
Presentation Title

Presentation Subtitle

Name | Date | Event


Section Title
Section subtitle
RIRs are responsible for:

• Keeping the registry up to date, correct, and secure

• Using hierarchical allocation

• Maintaining neutrality towards all members

Internet building blocks

ASN (Autonomous System Number)

[Diagram: an Autonomous System, identified by its ASN, holds addresses and interconnects with other Autonomous Systems]
Routing on the Internet

[Diagram: A (193.x.x.x) and B (194.x.x.x) exchange announcements over the "BGP protocol". A: "I have 193.x.x.x"; B: "I have 194.x.x.x". A's routing table ends up with 194.x.x.x = B, B's with 193.x.x.x = A. The open questions at each end: "Can I trust B?" and "Is A correct?"]
Route Propagation

[Diagram: the route 66.2.9.0/24 propagates from routers R1 and R2 across AS15, AS756, AS164, AS33, AS25 and AS5; BGP attributes such as local preference (LP=100, LP=50) and MED (MED=500) decide which path the traffic takes]
Accidents Happen
• Fat Fingers
- 2 and 3 are really close on our keyboards...

• Policy Violations (leaks)
- Oops, we did not want this to go on the public Internet
- Infamous incident with Pakistan Telecom and YouTube
Incidents Are Common
• 2019 Routing Security Review
- 12,600 incidents
- 4.4% of all ASNs affected
- 3,000 ASNs are victims of at least one incident
- 1,300 ASNs caused at least one incident

Source: https://bgpstream.com
Routing on the Internet

"Internet Routing Registry"

[Diagram: the same exchange as before, now with an Internet Routing Registry available to consult. A (193.x.x.x) announces "I have 193.x.x.x", B (194.x.x.x) announces "I have 194.x.x.x"; the routing tables record 194.x.x.x = B and 193.x.x.x = A, and the questions remain "Can I trust B?" and "Is A correct?"]
Problem Statement
• Some IRR data can not be fully trusted
- Accuracy
- Incomplete data
- Lack of maintenance

• Not every RIR has an IRR
- Third party databases need to be used
- No verification of who holds IPs/ASNs
Resource Public Key Infrastructure

• Ties IP addresses and ASNs to public keys

• Follows the hierarchy of the registries

• Authorised statements from resource holders
- "ASN X is authorised to announce my Prefix Y"
- Signed, holder of Y


RPKI Certificate Structure
Certificate hierarchy follows allocation hierarchy

[Diagram: each RIR (ARIN, APNIC, RIPE, LACNIC, AFRINIC) issues certificates to its members; each member issues ROAs under its own certificate]


RPKI Chain of Trust

[Diagram: the root certificate covers ALL resources and carries the root's public key. The root's private key signs the LIR's certificate, which lists the LIR's resources and the LIR's public key]


Two elements of RPKI

Signing: create your ROAs

Validating: verifying others


RPKI Chain of Trust

[Diagram: the chain extended one step further. The root certificate (ALL resources, root's public key) signs the LIR's certificate (LIR's resources, LIR's public key), and the LIR's key in turn signs the ROA]


Hosted RPKI

• RIR hosts a CA and signs all ROAs

• Automates signing and key rollovers

• Allows you to focus on creating and publishing ROAs


Route Origin Authorisation

[Diagram: a ROA states "Prefix is authorised to be announced by AS Number", and carries a signature made with the LIR's private key]
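The two "Chain of Trust" slides and the ROA slide above say that the certificate hierarchy follows the allocation hierarchy: a certificate may only hold resources its issuer holds, and a ROA may only authorise a prefix its signing certificate holds. The following is an added example, not part of the slides or of any RPKI validator, that checks exactly that containment rule along a chain. Signature verification is assumed to have passed already; the classes `Cert` and `Roa`, the names `ROOT`, `RIR`, `LIR-ok`, `LIR-bad` and the documentation address ranges are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical data model for the containment step, not RPKI's real X.509/CMS
# objects. Signatures are assumed to have been verified already; this shows
# only the resource-containment rule that makes the hierarchy follow allocation.


@dataclass
class Cert:
    name: str
    prefixes: List[str]              # IP resources this certificate holds, e.g. "192.0.2.0/24"
    issuer: Optional["Cert"] = None  # None marks the root (trust anchor)


@dataclass
class Roa:
    prefix: str
    max_length: int
    asn: int
    issuer: Cert  # the resource holder's (LIR's) certificate that signed the ROA


def covered(prefix: str, holder_prefixes: List[str]) -> bool:
    """True if prefix lies inside at least one prefix held by the issuer."""
    net = ipaddress.ip_network(prefix)
    for held in holder_prefixes:
        held_net = ipaddress.ip_network(held)
        if net.version == held_net.version and net.subnet_of(held_net):
            return True
    return False


def check_cert(cert: Cert) -> List[str]:
    """Walk the chain up to the root; return containment violations (empty list = ok)."""
    problems = []
    node = cert
    while node.issuer is not None:
        for p in node.prefixes:
            if not covered(p, node.issuer.prefixes):
                problems.append(f"{node.name}: {p} is not held by issuer {node.issuer.name}")
        node = node.issuer
    return problems


def check_roa(roa: Roa) -> List[str]:
    """Chain containment plus the ROA's own prefix and maxLength sanity checks."""
    problems = check_cert(roa.issuer)
    if not covered(roa.prefix, roa.issuer.prefixes):
        problems.append(f"ROA for {roa.prefix}: prefix not held by {roa.issuer.name}")
    net = ipaddress.ip_network(roa.prefix)
    if not net.prefixlen <= roa.max_length <= net.max_prefixlen:
        problems.append(f"ROA for {roa.prefix}: maxLength {roa.max_length} out of range")
    return problems


# Constructed sample chain (documentation address ranges, private-use ASN).
ROOT = Cert("root", ["0.0.0.0/0", "::/0"])                      # ALL resources
RIR = Cert("RIR", ["192.0.2.0/24", "198.51.100.0/24"], issuer=ROOT)
LIR_OK = Cert("LIR-ok", ["192.0.2.0/25"], issuer=RIR)
LIR_BAD = Cert("LIR-bad", ["198.51.100.0/24", "203.0.113.0/24"], issuer=RIR)  # claims space the RIR never gave it

ROA_OK = Roa("192.0.2.0/25", 26, 64496, issuer=LIR_OK)
ROA_OUTSIDE = Roa("192.0.2.128/25", 25, 64496, issuer=LIR_OK)      # prefix the LIR does not hold
ROA_BAD_CHAIN = Roa("198.51.100.0/24", 24, 64496, issuer=LIR_BAD)  # ROA fine, its issuer is not

if __name__ == "__main__":
    for roa in (ROA_OK, ROA_OUTSIDE, ROA_BAD_CHAIN):
        print(roa.prefix, check_roa(roa) or "ok")
```

The point of walking the whole chain in `check_roa` is that a ROA can be perfectly well-formed and still be worthless: `ROA_BAD_CHAIN` fails only because a certificate above it claims a prefix its own issuer never held.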


[Two slides of RIPEstat routing screenshots]
• Source: https://stat.ripe.net/NL#tabId=routing


Hosted or Delegated RPKI

[Diagram: under the RIPE root, members either create their ROAs in the RIPE NCC Hosted System, or run their own delegated CA (Member-X CA, Member-Y CA) that issues its ROAs]


Two elements of RPKI

Signing: create your ROAs

Validating: verifying others


Trust Anchor Locator (TAL)

• Location of RIR repositories

• Root's public key

[Diagram: the validator is configured with one TAL per RIR, fetches certificates from each RIR repository (RIPE NCC, ARIN, APNIC, LACNIC, AFRINIC) and produces a list of ROAs]


Relying Party

[Diagram: the validator (relying party) pulls certificates from the five RIR repositories (RIPE NCC, ARIN, APNIC, LACNIC, AFRINIC) and outputs a list of ROAs]


Relying Party

[Diagram: the list of ROAs is matched against the received BGP announcements]

BGP Announcements:
AS111 10.0.8.0/22
AS222 10.0.6.0/24
AS333 10.4.16.0/20
AS111 10.0.12.0/22
AS111 10.0.16.0/22
AS111 10.0.20.0/22

BETTER ROUTING DECISIONS
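The slide shows the relying party's job only as a picture: announcements in, ROAs in, a routing decision out. Below is an added worked example (not code from the slides or from any validator product) of the route origin validation rule from RFC 6811 applied to the announcements listed on the slide. The ROAs are constructed for the example, since the slide does not give them; the `Roa` class and the accept/reject policy in `should_accept` are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    prefix: str      # authorised prefix, e.g. "10.0.8.0/21"
    max_length: int  # most specific announcement length the holder permits
    asn: int         # origin AS authorised to announce it (0 = nobody may announce it)


def covering_roas(route: str, roas: Iterable[Roa]) -> List[Roa]:
    """ROAs whose prefix contains the announced route, regardless of ASN or length."""
    net = ipaddress.ip_network(route, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(route: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 route origin validation: returns 'Valid', 'Invalid' or 'NotFound'."""
    covering = covering_roas(route, roas)
    if not covering:
        return "NotFound"  # no ROA says anything about this prefix
    net = ipaddress.ip_network(route, strict=False)
    for roa in covering:
        # One matching ROA is enough; an AS0 ROA never matches any real origin.
        if roa.asn == origin_asn and roa.asn != 0 and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered by ROAs, but none permits this origin and length


def should_accept(state: str) -> bool:
    """Common operator policy (assumption): drop Invalid, keep Valid and NotFound."""
    return state != "Invalid"


def validate_all(announcements: Iterable[Tuple[int, str]],
                 roas: Iterable[Roa]) -> Dict[Tuple[int, str], str]:
    """Classify every (origin ASN, prefix) pair seen in the BGP feed."""
    roas = list(roas)
    return {(asn, route): validate_origin(route, asn, roas) for asn, route in announcements}


# Constructed ROAs (an assumption, not data from the slide).
ROAS = [
    Roa("10.0.8.0/21", 22, 111),   # AS111 may announce /21 down to /22 out of 10.0.8.0/21
    Roa("10.0.16.0/22", 22, 111),
    Roa("10.0.6.0/24", 24, 222),
    Roa("10.4.0.0/16", 16, 444),   # only the /16 itself, only from AS444
]

# The announcements from the slide, plus one extra more-specific that exceeds maxLength.
ANNOUNCEMENTS = [
    (111, "10.0.8.0/22"),
    (222, "10.0.6.0/24"),
    (333, "10.4.16.0/20"),
    (111, "10.0.12.0/22"),
    (111, "10.0.16.0/22"),
    (111, "10.0.20.0/22"),
    (111, "10.0.8.0/24"),
]

if __name__ == "__main__":
    for (asn, route), state in validate_all(ANNOUNCEMENTS, ROAS).items():
        print(f"AS{asn} {route}: {state} -> {'accept' if should_accept(state) else 'reject'}")
```

Two outcomes are worth noticing: `AS333 10.4.16.0/20` is Invalid because a covering ROA exists for a different origin, while `AS111 10.0.20.0/22` is merely NotFound because no ROA covers it at all; most operators reject only the former, which is why signing your own prefixes is what turns "unknown" into "protected".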


Routing on the Internet

[Diagram: 1. A creates a route authorisation record (ROA) in the RPKI repository: "A is authorised to announce 192.0.2.0/24". A (192.0.2.0/24) then announces over BGP: "I have 192.0.2.0/24". 2. B (193.0.24.0/21) validates the route against the repository to answer "Is A correct?"]
Status of Transit and Cloud
Name | Type | Details | Status
Telia | Transit | Signed & Filtering | Safe
Cogent | Transit | Signed & Filtering | Safe
GTT | Transit | Signed & Filtering | Safe
NTT | Transit | Signed & Filtering | Safe
Hurricane Electric | Transit | Signed & Filtering | Safe
Tata | Transit | Signed & Filtering | Safe
PCCW | Transit | Signed & Filtering | Safe
RETN | Transit | Partially Signed & Filtering | Safe
Cloudflare | Cloud | Signed & Filtering | Safe
Amazon | Cloud | Signed & Filtering | Safe
Netflix | Cloud | Signed & Filtering | Safe
Wikimedia Foundation | Cloud | Signed & Filtering | Safe
Scaleway | Cloud | Signed & Filtering | Safe
• Source: isbgpsafeyet.com
What We're Working On
• Repository Resiliency: Cloud
• Security: Audit Framework, different security assessments
• Improving Q&A
• Reporting on our findings
• Doing RPKI ourselves!


Questions
