This document provides information on resource public key infrastructure (RPKI) and route origin authorization (ROA). It discusses problems with relying solely on Internet routing registries (IRRs), and how RPKI addresses these issues by tying IP addresses and autonomous system numbers (ASNs) to public keys. It describes the RPKI certificate structure and chain of trust, as well as the roles of signing ROAs, validating others, hosted RPKI systems, and relying parties. Examples of incidents from inaccurate or incomplete IRR data are given. The status of major transit and cloud providers in supporting RPKI is listed.
4.
RIRs are responsible for:
• Keeping the registry up to date, correct, and secure
• Using hierarchical allocations
• Maintaining neutrality towards all members
7.
Internet building blocks
[Diagram: ASN (Autonomous System Number), Addresses, Interconnect; together they form an Autonomous System]
8. RPKI Webinar
Routing on the Internet
[Diagram, "BGP protocol": A announces "I have 193.x.x.x" and B announces "I have 194.x.x.x"; a router whose routing table now holds 194.x.x.x = B asks "Can I trust B?", and one whose routing table holds 193.x.x.x = A asks "Is A correct?"]
10. Accidents Happen
• Fat Fingers
- 2 and 3 are really close on our keyboards…
• Policy Violations (leaks)
- Oops, we did not want this to go on the public Internet
- Infamous incident with Pakistan Telecom and YouTube
11. Incidents Are Common
• 2019 Routing Security Review
- 12,600 incidents
- 4.4% of all ASNs affected
- 3,000 ASNs are victims of at least one incident
- 1,300 ASNs caused at least one incident
Source: https://bgpstream.com
12. Routing on the Internet
[Diagram: the same exchange as slide 8, with an "Internet Routing Registry" added as the place a router consults. A announces "I have 193.x.x.x", B announces "I have 194.x.x.x"; the router holding 194.x.x.x = B asks "Can I trust B?", the router holding 193.x.x.x = A asks "Is A correct?"]
13. BGP Operations and Security
Problem Statement
• Some IRR data cannot be fully trusted
- Accuracy
- Incomplete data
- Lack of maintenance
• Not every RIR has an IRR
- Third-party databases need to be used
- No verification of who holds IPs/ASNs
16. Resource Public Key Infrastructure
• Ties IP addresses and ASNs to public keys
• Follows the hierarchy of the registries
• Authorised statements from resource holders
- "ASN X is authorised to announce my Prefix Y"
- Signed, holder of Y
17. RPKI Certificate Structure
[Diagram: ARIN, APNIC, RIPE, LACNIC and AFRINIC at the top; a Member certificate under each RIR; ROAs under each Member]
Certificate hierarchy follows allocation hierarchy
18. RPKI Chain of Trust
[Diagram: the root certificate covers ALL Resources and carries the root's public key; the root's private key produces the signature on the LIR's certificate, which lists the LIR's Resources and the LIR's public key]
19. Two elements of RPKI
Signing: Create your ROAs
Validating: Verifying others
20. RPKI Chain of Trust
[Diagram: root certificate (ALL Resources, public key, signature) → LIR certificate (LIR's Resources, public key, signature) → ROA (signature made with the LIR's key)]
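Slides 18 and 20 show that each certificate in the chain is signed by its issuer and lists the resources its holder may use. Besides checking the signature, a relying party must check that no certificate claims more than its issuer holds, because a signature alone would let a compromised or careless CA "grant" address space it never received. The following is an added example, not code from the slides or from any RPKI validator; it models only the resource-containment step (the RFC 3779 check) and leaves out signature verification, using constructed documentation prefixes, a private ASN, and a hypothetical `ResourceCert` type.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical, minimal model of an RPKI resource certificate: who issued it and
# which IP resources the subject holds. Signature bytes are deliberately omitted.
@dataclass
class ResourceCert:
    name: str
    resources: tuple                          # ip_network objects held by the subject
    issuer: Optional["ResourceCert"] = None   # None marks the trust anchor


def net(s: str):
    return ipaddress.ip_network(s)


def contained(prefix, resources) -> bool:
    """True if prefix lies inside any resource of the same address family."""
    return any(prefix.version == r.version and prefix.subnet_of(r) for r in resources)


def validate_cert(cert: ResourceCert) -> list:
    """Walk from cert up to the trust anchor and collect every over-claim:
    a certificate listing a resource its issuer does not itself hold.
    An empty list means the chain is consistent."""
    problems = []
    c = cert
    while c.issuer is not None:
        for r in c.resources:
            if not contained(r, c.issuer.resources):
                problems.append(f"{c.name} claims {r} not held by issuer {c.issuer.name}")
        c = c.issuer
    return problems


def validate_roa(prefix: str, asn: int, signer: ResourceCert) -> tuple:
    """A ROA is acceptable only if the signer's chain is consistent and the
    ROA prefix lies within the signer's own resources."""
    problems = validate_cert(signer)
    p = net(prefix)
    if not contained(p, signer.resources):
        problems.append(f"ROA for {p} AS{asn} exceeds {signer.name}'s resources")
    return (len(problems) == 0, problems)


# Constructed hierarchy: the trust anchor covers everything, an RIR holds a
# constructed /8 and /32, an LIR holds a /24 and a /48 out of those.
TA = ResourceCert("trust anchor", (net("0.0.0.0/0"), net("::/0")))
RIR = ResourceCert("RIR", (net("192.0.0.0/8"), net("2001:db8::/32")), TA)
LIR = ResourceCert("LIR", (net("192.0.2.0/24"), net("2001:db8:1::/48")), RIR)
# A certificate the RIR should never have issued: the prefix is not the RIR's.
ROGUE = ResourceCert("over-claiming LIR", (net("198.51.100.0/24"),), RIR)

if __name__ == "__main__":
    for prefix, asn, signer in [("192.0.2.0/24", 64500, LIR),
                                ("192.0.3.0/24", 64500, LIR),
                                ("198.51.100.0/24", 64500, ROGUE)]:
        ok, problems = validate_roa(prefix, asn, signer)
        print(prefix, f"AS{asn}", "accepted" if ok else "rejected", problems)
```

The second case is rejected because the LIR's certificate does not cover 192.0.3.0/24, and the third because the issuing step itself was an over-claim; a real validator applies this check to every certificate it fetches, together with the signature check the slides illustrate.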
21. Hosted RPKI
• RIR hosts a CA and signs all ROAs
• Automates signing and key rollovers
• Allows you to focus on creating and publishing ROAs
22. Route Origin Authorisation
[Diagram: a ROA states "Prefix is authorised to be announced by AS Number"; its signature is made with the LIR's private key]
23.
• Source: https://stat.ripe.net/NL#tabId=routing
24.
• Source: https://stat.ripe.net/NL#tabId=routing
25. Hosted or Delegated RPKI
[Diagram: RIPE at the top. Under the RIPE NCC Hosted System, Members have their ROAs signed by the hosted CA; alongside, Member-X CA and Member-Y CA run their own CAs and issue their own ROAs]
27. Two elements of RPKI
Signing: Create your ROAs
Validating: Verifying others
28. Trust Anchor Locator (TAL)
[Diagram: a Validator reaches the RIPE NCC, ARIN, APNIC, AFRINIC and LACNIC repositories, each through its own TAL, and produces a list of ROAs and certificates]
A TAL contains:
• Location of RIR repositories
• Root's public key
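A TAL is the one thing a relying party has to trust out of band: it names where the trust anchor certificate lives and pins the root's public key, so a validator can refuse a trust anchor certificate fetched from that location whose key does not match. The parser below is an added example, not code from the slides or from any validator; it follows the RFC 8630 TAL layout (optional `#` comment lines, one or more rsync:// or https:// URIs, an optional blank line, then the base64 public key) and uses a constructed `example.net` TAL whose "key" is a placeholder byte string rather than a real subjectPublicKeyInfo.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class TrustAnchorLocator:
    uris: list          # where the trust anchor certificate can be fetched
    public_key: bytes   # DER subjectPublicKeyInfo of the root (placeholder here)


def parse_tal(text: str) -> TrustAnchorLocator:
    """Parse the TAL layout: comment lines, URI lines, then base64 key lines.
    The key may be wrapped over several lines; URIs end where the key starts."""
    uris, key_lines = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not key_lines and line.startswith(("rsync://", "https://")):
            uris.append(line)
        else:
            key_lines.append(line)
    if not uris:
        raise ValueError("TAL contains no repository URI")
    if not key_lines:
        raise ValueError("TAL contains no public key")
    key = base64.b64decode("".join(key_lines), validate=True)
    return TrustAnchorLocator(uris, key)


def trust_anchor_matches(tal: TrustAnchorLocator, fetched_spki: bytes) -> bool:
    """The check a relying party makes after downloading the trust anchor
    certificate: its public key must equal the key pinned in the TAL."""
    return fetched_spki == tal.public_key


def key_fingerprint(tal: TrustAnchorLocator) -> str:
    """SHA-256 over the pinned key, handy for comparing TALs from two sources."""
    return hashlib.sha256(tal.public_key).hexdigest()


# Constructed sample: not a real key, not a real repository.
CONSTRUCTED_SPKI = b"constructed placeholder, not a real subjectPublicKeyInfo " * 2
_b64 = base64.b64encode(CONSTRUCTED_SPKI).decode()
SAMPLE_TAL = "\n".join([
    "# constructed TAL for illustration only",
    "rsync://rpki.example.net/ta/ta.cer",
    "https://rpki.example.net/ta/ta.cer",
    "",
    _b64[:44],
    _b64[44:],
])

if __name__ == "__main__":
    tal = parse_tal(SAMPLE_TAL)
    print(tal.uris)
    print(key_fingerprint(tal))
    print(trust_anchor_matches(tal, CONSTRUCTED_SPKI), trust_anchor_matches(tal, b"other"))
```

Because the TAL is the root of everything the validator later accepts, operators obtain it from the RIR directly rather than from the repository it points at; the fingerprint function above is the kind of value one compares against the RIR's published TAL when doing so.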
29. Relying Party
[Diagram: a Validator fetches from the RIPE NCC, ARIN, APNIC, AFRINIC and LACNIC repositories and produces a list of ROAs and certificates]
31. Routing on the Internet
[Diagram: A announces "I have 192.0.2.0/24"; B holds 193.0.24.0/21 and asks "Is A correct?". 1. A creates a route origin authorisation record (ROA) in the RPKI Repository: "A is authorised to announce 192.0.2.0/24". 2. B validates the BGP route against the repository.]
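Slide 22 defines a ROA as "Prefix is authorised to be announced by AS Number", and slide 31 shows the router on the other side validating an announcement against the published ROAs. What the slides do not spell out is the decision rule, which is RFC 6811 route origin validation: an announcement is Not Found when no ROA covers the prefix, Valid when a covering ROA names the origin AS and the announced prefix is no longer than the ROA's maxLength, and Invalid when covering ROAs exist but none matches. The code below is an added example, not from the slides or from any router vendor, with a constructed ROA set over documentation prefixes and private ASNs; it goes slightly beyond the slide by handling maxLength and IPv6.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RovState(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not found"


@dataclass(frozen=True)
class Roa:
    prefix: object      # ipaddress network object
    max_length: int     # longest prefix the origin may announce under this ROA
    asn: int            # authorised origin AS (0 means "nobody", per RFC 7607)


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> Roa:
    net = ipaddress.ip_network(prefix)
    return Roa(net, net.prefixlen if max_length is None else max_length, asn)


def covering_roas(net, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    return [r for r in roas if r.prefix.version == net.version and net.subnet_of(r.prefix)]


def validate_route(prefix: str, origin_asn: int, roas) -> RovState:
    """RFC 6811 origin validation of one announcement.
    - no covering ROA                                  -> NOT_FOUND
    - a covering ROA with this origin and len<=maxLen  -> VALID
    - covering ROAs exist but none matches             -> INVALID
    A covering ROA with asn 0 never matches, so it makes announcements INVALID."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(net, roas)
    if not covering:
        return RovState.NOT_FOUND
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return RovState.VALID
    return RovState.INVALID


# Constructed validated ROA set, as a validator would hand it to a router.
ROAS = [
    make_roa("192.0.2.0/24", 64500),                     # maxLength defaults to /24
    make_roa("193.0.24.0/21", 64501, max_length=24),     # may be split down to /24s
    make_roa("2001:db8::/32", 64502, max_length=48),
]


def check_announcements(announcements, roas=ROAS):
    """announcements: iterable of (prefix, origin_asn) taken from BGP UPDATEs.
    Returns (prefix, origin_asn, state) triples for logging or filtering."""
    return [(p, asn, validate_route(p, asn, roas).value) for p, asn in announcements]


if __name__ == "__main__":
    # Constructed announcements: the authorised origin, a wrong origin, a
    # more-specific beyond maxLength, and a prefix with no ROA at all.
    for row in check_announcements([("192.0.2.0/24", 64500), ("192.0.2.0/24", 64666),
                                    ("192.0.2.0/25", 64500), ("198.51.100.0/24", 64500)]):
        print(*row)
```

The second and third announcements are the cases RPKI exists to catch: a different origin for a covered prefix, and a more-specific that would win in the routing table despite the holder never authorising it. Operators typically drop Invalid routes and accept Not Found, since most of the table still has no ROA.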
32. Status of Transit and Cloud
Name                  Type     Details                        Status
Telia                 Transit  Signed & Filtering             Safe
Cogent                Transit  Signed & Filtering             Safe
GTT                   Transit  Signed & Filtering             Safe
NTT                   Transit  Signed & Filtering             Safe
Hurricane Electric    Transit  Signed & Filtering             Safe
Tata                  Transit  Signed & Filtering             Safe
PCCW                  Transit  Signed & Filtering             Safe
RETN                  Transit  Partially Signed & Filtering   Safe
Cloudflare            Cloud    Signed & Filtering             Safe
Amazon                Cloud    Signed & Filtering             Safe
Netflix               Cloud    Signed & Filtering             Safe
Wikimedia Foundation  Cloud    Signed & Filtering             Safe
Scaleway              Cloud    Signed & Filtering             Safe
• Source: isbgpsafeyet.com
33. What We're Working On
• Repository Resiliency: Cloud
• Security: Audit Framework, different security assessments
• Improving Q&A
• Reporting on our findings
• Doing RPKI ourselves!