RPKI Technology Overview

Sandeep Bhanoori
GS-JTAC-400

© 2021 Juniper Networks 1


Juniper Business Use Only
Forward-Looking Statements
This presentation contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the
Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. Except for historical information contained herein, all
statements could be deemed forward-looking statement, including, without limitation, Juniper Networks’ views concerning our business outlook; economic and
market outlook; our expectations with respect to market trends; our product development; the strength of certain use-cases and customer segments; the introduction
of future products; the strength of our solution portfolio; the timing of recovery from COVID-19 on customer demand and resolution of supply challenges; and overall
future prospects.
Actual results or events could differ materially from those anticipated in those forward-looking statements as a result of several factors, including: general economic
and political conditions globally or regionally; the duration of the COVID-19 pandemic; business and economic conditions in the networking industry; changes in
overall technology spending by our customers; the network capacity requirements of our customers and, in particular, cloud and communication service providers; the
timing of orders and their fulfillment; manufacturing and supply chain constraints, changes or disruptions; availability of product components; delays in scheduled
product availability; adoption of regulations or standards affecting Juniper Networks’ products, services or the networking industry; the impact of import tariffs; and
other factors listed in Juniper Networks’ most recent reports on Form 10-Q and 10-K filed with the Securities and Exchange Commission. These forward-looking
statements are not guarantees of future performance and speak only as of the date of this presentation. Juniper Networks undertakes no obligation to update the
information in this presentation in the event facts or circumstances subsequently change.
Statement of Product Direction. Juniper Networks may disclose information related to development and plans for future products, features or enhancements, known
as a Plan of Record (“POR”). These details provided are based on Juniper’s current development efforts and plans. These development efforts and plans are subject to
change at Juniper’s sole discretion, without notice. Except as may be set forth in definitive agreements, Juniper Networks provides no assurances and assumes no
responsibility to introduce products, features or enhancements described in this presentation. Purchasing decisions by third-parties should not be based on this POR
and no purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.
Company Logos. Juniper Networks, the Juniper Networks logo, Juniper, Junos, and Mist AI are registered trademarks of Juniper Networks, Inc. and/or its affiliates in
the United States and other countries. Other names and/or logos may be trademarks of their respective owners, and Juniper Networks’ use hereof does not imply an
affiliation with, or endorsement by, the owners of these trademarks or logos.

Agenda
• What is RPKI technology?

• Terminology used in RPKI

• How does RPKI work?

• What is internet routing security?

• How does RPKI-RTR work?

• How does a router implement RPKI?

What is RPKI?

• RPKI – Resource Public Key Infrastructure.

• RPKI gives resource holders an authorized and reliable means of asserting how their IP resources may appear in the global routing table.

• This infrastructure is used to make internet routing more reliable and secure.

• The legitimate holder of a block of IP addresses can make an authoritative statement about which AS is allowed to originate their prefix; network operators can download and validate these statements and make routing decisions based on them.

• Resource Public Key Infrastructure (RPKI) revolves around the right to use Internet number resources, such as IP addresses and autonomous system (AS) numbers.

Terminology

ROA - Route Origin Authorization

- A ROA is a signed statement that consists of a prefix, a maximum prefix length, and the originating ASN.

ROV - Route Origin Validation

- Functionality that operationally mimics what route objects in the IRR are intended to do, but in a cryptographically trustworthy manner.

Terminology

VRP - Validated ROA Payload

- Once the data has been downloaded, the validator verifies the signatures on all objects and outputs the valid route origins as a list. Each object in this list contains an IP prefix, a maximum length, and an origin AS number. This object is referred to as a validated ROA payload (VRP). The collection of VRPs is known as the validated cache.

RPKI-RTR Protocol - Resource Public Key Infrastructure to Router protocol

- This is the protocol that runs between the validator and the router to feed the router enough validated data to make the necessary decisions.

IANA Hierarchy
(figure only on this slide)

IANA Hierarchy
(figure only on this slide)

IANA Allocation Hierarchy
(figure only on this slide)

X.509 Certificates

• X.509 Digital Certificates
  - Subject, validity period, public key and other fields.
  - Standardised under RFC 5280.

• With extensions
  - RFC 3779 defines extensions that carry internet number resources as certificate fields.
  - List of IPv4 and IPv6 prefixes and ASNs assigned to an Organization.

Certificate layout (diagram on the slide):
  Version
  Serial Number
  Signature Algorithm ID
  Issuer Name
  Validity Period (Not Before / Not After)
  Subject Name
  Public Key Info (Public Key Algorithm, Subject Public Key)
  RFC 3779 Extensions
  Certificate Signature Algorithm
  Certificate Algorithm

RPKI States
Operators are eligible to acquire ROAs from the RIRs and feed their routers to act based on the validation status. A particular announcement will generally have one of three states:

VALID: This is the state if the ROA and route announcement match. It is expected that all operators will allow these routes to be installed in their routers. They may also up-preference these routes.

INVALID: This is the state if the ROA and route announcement differ: either the originating ASN is different, or the announcement is more specific than is allowed by the maximum prefix length set in the ROA.

UNKNOWN: This is the default state, if no ROA is available for an announcement. It is expected that all operators will allow these routes to be installed in their routers, but with lower priority than the VALID announcements.
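The three states above follow the RFC 6811 matching rules (covering VRP, origin AS, maximum length). The following is an added example, not code from the slides or from Junos: it runs those rules over a small constructed validated cache (two entries mirror records shown later in the 'show validation database' output; the IPv6 entry and the announcements are made up).

```python
import ipaddress
from typing import Iterable, NamedTuple


class VRP(NamedTuple):
    """One validated ROA payload: prefix, maximum length and authorized origin AS."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed validated cache (sample data, not a real RIR feed).
CACHE = [
    VRP("192.0.64.0/18", 24, 2635),
    VRP("1.0.0.0/24", 24, 13335),
    VRP("2001:db8::/32", 48, 64496),
]


def validate(announced_prefix: str, origin_as: int, vrps: Iterable[VRP] = CACHE) -> str:
    """Classify a BGP announcement as 'valid', 'invalid' or 'unknown' (RFC 6811).

    A VRP *covers* the route when the announced prefix lies inside the VRP prefix.
    A covering VRP *matches* when the origin AS agrees and the announced prefix
    length does not exceed the VRP's maximum length.
    """
    route = ipaddress.ip_network(announced_prefix, strict=True)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix, strict=True)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if vrp.origin_as == origin_as and route.prefixlen <= vrp.max_length:
            return "valid"  # a single matching VRP is enough
    # Covered by at least one VRP but matched by none: invalid.
    # Covered by no VRP at all: unknown (not found), the default state.
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    for prefix, asn in [("192.0.64.0/18", 2635), ("192.0.64.0/25", 2635),
                        ("192.0.64.0/18", 64512), ("203.0.113.0/24", 64512)]:
        print(prefix, asn, validate(prefix, asn))
```

The "more specific than the maximum length" case (a /25 under a /18-24 VRP) comes out invalid even though the origin AS is right, which is the case operators most often trip over.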

RPKI States
Invalid ROA (different from an invalid prefix as mentioned above)
• It’s easy to confuse this term with the validity state of a BGP announcement.
• It can occur that a ROA doesn’t pass cryptographic verification, for example because it expired.
• As a result, it is discarded and will not affect any BGP announcement.
• Only a ‘valid ROA’ can make a BGP announcement Valid or Invalid.

The only entity that can make any changes to the ROA is the RIR-listed authorized owner of the IP resource.

If an existing or new authorized owner wants to add or update their resources, the following RIR portals are useful:
RIR        Portal
AFRINIC    https://my.afrinic.net
APNIC      https://myapnic.net
ARIN       https://account.arin.net
LACNIC     https://milacnic.lacnic.net
RIPE NCC   https://my.ripe.net
Routing Errors

Route Leak (RFC 7908): A route leak is the propagation of routing announcement(s) beyond their intended scope. That is, an announcement from an Autonomous System (AS) of a learned BGP route to another AS is in violation of the intended policies of the receiver, the sender, and/or one of the ASes along the preceding AS path.

Route Hijack: BGP route hijacking, also called prefix hijacking, route hijacking or IP hijacking, is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).

Live Internet Routing Incidents

RPKI Validator:

• Juniper and most major vendors support RPKI-based validation in their routers, in coherence with BGP, and take the necessary decision.

• The validated cache can be fed directly into RPKI-capable routers via the RPKI to Router Protocol (RPKI-RTR), described in RFC 8210, using third-party software called validators.

• The router does not perform any of the cryptographic validation; this is all handled by the relying-party software.
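What the validator actually feeds the router over RPKI-RTR (introduced in the terminology slide and above) is a stream of prefix PDUs carrying VRPs and nothing else: no certificates, no signatures. The following is an added example, not code from the slides, Junos or any validator; it encodes and decodes the RFC 8210 IPv4 and IPv6 Prefix PDUs (sections 5.6 and 5.7 of that RFC), with constructed sample values, and rejects malformed PDUs the way a router-side parser should.

```python
import ipaddress
import struct

PROTO_V1 = 1           # RFC 8210 protocol version
PDU_IPV4_PREFIX = 4    # PDU type: IPv4 Prefix (fixed length 20)
PDU_IPV6_PREFIX = 6    # PDU type: IPv6 Prefix (fixed length 32)
FLAG_ANNOUNCE = 1      # flags bit 0: 1 = announce, 0 = withdraw


def encode_prefix_pdu(prefix: str, max_len: int, origin_as: int, announce: bool = True) -> bytes:
    """Build one IPv4/IPv6 Prefix PDU for a VRP (validator -> router direction)."""
    net = ipaddress.ip_network(prefix, strict=True)
    pdu_type, length = (PDU_IPV4_PREFIX, 20) if net.version == 4 else (PDU_IPV6_PREFIX, 32)
    header = struct.pack("!BBHI", PROTO_V1, pdu_type, 0, length)
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_len, 0)
    return header + body + net.network_address.packed + struct.pack("!I", origin_as)


def decode_prefix_pdu(data: bytes):
    """Parse a Prefix PDU into (announce, 'prefix/len', max_len, origin_as).

    Raises ValueError on anything malformed; a router should drop such PDUs
    rather than install a half-parsed VRP.
    """
    if len(data) < 8:
        raise ValueError("short PDU header")
    version, pdu_type, _zero, length = struct.unpack("!BBHI", data[:8])
    if version != PROTO_V1:
        raise ValueError(f"unsupported protocol version {version}")
    if pdu_type == PDU_IPV4_PREFIX:
        addr_len, expected = 4, 20
    elif pdu_type == PDU_IPV6_PREFIX:
        addr_len, expected = 16, 32
    else:
        raise ValueError(f"not a prefix PDU (type {pdu_type})")
    # Length field must equal the fixed size for the type and the bytes present.
    if length != expected or len(data) != expected:
        raise ValueError("PDU length mismatch")
    flags, plen, max_len, _zero = struct.unpack("!BBBB", data[8:12])
    if not plen <= max_len <= addr_len * 8:
        raise ValueError("inconsistent prefix length / max length")
    addr = ipaddress.ip_address(data[12:12 + addr_len])
    (origin_as,) = struct.unpack("!I", data[12 + addr_len:])
    return bool(flags & FLAG_ANNOUNCE), f"{addr}/{plen}", max_len, origin_as


if __name__ == "__main__":
    pdu = encode_prefix_pdu("192.0.64.0/18", 24, 2635)   # constructed VRP
    print(pdu.hex(), decode_prefix_pdu(pdu))
```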

RPKI Validators

Configuration and Verification:
root@jtac-PTX1000> show validation session
Session                        State   Flaps   Uptime        #IPv4/IPv6 records
10.85.186.222                  Up      0       2d 21:03:21   228555/44123

root@jtac-PTX1000> show validation session 10.85.186.222 detail
Session 10.85.186.222, State: up, Session index: 2
  Group: ntt-rtr, Preference: 100
  Local IPv4 address: 10.85.173.11, Port: 8383
  Refresh time: 1800s
  Hold time: 3600s
  Record Life time: 7200s
  Serial (Full Update): 618
  Serial (Incremental Update): 676
  Session flaps: 0
  Session uptime: 2d 21:14:40
  Last PDU received: 00:11:34
  IPv4 prefix count: 228555
  IPv6 prefix count: 44123

root@jtac-PTX1000> show validation statistics
Total RV records: 272678
Total Replication RV records: 272678
  Prefix entries: 248838
  Origin-AS entries: 272678
  Memory utilization: 108302386 bytes
Policy origin-validation requests: 0
  Valid: 0
  Invalid: 0
  Unknown: 0
BGP import policy reevaluation notifications: 15
  inet.0, 8
  inet6.0, 7

Configuration and Verification:
root@jtac-PTX1000> show validation database
RV database for instance master
Prefix Origin-AS Session State Mismatch
1.0.0.0/24-24 13335 10.85.186.222 valid
1.0.4.0/22-22 38803 10.85.186.222 valid
1.0.4.0/24-24 38803 10.85.186.222 valid
1.0.5.0/24-24 38803 10.85.186.222 valid
1.0.6.0/24-24 38803 10.85.186.222 valid

root@jtac-PTX1000> show validation database record 192.0.64.0/18 detail
RV database for instance master
Prefix Origin-AS Session State Mismatch
192.0.64.0/18-24 2635 10.85.186.222 valid
IPv4 records: 1
IPv6 records: 0

root@jtac-PTX1000> show validation database | count
Count: 272680 lines

Configuration and Verification:
root@jtac-PTX1000> show configuration routing-options validation group rpki-rtr session 10.85.186.222
refresh-time 1800;
hold-time 3600;
record-lifetime 7200;
port 8383;

Rule 1: Hold Time = 2 * Refresh Time (default).

Rule 2: Record-Lifetime > 2 * Refresh timer (default: Record-Lifetime = 6 * Refresh timer).

Refresh-Time: The interval after which the router requests an incremental update from the RPKI server.

Hold-Time: The period of inactivity after which the RPKI-RTR session is considered down.

Record-Lifetime: The maximum age after which a record is considered expired.
Thank you
