SlideShare a Scribd company logo

Should I run my own RPKI Certificate Authority?

APNIC
APNIC

Presentation by Tim Bruijnzeels at APRICOT 2019 on Wednesday, 27 February 2019.

Internet
1 of 36
TIM BRUIJNZEELS & MARTIN HOFFMANN APRICOT2019 SHOULDIRUNMYOWN RPKI CERTIFICATE AUTHORITY?
NLnet labs?
Purveyors of fine open source software since 1899
RPKI
RPKI Quick Start • Resource Public Key Infrastructure • Aimed at making Internet routing more secure • Provide Route Origin Validation (ROV) now • Stepping stone to Path Validation
ORIGIN VALIDATION Quick Start • Organisation holds certificate containing all Internet Resources • Uses it to make authoritative statements about intended routing • Signed objects called Route Origin Authorizations (ROAs) • Other operators — “Relying Parties” — download and validate ROAs • Make routing decisions based on the outcome; • Valid, Invalid or NotFound
“Is this BGP route origination authorised by the legitimate holder of the IP space?”
ORIGIN VALIDATION Quick Start AS65001 10.0.0.0/20 AS65003 AS65004 AS65005 10.0.0.0/20 10.0.0.0/24 10.0.0.0/20 10.0.0.0/24 AS65002 looks like anycast most specific wins
ORIGIN VALIDATION Quick Start AS65001 10.0.0.0/20 AS65003 AS65004 AS65005 10.0.0.0/20 10.0.0.0/24 10.0.0.0/20 AS65002 ROA AS65001 10.0.0.0/20 max 24
PATH SPOOFING AS65001 10.0.0.0/20 AS65003 AS65004 AS65005 10.0.0.0/24 10.0.0.0/20 ROA AS65001 10.0.0.0/20 max 24AS65001 10.0.0.0/24 10.0.0.0/24 prepends with AS65001
Origin vs. Path Validation • Route Origin Validation (ROV) already provides value for most issues: • Most mis-originations are accidental — “fat-fingering” • For many networks, the most important prefixes are one hop away • Practical Path Validation is achievable, dra!s are in progress: • dra!-azimov-sidrops-aspa-profile • dra!-azimov-sidrops-aspa-verification
Go all in! • It’s be"er to create no ROAs than bad ones • Once you start create ROAs, maintain them! • Make RPKI part of standard operations • Set up monitoring and alerting • Train your first line help desk
The Moving Parts
SEPARATE COMPONENTS 
 CERTIFICATE AUTHORITY creates & signs 
 PUBLICATION SERVER makes available 
 RELYING
 PARTY validates
LACNIC repository NIR repository LIR repository ARIN repository rsync RPKI-RTR RPKI VALIDATION 
 Relying Party Software validated cache
RPKI Certificate Structure APNICAFRINIC LACNIC RIPE NCC ARIN NIR member NIR member member member member member member ROAROA ROA
Hosted vs. Delegated RPKI • Hosted RPKI • The resource issuer — RIR, NIR, LIR — offers RPKI as a service • Certificates, keys, and signed products are all kept and 
 published in their infrastructure • Delegated RPKI • Run your own Certificate Authority, generate your own 
 signed products and publish them yourself
Hosted RPKI • All five RIR have been offering Hosted RPKI since 2011 • Various NIRs in the APNIC region also have a
 hosted service, or are working on it. • Request certificate and issue ROAs through web portal • Implementations vary across regions: • User interface guidance to create high quality ROAs • Se"ing up alerts for misconfigurations and possible hijacks
Delegated RPKI • Run Certificate Authority (CA) as a child of the RIR/NIR/LIR • Install and maintain so!ware yourself • Generate your own certificate, have it signed by the parent CA • Publish signed objects yourself, or ask a third party to do it for you • When a relying party connects to the Trust Anchor, it will automatically follow the chain down to your publication point • You may delegate down to child CAs for your own customers or business units
WHICH ONE IS RIGHT FOR ME?
Hosted RPKI • No cost of hardware, operations, key storage, publication, etc. • No worries about uptime or availability (at least not first hand) • Easy to get started and use • Great to gain operational experience with the system • Almost nothing to manage
Delegated RPKI • Be"er integration with operator’s own systems • Be"er control of which users get to make changes • Option to delegate to customers, so that they can manage their own ROAs • Organization is operationally independent from the parent RIR • Operator of a global network can operate a single system, rather than maintain ROAs in up to five web interfaces • Organization will be the only one in possession of their private key
Choosing DELEGATED RPKI
“What kind of setup will I need,
 in terms of software, hardware
 and services?”
OPEN SOURCE CA SOFTWARE • rpkid, by Dragon Research Labs • Python-based solution • Krill, by NLnet Labs • Rust-based solution • Coming late 2019
Hardware & Connectivity • Certificate Authority • Modest hardware is fine for most use cases
 • Publication Server • Internet-facing, with all related consequences • Run it yourself, or outsource it — the hybrid option
The hybrid option • Hosted publication server • No worries about uptime, DDOS a"acks, etc. • At least one $CLOUD provider has offered to run this as a free service
Publication Infrastructure • RPKI relies on rsync for distribution for now • RRDP, which uses HTTPS, is its replacement (RFC8182) • Deployed by RIPE NCC and APNIC • ARIN has it on their suggested work items for 2019 • Ideally suited for CDN participation in publication • Note: CA doesn’t need uptime, your publication server does!
What if it breaks? • No DNSSEC horror story; e.g. unavailable zone 
 due to signing mishap • RPKI provides a positive statement on routing intent • Lose your keys? Hardware failure? 
 Publication server being DDOSed? All routes will eventually fall back to the “NotFound” state, as if RPKI were never used
Should I choose Delegated RPKI? • Is Delegated RPKI more secure? No! Yes? • The RIR giveth, the RIR taketh away; they can always revoke your certificate anyway • But you will have be"er access control to your own keys
 • Is Delegated RPKI more convenient? It depends… • Is the pain of running your own so!ware less than clicking 
 around one or more web interfaces at 3AM? • How many prefixes do you manage (across the globe)? • How o!en do they change? • Can you manage space for customers? • Do you have to deal with multiple parent UIs/APIs?
further
 reading
RPKI documentation project https://rpki.readthedocs.io
nlnetlabs.nl/rpki @ rpki-team@nlnetlabs.nl @nlnetlabs h"ps://www.nlnetlabs.nl/mailman/listinfo/rpki

Recommended

Route Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIAPNIC
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
IXP Design and Operational BCP
IXP Design and Operational BCPIXP Design and Operational BCP
IXP Design and Operational BCPAPNIC
 
The Zen of High Performance Messaging with NATS (Strange Loop 2016)
The Zen of High Performance Messaging with NATS (Strange Loop 2016)The Zen of High Performance Messaging with NATS (Strange Loop 2016)
The Zen of High Performance Messaging with NATS (Strange Loop 2016)wallyqs
 
Oracle نوشته مهندس اسمعیل دخت
Oracle نوشته مهندس اسمعیل دختOracle نوشته مهندس اسمعیل دخت
Oracle نوشته مهندس اسمعیل دختYashar Esmaildokht
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open SourceGleb Smirnoff
 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address PlanningAPNIC
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 

Recommended

Route Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIAPNIC
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
IXP Design and Operational BCP
IXP Design and Operational BCPIXP Design and Operational BCP
IXP Design and Operational BCPAPNIC
 
The Zen of High Performance Messaging with NATS (Strange Loop 2016)
The Zen of High Performance Messaging with NATS (Strange Loop 2016)The Zen of High Performance Messaging with NATS (Strange Loop 2016)
The Zen of High Performance Messaging with NATS (Strange Loop 2016)wallyqs
 
Oracle نوشته مهندس اسمعیل دخت
Oracle نوشته مهندس اسمعیل دختOracle نوشته مهندس اسمعیل دخت
Oracle نوشته مهندس اسمعیل دختYashar Esmaildokht
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open SourceGleb Smirnoff
 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address PlanningAPNIC
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing DaemonAPNIC
 
InfiniBand Essentials Every HPC Expert Must Know
InfiniBand Essentials Every HPC Expert Must KnowInfiniBand Essentials Every HPC Expert Must Know
InfiniBand Essentials Every HPC Expert Must KnowMellanox Technologies
 
fooConf - JavaScript frameworks of tomorrow
fooConf - JavaScript frameworks of tomorrowfooConf - JavaScript frameworks of tomorrow
fooConf - JavaScript frameworks of tomorrowJuho Vepsäläinen
 
Fidl analysis
Fidl analysisFidl analysis
Fidl analysisTekObserver
 
Telstra Global Network Map
Telstra Global Network MapTelstra Global Network Map
Telstra Global Network Mapchalja
 
Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?CSUC - Consorci de Serveis Universitaris de Catalunya
 
Splunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOLEnhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOLNutan Singh
 
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...Mitul Tiwari
 
Bgp
BgpBgp
BgpFebrian ‎
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityBangladesh Network Operators Group
 
IXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerIXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerAPNIC
 
Network automation (NetDevOps) with Ansible
Network automation (NetDevOps) with AnsibleNetwork automation (NetDevOps) with Ansible
Network automation (NetDevOps) with AnsibleBangladesh Network Operators Group
 
Openstack live migration
Openstack live migrationOpenstack live migration
Openstack live migrationymtech
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming TechniquesAPNIC
 
PHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourPHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourRod Flohr
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
 

More Related Content

What's hot

BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing DaemonAPNIC
 
InfiniBand Essentials Every HPC Expert Must Know
InfiniBand Essentials Every HPC Expert Must KnowInfiniBand Essentials Every HPC Expert Must Know
InfiniBand Essentials Every HPC Expert Must KnowMellanox Technologies
 
fooConf - JavaScript frameworks of tomorrow
fooConf - JavaScript frameworks of tomorrowfooConf - JavaScript frameworks of tomorrow
fooConf - JavaScript frameworks of tomorrowJuho Vepsäläinen
 
Telstra Global Network Map
Telstra Global Network MapTelstra Global Network Map
Telstra Global Network Mapchalja
 
Splunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOLEnhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOLNutan Singh
 
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...Mitul Tiwari
 
IXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerIXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerAPNIC
 
Openstack live migration
Openstack live migrationOpenstack live migration
Openstack live migrationymtech
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming TechniquesAPNIC
 
PHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourPHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourRod Flohr
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 

What's hot (20)

BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing Daemon
 
InfiniBand Essentials Every HPC Expert Must Know
InfiniBand Essentials Every HPC Expert Must KnowInfiniBand Essentials Every HPC Expert Must Know
InfiniBand Essentials Every HPC Expert Must Know
 
fooConf - JavaScript frameworks of tomorrow
fooConf - JavaScript frameworks of tomorrowfooConf - JavaScript frameworks of tomorrow
fooConf - JavaScript frameworks of tomorrow
 
Fidl analysis
Fidl analysisFidl analysis
Fidl analysis
 
Telstra Global Network Map
Telstra Global Network MapTelstra Global Network Map
Telstra Global Network Map
 
Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?
 
Splunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk HTTP Event Collector
Splunk HTTP Event Collector
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOLEnhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
 
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...
Big Data Ecosystem at LinkedIn. Keynote talk at Big Data Innovators Gathering...
 
Bgp
BgpBgp
Bgp
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
IXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerIXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP Manager
 
Network automation (NetDevOps) with Ansible
Network automation (NetDevOps) with AnsibleNetwork automation (NetDevOps) with Ansible
Network automation (NetDevOps) with Ansible
 
Openstack live migration
Openstack live migrationOpenstack live migration
Openstack live migration
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming Techniques
 
PHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourPHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel Tour
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
 

Similar to Should I run my own RPKI Certificate Authority?

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfRIPE NCC
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPROIDEA
 
GlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIsGlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIsGlobalSign
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 

Similar to Should I run my own RPKI Certificate Authority? (20)

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
Certification
CertificationCertification
Certification
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net tools
 
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
 
GlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIsGlobalSign's Hosted OCSP for IoT PKIs
GlobalSign's Hosted OCSP for IoT PKIs
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Resource Certification
Resource CertificationResource Certification
Resource Certification
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
Vp ns
Vp nsVp ns
Vp ns
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdfkeithzhangding
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 

Recently uploaded (20)

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
象限策略:Google Workspace 与 Microsoft 365 对业务的影响 .pdf
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 

Should I run my own RPKI Certificate Authority?

  • 1. TIM BRUIJNZEELS & MARTIN HOFFMANN APRICOT2019 SHOULDIRUNMYOWN RPKI CERTIFICATE AUTHORITY?
  • 3. Purveyors of fine open source software since 1899
  • 4.
  • 6. RPKI Quick Start • Resource Public Key Infrastructure • Aimed at making Internet routing more secure • Provide Route Origin Validation (ROV) now • Stepping stone to Path Validation
  • 7. ORIGIN VALIDATION Quick Start • Organisation holds certificate containing all Internet Resources • Uses it to make authoritative statements about intended routing • Signed objects called Route Origin Authorizations (ROAs) • Other operators — “Relying Parties” — download and validate ROAs • Make routing decisions based on the outcome; • Valid, Invalid or NotFound
  • 8. “Is this BGP route origination authorised by the legitimate holder of the IP space?”
  • 9. ORIGIN VALIDATION Quick Start AS65001 10.0.0.0/20 AS65003 AS65004 AS65005 10.0.0.0/20 10.0.0.0/24 10.0.0.0/20 10.0.0.0/24 AS65002 looks like anycast most specific wins
  • 10. ORIGIN VALIDATION Quick Start AS65001 10.0.0.0/20 AS65003 AS65004 AS65005 10.0.0.0/20 10.0.0.0/24 10.0.0.0/20 AS65002 ROA AS65001 10.0.0.0/20 max 24
  • 12. Origin vs. Path Validation • Route Origin Validation (ROV) already provides value for most issues: • Most mis-originations are accidental — “fat-fingering” • For many networks, the most important prefixes are one hop away • Practical Path Validation is achievable, dra!s are in progress: • dra!-azimov-sidrops-aspa-profile • dra!-azimov-sidrops-aspa-verification
  • 13. Go all in! • It’s be"er to create no ROAs than bad ones • Once you start create ROAs, maintain them! • Make RPKI part of standard operations • Set up monitoring and alerting • Train your first line help desk
  • 14.
  • 16. SEPARATE COMPONENTS 
 CERTIFICATE AUTHORITY creates & signs 
 PUBLICATION SERVER makes available 
 RELYING
 PARTY validates
  • 18. RPKI Certificate Structure APNICAFRINIC LACNIC RIPE NCC ARIN NIR member NIR member member member member member member ROAROA ROA
  • 19. Hosted vs. Delegated RPKI • Hosted RPKI • The resource issuer — RIR, NIR, LIR — offers RPKI as a service • Certificates, keys, and signed products are all kept and 
 published in their infrastructure • Delegated RPKI • Run your own Certificate Authority, generate your own 
 signed products and publish them yourself
  • 20. Hosted RPKI • All five RIR have been offering Hosted RPKI since 2011 • Various NIRs in the APNIC region also have a
 hosted service, or are working on it. • Request certificate and issue ROAs through web portal • Implementations vary across regions: • User interface guidance to create high quality ROAs • Se"ing up alerts for misconfigurations and possible hijacks
  • 21.
  • 22. Delegated RPKI • Run Certificate Authority (CA) as a child of the RIR/NIR/LIR • Install and maintain so!ware yourself • Generate your own certificate, have it signed by the parent CA • Publish signed objects yourself, or ask a third party to do it for you • When a relying party connects to the Trust Anchor, it will automatically follow the chain down to your publication point • You may delegate down to child CAs for your own customers or business units
  • 24. Hosted RPKI • No cost of hardware, operations, key storage, publication, etc. • No worries about uptime or availability (at least not first hand) • Easy to get started and use • Great to gain operational experience with the system • Almost nothing to manage
  • 25. Delegated RPKI • Be"er integration with operator’s own systems • Be"er control of which users get to make changes • Option to delegate to customers, so that they can manage their own ROAs • Organization is operationally independent from the parent RIR • Operator of a global network can operate a single system, rather than maintain ROAs in up to five web interfaces • Organization will be the only one in possession of their private key
  • 27. “What kind of setup will I need,
 in terms of software, hardware
 and services?”
  • 28. OPEN SOURCE CA SOFTWARE • rpkid, by Dragon Research Labs • Python-based solution • Krill, by NLnet Labs • Rust-based solution • Coming late 2019
  • 29. Hardware & Connectivity • Certificate Authority • Modest hardware is fine for most use cases
 • Publication Server • Internet-facing, with all related consequences • Run it yourself, or outsource it — the hybrid option
  • 30. The hybrid option • Hosted publication server • No worries about uptime, DDOS a"acks, etc. • At least one $CLOUD provider has offered to run this as a free service
  • 31. Publication Infrastructure • RPKI relies on rsync for distribution for now • RRDP, which uses HTTPS, is its replacement (RFC8182) • Deployed by RIPE NCC and APNIC • ARIN has it on their suggested work items for 2019 • Ideally suited for CDN participation in publication • Note: CA doesn’t need uptime, your publication server does!
  • 32. What if it breaks? • No DNSSEC horror story; e.g. unavailable zone 
 due to signing mishap • RPKI provides a positive statement on routing intent • Lose your keys? Hardware failure? 
 Publication server being DDOSed? All routes will eventually fall back to the “NotFound” state, as if RPKI were never used
  • 33. Should I choose Delegated RPKI? • Is Delegated RPKI more secure? No! Yes? • The RIR giveth, the RIR taketh away; they can always revoke your certificate anyway • But you will have be"er access control to your own keys
 • Is Delegated RPKI more convenient? It depends… • Is the pain of running your own so!ware less than clicking 
 around one or more web interfaces at 3AM? • How many prefixes do you manage (across the globe)? • How o!en do they change? • Can you manage space for customers? • Do you have to deal with multiple parent UIs/APIs?