SlideShare une entreprise Scribd logo

AFRINIC Presentation - Resource certification by Amreesh Phokeer

AFRINIC
AFRINIC

AFRINIC Presentation - Resource certification by Amreesh Phokeer

Internet
1  sur  25
Télécharger pour lire hors ligne
Resource Certification (RPKI) @AFRINIC Amreesh Phokeer IWeek’16, JNB, ZA September 20, 2016
Agenda ● What is the rationale behind RPKI? ● What is resource certification? ● How to get your resources certified? ● How to sign your routing announcements? ● How to make your router talk RPKI? ● How to build filters based on validated routes? ● Demo ● Current hot topics 2
Rationale ● Routing mostly based on trust ● BGP offer amazing possibilities but poor security ● No systematic way to filter peers and customers ● Unreliable sources of policy information ● The Internet is full of stories of: ○ Route leaks you said? ○ BGP hijacks ○ Traffic redirection ○ Blackholing 3
Mitigation techniques ● Conservative filtering ● Use of Routing Registries but: ○ Do not have all routing information ○ Do not necessarily mirror each other ○ Routing policies not kept up-to-date ○ Error-prone 4
Youtube and Pakistan Telecom (2008) 5
Timeline 6
China Telecom - Traffic redirection 7
How do we securing Internet Routing? ● A route consist of: ○ An origin-as and a prefix ○ A path 8
How do we securing Internet Routing? ● A route consist of: ○ An origin-as and a prefix ○ A path 9
How do we securing Internet Routing? ● A route consist of: ○ An origin-as and a prefix ○ A path 10 Prefix origination AS_PATH You need to secure both!!!
Solution - RPKI ● SIDR group at the IETF ○ How to securely verify that an AS is authorised to announce a prefix? (Origin Validation) ○ How to make sure that the AS_PATH has not been modified? (BGPSEC) ● Origin validation ○ RFC 5280: X.509 Public Key Infrastructure ○ RFC 3779: Extensions for IP addresses and ASN ● BGPSEC (still on-going) 11
Role of the RIR ● Receives global allocations from IANA ● Distribute and manage resources at a regional level ● Make sure information are up-to-date and accurate ● Becomes the de-facto authority as sole registry regionally 12 IANA AFRINIC LIR EU APNIC RIPE NCC ARIN LACNIC
Role of the RIR ● Receives global allocations from IANA ● Distribute and manage resources at a regional level ● Make sure information are up-to-date and accurate ● Becomes the de-facto authority as sole registry regionally 13 IANA AFRINIC LIR EU APNIC RIPE NCC ARIN LACNIC
Resource Certificates ● RPKI defines two types of certificates: ○ CA - Certificate Authority (to issue CA or EE) ○ EE - End-entity (digital signature, etc) ● Certify resources - verifiable ownership! ● AFRINIC has a self-signed root certificate ● IANA one-day! ● Opt-in service, one year validity ● Exclude legacy space/members 14
Certificate hierarchy 15 Issuer: AFRINIC Subject: ISP1 Resources: 192.2.0.0/16 Pub Key Info: <ISP1-key> Signed by: <root-key-priv> Resource Allocation Hierarchy Issuer: ISP1 Subject: ISP2 Resources: 192.2.200.0/22 Pub Key Info: <isp2-key> Signed by: <afrinic-key-priv> Issuer: ISP2 Subject: ISP2-EE Resources: 192.2.200.0/24 Pub Key Info: <isp2-ee-key> Signed by: <isp2-key-priv> ROA AS 3 192.2.200.0/24-24
Repositories ● Public ● Certificates and ROA ● CRL and MFT ● Hosted or delegated ● HOSTED MODE only 16 IANA AFRINIC LIR EU APNIC RIPE NCC ARIN LACNIC R R R R R R R Publish at parent
AFRINIC’s Repository 17 AFRINIC Root Certificate AFRINIC member’s repository
Demo https://my.afrinic.net 18
Validated caches 19 AFRINIC Validator Host: validator.afrinic.net Port: 8080
Configure your router 20 router bgp 12345 … bgp rpki server tcp 192.168.179.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
Route announcement status 21 ● Valid – A matching/covering prefix was found with a matching AS number ● Invalid – A covering prefix was found, but the AS number did not match, and there was no other matching one ● NotFound – No matching or covering prefix was found, same as today
You define your own policy 22 Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50 ! invalid is dropped Paranoid route-map validity-0 match rpki valid set local-preference 110 ! everything else dropped Security Geek route-map validity-0 match rpki invalid set local-preference 110 ! everything else dropped
RPKI tools ● Validators: ○ RIPE Validator ○ Rcynic - www.rpki.net (CA+Validator) ○ RPSTIR ● Looking glasses: ○ bgp.he.net ○ Bgpmon ○ RIPEStat 23
RPKI Hot topics ● Global trust anchor ○ ICANN/IANA/NRO ○ Support from local RIR community ● RPKI Adverse actions ● RPKI Validation considered ○ Transfers of resources ○ ERX spaces 24
Questions rpki-help@afrinic.net 25

Recommandé

MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Bangladesh Network Operators Group
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
RPKI
RPKIRPKI
RPKIRIPE NCC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
IPv6 growth at Hurricane Electric’s AS6939
IPv6 growth at Hurricane Electric’s AS6939IPv6 growth at Hurricane Electric’s AS6939
IPv6 growth at Hurricane Electric’s AS6939APNIC
 
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...Deploy360 Programme (Internet Society)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 

Recommandé

MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Bangladesh Network Operators Group
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
RPKI
RPKIRPKI
RPKIRIPE NCC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
IPv6 growth at Hurricane Electric’s AS6939
IPv6 growth at Hurricane Electric’s AS6939IPv6 growth at Hurricane Electric’s AS6939
IPv6 growth at Hurricane Electric’s AS6939APNIC
 
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...Deploy360 Programme (Internet Society)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshFakrul Alam
 
ION Costa Rica - About the IETF and How to Get Involved
ION Costa Rica - About the IETF and How to Get InvolvedION Costa Rica - About the IETF and How to Get Involved
ION Costa Rica - About the IETF and How to Get InvolvedDeploy360 Programme (Internet Society)
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
LACNIC Update
LACNIC UpdateLACNIC Update
LACNIC UpdateAPNIC
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
 
Tech w22
Tech w22Tech w22
Tech w22SelectedPresentations
 
Certification
CertificationCertification
CertificationRIPE NCC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
Clinical Photos - Autosomal Dominant conditions
Clinical Photos - Autosomal Dominant conditionsClinical Photos - Autosomal Dominant conditions
Clinical Photos - Autosomal Dominant conditionsmeducationdotnet
 
Metodos para el cálculo de un sistema de ecuaciones
Metodos para el cálculo de un sistema de ecuacionesMetodos para el cálculo de un sistema de ecuaciones
Metodos para el cálculo de un sistema de ecuacionesJose Aranda
 
Macedonio Fernández.
Macedonio Fernández. Macedonio Fernández.
Macedonio Fernández. Jose Aranda
 
Trabajo de daniela montes
Trabajo de daniela montesTrabajo de daniela montes
Trabajo de daniela montesDaniela Ortega
 
Màquines simples tecnologia
Màquines simples tecnologiaMàquines simples tecnologia
Màquines simples tecnologiasaracasamian
 
Emprendimiento l.e
Emprendimiento l.eEmprendimiento l.e
Emprendimiento l.ealonso90
 
Ideasdenegocio
IdeasdenegocioIdeasdenegocio
Ideasdenegociodanielballesteros91
 
Sesion mat3g 5
Sesion mat3g 5Sesion mat3g 5
Sesion mat3g 5mbohorquezm
 
Diabetic review
Diabetic reviewDiabetic review
Diabetic reviewmeducationdotnet
 
Henry David Thoreau
Henry David ThoreauHenry David Thoreau
Henry David ThoreauJose Aranda
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 
Diversity_in_the_Workplace_Certificate_2016
Diversity_in_the_Workplace_Certificate_2016Diversity_in_the_Workplace_Certificate_2016
Diversity_in_the_Workplace_Certificate_2016Bárbara Guimarães
 
Contrato de corretagem de venda de bens imóveis com clausula de exclusividade
Contrato de corretagem de venda de bens imóveis com clausula de exclusividadeContrato de corretagem de venda de bens imóveis com clausula de exclusividade
Contrato de corretagem de venda de bens imóveis com clausula de exclusividadeOsvaldo Barbosa Lemes
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
 

Contenu connexe

Tendances

LACNIC Update
LACNIC UpdateLACNIC Update
LACNIC UpdateAPNIC
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 

Tendances (7)

ION Costa Rica - About the IETF and How to Get Involved
ION Costa Rica - About the IETF and How to Get InvolvedION Costa Rica - About the IETF and How to Get Involved
ION Costa Rica - About the IETF and How to Get Involved
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
LACNIC Update
LACNIC UpdateLACNIC Update
LACNIC Update
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
 
Tech w22
Tech w22Tech w22
Tech w22
 
Certification
CertificationCertification
Certification
 
Resource Certification
Resource CertificationResource Certification
Resource Certification
 

En vedette

Clinical Photos - Autosomal Dominant conditions
Clinical Photos - Autosomal Dominant conditionsClinical Photos - Autosomal Dominant conditions
Clinical Photos - Autosomal Dominant conditionsmeducationdotnet
 
Metodos para el cálculo de un sistema de ecuaciones
Metodos para el cálculo de un sistema de ecuacionesMetodos para el cálculo de un sistema de ecuaciones
Metodos para el cálculo de un sistema de ecuacionesJose Aranda
 
Macedonio Fernández.
Macedonio Fernández. Macedonio Fernández.
Macedonio Fernández. Jose Aranda
 
Trabajo de daniela montes
Trabajo de daniela montesTrabajo de daniela montes
Trabajo de daniela montesDaniela Ortega
 
Màquines simples tecnologia
Màquines simples tecnologiaMàquines simples tecnologia
Màquines simples tecnologiasaracasamian
 
Emprendimiento l.e
Emprendimiento l.eEmprendimiento l.e
Emprendimiento l.ealonso90
 
Henry David Thoreau
Henry David ThoreauHenry David Thoreau
Henry David ThoreauJose Aranda
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 
Diversity_in_the_Workplace_Certificate_2016
Diversity_in_the_Workplace_Certificate_2016Diversity_in_the_Workplace_Certificate_2016
Diversity_in_the_Workplace_Certificate_2016Bárbara Guimarães
 
Contrato de corretagem de venda de bens imóveis com clausula de exclusividade
Contrato de corretagem de venda de bens imóveis com clausula de exclusividadeContrato de corretagem de venda de bens imóveis com clausula de exclusividade
Contrato de corretagem de venda de bens imóveis com clausula de exclusividadeOsvaldo Barbosa Lemes
 

En vedette (13)

Clinical Photos - Autosomal Dominant conditions
Clinical Photos - Autosomal Dominant conditionsClinical Photos - Autosomal Dominant conditions
Clinical Photos - Autosomal Dominant conditions
 
Metodos para el cálculo de un sistema de ecuaciones
Metodos para el cálculo de un sistema de ecuacionesMetodos para el cálculo de un sistema de ecuaciones
Metodos para el cálculo de un sistema de ecuaciones
 
Macedonio Fernández.
Macedonio Fernández. Macedonio Fernández.
Macedonio Fernández.
 
Trabajo de daniela montes
Trabajo de daniela montesTrabajo de daniela montes
Trabajo de daniela montes
 
Màquines simples tecnologia
Màquines simples tecnologiaMàquines simples tecnologia
Màquines simples tecnologia
 
Emprendimiento l.e
Emprendimiento l.eEmprendimiento l.e
Emprendimiento l.e
 
Ideasdenegocio
IdeasdenegocioIdeasdenegocio
Ideasdenegocio
 
Sesion mat3g 5
Sesion mat3g 5Sesion mat3g 5
Sesion mat3g 5
 
Diabetic review
Diabetic reviewDiabetic review
Diabetic review
 
Henry David Thoreau
Henry David ThoreauHenry David Thoreau
Henry David Thoreau
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defs
 
Diversity_in_the_Workplace_Certificate_2016
Diversity_in_the_Workplace_Certificate_2016Diversity_in_the_Workplace_Certificate_2016
Diversity_in_the_Workplace_Certificate_2016
 
Contrato de corretagem de venda de bens imóveis com clausula de exclusividade
Contrato de corretagem de venda de bens imóveis com clausula de exclusividadeContrato de corretagem de venda de bens imóveis com clausula de exclusividade
Contrato de corretagem de venda de bens imóveis com clausula de exclusividade
 

Similaire à AFRINIC Presentation - Resource certification by Amreesh Phokeer

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs APNIC
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfRIPE NCC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4APNIC
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 

Similaire à AFRINIC Presentation - Resource certification by Amreesh Phokeer (20)

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Rpki with rpki.net tools
Rpki with rpki.net toolsRpki with rpki.net tools
Rpki with rpki.net tools
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practice
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRT
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 

Plus de AFRINIC

AIS19 - Policies under discussion
AIS19 - Policies under discussionAIS19 - Policies under discussion
AIS19 - Policies under discussionAFRINIC
 
AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)AFRINIC
 
AFRINIC 101 2017
AFRINIC 101 2017AFRINIC 101 2017
AFRINIC 101 2017AFRINIC
 
AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)AFRINIC
 
Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...AFRINIC
 
Insight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level LatenciesInsight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level LatenciesAFRINIC
 
Deep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country LatenciesDeep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country LatenciesAFRINIC
 
Studying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sectorStudying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sectorAFRINIC
 
Routing security and implications for NRENs
Routing security and implications for NRENsRouting security and implications for NRENs
Routing security and implications for NRENsAFRINIC
 
APRICOT Latency Clustering
APRICOT Latency ClusteringAPRICOT Latency Clustering
APRICOT Latency ClusteringAFRINIC
 
Latency clustering AfPIF2017
Latency clustering AfPIF2017Latency clustering AfPIF2017
Latency clustering AfPIF2017AFRINIC
 
AFRINIC RIA MoU
AFRINIC RIA MoUAFRINIC RIA MoU
AFRINIC RIA MoUAFRINIC
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS MeasurementsAFRINIC
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC
 
Tampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From AfricaTampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From AfricaAFRINIC
 
Assessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital ResilienceAssessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital ResilienceAFRINIC
 
Measuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENsMeasuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENsAFRINIC
 
State of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in AfricaState of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in AfricaAFRINIC
 
TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas toolAFRINIC
 
Measuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicatorsMeasuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicatorsAFRINIC
 

Plus de AFRINIC (20)

AIS19 - Policies under discussion
AIS19 - Policies under discussionAIS19 - Policies under discussion
AIS19 - Policies under discussion
 
AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)
 
AFRINIC 101 2017
AFRINIC 101 2017AFRINIC 101 2017
AFRINIC 101 2017
 
AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)
 
Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...
 
Insight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level LatenciesInsight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level Latencies
 
Deep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country LatenciesDeep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country Latencies
 
Studying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sectorStudying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sector
 
Routing security and implications for NRENs
Routing security and implications for NRENsRouting security and implications for NRENs
Routing security and implications for NRENs
 
APRICOT Latency Clustering
APRICOT Latency ClusteringAPRICOT Latency Clustering
APRICOT Latency Clustering
 
Latency clustering AfPIF2017
Latency clustering AfPIF2017Latency clustering AfPIF2017
Latency clustering AfPIF2017
 
AFRINIC RIA MoU
AFRINIC RIA MoUAFRINIC RIA MoU
AFRINIC RIA MoU
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
 
Tampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From AfricaTampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From Africa
 
Assessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital ResilienceAssessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital Resilience
 
Measuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENsMeasuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENs
 
State of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in AfricaState of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in Africa
 
TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool
 
Measuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicatorsMeasuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicators
 

Dernier

定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 

Dernier (20)

定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 

AFRINIC Presentation - Resource certification by Amreesh Phokeer

  • 1. Resource Certification (RPKI) @AFRINIC Amreesh Phokeer IWeek’16, JNB, ZA September 20, 2016
  • 2. Agenda ● What is the rationale behind RPKI? ● What is resource certification? ● How to get your resources certified? ● How to sign your routing announcements? ● How to make your router talk RPKI? ● How to build filters based on validated routes? ● Demo ● Current hot topics 2
  • 3. Rationale ● Routing mostly based on trust ● BGP offer amazing possibilities but poor security ● No systematic way to filter peers and customers ● Unreliable sources of policy information ● The Internet is full of stories of: ○ Route leaks you said? ○ BGP hijacks ○ Traffic redirection ○ Blackholing 3
  • 4. Mitigation techniques ● Conservative filtering ● Use of Routing Registries but: ○ Do not have all routing information ○ Do not necessarily mirror each other ○ Routing policies not kept up-to-date ○ Error-prone 4
  • 5. Youtube and Pakistan Telecom (2008) 5
  • 7. China Telecom - Traffic redirection 7
  • 8. How do we securing Internet Routing? ● A route consist of: ○ An origin-as and a prefix ○ A path 8
  • 9. How do we securing Internet Routing? ● A route consist of: ○ An origin-as and a prefix ○ A path 9
  • 10. How do we securing Internet Routing? ● A route consist of: ○ An origin-as and a prefix ○ A path 10 Prefix origination AS_PATH You need to secure both!!!
  • 11. Solution - RPKI ● SIDR group at the IETF ○ How to securely verify that an AS is authorised to announce a prefix? (Origin Validation) ○ How to make sure that the AS_PATH has not been modified? (BGPSEC) ● Origin validation ○ RFC 5280: X.509 Public Key Infrastructure ○ RFC 3779: Extensions for IP addresses and ASN ● BGPSEC (still on-going) 11
  • 12. Role of the RIR ● Receives global allocations from IANA ● Distribute and manage resources at a regional level ● Make sure information are up-to-date and accurate ● Becomes the de-facto authority as sole registry regionally 12 IANA AFRINIC LIR EU APNIC RIPE NCC ARIN LACNIC
  • 13. Role of the RIR ● Receives global allocations from IANA ● Distribute and manage resources at a regional level ● Make sure information are up-to-date and accurate ● Becomes the de-facto authority as sole registry regionally 13 IANA AFRINIC LIR EU APNIC RIPE NCC ARIN LACNIC
  • 14. Resource Certificates ● RPKI defines two types of certificates: ○ CA - Certificate Authority (to issue CA or EE) ○ EE - End-entity (digital signature, etc) ● Certify resources - verifiable ownership! ● AFRINIC has a self-signed root certificate ● IANA one-day! ● Opt-in service, one year validity ● Exclude legacy space/members 14
  • 15. Certificate hierarchy 15 Issuer: AFRINIC Subject: ISP1 Resources: 192.2.0.0/16 Pub Key Info: <ISP1-key> Signed by: <root-key-priv> Resource Allocation Hierarchy Issuer: ISP1 Subject: ISP2 Resources: 192.2.200.0/22 Pub Key Info: <isp2-key> Signed by: <afrinic-key-priv> Issuer: ISP2 Subject: ISP2-EE Resources: 192.2.200.0/24 Pub Key Info: <isp2-ee-key> Signed by: <isp2-key-priv> ROA AS 3 192.2.200.0/24-24
  • 16. Repositories ● Public ● Certificates and ROA ● CRL and MFT ● Hosted or delegated ● HOSTED MODE only 16 IANA AFRINIC LIR EU APNIC RIPE NCC ARIN LACNIC R R R R R R R Publish at parent
  • 17. AFRINIC’s Repository 17 AFRINIC Root Certificate AFRINIC member’s repository
  • 19. Validated caches 19 AFRINIC Validator Host: validator.afrinic.net Port: 8080
  • 20. Configure your router 20 router bgp 12345 … bgp rpki server tcp 192.168.179.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
  • 21. Route announcement status 21 ● Valid – A matching/covering prefix was found with a matching AS number ● Invalid – A covering prefix was found, but the AS number did not match, and there was no other matching one ● NotFound – No matching or covering prefix was found, same as today
  • 22. You define your own policy 22 Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50 ! invalid is dropped Paranoid route-map validity-0 match rpki valid set local-preference 110 ! everything else dropped Security Geek route-map validity-0 match rpki invalid set local-preference 110 ! everything else dropped
  • 23. RPKI tools ● Validators: ○ RIPE Validator ○ Rcynic - www.rpki.net (CA+Validator) ○ RPSTIR ● Looking glasses: ○ bgp.he.net ○ Bgpmon ○ RIPEStat 23
  • 24. RPKI Hot topics ● Global trust anchor ○ ICANN/IANA/NRO ○ Support from local RIR community ● RPKI Adverse actions ● RPKI Validation considered ○ Transfers of resources ○ ERX spaces 24