RPKI and Me by Tom Paseka

1. RPKI and Me
Tom Paseka
MyNOG 8
July 2019

2. RPKI… but first, a preview!

3. RPKI… but first, a preview!

4. RPKI… but first, a preview!
■RPKI is self serving:
It protects your network and your traffic flows
even if its not your routes being hijacked

5. Introduction
5

6. Introduction
●RPKI (Resource Public Key Infrastructure)
●Cryptographically signs your route/prefix and ASN:
○Specifies what prefix length and which ASN can originate a
prefix.
○These are created with ROAs (Route Origin Authorization)

7. But Why?
7

9. Why?
●1997 - AS7007 mistakenly (re)announces 72,000+ routes (becomes
the poster-child for route filtering).
●2008 - ISP in Pakistan accidentally announces IP routes for YouTube
by blackholing the video service internally to their network.
●2017 - Russian ISP leaks 36 prefixes for payments services owned by
Mastercard, Visa, and major banks.
●2018 - BGP hijack of Amazon DNS to steal crypto currency.
●2019 - A BGP Route optimizer hijacks thousands of routes with global
impact

10. Why?
●The web has moved forward with security first
●The Internet hasn’t.
●Let’s bring BGP forward!

11. Where are we today?
11

12. Where are we today?
●Looking at some ROAs that already exist
●Two great tools:
○http://localcert.ripe.net:8088/roas
○bgpmon whois
○https://rpki.cloudflare.com/rpki.json

13. Where are we today?
●RIPE’s tool, ability to search for any ROAs created.

14. Where are we today?
●Bgpmon’s whois tool:
●Providing the AS and prefix will confirm if its valid

15. How about in Malaysia
15

16. Malaysia and RPKI
●Good News!
●Three networks with some RPKI deployment
TM / AS4788
84 ROAs
IPv4 and IPv6
Not covering all IP space
Mostly le /24 (or le /48)
Extreme AS38182
143 ROAs
IPv4 and IPv6
Not covering all IP space
All exact matches (no le)
MYREN / AS24514
32 ROAs
IPv4 and IPv6
Nearly all IP space
covered
All exact matches (no le)

17. Malaysia and RPKI
●Bad News:
●Some networks with invalids!

18. Malaysia and RPKI
●Bad News:
●Some networks with invalids!
Seen by #peers: 86

19. RPKI Invalids
●If you’ve created invalid’s, some networks wont
be able to reach you.
●In the case of the previous ROA Invalid:
○It’s a more specific, or there are more specific routes
covering it
○IP Addresses still reachable, but could indicate an
error

20. RPKI Invalids
●Unreachable?
●https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html

21. RPKI Invalids
●Cloudflare (AS13335) and AT&T (AS7018)
are dropping invalids from Peers
●Cloudflare still uses some default
routes, so you might be reachable, but
your prefix would be blackholed from
AT&T
https://twitter.com/Jerome_UZ/status/1067867076390346752

22. Rejection state?
●As of Dec 2018, no Malaysian networks were measured as
rejecting invalids.
●While a few networks have taken good steps in signing their
routes, more needs to be done.
●Congratulations to TM, Extreme Broadband, IPServerOne,
Global Transit, GB Network, Modern One, BasketAsia, MyKris, VC
telecoms, IX Telecom, and others I might have missed in singing
your routes!

23. Rejection state?
●MyIX?
●Consider signing your routes and setting “AS0”. This means this
route should never be announced on the Internet.
●See: https://blog.apnic.net/2018/11/09/myapnic-rpki-service-
now-supports-as0-roa-creation/

24. Rejection state?
●BKNIX (Hi Nan~ J )
●Their IX LAN is set with “AS0”
●This means it should never be announced to the
internet.
{
"prefix": "203.159.68.0/23",
"maxLength": 23,
"asn": "AS0",
"ta": "APNIC"
},

25. Rest of the World?
●Netherlands leading the way!
●Tier-1’s? Sad state.
All have few to none routes signed!
AS7018 / AT&T
AS701 / Verizon
AS174 / Cogent
AS3257 / GTT
AS6762 / Sparkle
AS3356 / Level3
AS7922 / Comcast
AS1239 / Sprint

26. Rest of the World?
AS2914 / NTT, AS1299 / Telia, and AS6453 / Tata
All have limited deployments. Please continue!

27. Invalids in the wild!

28. Invalids in the wild!
●Invalids growing.
●Will soon become
reachability issues.
●Feels like the early days
of DNSSEC
(or still now..)

29. How to get yourself setup for RPKI
29

30. Get Setup?
1. Sign your routes.
APNIC created a great guide for MyAPNIC
https://youtu.be/hzCVvnjo6V8

31. Get Setup?
2. Validate
This is more complicated, but I hope we’re making
it easier for everyone J

32. Get Setup?
Collect and sync certificates
from RIRs (eg APNIC)
Speak RTR protocol to
your routers
(for validation)

33. Get Setup?
Guide to getting started:
https://blog.cloudflare.com/cloudflares-rpki-toolkit/

34. Some cool graphics
34

35. https://twitter.com/vastur/status/1063514435543719936

36. https:// http://sg-pub.ripe.net/jasper/rpki-web-test/

37. Final Thoughts
37

38. Final Thoughts
Don’t be scared of RPKI.
Just start.
Sign your routes.
Protect your network.
Don’t forget about other route security (eg: IRR)
Look MANRS and become MANRS compliant!

39. Questions?
39

40. More Resources
https://www.manrs.org/
https://blog.cloudflare.com/rpki/
http://localcert.ripe.net:8088/roas
https://bgp.he.net/
https://youtu.be/hzCVvnjo6V8