RIPE NCC, profile picture
Uploaded byRIPE NCC
PDF, PPTX34 views

RPKI For Routing Security

This document discusses RPKI (Resource Public Key Infrastructure) for securing Internet routing. It provides statistics on RPKI adoption in Luxembourg and neighboring countries, showing that while Luxembourg has over 65% of its address space covered by ROAs, not all networks have fully implemented RPKI. The goal is 100% RPKI implementation to validate all routes and prevent route hijacking, but obstacles still exist to full deployment. The presenter's contact information is provided for any questions.

Technology
Related topics:
RIPE NCC

Embed presentation

Download as PDF, PPTX
RPKI for Secure Routing Brief introduction and some statistics Presentation Gerardo Viviers - RIPE NCC
About Routing Security Brief Intro to RPKI
Hey! You! Ok! I’ll add it to my routes… BGP is Naive… 3 I have the network Y Hi! What’s up? ‘Cause I trust you, stranger!
• Typing errors - Also known as “fat fi ngers” - 2 and 3 are really close on our keyboards… • Routing policy violations - Leaks, fi ltering miscon fi gurations - “We didn’t mean this to go to the public Internet” • Malicious attacks - Route manipulation, BGP hijack, BGP DDOS Routing Incidents 4
If Only We Could Do Something… 5
• Filter Routes based on: - Best practices - Internet Routing Registry - RPKI • All recommendations from MANRS You Can Do Something! 6
RPKI System 7 External Repositories RIPE NCC ARIN APNIC Validator RPKI Repositories Validated Cache rsync/RRDP RPKI-RTR LACNIC AFRINIC ROAs
Routing Security using RPKI 8 RPKI repository ASN K is authorised to announce pre fi x Y RIRs Trust Anchors I have the network Y K I have the network Y X
RPKI Bene fi ts 9 Proof of origin Cryptographic identity veri fi cation Route hijacking prevention
• If we compare ROAs and route(6) objects… - What percent of pre fi xes is in the IRR? - How many are covered by ROAs? • IRR is not maintained very well • RPKI has advantage of all fi ve RIRs supporting it RPKI versus IRR? 10
Statistics To Understand Better
ASNs: 86 IPv4: 1313 IPv6: 186 Routing Statistics Luxembourg 12 Source: RIPEstat
RPKI in Luxembourg 13 ROA Coverage
Neighbour countries comparison 14 % of IPv4 covered by ROAs Amount of IPv4 address space
• Creating ROAs is only half the job… • Comparing against BGP is the other half! • This is what ROV is all about • You decide what to do with the announcements What about Route Origin Validation? 15
World Stats on ROV 16 Source: APNIC
Regional Stats on ROV 17 Country RPKI Validates Netherlands (NL) 71.95% Luxembourg (LU) 65.96% Switzerland (CH) 63.84% France (FR) 56.59% Belgium (BE) 22.49% Germany (DE) 5.90% Source: APNIC DE LU NL BE FR CH
• Address space is being covered by ROAs • But not all address space… • Why not? What are the obstacles? • The goal is to have 100% implementation of RPKI in every network • End result should be a more secure Internet Few ROAs, Many ROVs 18
Questions 19 gviviers@ripe.net

More Related Content

PPTX
HKNOG 7.0: RPKI - it's time to start deploying it
byAPNIC
 
PDF
Routing Security
byRIPE NCC
 
PDF
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
PDF
Introduction to RPKI
byAPNIC
 
PDF
Introduction to RPKI - MyNOG
bySiena Perry
 
PDF
Routing Security and RPKI: South Korea Focus
byAPNIC
 
PDF
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
PDF
PacNOG 23: Secure routing with RPKI
byAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
byAPNIC
 
Routing Security
byRIPE NCC
 
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
Introduction to RPKI
byAPNIC
 
Introduction to RPKI - MyNOG
bySiena Perry
 
Routing Security and RPKI: South Korea Focus
byAPNIC
 
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
PacNOG 23: Secure routing with RPKI
byAPNIC
 

Similar to RPKI For Routing Security

PPTX
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
byAPNIC
 
PDF
APAN 50: RPKI industry trends and initiatives
byAPNIC
 
PDF
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
byRIPE NCC
 
PDF
Secure Inter-domain Routing with RPKI
byAPNIC
 
PDF
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
byAPNIC
 
PDF
RPKI and Me
byMyNOG
 
PDF
RPKI Tutorial
byBangladesh Network Operators Group
 
PDF
Why ROV? RPKI Deployment Status in Japan
byAPNIC
 
PDF
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
byAPNIC
 
PDF
Route Hijaking and the role of RPKI
byAPNIC
 
PDF
KHNOG 5: RPKI Status Update
byAPNIC
 
PDF
RPKI Deployment Status in Bangladesh
byBangladesh Network Operators Group
 
PDF
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
byPROIDEA
 
PDF
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 
PDF
NANOG 80: Measuring RPKI Effectiveness
byAPNIC
 
PDF
AusNOG 2022: Measuring RPKI use in BGP
byAPNIC
 
PPTX
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
byAPNIC
 
PDF
The impact of an RPKI validator in Bangladesh and Lessons Learned
byBangladesh Network Operators Group
 
PDF
RPKI Overview, Case Studies, Deployment and Operations
byAPNIC
 
PDF
Developments in Routing Security
byRIPE NCC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
byAPNIC
 
APAN 50: RPKI industry trends and initiatives
byAPNIC
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
byRIPE NCC
 
Secure Inter-domain Routing with RPKI
byAPNIC
 
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
byAPNIC
 
RPKI and Me
byMyNOG
 
RPKI Tutorial
byBangladesh Network Operators Group
 
Why ROV? RPKI Deployment Status in Japan
byAPNIC
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
byAPNIC
 
Route Hijaking and the role of RPKI
byAPNIC
 
KHNOG 5: RPKI Status Update
byAPNIC
 
RPKI Deployment Status in Bangladesh
byBangladesh Network Operators Group
 
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
byPROIDEA
 
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 
NANOG 80: Measuring RPKI Effectiveness
byAPNIC
 
AusNOG 2022: Measuring RPKI use in BGP
byAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
byAPNIC
 
The impact of an RPKI validator in Bangladesh and Lessons Learned
byBangladesh Network Operators Group
 
RPKI Overview, Case Studies, Deployment and Operations
byAPNIC
 
Developments in Routing Security
byRIPE NCC
 

More from RIPE NCC

PDF
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
byRIPE NCC
 
PDF
RIPE Atlas & other RIPE NCC Internet Measurement Tools
byRIPE NCC
 
PDF
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
byRIPE NCC
 
PDF
RIPE NCC Internet Measurement Tools
byRIPE NCC
 
PDF
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
byRIPE NCC
 
PDF
A Look at a Root Cause for DNS Latency - APRICOT 2025
byRIPE NCC
 
PDF
Know Your Network: Why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
PDF
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
byRIPE NCC
 
PDF
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
byRIPE NCC
 
PDF
Internet Landscape and Network Resiliency in South East Europe
byRIPE NCC
 
PDF
Taiwan's Digital Landscape with RIPE NCC Tools
byRIPE NCC
 
PDF
Minimising Impact before incidents occur with RIPE Atlas
byRIPE NCC
 
PDF
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
byRIPE NCC
 
PDF
Know Your Network; why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
PDF
Navigating IP Addresses: Insights from your Regional Internet Registry
byRIPE NCC
 
PDF
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
byRIPE NCC
 
PDF
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
byRIPE NCC
 
PDF
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
byRIPE NCC
 
PDF
Governing Environmental Sustainability in Tech
byRIPE NCC
 
PDF
Traces of Power: Internet Governance and Climate Action
byRIPE NCC
 
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
byRIPE NCC
 
RIPE Atlas & other RIPE NCC Internet Measurement Tools
byRIPE NCC
 
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
byRIPE NCC
 
RIPE NCC Internet Measurement Tools
byRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
byRIPE NCC
 
A Look at a Root Cause for DNS Latency - APRICOT 2025
byRIPE NCC
 
Know Your Network: Why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
byRIPE NCC
 
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
byRIPE NCC
 
Internet Landscape and Network Resiliency in South East Europe
byRIPE NCC
 
Taiwan's Digital Landscape with RIPE NCC Tools
byRIPE NCC
 
Minimising Impact before incidents occur with RIPE Atlas
byRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
byRIPE NCC
 
Know Your Network; why every network operator should host a RIPE Atlas probe
byRIPE NCC
 
Navigating IP Addresses: Insights from your Regional Internet Registry
byRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
byRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
byRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
byRIPE NCC
 
Governing Environmental Sustainability in Tech
byRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
byRIPE NCC
 

Recently uploaded

PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
The year in review - MarvelClient in 2025
bypanagenda
 
December Patch Tuesday
byIvanti
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 

RPKI For Routing Security

  • 1.
    RPKI for SecureRouting Brief introduction and some statistics Presentation Gerardo Viviers - RIPE NCC
  • 2.
  • 3.
    Hey! You! Ok! I’lladd it to my routes… BGP is Naive… 3 I have the network Y Hi! What’s up? ‘Cause I trust you, stranger!
  • 4.
    • Typing errors -Also known as “fat fi ngers” - 2 and 3 are really close on our keyboards… • Routing policy violations - Leaks, fi ltering miscon fi gurations - “We didn’t mean this to go to the public Internet” • Malicious attacks - Route manipulation, BGP hijack, BGP DDOS Routing Incidents 4
  • 5.
    If Only WeCould Do Something… 5
  • 6.
    • Filter Routesbased on: - Best practices - Internet Routing Registry - RPKI • All recommendations from MANRS You Can Do Something! 6
  • 7.
    RPKI System 7 External Repositories RIPE NCCARIN APNIC Validator RPKI Repositories Validated Cache rsync/RRDP RPKI-RTR LACNIC AFRINIC ROAs
  • 8.
    Routing Security usingRPKI 8 RPKI repository ASN K is authorised to announce pre fi x Y RIRs Trust Anchors I have the network Y K I have the network Y X
  • 9.
    RPKI Bene fi ts 9 Proof oforigin Cryptographic identity veri fi cation Route hijacking prevention
  • 10.
    • If wecompare ROAs and route(6) objects… - What percent of pre fi xes is in the IRR? - How many are covered by ROAs? • IRR is not maintained very well • RPKI has advantage of all fi ve RIRs supporting it RPKI versus IRR? 10
  • 11.
  • 12.
    ASNs: 86 IPv4: 1313 IPv6:186 Routing Statistics Luxembourg 12 Source: RIPEstat
  • 13.
  • 14.
    Neighbour countries comparison 14 %of IPv4 covered by ROAs Amount of IPv4 address space
  • 15.
    • Creating ROAsis only half the job… • Comparing against BGP is the other half! • This is what ROV is all about • You decide what to do with the announcements What about Route Origin Validation? 15
  • 16.
    World Stats onROV 16 Source: APNIC
  • 17.
    Regional Stats onROV 17 Country RPKI Validates Netherlands (NL) 71.95% Luxembourg (LU) 65.96% Switzerland (CH) 63.84% France (FR) 56.59% Belgium (BE) 22.49% Germany (DE) 5.90% Source: APNIC DE LU NL BE FR CH
  • 18.
    • Address spaceis being covered by ROAs • But not all address space… • Why not? What are the obstacles? • The goal is to have 100% implementation of RPKI in every network • End result should be a more secure Internet Few ROAs, Many ROVs 18
  • 19.