6. Introduction
●RPKI (Resource Public Key Infrastructure)
●Cryptographically signs your route/prefix and ASN:
○Specifies what prefix length and which ASN can originate a prefix.
○These are created with ROAs (Route Origin Authorization)
9. Why?
●1997 - AS7007 mistakenly (re)announces 72,000+ routes (becomes the poster-child for route filtering).
●2008 - ISP in Pakistan accidentally announces IP routes for YouTube to the global Internet while attempting to blackhole the video service internally within its own network.
●2017 - Russian ISP leaks 36 prefixes for payments services owned by
Mastercard, Visa, and major banks.
●2018 - BGP hijack of Amazon DNS to steal cryptocurrency.
●2019 - A BGP route optimizer hijacks thousands of routes with global impact.
10. Why?
●The web has moved forward with security first
●The Internet hasn’t.
●Let’s bring BGP forward!
12. Where are we today?
●Looking at some ROAs that already exist
●Some great tools:
○http://localcert.ripe.net:8088/roas
○bgpmon whois
○https://rpki.cloudflare.com/rpki.json
13. Where are we today?
●RIPE’s tool, ability to search for any ROAs created.
14. Where are we today?
●Bgpmon’s whois tool:
●Providing the AS and prefix will confirm if it's valid
16. Malaysia and RPKI
●Good News!
●Three networks with some RPKI deployment
●TM / AS4788
○84 ROAs
○IPv4 and IPv6
○Not covering all IP space
○Mostly le /24 (or le /48)
●Extreme / AS38182
○143 ROAs
○IPv4 and IPv6
○Not covering all IP space
○All exact matches (no le)
●MYREN / AS24514
○32 ROAs
○IPv4 and IPv6
○Nearly all IP space covered
○All exact matches (no le)
19. RPKI Invalids
●If you’ve created invalids, some networks won’t be able to reach you.
●In the case of the previous ROA Invalid:
○It’s a more specific, or there are more specific routes covering it
○IP addresses still reachable, but could indicate an error
21. RPKI Invalids
●Cloudflare (AS13335) and AT&T (AS7018) are dropping invalids from peers
●Cloudflare still uses some default routes, so you might be reachable, but your prefix would be blackholed from AT&T
https://twitter.com/Jerome_UZ/status/1067867076390346752
22. Rejection state?
●As of Dec 2018, no Malaysian networks were measured as rejecting invalids.
●While a few networks have taken good steps in signing their routes, more needs to be done.
●Congratulations to TM, Extreme Broadband, IPServerOne, Global Transit, GB Network, Modern One, BasketAsia, MyKris, VC Telecoms, IX Telecom, and others I might have missed in signing your routes!
23. Rejection state?
●MyIX?
●Consider signing your routes and setting “AS0”. This means this route should never be announced on the Internet.
●See: https://blog.apnic.net/2018/11/09/myapnic-rpki-service-now-supports-as0-roa-creation/
24. Rejection state?
●BKNIX (Hi Nan~ :) )
●Their IX LAN is set with “AS0”
●This means it should never be announced to the Internet.
{
"prefix": "203.159.68.0/23",
"maxLength": 23,
"asn": "AS0",
"ta": "APNIC"
},
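To show how the AS0 entry above and the "more specific" case from the RPKI Invalids slide both end up as Invalid, here is an added example (not from the original slides or from any RPKI validator) that performs RFC 6811 route origin validation against ROAs in the rpki.json layout shown above. The BKNIX entry is the one quoted on the slide; the AS64500 entries, 192.0.2.0/24 and 2001:db8::/32 are constructed sample data.

```python
import ipaddress
import json

# Constructed sample in the rpki.json layout quoted on the slide. The first
# entry is the BKNIX AS0 ROA; the other two are made-up examples (AS64500 is a
# documentation ASN, 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes).
SAMPLE_RPKI_JSON = """
{"roas": [
  {"prefix": "203.159.68.0/23", "maxLength": 23, "asn": "AS0", "ta": "APNIC"},
  {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": "AS64500", "ta": "example"},
  {"prefix": "2001:db8::/32", "maxLength": 48, "asn": "AS64500", "ta": "example"}
]}
"""


def load_roas(text):
    """Parse rpki.json-style text into (network, maxLength, origin ASN) tuples."""
    roas = []
    for entry in json.loads(text)["roas"]:
        net = ipaddress.ip_network(entry["prefix"], strict=False)
        asn_text = str(entry["asn"]).upper()
        asn = int(asn_text[2:] if asn_text.startswith("AS") else asn_text)
        roas.append((net, int(entry["maxLength"]), asn))
    return roas


def validate_origin(roas, prefix, origin_asn):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    A ROA covers an announcement when its prefix contains the announced one.
    The announcement is valid if some covering ROA has the same origin ASN and
    the announced length is <= maxLength. If ROAs cover the prefix but none
    matches, it is invalid: this is the AS0 case (no real announcement comes
    from AS0) and the "more specific than maxLength" case from the slides.
    """
    announced = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for net, max_len, asn in roas:
        if net.version != announced.version or not announced.subnet_of(net):
            continue
        covered = True
        if asn == origin_asn and announced.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    table = load_roas(SAMPLE_RPKI_JSON)
    for pfx, asn in [("203.159.68.0/23", 64500), ("192.0.2.0/25", 64500)]:
        print(pfx, "AS%d" % asn, validate_origin(table, pfx, asn))  # both invalid
```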
25. Rest of the World?
●Netherlands leading the way!
●Tier-1’s? Sad state. All have few to no routes signed!
○AS7018 / AT&T
○AS701 / Verizon
○AS174 / Cogent
○AS3257 / GTT
○AS6762 / Sparkle
○AS3356 / Level3
○AS7922 / Comcast
○AS1239 / Sprint
26. Rest of the World?
●AS2914 / NTT, AS1299 / Telia, and AS6453 / Tata
●All have limited deployments. Please continue!
38. Final Thoughts
Don’t be scared of RPKI.
Just start.
Sign your routes.
Protect your network.
Don’t forget about other route security (e.g. IRR).
Look at MANRS and become MANRS compliant!