APNIC Training Delivery Manager Tashi Phuntsho, presents on practical ways to implement RPKI at the IAA Life in Lockdown online event, 'how to stop heists, hijacks and hostages', held on 21 July 2020.

1. 1
(the trouble with)
Securing the Internet Routing
Tashi Phuntsho (tashi@apnic.net)
Senior Network Analyst/Technical Trainer

2. 22
Headlines
https://blog.qrator.net/en/how-you-deal-route-leaks_69/
https://twitter.com/bgpmon/status/1246842916502302723?s=21

3. 33
Headlines
https://twitter.com/atoonk/status/1143143943531454464/photo/1 https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/amp/

4. 44
Headlines
https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies

5. 55
Headlines
After (JP->JP)
https://dyn.com/blog/large-bgp-leak-by-google-disrupts-internet-in-japan/
Before (JP->JP)

6. 66
Headlines

7. 77
Why do we keep seeing these?
• As always, there is no Evil bit (RFC3514)
– a bad routing update does not identify itself as BAD

8. 88
Current Practice
Peering/Transit
Request
LOA Check
Filters (in/out)
LOA Check
Whois
(manual)
Letter of
Authority
IRR (RPSL)

9. 99
Tools & Techniques
• Look up whois
– verify holder of a resource

10. 1010
Tools & Techniques
• Ask for a Letter of Authority
– Absolve from any liabilities

11. 1111
Tools & Techniques
• Look up/ask to enter
details in IRR
– describes route origination
and inter-AS routing policies

12. 1212
Tools & Techniques
• IRR
– Helps generate network (prefix & as-path) filters using RPSL
tools
• Filter out route advertisements not described in the registry

13. 13
IRR Issues
• No single authority model
• How do I know an RR entry is
genuine/correct?
• Too many RRs
• If two RRs have conflicting data, which
one do I trust?
• Incomplete data
– If a route is not in a RR, is the
route
• Invalid, or
• Is the RR just missing data?

14. 1414
Enter the RPKI framework
1782165550
2406:6400::/48
65551
2406:6400::/48 65551 65550 17821 i
6555265553
2406:6400::/48
2406:6400::/48 65553 65552 i
rsync/RRDP
RPKI
Repo
RPKI-to-Router
(RTR)
2406:6400::/32-48
17821
ROA
2406:6400::/32-48
17821
Invalid
Valid
Validator

15. 1515
Implementation
• Sign your route origins (create your ROAs)
Prefix 2406:6400::/32
Max-length /36
Origin ASN AS45192

16. 1616
ROA considerations
• Max length attribute
– Minimal ROA
• ROAs to cover only those prefixes announced in BGP
• https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
– Reduces spoofed origin-AS attack surface
0
500
1000
1500
2000
2500
3000
3500
4000
Dec'19 Jan'20 Feb'20 May'20 July'20
Invalids (Max Length)
IPv4 IPv6

17. 1717
ROA considerations
• Know your network (origin AS)
– Do you have multiple ASes?
• Are they independent ASes? or
• Transit AS + multiple Access ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
0
500
1000
1500
2000
2500
Dec'19 Jan'20 Feb'20 May'20 July'20
Invalids (Orgin AS)
IPv4 IPv6

18. 1818
Implementation
• Run your own RPKI validator:
– Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
– RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.7.1
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
– Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/

19. 1919
Validator considerations
• Securing the RTR session
– Plain text (TCP)
• run within your routing domain
– Other auth options
• SSH (v2)
• MD5 auth
• IPsec
• TLS
• TCP-AO

20. 2020
Validator considerations
• When RTR session fails
– Based on the expire interval of ROA cache
• JunOS/SR-OS: 3600s, IOS-XE: 300s (RFC min ~ 600secs)
– Defaults to NOT FOUND
• Including Invalids
– Hence, at least 2 x Validators (RTR sessions)

21. 2121
Validator considerations
• VRP output

22. 2222
Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Example: IOS-XE wont use Invalids for best path selection
router bgp 131107
bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
routing-options {
autonomous-system 131107;
validation {
group rpki-validator {
session <validatorIP> {
refresh-time <secs>;
port <323/3323/8282>;
local-address X.X.X.X;
}
}
}
}
router bgp 131107
rpki server <validatorIP>
transport tcp port <323/3323/8282>
refresh-time <secs>

23. 2323
Implementation
• Acting on the Validation states
– Tag & do nothing~ You have downstream/route server @IXPs
[Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)]
– RFC7115
• Prefer “Valid > Not Found > Invalid”
– Drop Invalids
• ~6K IPv4 and ~3K IPv6 routes

24. 2424
Operational Considerations
• Default routes?
– Will match anything ~ Invalids

25. 2525
Other developments
• ROA with AS-0 origin (RFC6483/RFC7607)
– Negative attestation
• No valid ASN has been granted authority
• Not to be routed (Ex - IXP LAN prefixes)
– Overridden by another ROA
• with an origin AS other than AS-0
– Prop-132: unallocated/unassigned APNIC space
• Similar to RFC6491 for special-use/reserved/unallocated

26. 2626
So, what can we all do?
• Basic BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs à ROV
• Join industry initiatives like MANRS
• https://www.manrs.org/

27. 2727
AU focus
NOT FOUND
AFRINIC APNIC ARIN RIPE IRINN JPNIC
IPv4 44 17106 379 104 13 7
IPv6 1561 8 8
~18K
~1.5K
INVALIDS
APNIC Validity JPNIC Validity
IPv4 20 16(ML), 3(AS), 1(ASML) 1 1xAS
IPv6 6 4(ML), 2(AS)

28. 2828
AU focus
Network Routed
(v4)
ROA
(AS, Prefix, ML)
Validity
AS132405 (Summit Internet) 4x/24s 132405,43.250.92.0/22,22 Invalid ML
AS134090 (XIntegration) 2x/24s 134090,103.106.88.0/22,22
134090,103.106.90.0/23,23
Invalid ML
AS10214 (Pentanet) 2x/24s 10214,121.200.32.0/23,23
132458, 121.200.32.0/23,23
Invalid ML
AS17918 (AC3) 2x24s 14168,122.252.148.0/22,22
16509, 122.252.148.0/22,22
Invalid ASML
AS4739 (Internode) 1x16 4713,118.0.0.0/12,24 Invalid AS
AS1221 (Telstra AU) 1x24 4637,192.74.139.0/24,24 Invalid AS
Network Routed
(v6)
ROA
(AS, Prefix, ML)
Validity
AS59256(Ausnet Servers) 2x/48s 59256,2401:9CC0::/32,32 Invalid ML
AS64098 (IP Transit) 1x/48 64098,2403:780::/32,40 Invalid ML
AS134409 (Public DNS/Host Link) 1x48 24322,2407:C820::/32,32
24322,2407:C280:FFFF::/48,48
Invalid AS
AS38220 (Amaze) 1x36 45177,2403:CC00:4000::/36,36 Invalid AS

29. 2929
Acknowledgement
• Geoff Huston, APNIC
• Randy Bush, IIJ Labs/Arrcus

30. 30
THANK YOU