[Chart: With RPKI (Resource Public Key Infrastructure), 75.28%; axes: ID prefixes, advertised]
Routing problems caused by wrong advertisements happen nearly every day and cause Internet outages.
13,935 routing incidents happened in 2017.
Source: https://blog.apnic.net/2018/01/24/14000-incidents-routing-security-2017/
Why does this happen?
1 There is no single trusted data source from which to learn the correct routing table (RADB, APNIC, LEVEL 3, RGNET all hold their own copies).
2 BGP routing applies the principle of "mutual trust".
[Diagram: "I trust you! Please advertise 203.119.13.0/24" / "I trust you! You have 203.119.13.0/24 via AS4622" / 203.119.13.0/24 via AS4622]
How do we deal with routing problems today?
1 LoA (Letter of Authority) check: 203.119.13.0/24 via AS4622.
2 Using an IRR (Internet Routing Registry) with BGPQ3: 203.119.13.0/24 via AS4622 as registered in RADB, APNIC, JPIRR, LEVEL 3, RGNET, ARIN.
Problems with the IRR approach:
1 There are many IRRs.
2 Data is inconsistent between IRRs (for example 203.119.13.0/24 via AS7812 in one IRR and via AS12345 in another).
3 It is hard to identify which one is the most correct.
Overview of RPKI (section 1)
RPKI Training
1 What is RPKI (Resource Public Key Infrastructure)?
A cryptographic method to ensure that a route (prefix) advertised into BGP originates only from an AS number that is allowed to announce it.
Route hijacking (without RPKI) [diagram: access to 8.8.8.8 under a route hijack]
Route hijacking (with RPKI) [diagram: ROA allows only AS15169 to advertise prefix 8.8.8.0/24 - 23; access to 8.8.8.8 follows the legitimate route]
2 Benefits of RPKI [diagram: CA and ISPs]
4 RPKI single trust anchor [diagram: X.509 certificate binding an owner to a public key]
6 RPKI components [diagram: the RIR CAs (ARIN, AFRINIC, APNIC, LACNIC, RIPE-NCC) and IDNIC publish over the rsync protocol to RPKI validator software, which feeds the ISP router over RTR]
Issuing Party (CA) (section 2)
1 What is an Issuing Party? [diagram: CA and ISPs]
3 IDNIC RPKI system [diagram: public side: IDNIC CA under APNIC CA, members access the IDNIC repository via rsync; internal side: RPKI DB and RPKI service accessed through the myIDNIC web]
4 Route Origin Authorisation (ROA)
[Diagram: ROA: only AS4622 is allowed to advertise prefix 203.119.13.0/24]
2. IDNIC members
- A ROA can be created with help from the hostmaster by e-mail (hostmaster@idnic.net)
- Or by using the beta version of the IDNIC ROA dashboard (ready October 2019)
6 Checking a ROA: https://bgp.he.net
Relying Party (RP) (section 3)
1 What is a Relying Party (RP)? [diagram: the validator (RP) fetches the repositories over rsync and feeds routers using the RPKI to Router protocol (RTR protocol)]
3 Trust Anchor Locator (TAL)
Public key:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8
qH2ETVIL01ilxZlzIL9JYSORMN5Cmtf8V2JblIealSqgOTGjvSjEsiV73s67zYQI
7C/iSOb96uf3/s86NqbxDiFQGN8qG7RNcdgVuUlAidl8WxvLNI8VhqbAB5uSg/Mr
LeSOvXRja041VptAxIhcGzDMvlAJRwkrYK/Mo8P4E2rSQgwqCgae0ebY1CsJ3Cjf
i67C1nw7oXqJJovvXJ4apGmEv8az23OLC6Ki54Ul/E6xk227BFttqFV3YMtKx42H
cCcDVZZy01n7JjzvO8ccaXmHIgR7utnqhBRNNq5Xc5ZhbkrUsNtiJmrZzVlgU6Ou
0wIDAQAB
Every RIR has a TAL that can be downloaded and installed in an RPKI validator. The exception is the ARIN TAL, which can only be downloaded after agreeing to its terms and conditions.
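A TAL is a small text file: optional comment lines, one or more rsync:// or https:// URIs pointing at the trust anchor certificate, a blank line, and the base64-encoded SubjectPublicKeyInfo that the validator uses to check that certificate. The parser below is an added example, not part of this deck or of any validator's code: it splits a TAL into its URIs and key, and walks the DER just far enough to confirm the key is an rsaEncryption key and report its modulus size. The URIs in the sample are placeholders; the key text is the one printed above.

```python
import base64

# Constructed TAL text laid out as RFC 8630 describes: optional '#' comment lines,
# one or more rsync:// or https:// URIs, a blank line, then the base64-encoded
# SubjectPublicKeyInfo. The URIs are placeholders (not a real RIR location);
# the key is the one printed on this page.
SAMPLE_TAL = """\
# constructed example TAL, not an RIR's real TAL
rsync://rpki.example.invalid/repository/root.cer
https://rpki.example.invalid/root.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8
qH2ETVIL01ilxZlzIL9JYSORMN5Cmtf8V2JblIealSqgOTGjvSjEsiV73s67zYQI
7C/iSOb96uf3/s86NqbxDiFQGN8qG7RNcdgVuUlAidl8WxvLNI8VhqbAB5uSg/Mr
LeSOvXRja041VptAxIhcGzDMvlAJRwkrYK/Mo8P4E2rSQgwqCgae0ebY1CsJ3Cjf
i67C1nw7oXqJJovvXJ4apGmEv8az23OLC6Ki54Ul/E6xk227BFttqFV3YMtKx42H
cCcDVZZy01n7JjzvO8ccaXmHIgR7utnqhBRNNq5Xc5ZhbkrUsNtiJmrZzVlgU6Ou
0wIDAQAB
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_tal(text):
    """Split a TAL into (list of certificate URIs, DER SubjectPublicKeyInfo bytes)."""
    uris, key_lines, in_key = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_key:
            if line:
                key_lines.append(line)
            continue
        if not line or line.startswith("#"):
            in_key = bool(uris) and not line  # blank line after the URIs ends the URI section
            continue
        if not (line.startswith("rsync://") or line.startswith("https://")):
            raise ValueError("unsupported TAL URI scheme: " + line)
        uris.append(line)
    if not uris or not key_lines:
        raise ValueError("TAL needs at least one URI and a public key")
    return uris, base64.b64decode("".join(key_lines), validate=True)


def _tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier / BIT STRING -> RSAPublicKey
    and return the modulus size in bits; raise if the key is not rsaEncryption."""
    tag, p, end = _tlv(spki, 0)                      # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a DER SubjectPublicKeyInfo")
    tag, a_start, a_end = _tlv(spki, p)              # SEQUENCE AlgorithmIdentifier
    tag_oid, o_start, o_end = _tlv(spki, a_start)    # OBJECT IDENTIFIER algorithm
    if tag != 0x30 or tag_oid != 0x06 or spki[o_start:o_end] != RSA_ENCRYPTION_OID:
        raise ValueError("TAL key is not an rsaEncryption key")
    tag, b_start, b_end = _tlv(spki, a_end)          # BIT STRING subjectPublicKey
    if tag != 0x03 or spki[b_start] != 0:            # first content byte = unused bits, must be 0
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, r_start, r_end = _tlv(spki, b_start + 1)    # SEQUENCE RSAPublicKey
    tag_n, n_start, n_end = _tlv(spki, r_start)      # INTEGER modulus
    if tag != 0x30 or tag_n != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def describe_tal(text):
    """Summarise a TAL: where the trust anchor certificate is fetched from and its key size."""
    uris, spki = parse_tal(text)
    return {"uris": uris, "spki_bytes": len(spki), "rsa_bits": rsa_modulus_bits(spki)}


def is_valid_tal(text):
    """True when the text parses as a TAL carrying an rsaEncryption key."""
    try:
        describe_tal(text)
        return True
    except (ValueError, IndexError):  # bad scheme, bad base64 or truncated DER
        return False


if __name__ == "__main__":
    print(describe_tal(SAMPLE_TAL))
```

Run as a script it prints the two URIs, a 294-byte SPKI and a 2048-bit RSA modulus. A validator does the same checks before it fetches anything: it refuses a TAL whose key does not decode, and it only ever trusts the certificate at the listed URIs if that certificate's public key matches the TAL's key byte for byte.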
4 Relying Party software
- RCYNIC (rpki.net)
- Octo RPKI (cloudflare.com)
- RIPE NCC RPKI Validator (RIPE NCC)
- Routinator 3000 (nlnetlabs.nl)
- RPSTIR (ZDNS)
Route Origin Validation (ROV) (section 4)
1 RPKI validation [diagram: ROA for 203.119.13.0/24 with origin AS4622]
Hardware with RPKI validation support:
- Juniper (Junos >v12.2)
- Cisco (IOS XR >v4.2.1 & XE >v3.5)
- Nokia (SR OS >v12.0.R4)
Software with RPKI validation support:
- Bird (>v2.0.0)
- Quagga
Motivation (section 5)
1 RPKI adoption rate
Source: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/
2 Companies that have started using RPKI
Example configuration (Cisco IOS route-map)
!
route-map rpki-loc-pref permit 10
 match rpki invalid
 set local-preference 90
!
route-map rpki-loc-pref permit 20
 match rpki not-found
 set local-preference 100
!
route-map rpki-loc-pref permit 30
 match rpki valid
 set local-preference 110
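The ROA slide above says only AS4622 may originate 203.119.13.0/24, and the route-map above turns a validation state into a local-preference. The code below is an added example, not part of this deck or of any router's or validator's code: it implements the RFC 6811 origin-validation decision over a small set of validated ROA payloads and maps the result to the same local-preference values as the route-map. The ROA entries for 203.119.13.0/24 (AS4622) and 8.8.8.0/24 (AS15169) are taken from the slides; their maxLength values, the AS0 entry for 192.0.2.0/24 and the announcements used as input are assumptions constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ROA(NamedTuple):
    prefix: IPNetwork
    max_length: int
    asn: int


def make_roa(prefix, asn, max_length=None):
    """Build a ROA; maxLength defaults to the prefix length, as in a ROA that omits it."""
    net = ipaddress.ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


# Constructed validated ROA payloads (VRPs), as a validator would hand to a router.
# 203.119.13.0/24 AS4622 and 8.8.8.0/24 AS15169 come from this deck's slides;
# the maxLength values and the AS0 entry are assumptions made for this example.
SAMPLE_ROAS = [
    make_roa("203.119.13.0/24", 4622),
    make_roa("8.8.8.0/24", 15169),
    make_roa("192.0.2.0/24", 0),   # AS0 ROA: this prefix must never appear in BGP
]

# Local-preference per validation state, mirroring the route-map in this deck.
LOCAL_PREF = {"valid": 110, "not-found": 100, "invalid": 90}


def validate_origin(roas, announced_prefix, origin_as):
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix)
    # covering ROAs: same address family and the announced prefix lies inside the ROA prefix
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"  # no ROA says anything about this prefix
    for roa in covering:
        # a match needs the right origin AS and a prefix length within maxLength;
        # an AS0 ROA can never match because AS 0 is not a legitimate BGP origin
        if roa.asn == origin_as and roa.asn != 0 and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered by at least one ROA, but none authorises this announcement


def apply_policy(roas, announced_prefix, origin_as):
    """Return (validation state, local-preference) that the route-map policy would assign."""
    state = validate_origin(roas, announced_prefix, origin_as)
    return state, LOCAL_PREF[state]


if __name__ == "__main__":
    # constructed announcements: the legitimate origin, a wrong origin, a too-specific
    # prefix from the right origin, an AS0-protected prefix and an uncovered prefix
    for prefix, asn in [("203.119.13.0/24", 4622), ("203.119.13.0/24", 7812),
                        ("203.119.13.0/25", 4622), ("192.0.2.0/24", 64500),
                        ("198.51.100.0/24", 64500)]:
        print(prefix, "AS%d" % asn, apply_policy(SAMPLE_ROAS, prefix, asn))
```

Two points the code makes that the slides only imply: a more-specific announcement from the correct AS is still invalid once it exceeds the ROA's maxLength, which is why creating a ROA with a generous maxLength widens what a hijacker can announce validly; and "not-found" is not an error state, it is simply a prefix nobody has signed for, which is why the route-map gives it a local-preference between valid and invalid rather than dropping it.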
Example Juniper configuration
routing-options {
    autonomous-system 64511;
    validation {
        group rpki-validator {
            session 10.1.1.6 {
                refresh-time 120;
                hold-time 180;
                port 8282;
                local-address 10.1.1.5;
            }
        }
    }
}
Example Bird configuration
roa4 table ROA4;
roa6 table ROA6;
filter peer_in_v4 {
    if (roa_check(ROA4, net, bgp_path.last) = ROA_INVALID) then
    {
        print "Ignore invalid ROA ", net, " for ASN ", bgp_path.last;
        reject;
    }
    accept;
}
protocol bgp {
    debug all;
    local as 10;
    neighbor 202.182.57.1 as 24213;
    ipv4 {
        import keep filtered;
        import filter peer_in_v4;
        export none;
    };
}
Bird router
IP: 202.182.57.57
user: training
password: training2019
config file: /usr/local/etc/bird.conf
GNS3 lab
server: 119.82.224.57, port 3080
https://github.com/GNS3/gns3-gui/releases/tag/v2.2.0b1