APNIC Senior Resource Internet Analyst Wita Laksono gives and overview of RQC and RPKI at IDNOG 6 in Jakarta, Indonesia, on 25 July 2019.

1. 1
IDNOG 06 Conference
25 July 2019
Jakarta Indonesia
Wita Laksono

2. 2
RQC
Resources Quality Check

3. RQC
In response to the APNIC 2018 Member Survey, the Resource
Quality Check provides different widgets that assist in assessing
the quality of internet number resources delegated from APNIC, i.e.
• Routing Status and Routing History
• Geolocation History
• WHOIS current data
• Information of the past delegations and custodianship history
• Blacklist entries

4. RQC at https://netox.apnic.net

5. 5
RPKI
Resource Public Key Infrastructure
29
RPKI
Resource Public Key Infrastructure

6. RPKI
• RPKI is a public key infrastructure (PKI) framework,
originally designed to secure BGP routing
⎯ Based on X.509 PKI standards
• RPKI adds INR information to X.509 certificates issued to
resource holders
⎯ Representing INR custodianship and other status
⎯ Certification hierarchy follows INR delegation hierarchy
IANA ➔ RIR ➔ NIR ➔ ISP ➔ …

7. RPKI hierarchy
ISP ISP ISP ISP
IANA
CA
APNIC
CA
LACNIC
CA
RIPE- NCC
CA
ARIN
CA
AFRINIC
CA
NIR
ISP

8. RPKI applications
• Route Origin Validation (ROV)
⎯ Validation of Route Origin Authorisations (ROA) to make BGP routing
decisions
• Resources Tagged Attestations (RTA)
⎯ Allows an arbitrary digital object to be signed by the holder of the IP
address/ASN mentioned in the digital object, using RPKI
• Other future applications
8

9. ROV
RTA
…
x.509
cert
RPKI
9
RPKI
RDAP
whois
registry
database

10. RPKI application: ROV
• Route Origin Validation
AS17821
Announce:
203.176.32.0/19
Peer
?

11. ROA
• Route Origin Authorization (ROA)
⎯ Giving an ASN authority to route specific IP blocks
⎯ Contains a list of prefixes with ASN authorized to announce
⎯ Signed by IP resource holder
• RPKI validates the integrity of the ROA
⎯ It is provably created by the holder of the prefix
⎯ Can now be used to construct route filters for prefix-OriginAS pair in BGP
11
Prefix 203.176.32.0/19
Max-length /24
Origin ASN AS17821

12. RPKI Validator
• Gathers and validates ROAs from the distributed RPKI databases
⎯ Using rsync or RRDP (preferable)
⎯ Maintains a validated cache representing complete global state
• Can then perform ROV for routers using RPKI-Router (RTR) protocol
rpki.apnic.net
IANA
APNIC RIPE
ISP ISP
rsync
RRDP
Validated
cache
Validator

13. ROV at Border Routers
ISP
Validated
cache
Validator
RPKI-to-Router (RTR)

14. Route validation states
• Not Found (Unknown)
⎯ No ROA found, probably not created yet
⎯ This will be “default” for some time
• Valid
⎯ ROA exists
⎯ Prefix, Origin ASN and prefix-length match those found in validated cache
• Invalid
⎯ ROA exists
⎯ Prefix found, but Origin ASN is wrong, Prefix-length longer than Max-length, or
certificates are expired or otherwise invalid.
⎯ Some action needed

15. Action for invalid routes
• For inbound routes from upstreams/peers
⎯ Drop them
⎯ Give them lower LOCAL_PREF
⎯ Do nothing (not recommended)
• For outbound routes to customers
⎯ Tag them before re-distributing them to customers
⎯ Allow customers to make their own choices
• Tagging (eg at IXPs)
⎯ Apply community tags based on the validation state
§ Not Found (ASN:65XX1)
§ Valid (ASN:65XX2)
§ Invalid (ASN:65XX3)

16. RPKI application: RTA
• Take existing “letter of authority” practice
⎯ Typically a scanned/signed PDF under company letterhead
⎯ Unverifiable without more information
• Generate “detached signature” using RPKI
⎯ Signing certificate contains IP address range listed in the letter of
authority document
⎯ This is now a cryptographically verifiable letter of authority
• Pilot implementation
⎯ In development at APNIC (via MyAPNIC)
⎯ IETF draft in progress

17. RPKI benefits
• Improved in-band verification of resource custodianship
⎯ Much safer than manually checking whois or IRR database
⎯ Ease of automation
• Secure Origin is the first step to preventing many attacks on BGP
integrity
⎯ BGP Path remains a problem which is under development
⎯ Related information such as IRR Policy can now leverage strong proofs
of validity (end the maintainer-authority problem in RADB/IRR)
• Instruction/information from the resource custodian can be
cryptographically verified (e.g. LOA signing)

18. RPKI Stats

19. How do I start?
• Use MyAPNIC:
⎯ Create ROAs to better protect your own routes
§ Encourage your peers/customers to do the same
§ Encourage your IXP to implement Route Origin Validation (ROV) in their Route
Server
⎯ Then
§ Set up route validation at your own border routers
§ Use public or IXP validator, or your own

20. Create ROA in MyAPNIC

21. 21
APNIC New Policies

22. APNIC New Policies Implementation
• Prop-125: Validation of “abuse-mailbox” and other IRT
emails
• Prop-127: Change maximum delegation size of 103/8 IPv4
address pool to a /23
• Prop-128: Multihoming not required for ASN
• Prop-129: Abolish waiting list for unmet IPv4 requests
22

24. 24
Questions?