SlideShare ist ein Scribd-Unternehmen logo

Route Hijaking and the role of RPKI

APNIC
APNIC

Presented by Fakrul Alam, APNIC's Senior Trainer, at the 19th Pacific Network Operators Group Meeting (PacNOG 19) held in Fiji, 28 November 2016.

Internet
1 von 22
Downloaden Sie, um offline zu lesen
Route Hijacking and the role of RPKI in Securing Internet Routing Infrastructure Fakrul Alam Senior Training Officer APNIC fakrul@apnic.net
2 BGP 101 2001:db8::/32 Network Next Hop AS_PATH Age Attrs > 2406:6400::/32 2001:df2:ee00::1 65531 65533 65535 05:30:49 [{Origin: i}] 65530 65533 64512 65535 2001:db8:ab::1 655322406:6400::/32 > 2406:6400::/32 2001:df2:ee11::1 65530 65420 05:30:49 [{Origin: i}] 65531 65420 65534 > 2406:6400::/32 2001:df2:ee11::1 65530 65420 05:30:49 [{Origin: i}]
Current Practice • Filtering limited to the edges facing the customer • Filters on peering and transit sessions are often too complex or take too many resources • Check prefix before announcing it 3 Receive Request LOA Check Create Associate Prefix / AS Filter
Filter Where? • Secure BGP Templates – http://www.cymru.com/gillsr/doc uments/junos-bgp-template.htm – https://www.team- cymru.org/ReadingRoom/Templ ates/secure-bgp-template.html 4
5 IP Address & AS Number Digital Certificate RPKI Resource Public Key Infrastructure
6 BGP 101 + RPKI 2001:db8::/32 Network Next Hop AS_PATH Age Attrs V*> 2406:6400::/32 2001:df2:ee00::1 65531 65533 65535 05:30:49 [{Origin: i}] 65530 65533 64512 65535 2001:db8:ab::1 655322406:6400::/32 I > 2406:6400::/32 2001:df2:ee11::1 65530 65420 05:30:49 [{Origin: i}] 65531 65420 65534
PKI In Other Application • HTTPS – Web Address as RESOURCE – Hierarchical Trust Model – CA as the root of the TRUST – Browser does the VERIFICATION • DNSSEC – Zone as RESOURCE – Hierarchical Trust Model – . as the root of the TRUST – DNS Resolver does the VERIFICATION 7
What About RPKI? 8
The Eco System 9
RPKI Trust Anchor 10 IANA AFRINIC RIPE NCC ARIN APNIC LACNIC NIR NIR ISP ISP ISP ISP ISP Trust Anchor CertificateResource Allocation Hierarchy Issued Certificates match allocation actions
RPKI Implementation 11 • As an Announcer/LIR – You choose if you want certification – You choose if you want to create ROAs – You choose AS, max length • As a Relying Party – You can choose if you use the validator – You can override the lists of valid ROAs in the cache, adding or removing valid ROAs locally – You can choose to make any routing decisions based on the results of the BGP Verification (valid/invalid/unknown) 1. Publish ROA 2. RPKI Cache Validator 3. Router Configuration
Activate RPKI engine 12
Create ROA 13 • Create ROA for smaller block. 1. Write your ASN 2. Your IP Block 3. Subnet 4. Click Add 131107 2001:df2:ee00::/48 48
How Do We Verify? 14
RPKI in Action 15 • {bgp4} Routers validate updates from other BGP peers • {rtr} Caches feeds routers using RTR protocol with ROA information • {rsync} Caches retrieves and cryptographically validates certificates & ROAs from repositories ASBR {rtr} DNS Trust Anchors DNS Trust AnchorsDNS Trust Anchors DNS RPKI Cache Validator {rsync} {bgp4} repository upstream
RPKI Implementation Issues 16
RPKI Data Violation : Invalid ASN • Invalid origin AS is visible • From private ASN!
RPKI Data Violation : Fixed Length Mismatch • Most of the cases involve an invalid prefix (fixed length mismatch) – Further allocation to the customer
Fiji Total ASNs delegated by RIR: 8, Visible IPv4 routes: 50, Visible IPv6 routes: 5 http://rpki.apnictraining.net/output/fj.html
Moving Forward • RPKI adoption is growing – You are encouraged to create ROA. Experiment, test, play and develop – You can implement in you infrastructure and do origin validation • Something to consider – Upgrade at least ASBRs to RPKI capable code – In most cases, operators create ROAs for min length and advertise longest prefix – Some ROAs are invalid due to further allocation to customers • https://www.apnic.net/ROA 20
Data Collection • GoBGP – https://github.com/osrg/gobgp • RPKI Dashboard – https://github.com/remydb/RPKI-Dashboard • RIPE RPKI Statistics – https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html • RIPE Cache Validator API – http://rpki-validator.apnictraining.net:8080/export 21
Thank You

Empfohlen

BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
APNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
npNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deploymentnpNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deployment
APNIC
 
NZNOG 2020: APNIC update
NZNOG 2020: APNIC updateNZNOG 2020: APNIC update
NZNOG 2020: APNIC update
APNIC
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
GeoffHuston
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 

Empfohlen

BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
APNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
npNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deploymentnpNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deployment
APNIC
 
NZNOG 2020: APNIC update
NZNOG 2020: APNIC updateNZNOG 2020: APNIC update
NZNOG 2020: APNIC update
APNIC
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
GeoffHuston
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
Fakrul Alam
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73
APNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
APNIC
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
APNIC
 
APNIC IPv6 Deployment
APNIC IPv6 DeploymentAPNIC IPv6 Deployment
APNIC IPv6 Deployment
APNIC
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
MyNOG
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
APNIC
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
 
CommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTCommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoT
APNIC
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular Networks
APNIC
 
Scaling BGP
Scaling BGPScaling BGP
Scaling BGP
APNIC
 
DIY Netflow Data Analytic with ELK Stack by CL Lee
DIY Netflow Data Analytic with ELK Stack by CL LeeDIY Netflow Data Analytic with ELK Stack by CL Lee
DIY Netflow Data Analytic with ELK Stack by CL Lee
MyNOG
 
IPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networksIPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networks
APNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
APNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
APNIC
 
Introduction to CSIRTs
Introduction to CSIRTsIntroduction to CSIRTs
Introduction to CSIRTs
APNIC
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust Anchor
APNIC
 

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
 
APNIC IPv6 Deployment
APNIC IPv6 DeploymentAPNIC IPv6 Deployment
APNIC IPv6 Deployment
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
 
CommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTCommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoT
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular Networks
 
Scaling BGP
Scaling BGPScaling BGP
Scaling BGP
 
DIY Netflow Data Analytic with ELK Stack by CL Lee
DIY Netflow Data Analytic with ELK Stack by CL LeeDIY Netflow Data Analytic with ELK Stack by CL Lee
DIY Netflow Data Analytic with ELK Stack by CL Lee
 
IPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networksIPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networks
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 

Andere mochten auch

Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Positive Hack Days
 

Andere mochten auch (7)

Introduction to CSIRTs
Introduction to CSIRTsIntroduction to CSIRTs
Introduction to CSIRTs
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust Anchor
 
RPKI Deployment Panel
RPKI Deployment PanelRPKI Deployment Panel
RPKI Deployment Panel
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
 
Symantec 2010 Critical Infrastructure Protection Study
Symantec 2010 Critical Infrastructure Protection StudySymantec 2010 Critical Infrastructure Protection Study
Symantec 2010 Critical Infrastructure Protection Study
 
Securing Internet Routing: RPSL & RPKI
Securing Internet Routing: RPSL & RPKISecuring Internet Routing: RPSL & RPKI
Securing Internet Routing: RPSL & RPKI
 

Ähnlich wie Route Hijaking and the role of RPKI

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 

Ähnlich wie Route Hijaking and the role of RPKI (20)

RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh RPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
Routing Security
Routing SecurityRouting Security
Routing Security
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh Phokeer
 
HKNOG 9.0: (the trouble with) Securing Internet Routing
HKNOG 9.0: (the trouble with) Securing Internet RoutingHKNOG 9.0: (the trouble with) Securing Internet Routing
HKNOG 9.0: (the trouble with) Securing Internet Routing
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
 
RPKI
RPKIRPKI
RPKI
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 

Mehr von APNIC

Mehr von APNIC (20)

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 

Kürzlich hochgeladen

在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
galaxypingy
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 

Kürzlich hochgeladen (20)

在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 

Route Hijaking and the role of RPKI

  • 1. Route Hijacking and the role of RPKI in Securing Internet Routing Infrastructure Fakrul Alam Senior Training Officer APNIC fakrul@apnic.net
  • 2. 2 BGP 101 2001:db8::/32 Network Next Hop AS_PATH Age Attrs > 2406:6400::/32 2001:df2:ee00::1 65531 65533 65535 05:30:49 [{Origin: i}] 65530 65533 64512 65535 2001:db8:ab::1 655322406:6400::/32 > 2406:6400::/32 2001:df2:ee11::1 65530 65420 05:30:49 [{Origin: i}] 65531 65420 65534 > 2406:6400::/32 2001:df2:ee11::1 65530 65420 05:30:49 [{Origin: i}]
  • 3. Current Practice • Filtering limited to the edges facing the customer • Filters on peering and transit sessions are often too complex or take too many resources • Check prefix before announcing it 3 Receive Request LOA Check Create Associate Prefix / AS Filter
  • 4. Filter Where? • Secure BGP Templates – http://www.cymru.com/gillsr/doc uments/junos-bgp-template.htm – https://www.team- cymru.org/ReadingRoom/Templ ates/secure-bgp-template.html 4
  • 5. 5 IP Address & AS Number Digital Certificate RPKI Resource Public Key Infrastructure
  • 6. 6 BGP 101 + RPKI 2001:db8::/32 Network Next Hop AS_PATH Age Attrs V*> 2406:6400::/32 2001:df2:ee00::1 65531 65533 65535 05:30:49 [{Origin: i}] 65530 65533 64512 65535 2001:db8:ab::1 655322406:6400::/32 I > 2406:6400::/32 2001:df2:ee11::1 65530 65420 05:30:49 [{Origin: i}] 65531 65420 65534
  • 7. PKI In Other Application • HTTPS – Web Address as RESOURCE – Hierarchical Trust Model – CA as the root of the TRUST – Browser does the VERIFICATION • DNSSEC – Zone as RESOURCE – Hierarchical Trust Model – . as the root of the TRUST – DNS Resolver does the VERIFICATION 7
  • 10. RPKI Trust Anchor 10 IANA AFRINIC RIPE NCC ARIN APNIC LACNIC NIR NIR ISP ISP ISP ISP ISP Trust Anchor CertificateResource Allocation Hierarchy Issued Certificates match allocation actions
  • 11. RPKI Implementation 11 • As an Announcer/LIR – You choose if you want certification – You choose if you want to create ROAs – You choose AS, max length • As a Relying Party – You can choose if you use the validator – You can override the lists of valid ROAs in the cache, adding or removing valid ROAs locally – You can choose to make any routing decisions based on the results of the BGP Verification (valid/invalid/unknown) 1. Publish ROA 2. RPKI Cache Validator 3. Router Configuration
  • 13. Create ROA 13 • Create ROA for smaller block. 1. Write your ASN 2. Your IP Block 3. Subnet 4. Click Add 131107 2001:df2:ee00::/48 48
  • 14. How Do We Verify? 14
  • 15. RPKI in Action 15 • {bgp4} Routers validate updates from other BGP peers • {rtr} Caches feeds routers using RTR protocol with ROA information • {rsync} Caches retrieves and cryptographically validates certificates & ROAs from repositories ASBR {rtr} DNS Trust Anchors DNS Trust AnchorsDNS Trust Anchors DNS RPKI Cache Validator {rsync} {bgp4} repository upstream
  • 17. RPKI Data Violation : Invalid ASN • Invalid origin AS is visible • From private ASN!
  • 18. RPKI Data Violation : Fixed Length Mismatch • Most of the cases involve an invalid prefix (fixed length mismatch) – Further allocation to the customer
  • 19. Fiji Total ASNs delegated by RIR: 8, Visible IPv4 routes: 50, Visible IPv6 routes: 5 http://rpki.apnictraining.net/output/fj.html
  • 20. Moving Forward • RPKI adoption is growing – You are encouraged to create ROA. Experiment, test, play and develop – You can implement in you infrastructure and do origin validation • Something to consider – Upgrade at least ASBRs to RPKI capable code – In most cases, operators create ROAs for min length and advertise longest prefix – Some ROAs are invalid due to further allocation to customers • https://www.apnic.net/ROA 20
  • 21. Data Collection • GoBGP – https://github.com/osrg/gobgp • RPKI Dashboard – https://github.com/remydb/RPKI-Dashboard • RIPE RPKI Statistics – https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html • RIPE Cache Validator API – http://rpki-validator.apnictraining.net:8080/export 21