v1.0
BGP Hijacking & Securing
Internet Routing
(with RPKI)
Agenda
An introduction to the following:
• Internet Routing System
• Border Gateway Protocol (BGP) Hijacks
• Resource Public Key Infrastructure (RPKI)
Internet Routing
Google Maps. (2017). Google Maps. [online] Available at: https://goo.gl/maps/Zdw6sruvkb75DiL17 [Accessed 4 Dec. 2020].
Internet Routing
Screenshot taken from the “3.5.3.4 Packet Tracer - Configure and Verify eBGP.pka” example from the Connecting Networks Cisco NetAcademy course
Routing Table
(diagram) The sources that populate the Routing Information Base (RIB): BGP 4 Routing Table, IS-IS Link State Database, Connected Routes, Static Routes. The RIB in turn feeds the Forwarding Information Base (FIB).
Image by Stephan Fuchs from Pixabay
IP Route Lookup
Based on destination IP address: “longest match” routing
More specific prefix preferred over less specific prefix
Which address would you choose for locating this venue:
1. Brisbane, Queensland
2. George Street, Brisbane, Queensland
3. Z4 Atrium 2 George St, Brisbane, Queensland
IP Route Lookup
(diagram) Your router (YOU) receives two routes covering the same destination:
61.45.248.0/22 135535 135534 135533 i (learned from neighbour AS135535; origin AS135533)
61.45.248.0/24 135539 135540 i (learned from neighbour AS135539; origin AS135540)
Longest match: the /24 is more specific, so traffic for 61.45.248.0/24 follows the path via AS135539 to AS135540.
IP Route Lookup
(diagram) Both routes now carry the same /24:
61.45.248.0/24 135535 135534 135533 i (learned from neighbour AS135535; origin AS135533)
61.45.248.0/24 135539 135540 i (learned from neighbour AS135539; origin AS135540)
Longest match no longer decides; with equal prefix length and otherwise equal attributes, BGP best-path selection prefers the shorter AS path via AS135539.
BGP Hijack 101
• Announce a more specific path
• Announce an IP address space that is owned by someone else
Williams, R. (2015). street signs being stolen [Image]. Retrieved from https://media.apnarm.net.au/media/images/2015/02/06/IQT_06-02-2015_NEWS_05_STOLENSIGNS1_t1880.jpg
Hijacks and Leaks in 2019
(chart) Monthly counts of BGP leaks and possible hijacks, Jan to Dec 2019; y-axis 0 to 350 events.
Sources: https://bgpstream.com, http://blog.catchpoint.com/2020/04/09/one-year-bgp-security
Hijacks and Leaks in 2020 (so far)
(chart) Monthly counts of BGP leaks and possible hijacks, Jan to Apr 2020; y-axis 0 to 350 events.
Source: https://bgpstream.com
Demo: BGP Hijack
(the trouble with)
Securing the Internet Routing
Tashi Phuntsho (tashi@apnic.net)
Senior Network Analyst/Technical Trainer
Acknowledgement
• Stole slides/ideas from
– Geoff Huston, APNIC ☺
Headlines
https://bgpstream.com/event/251690
AS1221 (Telstra) hijacks/leaks – 30 Sept 2020
Headlines
https://blog.qrator.net/en/how-you-deal-route-leaks_69/
https://twitter.com/bgpmon/status/1246842916502302723?s=21
Headlines
https://twitter.com/atoonk/status/1143143943531454464/photo/1
https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/amp/
Headlines
https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies
Why do we keep seeing these?
• Because NO ONE is in charge?
– No single authority model for the Internet
• No reference point for what’s right in routing
• Routing is VARIABLE
– The view of the network depends on where you are
• Different routing outcomes at different locations
– No reference view to compare the local view against
Why do we keep seeing these?
• Routing works by RUMOUR
– Tell what you know to your neighbours, and learn what your neighbours know
– Assume everyone is correct (and honest)
• Is the originating network the rightful owner?
Why do we keep seeing these?
• Routing works in REVERSE
– Outbound advertisements affect inbound traffic
– Inbound (accepted) advertisements influence outbound traffic
Why do we keep seeing these?
• No evil (E) bit (RFC3514)
– a bad routing update does not identify itself as BAD
Current Practice
(diagram) Peering/Transit Request → LOA Check → Filters (in/out)
The LOA check draws on: Whois (manual), Letter of Authority, IRR (RPSL)
Tools & Techniques
• Look up whois
– verify holder of a resource
Tools & Techniques
• Ask for a Letter of Authority
– Absolves from any liabilities
Tools & Techniques
• Look up/ask to enter details in IRR
– Describes route origination and inter-AS routing policies
Tools & Techniques
• IRR
– Helps generate network (prefix & as-path) filters using RPSL tools
• Filter out route advertisements not described in the registry
IRR Issues
• No single authority model
• How do I know an RR entry is genuine/correct?
• Too many RRs
• If two RRs have conflicting data, which one do I trust?
• Incomplete data
– If a route is not in a RR, is the route
• Invalid, or
• Is the RR just missing data?
Enter the RPKI framework
(diagram) Your router receives two routes for 2406:6400::/48:
2406:6400::/48 65551 65550 17821 i (learned from neighbour AS65551; origin AS17821)
2406:6400::/48 65553 65552 i (learned from neighbour AS65553; origin AS65552)
The RPKI Repo holds a ROA for 2406:6400::/32-48 with origin AS17821. A Validator fetches the repository and passes the ROA data to the router over RPKI-to-Router (RTR). The route originated by AS17821 is Valid; the route originated by AS65552 is Invalid.
Implementation
• Sign your route origins (create your ROAs)
Prefix: 2406:6400::/32
Max-length: /36
Origin ASN: AS45192
Implementation
• Run your own RPKI validator:
– Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
– RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3/releases/tag/3.2-2020.10.28.23.06 (will be deprecated in 2021)
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.8.2
– OctoRPKI/GoRTR (Cloudflare’s toolkit) https://github.com/cloudflare/cfrpki/releases/tag/v1.2.2
– Fort (NIC Mexico’s Validator) - https://github.com/NICMx/FORT-validator/releases/tag/v1.4.2
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
Implementation
• Enable RPKI/RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Example: IOS-XE won't use Invalids for best path selection
IOS-XE:
router bgp 131107
 bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
Junos:
routing-options {
    autonomous-system 131107;
    validation {
        group rpki-validator {
            session <validatorIP> {
                refresh-time <secs>;
                port <323/3323/8282>;
                local-address X.X.X.X;
            }
        }
    }
}
IOS-XR:
router bgp 131107
 rpki server <validatorIP>
  transport tcp port <323/3323/8282>
  refresh-time <secs>
Validation States
• Acting on the validation states
– Tag & do nothing ~ you have downstream/route server @IXPs
– RFC7115 – preference: Valid > Not Found > Invalid
– Drop Invalids
Example states: Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)
IPv4 ~ 6K / IPv6 ~ 1K
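An added worked example (not from the slides) that ties the two "IP Route Lookup" slides, "BGP Hijack 101" and the RPKI/validation-state slides together: route origin validation as in RFC 6811 over a constructed ROA set, then a lookup that applies longest match first and, within one prefix, the RFC 7115 preference (Valid > Not Found > Invalid) or the "Drop Invalids" policy. The ROAs for 2406:6400::/32 are the ones shown on the slides; the ROA for 61.45.248.0/22 (max-length /24, AS135533) is an assumption added so the lookup example can be validated.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str        # covered prefix, e.g. "2406:6400::/32"
    max_length: int    # longest prefix length the origin AS may announce
    origin_as: int

class Route(NamedTuple):
    prefix: str
    as_path: tuple     # AS_PATH as received; the last ASN is the origin

# Constructed ROA set: the two ROAs shown on the slides plus a hypothetical
# ROA for the 61.45.248.0/22 lookup example (not on the page).
ROAS = [
    ROA("2406:6400::/32", 36, 45192),   # "Sign your route origins" slide
    ROA("2406:6400::/32", 48, 17821),   # "Enter the RPKI framework" slide
    ROA("61.45.248.0/22", 24, 135533),  # hypothetical, for the lookup demo
]

def rov_state(route: Route, roas=ROAS) -> str:
    """Route origin validation (RFC 6811): Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"              # no ROA covers this prefix at all
    if any(r.origin_as == origin and net.prefixlen <= r.max_length
           for r in covering):
        return "Valid"
    return "Invalid"                   # covered, but wrong origin or too specific

PREF = {"Valid": 2, "NotFound": 1, "Invalid": 0}   # RFC 7115 preference order

def lookup(dest: str, rib, roas=ROAS, drop_invalid=True):
    """Longest match first; within one prefix, RFC 7115 preference, then shorter AS_PATH."""
    addr = ipaddress.ip_address(dest)
    best = None
    for route in rib:
        net = ipaddress.ip_network(route.prefix)
        if net.version != addr.version or addr not in net:
            continue
        state = rov_state(route, roas)
        if drop_invalid and state == "Invalid":
            continue                   # the "Drop Invalids" policy
        key = (net.prefixlen, PREF[state], -len(route.as_path))
        if best is None or key > best[0]:
            best = (key, route)
    return best[1] if best else None
```

Calling lookup with roas=[] reproduces the unprotected behaviour of the lookup slides (the more specific /24, or the shorter AS path, wins); with the ROA set in place the route originated by AS135540 is Invalid and is either dropped or ranked below the Valid one.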
So, what should we do?
• Basic BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs → ROV
• Join industry initiatives like MANRS
• https://www.manrs.org/
AU focus
NOT FOUND (IPv4 ~17K, IPv6 ~1.6K)
      AFRINIC  APNIC  ARIN  RIPE  IRINN  JPNIC
IPv4       35  16229   383   103     12      5
IPv6: 1591, 8, 8
INVALIDS (ML: max-length mismatch, AS: origin AS mismatch, ASML: both)
      APNIC Validity              JPNIC Validity  RIPE Validity
IPv4  39 (9xML, 24xAS, 6xASML)    1 (1xAS)        4 (4xML)
IPv6  17 (14xML, 2xAS, 1xASML)
Demo: RPKI in action
THANK YOU

BSides: BGP Hijacking and Secure Internet Routing