SlideShare ist ein Scribd-Unternehmen logo

Resource Certification

RIPE NCC
RIPE NCC

presentation given by Alex Band at UKNOF 18

Technologie
1 von 18
Downloaden Sie, um offline zu lesen
Resource Certification Alex Band, Product Manager UKNOF18
Internet Routing • Routing is non-hierarchical, open and free • Freedom comes at a price: - You can announce any address block on your router - Route leaking happens frequently, impact is high Entire networks become unavailable - - Route hijacking is easy, as long as peers don’t filter • IPv4 address depletion may intensify issue 2
Digital Resource Certificates • Based on open IETF standards (sidr) • Issued by the RIRs • States that an Internet number resource has been registered by the RIPE NCC • Do not list any identity information - All resource information can be found in the registry 3
What Certification offers • Proof of holdership • Secure Inter-Domain Routing - Route Origin Authorisation • Resource transfers • Validation is the added value! 4
The system certificate authority 5
The system (2) • Accessible through the LIR Portal • Administrator grants access to users 6
Proof of holdership • • • 7
Route Origin Authorisation (ROA) • fi • • 8
ROA Creation Demo 9
Software Validation of Certificates and ROAs • Validators access publicly accessible repository • Three software tools available 1. RIPE NCC Validator - Easy to set-up and use, limited feature set 2. rcynic 3. BBN Relying Party Software - Complex set-up, but more options and felixibility http://ripe.net/certification/validation 11
BGPmon ROA validation service • Relies heavily on RIPE NCC Validator $ whois -h whois.bgpmon.net 200.7.86.0 Prefix: 195.157.0.0/16 Prefix description: Netscalibur UK Ltd Country code: GB Origin AS: 8426 Origin AS Name: CLARANET-AS ClaraNET RPKI status: ROA validation successful $ whois -h whois.bgpmon.net " --roa 8426 195.157.0.0/16" 0 - Valid ------------------------ ROA Details ------------------------ Origin ASN: AS8426 Not valid Before: 2011-01-01 13:56:21 Not valid After: 2012-07-01 00:00:00 Trust Anchor: rpki.ripe.net Prefixes: 213.165.128.0/19 195.157.0.0/16 194.112.32.0/19 12
Hardware Validation: RPKI-RTR Protocol BGP validated RPKI RTR Decision cache PROTOCOL Process route-map validity-0 match rpki-invalid drop route-map validity-1 match rpki-not-found set localpref 50 // valid defaults to 100 13
Hardware Validation: RPKI-RTR Protocol BGP validated RPKI RTR Decision cache PROTOCOL Process • Cisco roadmap has router validation for RLS12 / IOS-XR in 2011 • Juniper is actively working on validation as well 14
Where are we now? After 17 Days 175 LIRs have enabled the service and created 152 ROAs covering 419 prefixes 15
The road ahead • Web-based validator • Up / Down protocol - Run your own Certificate Authority - Allow PI holders to manage ROAs - Transfers between RIRs - ERX space • ROA tools - Import using combination of IRR + BGP + Human - Receive alert if ROA does not match BGP 16
More information: http://ripe.net/certification 17
Questions?

Empfohlen

Certification
CertificationCertification
Certification
RIPE NCC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
RIPE NCC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
APNIC
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generation
APNIC
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet Routing
APNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
MyNOG
 

Empfohlen

Certification
CertificationCertification
Certification
RIPE NCC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
RIPE NCC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
APNIC
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generation
APNIC
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet Routing
APNIC
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
MyNOG
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
APNIC
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
Bangladesh Network Operators Group
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
MyNOG
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
Cisco Canada
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
Robb Boyd
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
Fakrul Alam
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
APNIC
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC
 
Routing diff
Routing diffRouting diff
Routing diff
Bangladesh Network Operators Group
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PROIDEA
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
Bangladesh Network Operators Group
 
Segment Routing: Prepare Your Network For New Business Models
Segment Routing: Prepare Your Network For New Business ModelsSegment Routing: Prepare Your Network For New Business Models
Segment Routing: Prepare Your Network For New Business Models
Cisco Service Provider
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
akg1330
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRT
APNIC
 
RPKI invalids aren't gone yet
RPKI invalids aren't gone yetRPKI invalids aren't gone yet
RPKI invalids aren't gone yet
Bangladesh Network Operators Group
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
APNIC
 
Routing Security
Routing SecurityRouting Security
Routing Security
RIPE NCC
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6
Ahmed AbdelSalam
 
WAN SDN meet Segment Routing
WAN SDN meet Segment RoutingWAN SDN meet Segment Routing
WAN SDN meet Segment Routing
APNIC
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 

Weitere ähnliche Inhalte

Was ist angesagt?

TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
Robb Boyd
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PROIDEA
 
Segment Routing: Prepare Your Network For New Business Models
Segment Routing: Prepare Your Network For New Business ModelsSegment Routing: Prepare Your Network For New Business Models
Segment Routing: Prepare Your Network For New Business Models
Cisco Service Provider
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6
Ahmed AbdelSalam
 

Was ist angesagt? (20)

ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
Routing diff
Routing diffRouting diff
Routing diff
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
 
Segment Routing: Prepare Your Network For New Business Models
Segment Routing: Prepare Your Network For New Business ModelsSegment Routing: Prepare Your Network For New Business Models
Segment Routing: Prepare Your Network For New Business Models
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRT
 
RPKI invalids aren't gone yet
RPKI invalids aren't gone yetRPKI invalids aren't gone yet
RPKI invalids aren't gone yet
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
Routing Security
Routing SecurityRouting Security
Routing Security
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6
 
WAN SDN meet Segment Routing
WAN SDN meet Segment RoutingWAN SDN meet Segment Routing
WAN SDN meet Segment Routing
 

Ähnlich wie Resource Certification

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 

Ähnlich wie Resource Certification (20)

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
 
MyNOG 8: Next Generation Internet Number Registry Services
MyNOG 8: Next Generation Internet Number Registry ServicesMyNOG 8: Next Generation Internet Number Registry Services
MyNOG 8: Next Generation Internet Number Registry Services
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net tools
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej WolskiPLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14: Quo Vadis RPKI - Andrzej Wolski
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 

Mehr von RIPE NCC

Mehr von RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 

Kürzlich hochgeladen

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Kürzlich hochgeladen (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Resource Certification

  • 1. Resource Certification Alex Band, Product Manager UKNOF18
  • 2. Internet Routing • Routing is non-hierarchical, open and free • Freedom comes at a price: - You can announce any address block on your router - Route leaking happens frequently, impact is high Entire networks become unavailable - - Route hijacking is easy, as long as peers don’t filter • IPv4 address depletion may intensify issue 2
  • 3. Digital Resource Certificates • Based on open IETF standards (sidr) • Issued by the RIRs • States that an Internet number resource has been registered by the RIPE NCC • Do not list any identity information - All resource information can be found in the registry 3
  • 4. What Certification offers • Proof of holdership • Secure Inter-Domain Routing - Route Origin Authorisation • Resource transfers • Validation is the added value! 4
  • 5. The system certificate authority 5
  • 6. The system (2) • Accessible through the LIR Portal • Administrator grants access to users 6
  • 7. Proof of holdership • • • 7
  • 8. Route Origin Authorisation (ROA) • fi • • 8
  • 10.
  • 11. Software Validation of Certificates and ROAs • Validators access publicly accessible repository • Three software tools available 1. RIPE NCC Validator - Easy to set-up and use, limited feature set 2. rcynic 3. BBN Relying Party Software - Complex set-up, but more options and felixibility http://ripe.net/certification/validation 11
  • 12. BGPmon ROA validation service • Relies heavily on RIPE NCC Validator $ whois -h whois.bgpmon.net 200.7.86.0 Prefix: 195.157.0.0/16 Prefix description: Netscalibur UK Ltd Country code: GB Origin AS: 8426 Origin AS Name: CLARANET-AS ClaraNET RPKI status: ROA validation successful $ whois -h whois.bgpmon.net " --roa 8426 195.157.0.0/16" 0 - Valid ------------------------ ROA Details ------------------------ Origin ASN: AS8426 Not valid Before: 2011-01-01 13:56:21 Not valid After: 2012-07-01 00:00:00 Trust Anchor: rpki.ripe.net Prefixes: 213.165.128.0/19 195.157.0.0/16 194.112.32.0/19 12
  • 13. Hardware Validation: RPKI-RTR Protocol BGP validated RPKI RTR Decision cache PROTOCOL Process route-map validity-0 match rpki-invalid drop route-map validity-1 match rpki-not-found set localpref 50 // valid defaults to 100 13
  • 14. Hardware Validation: RPKI-RTR Protocol BGP validated RPKI RTR Decision cache PROTOCOL Process • Cisco roadmap has router validation for RLS12 / IOS-XR in 2011 • Juniper is actively working on validation as well 14
  • 15. Where are we now? After 17 Days 175 LIRs have enabled the service and created 152 ROAs covering 419 prefixes 15
  • 16. The road ahead • Web-based validator • Up / Down protocol - Run your own Certificate Authority - Allow PI holders to manage ROAs - Transfers between RIRs - ERX space • ROA tools - Import using combination of IRR + BGP + Human - Receive alert if ROA does not match BGP 16