2021: Securing Internet Routing
byAPNIC
 
I Pv6 Enabling Menog 0.4
byHussein Elmenshawy
 
APRICOT 2015 - NetConf for Peering Automation
byTom Paseka
 

Similar to Routing Security

PDF
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
byRIPE NCC
 
PDF
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
byRIPE NCC
 
PDF
RPKI (Resource Public Key Infrastructure)
byFakrul Alam
 
PDF
Introduction to RPKI
byAPNIC
 
PDF
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
PDF
npNOG 5: Securing Internet Routing
byAPNIC
 
PDF
Introduction to RPKI - MyNOG
bySiena Perry
 
PDF
Securing BGP
byRIPE NCC
 
PDF
Routing Security, Another Elephant in the Room
byRIPE NCC
 
PDF
btNOG 6: Securing Internet Routing
byAPNIC
 
PDF
PacNOG 23: Secure routing with RPKI
byAPNIC
 
PDF
MMIX Peering Forum: Securing Internet Routing
byAPNIC
 
PPTX
Rpki -manrs_(7_september)
byNaveenLakshman
 
PDF
BKNIX Peering Forum 2019: Securing Internet Routing
byAPNIC
 
PPTX
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
byAPNIC
 
PDF
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
PDF
mnNOG 1: Securing internet Routing
byAPNIC
 
PDF
LkNOG 3: Securing Internet Routing
byAPNIC
 
PDF
SANOG 34: Securing Internet Routing
byAPNIC
 
PDF
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
byRIPE NCC
 
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
byRIPE NCC
 
RPKI (Resource Public Key Infrastructure)
byFakrul Alam
 
Introduction to RPKI
byAPNIC
 
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
npNOG 5: Securing Internet Routing
byAPNIC
 
Introduction to RPKI - MyNOG
bySiena Perry
 
Securing BGP
byRIPE NCC
 
Routing Security, Another Elephant in the Room
byRIPE NCC
 
btNOG 6: Securing Internet Routing
byAPNIC
 
PacNOG 23: Secure routing with RPKI
byAPNIC
 
MMIX Peering Forum: Securing Internet Routing
byAPNIC
 
Rpki -manrs_(7_september)
byNaveenLakshman
 
BKNIX Peering Forum 2019: Securing Internet Routing
byAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
byAPNIC
 
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
mnNOG 1: Securing internet Routing
byAPNIC
 
LkNOG 3: Securing Internet Routing
byAPNIC
 
SANOG 34: Securing Internet Routing
byAPNIC
 
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 

More from RIPE NCC

PDF
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
byRIPE NCC
 
PDF
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
byRIPE NCC
 
PDF
RIPE NCC Internet Measurement Tools
byRIPE NCC
 
PDF
RIPE Atlas & other RIPE NCC Internet Measurement Tools
byRIPE NCC
 
PDF
A Look at a Root Cause for DNS Latency - APRICOT 2025
byRIPE NCC
 
PDF
Know Your Network: Why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
PDF
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
byRIPE NCC
 
PDF
IPv6 in Central Europe and the Baltics
byRIPE NCC
 
PDF
Internet Landscape and Network Resiliency in South East Europe
byRIPE NCC
 
PDF
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
byRIPE NCC
 
PDF
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
byRIPE NCC
 
PDF
Taiwan's Digital Landscape with RIPE NCC Tools
byRIPE NCC
 
PDF
Minimising Impact before incidents occur with RIPE Atlas
byRIPE NCC
 
PDF
Know Your Network; why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
PDF
Navigating IP Addresses: Insights from your Regional Internet Registry
byRIPE NCC
 
PDF
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
byRIPE NCC
 
PDF
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
byRIPE NCC
 
PDF
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
byRIPE NCC
 
PDF
Governing Environmental Sustainability in Tech
byRIPE NCC
 
PDF
Traces of Power: Internet Governance and Climate Action
byRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
byRIPE NCC
 
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
byRIPE NCC
 
RIPE NCC Internet Measurement Tools
byRIPE NCC
 
RIPE Atlas & other RIPE NCC Internet Measurement Tools
byRIPE NCC
 
A Look at a Root Cause for DNS Latency - APRICOT 2025
byRIPE NCC
 
Know Your Network: Why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
byRIPE NCC
 
IPv6 in Central Europe and the Baltics
byRIPE NCC
 
Internet Landscape and Network Resiliency in South East Europe
byRIPE NCC
 
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
byRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
byRIPE NCC
 
Taiwan's Digital Landscape with RIPE NCC Tools
byRIPE NCC
 
Minimising Impact before incidents occur with RIPE Atlas
byRIPE NCC
 
Know Your Network; why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
Navigating IP Addresses: Insights from your Regional Internet Registry
byRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
byRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
byRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
byRIPE NCC
 
Governing Environmental Sustainability in Tech
byRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
byRIPE NCC
 

Recently uploaded

PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
The year in review - MarvelClient in 2025
bypanagenda
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 

Routing Security

  • 1.
    Nathalie Trenaman| 13April 2021 | Lebanese University, Faculty of Sciences Routing Security
  • 2.
  • 3.
    3 Internet building blocks ASN(Autonomous System Number)
  • 4.
    4 ASN (Autonomous SystemNumber) Internet building blocks ASN Addresses Interconnect Autonomous System
  • 5.
    5 Routing on theInternet “BGP protocol” Can I trust AS2? Routing table 
 194.x.x.x = AS2 Routing table 
 193.x.x.x = AS1 Is AS1 correct? AS1 
 193.x.x.x AS2 
 194.x.x.x AS2: “I have 194.x.x.x” AS1: “I have 193.x.x.x”
  • 6.
  • 7.
    7 Accidents Happen • FatFingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
  • 8.
    8 Incidents Are Common •2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
  • 9.
  • 10.
    10 Routing on theInternet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” RIPE Database “Internet Routing Registry”
  • 11.
    11 Problem Statement • SomeIRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
  • 12.
  • 13.
    13 Internet Routing Registry •Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE Region resources only - RADB allows paying customers to create any object - Lots of the other IRRs do not formally verify holdership
  • 14.
  • 15.
    15 Resource Public KeyInfrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
  • 16.
    16 RPKI Certificate Structure MemberMember Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
  • 17.
    17 RPKI Chain ofTrust ROA signature LIR’s Resources signature public key ALL Resources signature public key
  • 18.
    18 RPKI Chain ofTrust RIPE NCC Root Certificate Self-signed ALL Resources Root’s private key signature public key
  • 19.
    19 RPKI Chain ofTrust LIR Certificate Signed by the Root private key LIR’s Resources Root’s private key signature public key
  • 20.
  • 21.
    21 Two elements ofRPKI Signing Create your ROAs Validating Verifying others
  • 22.
  • 23.
    23 ROA (Route OriginAuthorisation) • A ROA is… • LIRs can create a ROA for each one of their resources (IP address ranges) • Multiple ROAs can be created for an IP range • ROAs can overlap
  • 24.
    24 What is ina ROA ? Prefix The network for which you are creating the ROA The ASN that’s supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA
  • 25.
    25 RPKI Chain ofTrust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
  • 26.
    26 Route Origin Authorisation Prefix isauthorised to be announced by AS Number LIR’s private key ROA signature
  • 27.
    27 RPKI Chain ofTrust ROA signature LIR’s Resources signature public key ALL Resources signature public key
  • 28.
    28 Hosted or DelegatedRPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
  • 29.
    29 Hosted RPKI • Automaticsigning and key roll overs - One click setup of resource certificate - User has a valid and published certificate for as long as they are the holder of the resources - All the complexity is handled by the hosted system • Lets you focus on creating and publishing ROAs - Match your intended BGP configuration
  • 30.
    30 Delegated RPKI • Runyour own Certification Authority software - Dragon research Labs, RPKI toolkit - NLNetLabs, Krill • Setup connection with RIPE NCC CA • Generate a certificate and get it signed by the parent CA • Run your own repository
  • 31.
    31 First login tothe dashboard
  • 32.
  • 33.
  • 34.
  • 35.
    /23 35 193.0.24.0/21 AS2121 Max Length: /21 ROA 193.0.24.0/21 193.0.24.0/22193.0.28.0/22 193.0.24.0/23 AS2121 Max Length: /24 ROA 193.0.30.0/23 AS2121 Max Length: /23 ROA ✖ ✖ ✔︎ /23 /23 /23 /23 /23 /24 /24 /24 /24 /24 /24 /24 /24 /24 /24 ✖ ✔︎✔︎✔︎✔︎ ✖ ✖ ✖ ✖ ✖ ✖ ✖
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
    40 Two elements ofRPKI Signing Create your ROAs Validating Verifying others
  • 41.
    41 Routing on theInternet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
  • 42.
    42 Trust Anchor Locator(TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
  • 43.
    43 RPKI Validators • Softwarethat creates a local “validated cache” with all the valid ROAs - Downloads the RPKI repository from the RIRs - Validates the chain of trust of all the ROAs and associated CAs - Talks to your routers using the RPKI-RTR Protocol
  • 44.
    44 Relying Party RIPE NCCARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
  • 45.
  • 46.
    46 Relying Party ROA AS111 10.0.7.30/22 AS22210.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
  • 47.
    47 RIPE NCC Validator •https://github.com/RIPE-NCC/rpki-validator • Version 3.1 • Java-based, web interface, white-list functionality • Can speak RPKI-RTR
  • 48.
    48 Alternatives • All areopen source: - Routinator - https://github.com/NLnetLabs/ routinator/ - FORT - https://github.com/NICMx/FORT-validator/ - OctoRPKI - https://github.com/cloudflare/cfrpki - RPKI-client - https://rpki-client.org/ - Prover - https://github.com/lolepezy/rpki-prover - Rpstir2 - https://github.com/bgpsecurity/rpstir2
  • 49.
  • 50.
    50 Two elements ofRPKI Signing Create your ROAs Validating Verifying others
  • 51.
    51 ROA Validation • Routersreceive data from the validated cache via RPKI-RTR • Based on this and on BGP announcements, you have to make decisions - Accept or discard the BGP Announcement - As temporary measure, you could influence other attributes, such as Local Preference
  • 52.
    52 ROAs ROAs ROA Validation BGP Validation VALIDINVALID VALID INVALID UNKNOWN NOT FOUND
  • 53.
    53 Invalid ROA • InvalidROA - The ROA in the repository cannot be validated by the client (ISP) so it is not included in the validated cache • Invalid BGP announcement - There is a ROA in validated cache for that prefix but for a different AS. - Or the max length doesn’t match. • If no ROA in the cache then announcement is “unknown”
  • 54.
    54 Whitelisting • If thereis an invalid ROA for a network that’s important for you or your customers, you can whitelist it • This is done on your local validator software - It creates a “fake” ROA for the resources you want • It allows you to contact the operator to fix their ROA - Think of e-mail, contact forms, etc…
  • 55.
  • 56.
    Status of RPKIROV Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
  • 57.
    57 Where do wego from here ? • RPKI is only one of the steps towards full BGP Validation - Paths are not validated • We need more building blocks - BGPSec (RFC) - ASPA (draft) - AS-Cones (draft)
  • 58.