2. Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
6. Get IPv6 for no extra fee
IPv4 (you pay): /24, IPv6 (no extra fees): /48
IPv4 (you pay): /22, IPv6 (no extra fees): /32
IPv6 Kick Start
No evaluation required
7. Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
8. [Diagram: route hijacking]
Entities: A, B, C, D
Networks: AS1 (ISP of Victim), AS2 (Legitimate owner of 2001:DB8::/32), AS3 (ISP of Hijacker), AS4 (Large ISP)
Announcements shown: BGP: 2001:DB8::/32 and BGP: 2001:DB8::/48
Source: http://www.secureworks.com/
9. Resource Public Key Infrastructure
What is RPKI?
• A robust security framework for verifying the association between resource holders and their Internet resources
• Uses X.509 certificates with RFC 3779 extensions
• Collaborative effort by all RIRs to help secure Internet routing by validating routes
10. APNIC’s involvement in RPKI
• Initial phase introduced by RIRs in 2009
• Initiative from APNIC aimed at:
– Improving the security of inter-domain routing
– Augmenting the information published in the whois database
11. Motivation
• Prevent route hijacking
– Only the rightful custodian can originate the prefix announcement
– ISPs filter prefixes they propagate
• Minimize common routing errors
– Limits human errors
– Prioritize routes with certificates
12. Real-life routing incidents
• July 2015 – Axcelx, a hosting provider in Boston, leaked Reddit routes, knocking offline websites dependent on Amazon and AWS
• June 2015 – Telekom Malaysia caused large-scale routing issues due to a route leak
• April 2014 – Indosat leaked 32,000 routes
• April 2010 – A China Telecom advertisement caused 15% of Internet traffic to pass through Chinese servers
• February 2008 – Pakistan Telecom announced 208.65.153.0/24 (YouTube prefix)
13. APNIC Resource Certification
Valid from: 2015.11.20
Valid to: 2016.11.20
Origin ASN: 131107
IP prefix: 2001:0DB8::/32
Most specific allowed: /36
Create your ROAs now through APNIC’s Resource Certification Tool.
www.apnic.net/ROA
14. Creating ROAs in MyAPNIC
• What you need to have before creating a ROA
– Must be an APNIC Member
– Have access to MyAPNIC with 2-factor authentication
• Takes only 5 minutes to create, and 10 minutes to be visible to the public
15. TOTP, more convenient 2FA
Digital certificates are not needed
Can get full access from ANY device you log in with
www.apnic.net/2FA
17. Route management made easier
Service improvements for route management next year
• One page to manage routes and ROAs
• Ability to create ROA together with route object
• Quick visualization of all your routes and ROAs
• View who is using your ASN
18. Success story
• May 2015: APNIC Outreach in Bangladesh
– 13 organizations visited
– Onsite support to create ROA objects
561 valid prefixes (24%)
http://rpki.surfnet.nl/bd.html
20. Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
21. Reduce delays
Add more robustness
Peering
Internet Peering is a local routing optimization, a way to exchange some of your traffic with neither party incurring Internet transit fees.
22. VizAS: Visualize your connectivity
AS Numbers with more downstream connectivity are located towards the centre.
Lines show their connectivity to downstreams.
23. VizAS: Visualize your connectivity
AS Numbers on the edge have no downstreams. They provide services to end users.
Red means heavy traffic.
Yellow means low traffic.
25. Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
29. Technical Assistance Service
TAS - Thailand, TAS - Bangladesh
Support for scalable and resilient networks and best practices in network operations
• Distribution and registration of resources
• Supporting reverse DNS delegation
• Managing whois and IRR
• Resource Certification
• IPv6 deployment
• Internet infrastructure security
• Supporting open & neutral IXP & root servers
www.apnic.net/tas
Outreach in Sri Lanka (8 Members), Bangladesh (13 Members), Thailand (10 Members)
Here I am trying to show you a very simple illustration of how route hijacking happens.
Entity B, the legitimate owner of the /16 prefix, rightfully announces its prefix using AS2, and entity C, a large ISP, propagates this information.
Entity D, the hijacker, announces a more specific /24 using AS3.
Without RPKI in place, AS4 cannot distinguish between the rightful announcement and the false announcement. Therefore, the large ISP propagates the false announcement to the Internet.
Once this happens, part of the traffic that is supposed to go to entity B is diverted to the hijacker.
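Added example (not part of the original slides or APNIC's tooling): a minimal route origin validation check showing how the ROA on slide 13 lets a router reject the more-specific hijack described in these notes and drawn on slide 8. The ROA fields come from slide 13; the hijacker ASN 64511, the evaluation dates and the announcement list are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv6Network
    max_length: int
    origin_asn: int
    valid_from: date
    valid_to: date

# ROA fields exactly as shown on slide 13.
SLIDE_ROA = ROA(ipaddress.ip_network("2001:db8::/32"), 36, 131107,
                date(2015, 11, 20), date(2016, 11, 20))
HIJACKER_ASN = 64511  # constructed: documentation-range ASN standing in for AS3

def validate(prefix, origin_asn, roas, today):
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if not (roa.valid_from <= today <= roa.valid_to):
            continue  # an expired or not-yet-valid ROA protects nothing
        if route.version != roa.prefix.version or not route.subnet_of(roa.prefix):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if origin_asn == roa.origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but matching none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def demo(today=date(2016, 1, 1)):
    """Run constructed announcements through validation against the slide's ROA."""
    announcements = [
        ("2001:db8::/32", 131107),        # legitimate origin
        ("2001:db8:1000::/36", 131107),   # de-aggregate within max length
        ("2001:db8::/48", HIJACKER_ASN),  # the more-specific hijack
        ("2001:db8::/48", 131107),        # right ASN, longer than /36
        ("2001:db9::/32", HIJACKER_ASN),  # no covering ROA
    ]
    return [(p, asn, validate(p, asn, [SLIDE_ROA], today)) for p, asn in announcements]

if __name__ == "__main__":
    for row in demo():
        print(*row)
    # After the ROA's "Valid to" date the hijack is no longer rejected.
    print(validate("2001:db8::/48", HIJACKER_ASN, [SLIDE_ROA], date(2017, 1, 1)))
```

The last call shows why ROA renewal matters: once the ROA lapses, the hijacked /48 falls back to not-found, which most routing policies still accept.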
Firstly, you have to be an APNIC Member and have received your resources from APNIC.
Secondly, to access this Certificate Authorization service, you need to have access to MyAPNIC.
Finally, your digital certificate must be installed and active.
----- Meeting Notes (2/11/15 16:24) -----
TOTP through ROA. Part of ROA
TAS is a new initiative to support APNIC Members' efforts to deploy and maintain scalable and resilient networks and best practices in network operations.
Technical assistance is offered to network operators that need help to tackle projects such as IPv6 deployment. It is intended to be provided on a cost-recovery basis.
The APNIC Technical Assistance Service is developed around APNIC's fundamental missions, such as distribution and registration of resources, and also supports deployment of open and neutral IXPs and root servers. APNIC TAS also works closely with external parties such as NSRC (Network Startup Resource Centre) and ITU.
If you are interested, please send your inquiry to helpdesk@apnic.net