SlideShare a Scribd company logo

RPKI Introduction by Randy Bush

MyNOG
MyNOG

RPKI-Based Origin Validation, Routers, & Caches discusses the technical background and deployment of RPKI (Resource Public Key Infrastructure) and RPKI-based origin validation. It explains how RPKI uses X.509 certificates signed by regional internet registries to prove IP prefix and AS number ownership. It also describes how routers can obtain ROA (Route Origin Authorization) data from RPKI caches to mark BGP updates as valid, invalid, or not found based on prefix and origin AS matching. This helps prevent route hijacking and origin misconfigurations.

Technology
1 of 57
Download to read offline
RPKI-Based Origin Validation, Routers, & Caches MYNOG / Kuala Lampur 2013.11.28 Randy Bush <randy@psg.com> Rob Austein <sra@hactrn.net> Michael Elkins <me@sigpipe.org> 2013.11.28 MYNOG RPKI 1
Agenda •  Some Technical Background •  Mis-Origination - YouTube Incident •  The RPKI – Needed Infrastructure •  RPKI-Based Origin Validation •  Use the GUI to make ROAs and look at the result on a router •  Build your own Relying Party Server •  Discussion 2013.11.28 MYNOG RPKI 2
This is Not New •  1986 – Bellovin & Perlman identify the vulnerability in DNS and Routing •  1999 - National Academies study called it out •  2000 – S-BGP – X.509 PKI to support Secure BGP - Kent, Lynn, et al. •  2003 – NANOG S-BGP Workshop •  2006 – RPKI.NET(for ARIN) & APNIC start work on RPKI. RIPE starts in 2008. •  2009 – RPKI.NET Open Testbed and running code in test routers 2013.11.28 MYNOG RPKI 3
What is an AS? An ISP or End Site Sprint Verizon AS 701 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 4
What is an AS? An ISP or End Site Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 5
An IP Prefix is Announced & Propagated Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 147.28.0.0/16 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 6
From Inside a Router BGP routing table entry for 147.28.0.0/16 Origin AS 16509 1239 2497 234 The AS-Path 2013.11.28 MYNOG RPKI 7
Of Course it’s Uglier J r1.iad#sh ip bgp 147.28.0.0/16 BGP routing table entry for 147.28.0.0/16, version 21440610 Paths: (2 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 16509 1239 2497 234 144.232.18.81 from 144.232.18.81 (144.228.241.254) Origin IGP, metric 841, localpref 100, valid, external, best Community: 3297:100 3927:380 path 67E8FFCC RPKI State valid Refresh Epoch 1 16509 701 2497 234 129.250.10.157 (metric 11) from 198.180.150.253 (198.180.150.253) Origin IGP, metric 95, localpref 100, valid, internal Community: 2914:410 2914:1007 2914:2000 2914:3000 3927:380 path 699A867C RPKI State valid 2013.11.28 MYNOG RPKI 8
The YouTube Incident Global Internet The Plan PCCW Pakistan Telekom Pakistan Internet 2013.11.28 MYNOG RPKI YouTube Poison Pakistan Internal Routing 9
The YouTube Incident What Happened Global Internet PCCW YouTube Oops! Pakistan Telekom Pakistan Internet 2013.11.28 MYNOG RPKI Poisoned the Global Internet 10
We Call this Mis-Origination a Prefix is Originated by an AS Which Does Not Own It 2013.11.28 MYNOG RPKI 11
I Do Not Call it Hijacking Because that Assumes Negative Intent 2013.11.28 MYNOG RPKI 12
And These Accidents Happen Every Day Usually to Small Folk Sometimes to Large 2013.11.28 MYNOG RPKI 13
So, What’s the Plan? 2013.11.28 MYNOG RPKI 14
Three Pieces •  RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (deployed at all RIRs) •  Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (in deployment) •  AS-Path Validation AKA BGPsec – Prevent Path Attacks on BGP (in IETF) 2013.11.28 MYNOG RPKI 15
Why Origin Validation? •  Prevent YouTube accident & Far Worse •  Prevent 7007 accident, UU/Sprint 2 days! •  Prevents most accidental announcements •  Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack •  That requires Path Validation, the third step, a few years away 2013.11.28 MYNOG RPKI 16
We Need to be Able to Authoritatively Prove Who Owns an IP Prefix And What AS(s) May Announce It 2013.11.28 MYNOG RPKI 17
Prefix Ownership Follows the Allocation Hierarchy IANA, RIRs, ISPs, … 2013.11.28 MYNOG RPKI 18
X.509-Based IP Resource PKI 2013.11.28 MYNOG RPKI 19
RFCs Have Been Long Published 2013.11.28 MYNOG RPKI 20
Deployed by All RIRs 2013.11.28 MYNOG RPKI 21
ROAs Registered by > 1,000 Operators 2013.11.28 MYNOG RPKI 22
In Live Routers 2013.11.28 MYNOG RPKI 23
X.509 Certificate w/ 3779 Ext X.509 Cert Signed by Parent’s Private Key CA RFC 3779 Extension Describes IP Resources (Addr & ASN) SIA – URI for where this Publishes Owner’s Public Key 2013.11.28 MYNOG RPKI 24
Cert/ARIN CA 98.128.0.0/16 Public Key SIA Certificate Hierarchy follows Allocation Hierarchy Cert/ISC CA Cert/RGnet CA Cert/PSGnet 98.128.0.0/20 98.128.16.0/20 98.128.32.0/19 Public Key Public Key Public Key Cert/Randy CA Cert/Rob CA 98.128.16.0/24 98.128.17.0/24 Public Key 2013.11.28 MYNOG RPKI CA Public Key 25
That’s Who Owns It but Who May Route It? 2013.11.28 MYNOG RPKI 26
Route Origin Authorization (ROA) CA Owning Cert 98.128.0.0/16 147.28.0.0/16 EE Cert 98.128.0.0/16 End Entity Cert can not sign certs. can sign other things e.g. ROAs Public Key Public Key ROA This is not a Cert It is a signed blob 98.128.0.0/16 AS 42 2013.11.28 MYNOG RPKI 27
How RPKI is Generated Up / Down to Parent GUI RPKI Certificate Engine Publication Protocol Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations Up / Down to Child 2013.11.28 MYNOG RPKI 28
Issuing Parties IANA Publication Protocol GUI Please Issue My Cert GUI Please Issue My Cert GUI Please Issue My Cert 2013.11.28 MYNOG RPKI Up/ Down APNIC Up/ Down JPNIC Up/ Down Trust Anchor Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance 29
Issuing Parties Trust Anchor GUI IANA Publication Protocol Up Down GUI APNIC SIA Pointers Publication Protocol Up Down GUI 2013.11.28 MYNOG RPKI JPNIC Resource PKI Resource PKI SIA Pointers Publication Protocol Resource PKI 30
Issuing Parties Relying Parties Trust Anchor GUI IANA Publication Protocol Up Down GUI APNIC SIA Pointers Publication Protocol Up Down GUI 2013.11.28 MYNOG RPKI JPNIC Resource PKI Validated Cache Pseudo IRR route: descr: origin: notify: mnt-by: changed: source: 147.28.0.0/16! 147.28.0.0/16-16! AS3130! irr-hack@rpki.net! MAINT-RPKI! irr-hack@rpki.net 20110606! RPKI! NOC Tools Resource PKI SIA Pointers Publication Protocol RCynic Gatherer Resource PKI BGP Decision Process 31
How Do ROAs Affect BGP Updates? 2013.11.28 MYNOG RPKI 32
Trust Anchor IANA GUI Publication Protocol Up Down APNIC GUI SIA Pointers Publication Protocol GUI SIA Pointers Publication Protocol In NOC 2013.11.28 MYNOG RPKI Resource PKI In PoP RCynic Gatherer Crypto Check Validated Cache Up Down JPNIC Resource PKI Resource PKI Crypto Stripped RPKI to Rtr Protocol BGP Decision Process 33
ROAs Become Router ROAs Want to Run on Current Hardware RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol Crypto is Stripped RPKI ROAs 34
IPv4 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 4 | | +-------------------------------------------+ | | | Length=20 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..32 | 0..32 | | +-------------------------------------------+ | | | IPv4 prefix | | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 35
IPv6 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 6 | | +-------------------------------------------+ | | | Length=40 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..128 | 0..128 | | +-------------------------------------------+ | | +-----+ | | +--IPv6 prefix ---+ | | +-----+ | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 96 More Bits No Magic 36
Marking BGP Updates BGP Peer BGP Data BGP Updates Mark RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol RPKI ROAs Valid Invalid NotFound 37
Result of Check •  Valid – A matching/covering ROA was found with a matching AS number •  Invalid – A covering ROA was found, but the AS number did not match, and there was no other matching one •  NotFound – No matching or covering ROA was found, same as today 2013.11.28 MYNOG RPKI 38
Configure Router to Get ROAs router bgp 651nn … bgp rpki server tcp 192.168.179.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 2013.11.28 MYNOG RPKI 39
Valid! r0.sea#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24, version 3043542 Paths: (3 available, best #1, table default) 6939 27318 206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid 2914 4459 27318 199.238.113.9 from 199.238.113.9 (129.250.0.19) Origin IGP, metric 43, localpref 100, valid, external Community: 2914:410 2914:1005 2914:3000 3130:380 path 09AF35CC RPKI State valid 2013.11.28 MYNOG RPKI 40
Invalid! r0.sea#show bgp 198.180.150.0 BGP routing table entry for 198.180.150.0/24, version 2546236 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 8 Refresh Epoch 1 1239 3927 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid 2013.11.28 MYNOG RPKI 41
NotFound r0.sea#show bgp 64.9.224.0 BGP routing table entry for 64.9.224.0/20, version 35201 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 Refresh Epoch 1 1239 3356 36492 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 4, localpref 100, valid, internal Community: 3130:370 path 11861AA4 RPKI State not found 2013.11.28 MYNOG RPKI 42
The Operator Tests the Mark and then Applies Local Policy 2013.11.28 MYNOG RPKI 43
Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50 ! invalid is dropped 2013.11.28 MYNOG RPKI 44
Paranoid route-map validity-0 match rpki valid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 45
Security Geek route-map validity-0 match rpki invalid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 46
After AS-Path route-map validity-0 match rpki not-found set metric 100 route-map validity-1 match rpki invalid set metric 150 route-map validity-2 set metric 50 2013.11.28 MYNOG RPKI 47
Set a Community route-map validity-0 match rpki valid set community 3130:400 route-map validity-1 match rpki invalid set community 3130:200 route-map validity-2 set community 3130:300 2013.11.28 MYNOG RPKI 48
And it is All Monitored BGP Data BGP Updates mark RPKI-Rtr Protocol 2013.11.28 MYNOG RPKI Valid Invalid NotFound RPKI ROAs SNMP syslog N O C 49
But in the End, You Control Your Policy “Announcements with Invalid origins SHOULD NOT be used, but MAY be used to meet special operational needs. In such circumstances, the announcement SHOULD have a lower preference than that given to Valid or NotFound.” -- draft-ietf-sidr-origin-ops 2013.11.28 MYNOG RPKI 50
RPKI at the Registries •  RIPE seriously deployed with a few thousand LIRs and thousands of ROAs •  APNIC is operational and moving forward, moving to RIPE’s GUI •  ARIN is doing their best to make RPKI deployment very hard •  LACNIC is deployed and has 100s of LIRs •  AFRINIC is deployed with O(25) LIRs 2013.11.28 MYNOG RPKI 51
RIPE Progress •  Policy just passed to allow registration of legacy space without having to become a member or sign away all rights •  Policy just passed to allow registration of 40,000 PI allocations to end sites without having to become a full member •  And RIPE already had thousands of RPKI registrations 2013.11.28 MYNOG RPKI 52
LACNIC / Ecuador •  LACNIC working with the Ecuador Internet Exchange •  All ISPs and lmost all address space in Ecuador is certified and has ROAs •  All members of the exchange are using RPKI-Rtr protocol to get ROAs from a cache at the exchange •  Watching routers to see markings 2013.11.28 MYNOG RPKI 53
Per-RIR Statistics Much Better Than IPv6 Half are Two LIRs 2013.11.28 MYNOG RPKI Embarrassing 54
Router Origin Validation •  Cisco IOS – solid in 15.2 •  Cisco IOS/XR – shipped in 4.3.2 •  Juniper – shipped in 12.2 •  AlcaLu – in development 2013.11.28 MYNOG RPKI 55
RPKI Implementations •  RIPE/NCC – CA (partial closed) & RP (partial open) •  APNIC – CA only – Closed Source •  RTRlib/Berlin – RP only – Open Source •  BBN – RP Only – Open Source •  RPKI.NET – CA & RP – Open Source 2013.11.28 MYNOG RPKI 56
RPKI.NET / Dragon Labs •  Open Source BSD License •  CA – Hosted and Delegated Models, GUI •  RP – RPKI-RTR, NOC Tools, IRR Gen •  FreeBSD, Ubuntu, Debian, … Packaged (docs still catching up) 2013.11.28 MYNOG RPKI 57

Recommended

Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
APNIC
 
Multicast for ipv6
Multicast for ipv6Multicast for ipv6
Multicast for ipv6
Frederic Bovy
 
Mavenir: Monetizing RCS through Innovation on Cloud Native Network​
Mavenir: Monetizing RCS through Innovation on Cloud Native Network​Mavenir: Monetizing RCS through Innovation on Cloud Native Network​
Mavenir: Monetizing RCS through Innovation on Cloud Native Network​
Mavenir
 
3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based Architecture3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based Architecture
Sridhar Bhaskaran
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable Paradigm
MyNOG
 
Sangoma SS7 Gateway Training
Sangoma SS7 Gateway TrainingSangoma SS7 Gateway Training
Sangoma SS7 Gateway Training
Empatiq İletişim Teknolojileri AŞ.
 
PCRF-Policy Charging System-Functional Analysis
PCRF-Policy Charging System-Functional AnalysisPCRF-Policy Charging System-Functional Analysis
PCRF-Policy Charging System-Functional Analysis
Biju M R
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
JuHwan Lee
 

Recommended

Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
APNIC
 
Multicast for ipv6
Multicast for ipv6Multicast for ipv6
Multicast for ipv6
Frederic Bovy
 
Mavenir: Monetizing RCS through Innovation on Cloud Native Network​
Mavenir: Monetizing RCS through Innovation on Cloud Native Network​Mavenir: Monetizing RCS through Innovation on Cloud Native Network​
Mavenir: Monetizing RCS through Innovation on Cloud Native Network​
Mavenir
 
3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based Architecture3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based Architecture
Sridhar Bhaskaran
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable Paradigm
MyNOG
 
Sangoma SS7 Gateway Training
Sangoma SS7 Gateway TrainingSangoma SS7 Gateway Training
Sangoma SS7 Gateway Training
Empatiq İletişim Teknolojileri AŞ.
 
PCRF-Policy Charging System-Functional Analysis
PCRF-Policy Charging System-Functional AnalysisPCRF-Policy Charging System-Functional Analysis
PCRF-Policy Charging System-Functional Analysis
Biju M R
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
JuHwan Lee
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and Kubernetes
Paolo Visintin
 
ACI MultiFabric 소개
ACI MultiFabric 소개ACI MultiFabric 소개
ACI MultiFabric 소개
Woo Hyung Choi
 
Ccnp workbook network bulls
Ccnp workbook network bullsCcnp workbook network bulls
Ccnp workbook network bulls
Swapnil Kapate
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN Controller
APNIC
 
AWS VPC by hellocloud.io
AWS VPC by hellocloud.ioAWS VPC by hellocloud.io
AWS VPC by hellocloud.io
Hello Cloud
 
IIJmio meeting 19 IIJ フルMVNO徹底解説
IIJmio meeting 19 IIJ フルMVNO徹底解説IIJmio meeting 19 IIJ フルMVNO徹底解説
IIJmio meeting 19 IIJ フルMVNO徹底解説
techlog (Internet Initiative Japan Inc.)
 
3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction
Saurabh Verma
 
MPLS VPN
MPLS VPNMPLS VPN
MPLS VPN
Shahzaib Mahesar
 
FDD_LTE_19_New_Feature_Document.pdf.pdf
FDD_LTE_19_New_Feature_Document.pdf.pdfFDD_LTE_19_New_Feature_Document.pdf.pdf
FDD_LTE_19_New_Feature_Document.pdf.pdf
ssusere571261
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
Licenciatura en Redes y Sistemas Operativos
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf
Abubakar416712
 
BGP Monitoring Protocol
BGP Monitoring ProtocolBGP Monitoring Protocol
BGP Monitoring Protocol
Bertrand Duvivier
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basics
Karel Berkovec
 
IPv6 cohabitation et migration - Oussama SALIHI
IPv6 cohabitation et migration - Oussama SALIHIIPv6 cohabitation et migration - Oussama SALIHI
IPv6 cohabitation et migration - Oussama SALIHI
grecma
 
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
Capgemini
 
MPLS Tutorial
MPLS TutorialMPLS Tutorial
MPLS Tutorial
kennedy Ochieng Ndire
 
FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)
Kirill Tsym
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
Febrian ‎
 
Mellanox VXLAN Acceleration
Mellanox VXLAN AccelerationMellanox VXLAN Acceleration
Mellanox VXLAN Acceleration
Mellanox Technologies
 
Converting From Nexus NX-OS Mode to ACI Mode.
Converting From Nexus NX-OS Mode to ACI Mode.Converting From Nexus NX-OS Mode to ACI Mode.
Converting From Nexus NX-OS Mode to ACI Mode.
David kankam
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
APNIC
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
Bangladesh Network Operators Group
 

More Related Content

What's hot

Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and Kubernetes
Paolo Visintin
 
ACI MultiFabric 소개
ACI MultiFabric 소개ACI MultiFabric 소개
ACI MultiFabric 소개
Woo Hyung Choi
 
Ccnp workbook network bulls
Ccnp workbook network bullsCcnp workbook network bulls
Ccnp workbook network bulls
Swapnil Kapate
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN Controller
APNIC
 
AWS VPC by hellocloud.io
AWS VPC by hellocloud.ioAWS VPC by hellocloud.io
AWS VPC by hellocloud.io
Hello Cloud
 
IIJmio meeting 19 IIJ フルMVNO徹底解説
IIJmio meeting 19 IIJ フルMVNO徹底解説IIJmio meeting 19 IIJ フルMVNO徹底解説
IIJmio meeting 19 IIJ フルMVNO徹底解説
techlog (Internet Initiative Japan Inc.)
 
3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction
Saurabh Verma
 
MPLS VPN
MPLS VPNMPLS VPN
MPLS VPN
Shahzaib Mahesar
 
FDD_LTE_19_New_Feature_Document.pdf.pdf
FDD_LTE_19_New_Feature_Document.pdf.pdfFDD_LTE_19_New_Feature_Document.pdf.pdf
FDD_LTE_19_New_Feature_Document.pdf.pdf
ssusere571261
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
Licenciatura en Redes y Sistemas Operativos
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf
Abubakar416712
 
BGP Monitoring Protocol
BGP Monitoring ProtocolBGP Monitoring Protocol
BGP Monitoring Protocol
Bertrand Duvivier
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basics
Karel Berkovec
 
IPv6 cohabitation et migration - Oussama SALIHI
IPv6 cohabitation et migration - Oussama SALIHIIPv6 cohabitation et migration - Oussama SALIHI
IPv6 cohabitation et migration - Oussama SALIHI
grecma
 
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
Capgemini
 
MPLS Tutorial
MPLS TutorialMPLS Tutorial
MPLS Tutorial
kennedy Ochieng Ndire
 
FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)
Kirill Tsym
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
Febrian ‎
 
Mellanox VXLAN Acceleration
Mellanox VXLAN AccelerationMellanox VXLAN Acceleration
Mellanox VXLAN Acceleration
Mellanox Technologies
 
Converting From Nexus NX-OS Mode to ACI Mode.
Converting From Nexus NX-OS Mode to ACI Mode.Converting From Nexus NX-OS Mode to ACI Mode.
Converting From Nexus NX-OS Mode to ACI Mode.
David kankam
 

What's hot (20)

Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and Kubernetes
 
ACI MultiFabric 소개
ACI MultiFabric 소개ACI MultiFabric 소개
ACI MultiFabric 소개
 
Ccnp workbook network bulls
Ccnp workbook network bullsCcnp workbook network bulls
Ccnp workbook network bulls
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN Controller
 
AWS VPC by hellocloud.io
AWS VPC by hellocloud.ioAWS VPC by hellocloud.io
AWS VPC by hellocloud.io
 
IIJmio meeting 19 IIJ フルMVNO徹底解説
IIJmio meeting 19 IIJ フルMVNO徹底解説IIJmio meeting 19 IIJ フルMVNO徹底解説
IIJmio meeting 19 IIJ フルMVNO徹底解説
 
3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction3.3 gpp NR USER Plane introduction
3.3 gpp NR USER Plane introduction
 
MPLS VPN
MPLS VPNMPLS VPN
MPLS VPN
 
FDD_LTE_19_New_Feature_Document.pdf.pdf
FDD_LTE_19_New_Feature_Document.pdf.pdfFDD_LTE_19_New_Feature_Document.pdf.pdf
FDD_LTE_19_New_Feature_Document.pdf.pdf
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf
 
BGP Monitoring Protocol
BGP Monitoring ProtocolBGP Monitoring Protocol
BGP Monitoring Protocol
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basics
 
IPv6 cohabitation et migration - Oussama SALIHI
IPv6 cohabitation et migration - Oussama SALIHIIPv6 cohabitation et migration - Oussama SALIHI
IPv6 cohabitation et migration - Oussama SALIHI
 
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approach
 
MPLS Tutorial
MPLS TutorialMPLS Tutorial
MPLS Tutorial
 
FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
 
Mellanox VXLAN Acceleration
Mellanox VXLAN AccelerationMellanox VXLAN Acceleration
Mellanox VXLAN Acceleration
 
Converting From Nexus NX-OS Mode to ACI Mode.
Converting From Nexus NX-OS Mode to ACI Mode.Converting From Nexus NX-OS Mode to ACI Mode.
Converting From Nexus NX-OS Mode to ACI Mode.
 

Similar to RPKI Introduction by Randy Bush

PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
APNIC
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
Bangladesh Network Operators Group
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
APNIC
 
BGP
BGPBGP
BGP
KHNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
Bangladesh Network Operators Group
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
Bangladesh Network Operators Group
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
APNIC
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
NaveenLakshman
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net tools
Muhammad Moinur Rahman
 
6th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.06th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.0
A Achyar Nur
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PROIDEA
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
APNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
APNIC
 
BMP: the pa amb tomàquet your BGP monitoring was missing
BMP: the pa amb tomàquet your BGP monitoring was missingBMP: the pa amb tomàquet your BGP monitoring was missing
BMP: the pa amb tomàquet your BGP monitoring was missing
CSUC - Consorci de Serveis Universitaris de Catalunya
 

Similar to RPKI Introduction by Randy Bush (20)

PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
BGP
BGPBGP
BGP
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net tools
 
6th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.06th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.0
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
BMP: the pa amb tomàquet your BGP monitoring was missing
BMP: the pa amb tomàquet your BGP monitoring was missingBMP: the pa amb tomàquet your BGP monitoring was missing
BMP: the pa amb tomàquet your BGP monitoring was missing
 

More from MyNOG

MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIAMEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
MyNOG
 
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s HotspotsMalaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
MyNOG
 
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICESHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
MyNOG
 
Building a Connected Future: The Power of Interconnection
Building a Connected Future: The Power of InterconnectionBuilding a Connected Future: The Power of Interconnection
Building a Connected Future: The Power of Interconnection
MyNOG
 
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIESCOHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
MyNOG
 
Strategies for Seamless Recovery in a Dynamic Data Landscape
Strategies for Seamless Recovery in a Dynamic Data LandscapeStrategies for Seamless Recovery in a Dynamic Data Landscape
Strategies for Seamless Recovery in a Dynamic Data Landscape
MyNOG
 
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
SRv6: DEPLOYMENT & USECASES by Aditya KaulSRv6: DEPLOYMENT & USECASES by Aditya Kaul
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
MyNOG
 
Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10
MyNOG
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
MyNOG
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier Networks
MyNOG
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New Frontiers
MyNOG
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native Infrastructure
MyNOG
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network Controller
MyNOG
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
MyNOG
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalids
MyNOG
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIX
MyNOG
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in Kubernetes
MyNOG
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
MyNOG
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
MyNOG
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
MyNOG
 

More from MyNOG (20)

MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIAMEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
 
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s HotspotsMalaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
 
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICESHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
 
Building a Connected Future: The Power of Interconnection
Building a Connected Future: The Power of InterconnectionBuilding a Connected Future: The Power of Interconnection
Building a Connected Future: The Power of Interconnection
 
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIESCOHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
 
Strategies for Seamless Recovery in a Dynamic Data Landscape
Strategies for Seamless Recovery in a Dynamic Data LandscapeStrategies for Seamless Recovery in a Dynamic Data Landscape
Strategies for Seamless Recovery in a Dynamic Data Landscape
 
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
SRv6: DEPLOYMENT & USECASES by Aditya KaulSRv6: DEPLOYMENT & USECASES by Aditya Kaul
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
 
Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier Networks
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New Frontiers
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native Infrastructure
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network Controller
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalids
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIX
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in Kubernetes
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
 

Recently uploaded

Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 

Recently uploaded (20)

Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 

RPKI Introduction by Randy Bush

  • 1. RPKI-Based Origin Validation, Routers, & Caches MYNOG / Kuala Lampur 2013.11.28 Randy Bush <randy@psg.com> Rob Austein <sra@hactrn.net> Michael Elkins <me@sigpipe.org> 2013.11.28 MYNOG RPKI 1
  • 2. Agenda •  Some Technical Background •  Mis-Origination - YouTube Incident •  The RPKI – Needed Infrastructure •  RPKI-Based Origin Validation •  Use the GUI to make ROAs and look at the result on a router •  Build your own Relying Party Server •  Discussion 2013.11.28 MYNOG RPKI 2
  • 3. This is Not New •  1986 – Bellovin & Perlman identify the vulnerability in DNS and Routing •  1999 - National Academies study called it out •  2000 – S-BGP – X.509 PKI to support Secure BGP - Kent, Lynn, et al. •  2003 – NANOG S-BGP Workshop •  2006 – RPKI.NET(for ARIN) & APNIC start work on RPKI. RIPE starts in 2008. •  2009 – RPKI.NET Open Testbed and running code in test routers 2013.11.28 MYNOG RPKI 3
  • 4. What is an AS? An ISP or End Site Sprint Verizon AS 701 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 4
  • 5. What is an AS? An ISP or End Site Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 5
  • 6. An IP Prefix is Announced & Propagated Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 147.28.0.0/16 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 6
  • 7. From Inside a Router BGP routing table entry for 147.28.0.0/16 Origin AS 16509 1239 2497 234 The AS-Path 2013.11.28 MYNOG RPKI 7
  • 8. Of Course it’s Uglier J r1.iad#sh ip bgp 147.28.0.0/16 BGP routing table entry for 147.28.0.0/16, version 21440610 Paths: (2 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 16509 1239 2497 234 144.232.18.81 from 144.232.18.81 (144.228.241.254) Origin IGP, metric 841, localpref 100, valid, external, best Community: 3297:100 3927:380 path 67E8FFCC RPKI State valid Refresh Epoch 1 16509 701 2497 234 129.250.10.157 (metric 11) from 198.180.150.253 (198.180.150.253) Origin IGP, metric 95, localpref 100, valid, internal Community: 2914:410 2914:1007 2914:2000 2914:3000 3927:380 path 699A867C RPKI State valid 2013.11.28 MYNOG RPKI 8
  • 9. The YouTube Incident Global Internet The Plan PCCW Pakistan Telekom Pakistan Internet 2013.11.28 MYNOG RPKI YouTube Poison Pakistan Internal Routing 9
  • 11. We Call this Mis-Origination a Prefix is Originated by an AS Which Does Not Own It 2013.11.28 MYNOG RPKI 11
  • 12. I Do Not Call it Hijacking Because that Assumes Negative Intent 2013.11.28 MYNOG RPKI 12
  • 13. And These Accidents Happen Every Day Usually to Small Folk Sometimes to Large 2013.11.28 MYNOG RPKI 13
  • 15. Three Pieces •  RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (deployed at all RIRs) •  Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (in deployment) •  AS-Path Validation AKA BGPsec – Prevent Path Attacks on BGP (in IETF) 2013.11.28 MYNOG RPKI 15
  • 16. Why Origin Validation? •  Prevent YouTube accident & Far Worse •  Prevent 7007 accident, UU/Sprint 2 days! •  Prevents most accidental announcements •  Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack •  That requires Path Validation, the third step, a few years away 2013.11.28 MYNOG RPKI 16
  • 17. We Need to be Able to Authoritatively Prove Who Owns an IP Prefix And What AS(s) May Announce It 2013.11.28 MYNOG RPKI 17
  • 18. Prefix Ownership Follows the Allocation Hierarchy IANA, RIRs, ISPs, … 2013.11.28 MYNOG RPKI 18
  • 20. RFCs Have Been Long Published 2013.11.28 MYNOG RPKI 20
  • 22. ROAs Registered by > 1,000 Operators 2013.11.28 MYNOG RPKI 22
  • 23. In Live Routers 2013.11.28 MYNOG RPKI 23
  • 24. X.509 Certificate w/ 3779 Ext X.509 Cert Signed by Parent’s Private Key CA RFC 3779 Extension Describes IP Resources (Addr & ASN) SIA – URI for where this Publishes Owner’s Public Key 2013.11.28 MYNOG RPKI 24
  • 26. That’s Who Owns It but Who May Route It? 2013.11.28 MYNOG RPKI 26
  • 27. Route Origin Authorization (ROA) CA Owning Cert 98.128.0.0/16 147.28.0.0/16 EE Cert 98.128.0.0/16 End Entity Cert can not sign certs. can sign other things e.g. ROAs Public Key Public Key ROA This is not a Cert It is a signed blob 98.128.0.0/16 AS 42 2013.11.28 MYNOG RPKI 27
  • 28. How RPKI is Generated Up / Down to Parent GUI RPKI Certificate Engine Publication Protocol Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations Up / Down to Child 2013.11.28 MYNOG RPKI 28
  • 29. Issuing Parties IANA Publication Protocol GUI Please Issue My Cert GUI Please Issue My Cert GUI Please Issue My Cert 2013.11.28 MYNOG RPKI Up/ Down APNIC Up/ Down JPNIC Up/ Down Trust Anchor Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance 29
  • 31. Issuing Parties Relying Parties Trust Anchor GUI IANA Publication Protocol Up Down GUI APNIC SIA Pointers Publication Protocol Up Down GUI 2013.11.28 MYNOG RPKI JPNIC Resource PKI Validated Cache Pseudo IRR route: descr: origin: notify: mnt-by: changed: source: 147.28.0.0/16! 147.28.0.0/16-16! AS3130! irr-hack@rpki.net! MAINT-RPKI! irr-hack@rpki.net 20110606! RPKI! NOC Tools Resource PKI SIA Pointers Publication Protocol RCynic Gatherer Resource PKI BGP Decision Process 31
  • 32. How Do ROAs Affect BGP Updates? 2013.11.28 MYNOG RPKI 32
  • 33. Trust Anchor IANA GUI Publication Protocol Up Down APNIC GUI SIA Pointers Publication Protocol GUI SIA Pointers Publication Protocol In NOC 2013.11.28 MYNOG RPKI Resource PKI In PoP RCynic Gatherer Crypto Check Validated Cache Up Down JPNIC Resource PKI Resource PKI Crypto Stripped RPKI to Rtr Protocol BGP Decision Process 33
  • 34. ROAs Become Router ROAs Want to Run on Current Hardware RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol Crypto is Stripped RPKI ROAs 34
  • 35. IPv4 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 4 | | +-------------------------------------------+ | | | Length=20 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..32 | 0..32 | | +-------------------------------------------+ | | | IPv4 prefix | | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 35
  • 36. IPv6 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 6 | | +-------------------------------------------+ | | | Length=40 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..128 | 0..128 | | +-------------------------------------------+ | | +-----+ | | +--IPv6 prefix ---+ | | +-----+ | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 96 More Bits No Magic 36
  • 37. Marking BGP Updates BGP Peer BGP Data BGP Updates Mark RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol RPKI ROAs Valid Invalid NotFound 37
  • 38. Result of Check •  Valid – A matching/covering ROA was found with a matching AS number •  Invalid – A covering ROA was found, but the AS number did not match, and there was no other matching one •  NotFound – No matching or covering ROA was found, same as today 2013.11.28 MYNOG RPKI 38
  • 39. Configure Router to Get ROAs router bgp 651nn … bgp rpki server tcp 192.168.179.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 2013.11.28 MYNOG RPKI 39
  • 40. Valid! r0.sea#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24, version 3043542 Paths: (3 available, best #1, table default) 6939 27318 206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid 2914 4459 27318 199.238.113.9 from 199.238.113.9 (129.250.0.19) Origin IGP, metric 43, localpref 100, valid, external Community: 2914:410 2914:1005 2914:3000 3130:380 path 09AF35CC RPKI State valid 2013.11.28 MYNOG RPKI 40
  • 41. Invalid! r0.sea#show bgp 198.180.150.0 BGP routing table entry for 198.180.150.0/24, version 2546236 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 8 Refresh Epoch 1 1239 3927 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid 2013.11.28 MYNOG RPKI 41
  • 42. NotFound r0.sea#show bgp 64.9.224.0 BGP routing table entry for 64.9.224.0/20, version 35201 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 Refresh Epoch 1 1239 3356 36492 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 4, localpref 100, valid, internal Community: 3130:370 path 11861AA4 RPKI State not found 2013.11.28 MYNOG RPKI 42
  • 43. The Operator Tests the Mark and then Applies Local Policy 2013.11.28 MYNOG RPKI 43
  • 44. Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50 ! invalid is dropped 2013.11.28 MYNOG RPKI 44
  • 45. Paranoid route-map validity-0 match rpki valid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 45
  • 46. Security Geek route-map validity-0 match rpki invalid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 46
  • 47. After AS-Path route-map validity-0 match rpki not-found set metric 100 route-map validity-1 match rpki invalid set metric 150 route-map validity-2 set metric 50 2013.11.28 MYNOG RPKI 47
  • 48. Set a Community route-map validity-0 match rpki valid set community 3130:400 route-map validity-1 match rpki invalid set community 3130:200 route-map validity-2 set community 3130:300 2013.11.28 MYNOG RPKI 48
  • 49. And it is All Monitored BGP Data BGP Updates mark RPKI-Rtr Protocol 2013.11.28 MYNOG RPKI Valid Invalid NotFound RPKI ROAs SNMP syslog N O C 49
  • 50. But in the End, You Control Your Policy “Announcements with Invalid origins SHOULD NOT be used, but MAY be used to meet special operational needs. In such circumstances, the announcement SHOULD have a lower preference than that given to Valid or NotFound.” -- draft-ietf-sidr-origin-ops 2013.11.28 MYNOG RPKI 50
  • 51. RPKI at the Registries •  RIPE seriously deployed with a few thousand LIRs and thousands of ROAs •  APNIC is operational and moving forward, moving to RIPE’s GUI •  ARIN is doing their best to make RPKI deployment very hard •  LACNIC is deployed and has 100s of LIRs •  AFRINIC is deployed with O(25) LIRs 2013.11.28 MYNOG RPKI 51
  • 52. RIPE Progress •  Policy just passed to allow registration of legacy space without having to become a member or sign away all rights •  Policy just passed to allow registration of 40,000 PI allocations to end sites without having to become a full member •  And RIPE already had thousands of RPKI registrations 2013.11.28 MYNOG RPKI 52
  • 53. LACNIC / Ecuador •  LACNIC working with the Ecuador Internet Exchange •  All ISPs and lmost all address space in Ecuador is certified and has ROAs •  All members of the exchange are using RPKI-Rtr protocol to get ROAs from a cache at the exchange •  Watching routers to see markings 2013.11.28 MYNOG RPKI 53
  • 54. Per-RIR Statistics Much Better Than IPv6 Half are Two LIRs 2013.11.28 MYNOG RPKI Embarrassing 54
  • 55. Router Origin Validation •  Cisco IOS – solid in 15.2 •  Cisco IOS/XR – shipped in 4.3.2 •  Juniper – shipped in 12.2 •  AlcaLu – in development 2013.11.28 MYNOG RPKI 55
  • 56. RPKI Implementations •  RIPE/NCC – CA (partial closed) & RP (partial open) •  APNIC – CA only – Closed Source •  RTRlib/Berlin – RP only – Open Source •  BBN – RP Only – Open Source •  RPKI.NET – CA & RP – Open Source 2013.11.28 MYNOG RPKI 56
  • 57. RPKI.NET / Dragon Labs •  Open Source BSD License •  CA – Hosted and Delegated Models, GUI •  RP – RPKI-RTR, NOC Tools, IRR Gen •  FreeBSD, Ubuntu, Debian, … Packaged (docs still catching up) 2013.11.28 MYNOG RPKI 57