APNIC Training Delivery Manager Tashi Phuntsho presents on practical ways to implement RPKI at the IAA Life in Lockdown online event, 'how to stop heists, hijacks and hostages', held on 21 July 2020.
11. Tools & Techniques
• Look up/ask to enter details in IRR
– describes route origination and inter-AS routing policies
12. Tools & Techniques
• IRR
– Helps generate network (prefix & as-path) filters using RPSL tools
• Filter out route advertisements not described in the registry
13. IRR Issues
• No single authority model
• How do I know an RR entry is genuine/correct?
• Too many RRs
• If two RRs have conflicting data, which one do I trust?
• Incomplete data
– If a route is not in a RR, is the route
• Invalid, or
• Is the RR just missing data?
14. Enter the RPKI framework
[Diagram: 2406:6400::/48 is announced by AS17821 (path "2406:6400::/48 65551 65550 17821 i", via AS65550 and AS65551) and also by AS65552 (path "2406:6400::/48 65553 65552 i", via AS65553). A ROA for 2406:6400::/32-48 with origin AS17821 is published in the RPKI repository; a validator fetches it over rsync/RRDP and feeds the routers over RPKI-to-Router (RTR). The route originated by AS17821 is marked Valid, the one originated by AS65552 Invalid.]
16. ROA considerations
• Max length attribute
– Minimal ROA
• ROAs to cover only those prefixes announced in BGP
• https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
– Reduces spoofed origin-AS attack surface
[Chart: Invalids (Max Length), IPv4 and IPv6 counts (y-axis 0 to 4000), Dec'19, Jan'20, Feb'20, May'20, July'20]
17. ROA considerations
• Know your network (origin AS)
– Do you have multiple ASes?
• Are they independent ASes? or
• Transit AS + multiple Access ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
[Chart: Invalids (Origin AS), IPv4 and IPv6 counts (y-axis 0 to 2500), Dec'19, Jan'20, Feb'20, May'20, July'20]
18. Implementation
• Run your own RPKI validator:
– Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
– RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.7.1
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
– Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
19. Validator considerations
• Securing the RTR session
– Plain text (TCP)
• run within your routing domain
– Other auth options
• SSH (v2)
• MD5 auth
• IPsec
• TLS
• TCP-AO
20. Validator considerations
• When RTR session fails
– Based on the expire interval of ROA cache
• JunOS/SR-OS: 3600s, IOS-XE: 300s (RFC min ~600 secs)
– Defaults to NOT FOUND
• Including Invalids
– Hence, at least 2 x Validators (RTR sessions)
22. Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Example: IOS-XE won't use Invalids for best path selection
IOS-XE:
router bgp 131107
 bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
Junos:
routing-options {
    autonomous-system 131107;
    validation {
        group rpki-validator {
            session <validatorIP> {
                refresh-time <secs>;
                port <323/3323/8282>;
                local-address X.X.X.X;
            }
        }
    }
}
IOS-XR:
router bgp 131107
 rpki server <validatorIP>
  transport tcp port <323/3323/8282>
  refresh-time <secs>
23. Implementation
• Acting on the Validation states
– Tag & do nothing: e.g. if you have downstreams or run a route server at IXPs
[Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)]
– RFC7115
• Prefer “Valid > Not Found > Invalid”
– Drop Invalids
• ~6K IPv4 and ~3K IPv6 routes
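Added illustration (not code from the presentation) of what the validator and the router policy in slides 16, 17 and 23 actually compute: RFC 6811 route origin validation over a small ROA set, including the maxLength and AS0 cases, plus a Valid > Not Found > Invalid preference with an optional drop of Invalids. The ROAs and announcements are constructed from the deck's 2406:6400::/32-48 AS17821 example; the 192.0.2.0/24 AS0 ROA and the local-preference values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "2406:6400::/32"
    max_length: int  # longest more-specific this ROA authorises
    origin_as: int   # 0 = AS0 ROA, "not to be routed" (RFC 6483/RFC 7607)


def covers(roa: ROA, route) -> bool:
    """RFC 6811 'covered': the route lies inside the ROA prefix.
    maxLength is deliberately NOT checked here, so a too-specific
    announcement is Invalid rather than Not Found."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == route.version and route.subnet_of(net)


def matches(roa: ROA, route, origin_as: int) -> bool:
    """RFC 6811 'matched': covered, within maxLength, same non-zero origin."""
    return (covers(roa, route) and route.prefixlen <= roa.max_length
            and origin_as != 0 and origin_as == roa.origin_as)


def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"   # no ROA says anything about this address space
    if any(matches(r, route, origin_as) for r in covering):
        return "Valid"
    return "Invalid"        # wrong origin, beyond maxLength, or only AS0 ROAs


def local_pref(state: str, drop_invalid: bool = False) -> Optional[int]:
    """RFC 7115 style preference Valid > NotFound > Invalid; None = reject.
    The numeric values are assumed, pick your own platform defaults."""
    if state == "Invalid" and drop_invalid:
        return None
    return {"Valid": 200, "NotFound": 100, "Invalid": 50}[state]


# Constructed ROA set: the deck's 2406:6400::/32-48 AS17821, plus an AS0 ROA
# for an IXP-LAN-style prefix taken from RFC 5737 documentation space.
ROAS = [ROA("2406:6400::/32", 48, 17821), ROA("192.0.2.0/24", 24, 0)]

if __name__ == "__main__":
    for pfx, asn in [("2406:6400::/48", 17821), ("2406:6400::/48", 65552),
                     ("2406:6400::/56", 17821), ("192.0.2.0/24", 64496)]:
        state = validate(pfx, asn, ROAS)
        print(pfx, asn, state, local_pref(state, drop_invalid=True))
```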
25. Other developments
• ROA with AS-0 origin (RFC6483/RFC7607)
– Negative attestation
• No valid ASN has been granted authority
• Not to be routed (e.g. IXP LAN prefixes)
– Overridden by another ROA
• with an origin AS other than AS-0
– Prop-132: unallocated/unassigned APNIC space
• Similar to RFC6491 for special-use/reserved/unallocated
26. So, what can we all do?
• Basic BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs → ROV
• Join industry initiatives like MANRS
• https://www.manrs.org/