SlideShare ist ein Scribd-Unternehmen logo

RPKI Introduction by Randy Bush

MyNOG
MyNOG

RPKI Introduction by Randy Bush

Technologie
1 von 57
Downloaden Sie, um offline zu lesen
RPKI-Based Origin Validation, Routers, & Caches MYNOG / Kuala Lampur 2013.11.28 Randy Bush <randy@psg.com> Rob Austein <sra@hactrn.net> Michael Elkins <me@sigpipe.org> 2013.11.28 MYNOG RPKI 1
Agenda •  Some Technical Background •  Mis-Origination - YouTube Incident •  The RPKI – Needed Infrastructure •  RPKI-Based Origin Validation •  Use the GUI to make ROAs and look at the result on a router •  Build your own Relying Party Server •  Discussion 2013.11.28 MYNOG RPKI 2
This is Not New •  1986 – Bellovin & Perlman identify the vulnerability in DNS and Routing •  1999 - National Academies study called it out •  2000 – S-BGP – X.509 PKI to support Secure BGP - Kent, Lynn, et al. •  2003 – NANOG S-BGP Workshop •  2006 – RPKI.NET(for ARIN) & APNIC start work on RPKI. RIPE starts in 2008. •  2009 – RPKI.NET Open Testbed and running code in test routers 2013.11.28 MYNOG RPKI 3
What is an AS? An ISP or End Site Sprint Verizon AS 701 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 4
What is an AS? An ISP or End Site Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 5
An IP Prefix is Announced & Propagated Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 147.28.0.0/16 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 6
From Inside a Router BGP routing table entry for 147.28.0.0/16 Origin AS 16509 1239 2497 234 The AS-Path 2013.11.28 MYNOG RPKI 7
Of Course it’s Uglier J r1.iad#sh ip bgp 147.28.0.0/16 BGP routing table entry for 147.28.0.0/16, version 21440610 Paths: (2 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 16509 1239 2497 234 144.232.18.81 from 144.232.18.81 (144.228.241.254) Origin IGP, metric 841, localpref 100, valid, external, best Community: 3297:100 3927:380 path 67E8FFCC RPKI State valid Refresh Epoch 1 16509 701 2497 234 129.250.10.157 (metric 11) from 198.180.150.253 (198.180.150.253) Origin IGP, metric 95, localpref 100, valid, internal Community: 2914:410 2914:1007 2914:2000 2914:3000 3927:380 path 699A867C RPKI State valid 2013.11.28 MYNOG RPKI 8
The YouTube Incident Global Internet The Plan PCCW Pakistan Telekom Pakistan Internet 2013.11.28 MYNOG RPKI YouTube Poison Pakistan Internal Routing 9
The YouTube Incident What Happened Global Internet PCCW YouTube Oops! Pakistan Telekom Pakistan Internet 2013.11.28 MYNOG RPKI Poisoned the Global Internet 10
We Call this Mis-Origination a Prefix is Originated by an AS Which Does Not Own It 2013.11.28 MYNOG RPKI 11
I Do Not Call it Hijacking Because that Assumes Negative Intent 2013.11.28 MYNOG RPKI 12
And These Accidents Happen Every Day Usually to Small Folk Sometimes to Large 2013.11.28 MYNOG RPKI 13
So, What’s the Plan? 2013.11.28 MYNOG RPKI 14
Three Pieces •  RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (deployed at all RIRs) •  Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (in deployment) •  AS-Path Validation AKA BGPsec – Prevent Path Attacks on BGP (in IETF) 2013.11.28 MYNOG RPKI 15
Why Origin Validation? •  Prevent YouTube accident & Far Worse •  Prevent 7007 accident, UU/Sprint 2 days! •  Prevents most accidental announcements •  Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack •  That requires Path Validation, the third step, a few years away 2013.11.28 MYNOG RPKI 16
We Need to be Able to Authoritatively Prove Who Owns an IP Prefix And What AS(s) May Announce It 2013.11.28 MYNOG RPKI 17
Prefix Ownership Follows the Allocation Hierarchy IANA, RIRs, ISPs, … 2013.11.28 MYNOG RPKI 18
X.509-Based IP Resource PKI 2013.11.28 MYNOG RPKI 19
RFCs Have Been Long Published 2013.11.28 MYNOG RPKI 20
Deployed by All RIRs 2013.11.28 MYNOG RPKI 21
ROAs Registered by > 1,000 Operators 2013.11.28 MYNOG RPKI 22
In Live Routers 2013.11.28 MYNOG RPKI 23
X.509 Certificate w/ 3779 Ext X.509 Cert Signed by Parent’s Private Key CA RFC 3779 Extension Describes IP Resources (Addr & ASN) SIA – URI for where this Publishes Owner’s Public Key 2013.11.28 MYNOG RPKI 24
Cert/ARIN CA 98.128.0.0/16 Public Key SIA Certificate Hierarchy follows Allocation Hierarchy Cert/ISC CA Cert/RGnet CA Cert/PSGnet 98.128.0.0/20 98.128.16.0/20 98.128.32.0/19 Public Key Public Key Public Key Cert/Randy CA Cert/Rob CA 98.128.16.0/24 98.128.17.0/24 Public Key 2013.11.28 MYNOG RPKI CA Public Key 25
That’s Who Owns It but Who May Route It? 2013.11.28 MYNOG RPKI 26
Route Origin Authorization (ROA) CA Owning Cert 98.128.0.0/16 147.28.0.0/16 EE Cert 98.128.0.0/16 End Entity Cert can not sign certs. can sign other things e.g. ROAs Public Key Public Key ROA This is not a Cert It is a signed blob 98.128.0.0/16 AS 42 2013.11.28 MYNOG RPKI 27
How RPKI is Generated Up / Down to Parent GUI RPKI Certificate Engine Publication Protocol Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations Up / Down to Child 2013.11.28 MYNOG RPKI 28
Issuing Parties IANA Publication Protocol GUI Please Issue My Cert GUI Please Issue My Cert GUI Please Issue My Cert 2013.11.28 MYNOG RPKI Up/ Down APNIC Up/ Down JPNIC Up/ Down Trust Anchor Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance 29
Issuing Parties Trust Anchor GUI IANA Publication Protocol Up Down GUI APNIC SIA Pointers Publication Protocol Up Down GUI 2013.11.28 MYNOG RPKI JPNIC Resource PKI Resource PKI SIA Pointers Publication Protocol Resource PKI 30
Issuing Parties Relying Parties Trust Anchor GUI IANA Publication Protocol Up Down GUI APNIC SIA Pointers Publication Protocol Up Down GUI 2013.11.28 MYNOG RPKI JPNIC Resource PKI Validated Cache Pseudo IRR route: descr: origin: notify: mnt-by: changed: source: 147.28.0.0/16! 147.28.0.0/16-16! AS3130! irr-hack@rpki.net! MAINT-RPKI! irr-hack@rpki.net 20110606! RPKI! NOC Tools Resource PKI SIA Pointers Publication Protocol RCynic Gatherer Resource PKI BGP Decision Process 31
How Do ROAs Affect BGP Updates? 2013.11.28 MYNOG RPKI 32
Trust Anchor IANA GUI Publication Protocol Up Down APNIC GUI SIA Pointers Publication Protocol GUI SIA Pointers Publication Protocol In NOC 2013.11.28 MYNOG RPKI Resource PKI In PoP RCynic Gatherer Crypto Check Validated Cache Up Down JPNIC Resource PKI Resource PKI Crypto Stripped RPKI to Rtr Protocol BGP Decision Process 33
ROAs Become Router ROAs Want to Run on Current Hardware RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol Crypto is Stripped RPKI ROAs 34
IPv4 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 4 | | +-------------------------------------------+ | | | Length=20 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..32 | 0..32 | | +-------------------------------------------+ | | | IPv4 prefix | | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 35
IPv6 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 6 | | +-------------------------------------------+ | | | Length=40 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..128 | 0..128 | | +-------------------------------------------+ | | +-----+ | | +--IPv6 prefix ---+ | | +-----+ | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 96 More Bits No Magic 36
Marking BGP Updates BGP Peer BGP Data BGP Updates Mark RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol RPKI ROAs Valid Invalid NotFound 37
Result of Check •  Valid – A matching/covering ROA was found with a matching AS number •  Invalid – A covering ROA was found, but the AS number did not match, and there was no other matching one •  NotFound – No matching or covering ROA was found, same as today 2013.11.28 MYNOG RPKI 38
Configure Router to Get ROAs router bgp 651nn … bgp rpki server tcp 192.168.179.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 2013.11.28 MYNOG RPKI 39
Valid! r0.sea#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24, version 3043542 Paths: (3 available, best #1, table default) 6939 27318 206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid 2914 4459 27318 199.238.113.9 from 199.238.113.9 (129.250.0.19) Origin IGP, metric 43, localpref 100, valid, external Community: 2914:410 2914:1005 2914:3000 3130:380 path 09AF35CC RPKI State valid 2013.11.28 MYNOG RPKI 40
Invalid! r0.sea#show bgp 198.180.150.0 BGP routing table entry for 198.180.150.0/24, version 2546236 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 8 Refresh Epoch 1 1239 3927 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid 2013.11.28 MYNOG RPKI 41
NotFound r0.sea#show bgp 64.9.224.0 BGP routing table entry for 64.9.224.0/20, version 35201 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 Refresh Epoch 1 1239 3356 36492 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 4, localpref 100, valid, internal Community: 3130:370 path 11861AA4 RPKI State not found 2013.11.28 MYNOG RPKI 42
The Operator Tests the Mark and then Applies Local Policy 2013.11.28 MYNOG RPKI 43
Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50 ! invalid is dropped 2013.11.28 MYNOG RPKI 44
Paranoid route-map validity-0 match rpki valid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 45
Security Geek route-map validity-0 match rpki invalid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 46
After AS-Path route-map validity-0 match rpki not-found set metric 100 route-map validity-1 match rpki invalid set metric 150 route-map validity-2 set metric 50 2013.11.28 MYNOG RPKI 47
Set a Community route-map validity-0 match rpki valid set community 3130:400 route-map validity-1 match rpki invalid set community 3130:200 route-map validity-2 set community 3130:300 2013.11.28 MYNOG RPKI 48
And it is All Monitored BGP Data BGP Updates mark RPKI-Rtr Protocol 2013.11.28 MYNOG RPKI Valid Invalid NotFound RPKI ROAs SNMP syslog N O C 49
But in the End, You Control Your Policy “Announcements with Invalid origins SHOULD NOT be used, but MAY be used to meet special operational needs. In such circumstances, the announcement SHOULD have a lower preference than that given to Valid or NotFound.” -- draft-ietf-sidr-origin-ops 2013.11.28 MYNOG RPKI 50
RPKI at the Registries •  RIPE seriously deployed with a few thousand LIRs and thousands of ROAs •  APNIC is operational and moving forward, moving to RIPE’s GUI •  ARIN is doing their best to make RPKI deployment very hard •  LACNIC is deployed and has 100s of LIRs •  AFRINIC is deployed with O(25) LIRs 2013.11.28 MYNOG RPKI 51
RIPE Progress •  Policy just passed to allow registration of legacy space without having to become a member or sign away all rights •  Policy just passed to allow registration of 40,000 PI allocations to end sites without having to become a full member •  And RIPE already had thousands of RPKI registrations 2013.11.28 MYNOG RPKI 52
LACNIC / Ecuador •  LACNIC working with the Ecuador Internet Exchange •  All ISPs and lmost all address space in Ecuador is certified and has ROAs •  All members of the exchange are using RPKI-Rtr protocol to get ROAs from a cache at the exchange •  Watching routers to see markings 2013.11.28 MYNOG RPKI 53
Per-RIR Statistics Much Better Than IPv6 Half are Two LIRs 2013.11.28 MYNOG RPKI Embarrassing 54
Router Origin Validation •  Cisco IOS – solid in 15.2 •  Cisco IOS/XR – shipped in 4.3.2 •  Juniper – shipped in 12.2 •  AlcaLu – in development 2013.11.28 MYNOG RPKI 55
RPKI Implementations •  RIPE/NCC – CA (partial closed) & RP (partial open) •  APNIC – CA only – Closed Source •  RTRlib/Berlin – RP only – Open Source •  BBN – RP Only – Open Source •  RPKI.NET – CA & RP – Open Source 2013.11.28 MYNOG RPKI 56
RPKI.NET / Dragon Labs •  Open Source BSD License •  CA – Hosted and Delegated Models, GUI •  RP – RPKI-RTR, NOC Tools, IRR Gen •  FreeBSD, Ubuntu, Debian, … Packaged (docs still catching up) 2013.11.28 MYNOG RPKI 57

Empfohlen

Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
RIP RTCP RTSP
RIP RTCP RTSPRIP RTCP RTSP
RIP RTCP RTSPDev Heba
 
F5 LTM Course by NIASTA Learning!
F5 LTM Course by NIASTA Learning!F5 LTM Course by NIASTA Learning!
F5 LTM Course by NIASTA Learning!Niasta Learning
 
Drive test
Drive testDrive test
Drive testMd Joynal Abaden
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Chap 13 stream control transmission protocol
Chap 13 stream control transmission protocolChap 13 stream control transmission protocol
Chap 13 stream control transmission protocolNoctorous Jamal
 

Empfohlen

Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
RIP RTCP RTSP
RIP RTCP RTSPRIP RTCP RTSP
RIP RTCP RTSPDev Heba
 
F5 LTM Course by NIASTA Learning!
F5 LTM Course by NIASTA Learning!F5 LTM Course by NIASTA Learning!
F5 LTM Course by NIASTA Learning!Niasta Learning
 
Drive test
Drive testDrive test
Drive testMd Joynal Abaden
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Chap 13 stream control transmission protocol
Chap 13 stream control transmission protocolChap 13 stream control transmission protocol
Chap 13 stream control transmission protocolNoctorous Jamal
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)Fred Posner
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?APNIC
 
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...StreamNative
 
Scaling the Container Dataplane
Scaling the Container Dataplane Scaling the Container Dataplane
Scaling the Container Dataplane Michelle Holley
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
Juniper MPLS Tutorial by Soricelli
Juniper MPLS Tutorial by SoricelliJuniper MPLS Tutorial by Soricelli
Juniper MPLS Tutorial by SoricelliFebrian ‎
 
DMVPN Lab WorkBook
DMVPN Lab WorkBookDMVPN Lab WorkBook
DMVPN Lab WorkBookRHC Technologies
 
IX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee YongIX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee YongMyNOG
 
Kamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaKamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaDaniel-Constantin Mierla
 
UMTS/WCDMA Call Flows for PS services
UMTS/WCDMA Call Flows for PS servicesUMTS/WCDMA Call Flows for PS services
UMTS/WCDMA Call Flows for PS servicesJustin MA (馬嘉昌)
 
Better Together: How Graph database enables easy data integration with Spark ...
Better Together: How Graph database enables easy data integration with Spark ...Better Together: How Graph database enables easy data integration with Spark ...
Better Together: How Graph database enables easy data integration with Spark ...TigerGraph
 
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrum
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrumLTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrum
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrumQualcomm Research
 
Internet Peering and the Role of an IXP
Internet Peering and the Role of an IXPInternet Peering and the Role of an IXP
Internet Peering and the Role of an IXPJacob Dagunduro
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN TroubleshootingEMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN TroubleshootingAruba, a Hewlett Packard Enterprise company
 
Lte drivetest guideline with genex probe
Lte drivetest guideline with genex probeLte drivetest guideline with genex probe
Lte drivetest guideline with genex probeRay KHASTUR
 
Introduction of dmvpn
Introduction of dmvpnIntroduction of dmvpn
Introduction of dmvpnE-Lins Technology Co. Ltd.
 
Getting a live_transcript_of_your_call_using_the_ari
Getting a live_transcript_of_your_call_using_the_ariGetting a live_transcript_of_your_call_using_the_ari
Getting a live_transcript_of_your_call_using_the_ariPascal Cadotte-Michaud
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Bangladesh Network Operators Group
 
Inter-AS MPLS VPN Deployment
Inter-AS MPLS VPN DeploymentInter-AS MPLS VPN Deployment
Inter-AS MPLS VPN DeploymentBangladesh Network Operators Group
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net ToolsBangladesh Network Operators Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)Fred Posner
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?APNIC
 
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...StreamNative
 
Scaling the Container Dataplane
Scaling the Container Dataplane Scaling the Container Dataplane
Scaling the Container Dataplane Michelle Holley
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
Juniper MPLS Tutorial by Soricelli
Juniper MPLS Tutorial by SoricelliJuniper MPLS Tutorial by Soricelli
Juniper MPLS Tutorial by SoricelliFebrian ‎
 
IX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee YongIX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee YongMyNOG
 
UMTS/WCDMA Call Flows for PS services
UMTS/WCDMA Call Flows for PS servicesUMTS/WCDMA Call Flows for PS services
UMTS/WCDMA Call Flows for PS servicesJustin MA (馬嘉昌)
 
Better Together: How Graph database enables easy data integration with Spark ...
Better Together: How Graph database enables easy data integration with Spark ...Better Together: How Graph database enables easy data integration with Spark ...
Better Together: How Graph database enables easy data integration with Spark ...TigerGraph
 
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrum
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrumLTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrum
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrumQualcomm Research
 
Internet Peering and the Role of an IXP
Internet Peering and the Role of an IXPInternet Peering and the Role of an IXP
Internet Peering and the Role of an IXPJacob Dagunduro
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Lte drivetest guideline with genex probe
Lte drivetest guideline with genex probeLte drivetest guideline with genex probe
Lte drivetest guideline with genex probeRay KHASTUR
 
Getting a live_transcript_of_your_call_using_the_ari
Getting a live_transcript_of_your_call_using_the_ariGetting a live_transcript_of_your_call_using_the_ari
Getting a live_transcript_of_your_call_using_the_ariPascal Cadotte-Michaud
 

Was ist angesagt? (20)

SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
 
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...
Tracking Apache Pulsar Messages with Apache SkyWalking - Pulsar Virtual Summi...
 
Scaling the Container Dataplane
Scaling the Container Dataplane Scaling the Container Dataplane
Scaling the Container Dataplane
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
Juniper MPLS Tutorial by Soricelli
Juniper MPLS Tutorial by SoricelliJuniper MPLS Tutorial by Soricelli
Juniper MPLS Tutorial by Soricelli
 
DMVPN Lab WorkBook
DMVPN Lab WorkBookDMVPN Lab WorkBook
DMVPN Lab WorkBook
 
IX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee YongIX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee Yong
 
Kamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaKamailio - SIP Routing in Lua
Kamailio - SIP Routing in Lua
 
UMTS/WCDMA Call Flows for PS services
UMTS/WCDMA Call Flows for PS servicesUMTS/WCDMA Call Flows for PS services
UMTS/WCDMA Call Flows for PS services
 
Better Together: How Graph database enables easy data integration with Spark ...
Better Together: How Graph database enables easy data integration with Spark ...Better Together: How Graph database enables easy data integration with Spark ...
Better Together: How Graph database enables easy data integration with Spark ...
 
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrum
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrumLTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrum
LTE-U/LAA, MuLTEfire™ and Wi-Fi; making best use of unlicensed spectrum
 
Internet Peering and the Role of an IXP
Internet Peering and the Role of an IXPInternet Peering and the Role of an IXP
Internet Peering and the Role of an IXP
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN TroubleshootingEMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
 
Lte drivetest guideline with genex probe
Lte drivetest guideline with genex probeLte drivetest guideline with genex probe
Lte drivetest guideline with genex probe
 
Introduction of dmvpn
Introduction of dmvpnIntroduction of dmvpn
Introduction of dmvpn
 
Getting a live_transcript_of_your_call_using_the_ari
Getting a live_transcript_of_your_call_using_the_ariGetting a live_transcript_of_your_call_using_the_ari
Getting a live_transcript_of_your_call_using_the_ari
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
Inter-AS MPLS VPN Deployment
Inter-AS MPLS VPN DeploymentInter-AS MPLS VPN Deployment
Inter-AS MPLS VPN Deployment
 

Ähnlich wie RPKI Introduction by Randy Bush

PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdateAPNIC
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
6th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.06th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.0A Achyar Nur
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPROIDEA
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC
 

Ähnlich wie RPKI Introduction by Randy Bush (20)

PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
BGP
BGPBGP
BGP
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net tools
 
6th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.06th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.0
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
BMP: the pa amb tomàquet your BGP monitoring was missing
BMP: the pa amb tomàquet your BGP monitoring was missingBMP: the pa amb tomàquet your BGP monitoring was missing
BMP: the pa amb tomàquet your BGP monitoring was missing
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh Phokeer
 

Mehr von MyNOG

Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10MyNOG
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023MyNOG
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksMyNOG
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersMyNOG
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureMyNOG
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network ControllerMyNOG
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformMyNOG
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalidsMyNOG
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXMyNOG
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in KubernetesMyNOG
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmMyNOG
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEMyNOG
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...MyNOG
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveMyNOG
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...MyNOG
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...MyNOG
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyNOG
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...MyNOG
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 

Mehr von MyNOG (20)

Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier Networks
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New Frontiers
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native Infrastructure
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network Controller
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalids
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIX
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in Kubernetes
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable Paradigm
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIX
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 

Kürzlich hochgeladen

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Kürzlich hochgeladen (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

RPKI Introduction by Randy Bush

  • 1. RPKI-Based Origin Validation, Routers, & Caches MYNOG / Kuala Lampur 2013.11.28 Randy Bush <randy@psg.com> Rob Austein <sra@hactrn.net> Michael Elkins <me@sigpipe.org> 2013.11.28 MYNOG RPKI 1
  • 2. Agenda •  Some Technical Background •  Mis-Origination - YouTube Incident •  The RPKI – Needed Infrastructure •  RPKI-Based Origin Validation •  Use the GUI to make ROAs and look at the result on a router •  Build your own Relying Party Server •  Discussion 2013.11.28 MYNOG RPKI 2
  • 3. This is Not New •  1986 – Bellovin & Perlman identify the vulnerability in DNS and Routing •  1999 - National Academies study called it out •  2000 – S-BGP – X.509 PKI to support Secure BGP - Kent, Lynn, et al. •  2003 – NANOG S-BGP Workshop •  2006 – RPKI.NET(for ARIN) & APNIC start work on RPKI. RIPE starts in 2008. •  2009 – RPKI.NET Open Testbed and running code in test routers 2013.11.28 MYNOG RPKI 3
  • 4. What is an AS? An ISP or End Site Sprint Verizon AS 701 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 4
  • 5. What is an AS? An ISP or End Site Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 5
  • 6. An IP Prefix is Announced & Propagated Sprint Verizon AS 701 Amazon AS 16509 2013.11.28 MYNOG RPKI AS 1239 Big ISPs ‘Peering’ IIJ AS 2497 147.28.0.0/16 GoJ Customers buy ‘Transit’ AS 234 Sakura AS 9370 6
  • 7. From Inside a Router BGP routing table entry for 147.28.0.0/16 Origin AS 16509 1239 2497 234 The AS-Path 2013.11.28 MYNOG RPKI 7
  • 8. Of Course it’s Uglier J r1.iad#sh ip bgp 147.28.0.0/16 BGP routing table entry for 147.28.0.0/16, version 21440610 Paths: (2 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 16509 1239 2497 234 144.232.18.81 from 144.232.18.81 (144.228.241.254) Origin IGP, metric 841, localpref 100, valid, external, best Community: 3297:100 3927:380 path 67E8FFCC RPKI State valid Refresh Epoch 1 16509 701 2497 234 129.250.10.157 (metric 11) from 198.180.150.253 (198.180.150.253) Origin IGP, metric 95, localpref 100, valid, internal Community: 2914:410 2914:1007 2914:2000 2914:3000 3927:380 path 699A867C RPKI State valid 2013.11.28 MYNOG RPKI 8
  • 9. The YouTube Incident Global Internet The Plan PCCW Pakistan Telekom Pakistan Internet 2013.11.28 MYNOG RPKI YouTube Poison Pakistan Internal Routing 9
  • 11. We Call this Mis-Origination a Prefix is Originated by an AS Which Does Not Own It 2013.11.28 MYNOG RPKI 11
  • 12. I Do Not Call it Hijacking Because that Assumes Negative Intent 2013.11.28 MYNOG RPKI 12
  • 13. And These Accidents Happen Every Day Usually to Small Folk Sometimes to Large 2013.11.28 MYNOG RPKI 13
  • 15. Three Pieces •  RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (deployed at all RIRs) •  Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (in deployment) •  AS-Path Validation AKA BGPsec – Prevent Path Attacks on BGP (in IETF) 2013.11.28 MYNOG RPKI 15
  • 16. Why Origin Validation? •  Prevent YouTube accident & Far Worse •  Prevent 7007 accident, UU/Sprint 2 days! •  Prevents most accidental announcements •  Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack •  That requires Path Validation, the third step, a few years away 2013.11.28 MYNOG RPKI 16
  • 17. We Need to be Able to Authoritatively Prove Who Owns an IP Prefix And What AS(s) May Announce It 2013.11.28 MYNOG RPKI 17
  • 18. Prefix Ownership Follows the Allocation Hierarchy IANA, RIRs, ISPs, … 2013.11.28 MYNOG RPKI 18
  • 20. RFCs Have Been Long Published 2013.11.28 MYNOG RPKI 20
  • 22. ROAs Registered by > 1,000 Operators 2013.11.28 MYNOG RPKI 22
  • 23. In Live Routers 2013.11.28 MYNOG RPKI 23
  • 24. X.509 Certificate w/ 3779 Ext X.509 Cert Signed by Parent’s Private Key CA RFC 3779 Extension Describes IP Resources (Addr & ASN) SIA – URI for where this Publishes Owner’s Public Key 2013.11.28 MYNOG RPKI 24
  • 26. That’s Who Owns It but Who May Route It? 2013.11.28 MYNOG RPKI 26
  • 27. Route Origin Authorization (ROA) CA Owning Cert 98.128.0.0/16 147.28.0.0/16 EE Cert 98.128.0.0/16 End Entity Cert can not sign certs. can sign other things e.g. ROAs Public Key Public Key ROA This is not a Cert It is a signed blob 98.128.0.0/16 AS 42 2013.11.28 MYNOG RPKI 27
  • 28. How RPKI is Generated Up / Down to Parent GUI RPKI Certificate Engine Publication Protocol Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations Up / Down to Child 2013.11.28 MYNOG RPKI 28
  • 29. Issuing Parties IANA Publication Protocol GUI Please Issue My Cert GUI Please Issue My Cert GUI Please Issue My Cert 2013.11.28 MYNOG RPKI Up/ Down APNIC Up/ Down JPNIC Up/ Down Trust Anchor Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance Publication Protocol Resource PKI Cert Issuance 29
  • 31. Issuing Parties Relying Parties Trust Anchor GUI IANA Publication Protocol Up Down GUI APNIC SIA Pointers Publication Protocol Up Down GUI 2013.11.28 MYNOG RPKI JPNIC Resource PKI Validated Cache Pseudo IRR route: descr: origin: notify: mnt-by: changed: source: 147.28.0.0/16! 147.28.0.0/16-16! AS3130! irr-hack@rpki.net! MAINT-RPKI! irr-hack@rpki.net 20110606! RPKI! NOC Tools Resource PKI SIA Pointers Publication Protocol RCynic Gatherer Resource PKI BGP Decision Process 31
  • 32. How Do ROAs Affect BGP Updates? 2013.11.28 MYNOG RPKI 32
  • 33. Trust Anchor IANA GUI Publication Protocol Up Down APNIC GUI SIA Pointers Publication Protocol GUI SIA Pointers Publication Protocol In NOC 2013.11.28 MYNOG RPKI Resource PKI In PoP RCynic Gatherer Crypto Check Validated Cache Up Down JPNIC Resource PKI Resource PKI Crypto Stripped RPKI to Rtr Protocol BGP Decision Process 33
  • 34. ROAs Become Router ROAs Want to Run on Current Hardware RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol Crypto is Stripped RPKI ROAs 34
  • 35. IPv4 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 4 | | +-------------------------------------------+ | | | Length=20 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..32 | 0..32 | | +-------------------------------------------+ | | | IPv4 prefix | | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 35
  • 36. IPv6 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 6 | | +-------------------------------------------+ | | | Length=40 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..128 | 0..128 | | +-------------------------------------------+ | | +-----+ | | +--IPv6 prefix ---+ | | +-----+ | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------' 2013.11.28 MYNOG RPKI 96 More Bits No Magic 36
  • 37. Marking BGP Updates BGP Peer BGP Data BGP Updates Mark RPKI Cache 2013.11.28 MYNOG RPKI RPKI-Rtr Protocol RPKI ROAs Valid Invalid NotFound 37
  • 38. Result of Check •  Valid – A matching/covering ROA was found with a matching AS number •  Invalid – A covering ROA was found, but the AS number did not match, and there was no other matching one •  NotFound – No matching or covering ROA was found, same as today 2013.11.28 MYNOG RPKI 38
  • 39. Configure Router to Get ROAs router bgp 651nn … bgp rpki server tcp 192.168.179.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 2013.11.28 MYNOG RPKI 39
  • 40. Valid! r0.sea#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24, version 3043542 Paths: (3 available, best #1, table default) 6939 27318 206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid 2914 4459 27318 199.238.113.9 from 199.238.113.9 (129.250.0.19) Origin IGP, metric 43, localpref 100, valid, external Community: 2914:410 2914:1005 2914:3000 3130:380 path 09AF35CC RPKI State valid 2013.11.28 MYNOG RPKI 40
  • 41. Invalid! r0.sea#show bgp 198.180.150.0 BGP routing table entry for 198.180.150.0/24, version 2546236 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 8 Refresh Epoch 1 1239 3927 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid 2013.11.28 MYNOG RPKI 41
  • 42. NotFound r0.sea#show bgp 64.9.224.0 BGP routing table entry for 64.9.224.0/20, version 35201 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 Refresh Epoch 1 1239 3356 36492 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 4, localpref 100, valid, internal Community: 3130:370 path 11861AA4 RPKI State not found 2013.11.28 MYNOG RPKI 42
  • 43. The Operator Tests the Mark and then Applies Local Policy 2013.11.28 MYNOG RPKI 43
  • 44. Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50 ! invalid is dropped 2013.11.28 MYNOG RPKI 44
  • 45. Paranoid route-map validity-0 match rpki valid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 45
  • 46. Security Geek route-map validity-0 match rpki invalid set local-preference 110 ! everything else dropped 2013.11.28 MYNOG RPKI 46
  • 47. After AS-Path route-map validity-0 match rpki not-found set metric 100 route-map validity-1 match rpki invalid set metric 150 route-map validity-2 set metric 50 2013.11.28 MYNOG RPKI 47
  • 48. Set a Community route-map validity-0 match rpki valid set community 3130:400 route-map validity-1 match rpki invalid set community 3130:200 route-map validity-2 set community 3130:300 2013.11.28 MYNOG RPKI 48
  • 49. And it is All Monitored BGP Data BGP Updates mark RPKI-Rtr Protocol 2013.11.28 MYNOG RPKI Valid Invalid NotFound RPKI ROAs SNMP syslog N O C 49
  • 50. But in the End, You Control Your Policy “Announcements with Invalid origins SHOULD NOT be used, but MAY be used to meet special operational needs. In such circumstances, the announcement SHOULD have a lower preference than that given to Valid or NotFound.” -- draft-ietf-sidr-origin-ops 2013.11.28 MYNOG RPKI 50
  • 51. RPKI at the Registries •  RIPE seriously deployed with a few thousand LIRs and thousands of ROAs •  APNIC is operational and moving forward, moving to RIPE’s GUI •  ARIN is doing their best to make RPKI deployment very hard •  LACNIC is deployed and has 100s of LIRs •  AFRINIC is deployed with O(25) LIRs 2013.11.28 MYNOG RPKI 51
  • 52. RIPE Progress •  Policy just passed to allow registration of legacy space without having to become a member or sign away all rights •  Policy just passed to allow registration of 40,000 PI allocations to end sites without having to become a full member •  And RIPE already had thousands of RPKI registrations 2013.11.28 MYNOG RPKI 52
  • 53. LACNIC / Ecuador •  LACNIC working with the Ecuador Internet Exchange •  All ISPs and lmost all address space in Ecuador is certified and has ROAs •  All members of the exchange are using RPKI-Rtr protocol to get ROAs from a cache at the exchange •  Watching routers to see markings 2013.11.28 MYNOG RPKI 53
  • 54. Per-RIR Statistics Much Better Than IPv6 Half are Two LIRs 2013.11.28 MYNOG RPKI Embarrassing 54
  • 55. Router Origin Validation •  Cisco IOS – solid in 15.2 •  Cisco IOS/XR – shipped in 4.3.2 •  Juniper – shipped in 12.2 •  AlcaLu – in development 2013.11.28 MYNOG RPKI 55
  • 56. RPKI Implementations •  RIPE/NCC – CA (partial closed) & RP (partial open) •  APNIC – CA only – Closed Source •  RTRlib/Berlin – RP only – Open Source •  BBN – RP Only – Open Source •  RPKI.NET – CA & RP – Open Source 2013.11.28 MYNOG RPKI 56
  • 57. RPKI.NET / Dragon Labs •  Open Source BSD License •  CA – Hosted and Delegated Models, GUI •  RP – RPKI-RTR, NOC Tools, IRR Gen •  FreeBSD, Ubuntu, Debian, … Packaged (docs still catching up) 2013.11.28 MYNOG RPKI 57