Resource Certification (RPKI)
Making BGP more secure
SEE2 - Macedonia
Resource Certification (RPKI) – SEE2 Macedonia
The RIPE NCC involvement in RPKI
• The authority on who is the registered holder of an Internet Number Resource in our region
– IPv4 and IPv6 Address Blocks
– Autonomous System Numbers
• Information is kept in the Registry
• Accuracy and completeness are key
Digital Resource Certificates
• Based on open IETF standards (sidr)
– RFC 5280: X.509 PKI Certificates
– RFC 3779: Extensions for IP Addresses and ASNs
– RFC 6481-6493: Resource Public Key Infrastructure
• Issued by the RIRs since 1 January 2011
• State that an Internet number resource has been registered by the RIPE NCC
Digital Resource Certificates
• Resource Certification is a free, opt-in service
– Your choice to request a certificate
– Linked to registration
– Renewed every 12 months
• Enhancement to our Registry
– Offers validatable proof of holdership
Management: Your Choice
• Open Source Software to run a member CA
– Use the RIPE NCC as parent CA (trust anchor)
– Generate and publish Certificate yourself
• RIPE NCC Hosted Platform
– All processes are secured and automated
– One click set-up of Resource Certificate
– WebUI to manage Certificates in LIR Portal
Using RPKI for BGP Origin Validation
Certification to Secure Internet Routing
• Members can use their resource certificate to make statements about their BGP Routing
• Also in the ROA: Maximum Prefix Length
– The most specific prefix (the smallest block) the ASN may announce
Route Origin Authorisation (ROA): “I authorise this Autonomous System to originate these IP prefixes”
Route Origin Authorisations
• A ROA affects the RPKI validity of a BGP route:
– VALID: ROA found, authorised announcement
– INVALID: ROA found, unauthorised announcement
– UNKNOWN: No ROA found (resource not yet signed)
Every operator is free to base any routing decision on these three validity states
Demo: Using the hosted system...
Making routing decisions using the RIPE NCC RPKI Validator
Validation in Practice
• All certificates and ROAs are published in a repository and available for download
• Software running on your own machine will periodically retrieve and verify the information
– Cryptographic tools check all the signatures
• The result is a list of all valid combinations of ASN and prefix, the “validated cache”
The RIPE NCC RPKI Validator toolset
• http://ripe.net/certification/tools-and-resources
• Requires Sun Java 1.6 and rsync
• No installation required
– Unzip the package
– Run the program: ./bin/rpki-validator
• Web-interface available on localhost port 8080
Demo: Using the RPKI Validator...
RPKI support in routers
• The RPKI-RTR Protocol is an IETF Internet Draft
• Production Cisco Support:
– ASR1000, 7600, ASR903 and ASR901 in releases 15.2(1)S or XE 3.5
• Cisco Early Field Trial (EFT):
– ASR9000, CRS1, CRS3 and c12K (IOS-XR)
• Juniper has support since version 12.2
• Quagga has support through BGP-SRX
Router Configuration – Cisco
!
route-map rpki-loc-pref permit 10
match rpki invalid
set local-preference 90
!
route-map rpki-loc-pref permit 20
match rpki not-found
set local-preference 100
!
route-map rpki-loc-pref permit 30
match rpki valid
set local-preference 110
Public Testbeds
• RIPE NCC has a Cisco:
– Telnet to rpki-rtr.ripe.net
– Username: ripe, no password
• Kaia Global Networks have a Juniper:
– Telnet to 193.34.50.25
– Username: rpki, password: testbed
• http://ripe.net/certification/router-configuration
Information and Announcements: http://ripe.net/certification, #RPKI
Questions?
alexb@ripe.net
@alexander_band
certification@ripe.net