SlideShare une entreprise Scribd logo

Rpki -manrs_(7_september)

Télécharger en tant que PPTX, PDF
N
NaveenLakshman

Global routing validation involves facilitating the validation of routing information on a global scale through two main systems - the Internet Routing Registries (IRR) and the Resource Public Key Infrastructure (RPKI). Routing information such as routing policies, autonomous system numbers, and IP prefixes should be publicly available in a common format to allow for global validation. The RPKI system uses digital certificates to authoritatively associate network resources like IP addresses and autonomous system numbers to their legitimate owners and allows identification of which autonomous systems have permission to originate those addresses. Implementing RPKI and origin validation helps secure routing and prevent route hijacking.

Internet
1  sur  68
Action 4: Global Validation (IRR/RPKI) Facilitating validation of routing information on a global scale 1
Global Validation There are 2 ways to provide the validation information (IRR and/or RPKI) Providing information through the IRR system Internet Routing Registries (IRRs) contain information—submitted and maintained by ISPs or other entities—about Autonomous System Numbers (ASNs) and routing prefixes. IRRs can be used by ISPs to develop routing plans. The global IRR is comprised of a network of distributed databases maintained by Regional Internet Registries (RIRs) such as APNIC, service providers (such as NTT), and third parties (such as RADB). 2
Global Validation Routing information should be made available on a global scale to facilitate validation, which includes routing policy, ASNs and prefixes that are intended to be advertised to third parties. Since the extent of the internet is global, information should be made public and published in a well known place using a common format. 3 Object Source Description aut-num IRR Policy documentation route/route6 IRR NLRI/origin as-set IRR Customer cone ROA RPKI NLRI/origin
Global Validation $ whois -h whois.apnic.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC 4
Global Validation $ whois -h whois.radb.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC route: 1.1.1.0/24 descr: Cloudflare, Inc. descr: 101 Townsend Street, San Francisco, California 94107, US origin: AS13335 mnt-by: MNT-CLOUD14 notify: rir@cloudflare.com 5
Global Validation Internet Routing Registry (IRR) ● Network operators can document which AS is originating their IPv4/IPv6 prefixes ● Used by operators to filter prefixes received from their customers and peers • Third party databases need to be used (RADB, Operators/NTT) • RADB comes with a recurring yearly subscription costs • For RADB, a commercial relationship with merit is required. (lacks accuracy of data) • For RADB any paid member can update/delete information for their resources (lots of junk data) • For NTTCOM, a customer relationship with them is required. 6
7 Resource Public Key Infrastructure (RPKI)
Global Validation Providing information through the RPKI system • Store information about prefixes originated by your network in the form of Route Origin Authorization (ROA) objects. • Only prefixes that belong to your ASN is covered. • Only the origin ASN is verified, not the full path. • All Regional Internet Registries (RIR) offers a hosted Resource Certification service. 8
RPKI ● A security framework for verifying the association between resource holders and their Internet resources ● RPKI is a way to define data in an out-of-band system such that the information that are exchanged by BGP can be validated to be correct. ● RPKI is used to make Internet routing more secure. Attaches digital certificates to network resources upon request that lists all resources held by the member • AS Numbers • IP Addresses 9
Importance of RPKI Authoritatively proof: ● Who is the legitimate owner of an address, and ● Identify which ASNs have the permission from the holder to originate the address ● Secured Routing Table ● Dynamic LOA checking ● Maintaining a Dynamic Chain of Trust ● Digitally Signed Resources Certificate (X.509 Certificates - RFC5280) RPKI can ● prevent route hijacks/mis-origination/misconfiguration 10
ROA (Route Origin Authorization) Legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which BGP AS is authorized to originate their prefix in BGP ● LIRs can create a ROA for each one of their resource (IP address ranges). ● Multiple ROAs can be created for an IP range ● ROAs can overlap 11 Prefix 103.229.0.0/23 Max-Length /24 Origin ASN AS10075
What can RPKI do? Authoritatively proof: ● Who is the legitimate owner of an address, and ● Identify which ASNs have the permission from the holder to originate the address RPKI can ● prevent route hijacks/mis-origination/misconfiguration 12
RPKI Implementation ● Origin validation uses X.509 certificates with extensions specified in RFC 3779 ● RPKI Cache server (RPKI Validator) synchronizes its local database with TAs ● RPKI Validator exports a simplified version of ROAs as Route Validation (RV) records ● An RV record is a (prefix, maximum length, origin AS) triple ● Router interacts with cache server to query the RV status for a given route ● Router implements BGP policy based on validation status indicated in the RV record for the route 13
RPKI Validation States Valid ● the prefix (prefix length) and AS pair found in the database. Invalid ● prefix is found, but origin AS is wrong ● the prefix length is longer than the maximum length Not Found ● No valid ROA found ● Neither valid nor invalid (perhaps not created) 14
RPKI Components Issuing Party – Internet Registries (*IRs) ● Certificate Authority (CA) that issues resource certificates to end-holders ● Publishes the objects (ROAs) signed by the resource certificate holders 15
RPKI Components Relying Party (RP) ● RPKI Validator that gathers data (ROA) from the distributed RPKI repositories ● Validates each entry’s signature against the TA to build a “Validated cache” 16
RPKI-RTR 17 ROAs ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES
Relying Party 18 RIPE NCC ARIN APNIC AFRINIC LACNIC Validator
Validator Software ● NLNetLabs Routinator - https://github.com/NLnetLabs/routinator/ ● FORT Validator - https://github.com/NICMx/FORT-validator/ ● Cloudflare OctoRPKI - https://github.com/cloudflare/cfrpki ● RPKI-Client - https://rpki-client.org/ ● Prover - https://github.com/lolepezy/rpki-prover ● Rpstir2 - https://github.com/bgpsecurity/rpstir2 19
How to Install Relying Party Software MANRS - How to Videos OctoRPKI https://youtu.be/3Lx5wL7oG0c Routinator https://youtu.be/0dpmejgkTcs Fort Validator https://youtu.be/lCfUbJhnq3Q 20
Creating ROAs in MyAPNIC 21 MyAPNIC Resources page.
Creating ROA (IPv6 Prefix) 22
Creating ROA (IPv4 Prefix) 23
RTR Validator Global RPKI Repository 65537 65536 65538 65540 65541 65542 2001:db8::/48 65540 65541 65542 i VALID 2001:db8::/48 65537 65536 i INVALID 2001:db8::/48 2001:db8::/48 2001:db8::/32 - 48 65542 2001:db8::/32 - 48 65542 ROA RFC 3849 : 2001:db8::/32 Route Origin Validation (ROV)
25
How to Videos ~ Creating ROAs MyAPNIC: https://youtu.be/NLG2siznuu4 AFRINIC: https://youtu.be/jBWCdfM0jcM ARIN: https://youtu.be/dueSmJwWzQ4 LACNIC: https://youtu.be/VLcvfEJ8T4Y RIPE-NCC: https://youtu.be/KgUXsTKW2b4 26 https://www.manrs.org/resources/how-to-videos/
Origin Validation Configuration (Cisco) 27 (config)# conf t (config)# router bgp 64500 (config-router)# bgp rpki server tcp 100.64.1.1 port 8323 refresh 300 (config-router)# bgp rpki server tcp 100.64.1.1 port 3323 refresh 300
Origin Validation Configuration (Juniper) 28 routing-options { autonomous-system 64500; validation { group rpki-validator { session 100.64.1.1 { refresh-time 120; hold-time 180; port 8282; local-address 100.64.1.2; }}}}
29 ROAs ROAs ROA Validation BGP Validation VALID INVALID VALID INVALID Prefix Validation Status
Origin Validation on CISCO (Low pref to invalids) 30 (config)# route-map RPKI-VALIDATION permit 10 (route-map)# match rpki valid (route-map)# set local-preference 100 ! (route-map)# route-map RPKI-VALIDATION permit 20 (route-map)# match rpki not-found (route-map)# set local-preference 80 ! (route-map)# route-map RPKI-VALIDATION permit 30 (route-map)# match rpki invalid (route-map)# set local-preference 60 High preference valid ROAs Medium preference for routes ROAs not found Very low preference to invalids. Most operators started dropping invalids
Origin Validation on CISCO (Drop invalids) 31 (config-router)# route-map RPKI-VALIDATION permit 10 (route-map)# match rpki valid (route-map)# set local-preference 100 ! (route-map)# route-map RPKI-VALIDATION permit 20 (route-map)# match rpki not-found (route-map)# set local-preference 80 ! (route-map)# route-map RPKI-VALIDATION deny 30 (route-map)# match rpki invalid High preference valid ROAs Medium preference for routes ROAs not found Invalids are dropped
Origin Validation Configuration (Cisco) 32 (config)# router bgp 64511 (config)# address-family ipv4 (config)# neighbor 192.168.1.254 route-map RPKI-VALIDATION in ! (config)# address-family ipv6 (config)# neighbor 2001:db8:12::2 route-map RPKI-VALIDATION in Applying the route-map to the BGP sessions
Origin Validation Configuration (Juniper) 33 policy-statement send-direct { from protocol direct; then accept;} policy-statement RPKI-VALIDATION { term valid { from { protocol bgp; validation-database valid; } then { local-preference 100; validation-state valid; community add origin-validation-state-valid; accept; }} High preference valid ROAs
Origin Validation Configuration (Juniper) 34 term unknown { from protocol bgp; then { local-preference 80; validation-state unknown; community add origin-validation-state-unknown; accept; }} Medium preference for routes ROAs not found
Origin Validation Configuration (Juniper) 35 term invalid { from { protocol bgp; validation-database invalid;} then { local-preference 60; validation-state invalid; community add origin-validation-state-invalid; accept; }} Very low preference to invalids.
Origin Validation Configuration (Juniper) 36 term invalid { from { protocol bgp; validation-database invalid;} then { validation-state invalid; reject; }} Invalids are dropped
RPKI Verification (Server) 37 Courtesy: Routeviews.org
RPKI Verification (Server) 38 Courtesy: routeserver@ATT AS7018
RPKI Table (IPv4) 39 Courtesy: Routeviews.org
RPKI Table (IPv6) 40 Courtesy: Routeviews.org
RPKI State (Valid) 41 Courtesy: Routeviews.org
RPKI State (Invalid) 42 Courtesy: Routeviews.org
RPKI State (Not Found) 43 Courtesy: Routeviews.org
Route Origin Validation (ROV) – Implementations ● Cisco IOS – available from release 15.2 ● Cisco IOS/XR – available from release 4.3.2 ● Juniper – available from release 12.2 ● Nokia – available from release R12.0R4 ● Huawei – available from release V800R009C10 ● FRR – available from release 4.0 ● BIRD – available from release 1.6 ● OpenBGPD – available from OpenBSD release 6.4 ● GoBGP – available since 2018 ● VyOS – available from release 1.2.0-RC11 ● Mikrotik ROS – available from release v7 source: nsrc 44
Implement Origin Validation (ROV) ~ Cisco (IOS-XE, IOS-XR), Juniper, Arista MANRS - How to Videos Cisco Router ROV configuration https://youtu.be/82O_CvW6T8c Juniper JunOS ROV configuration https://youtu.be/NtQ4sqLmw18 Arista ROV configuration https://youtu.be/rXLtZcSY6gc 45 https://www.manrs.org/resources/how-to-videos/
Why join MANRS? 46
Implementing MANRS Actions 47 ● Signals an organization’s security-forward posture and can eliminate SLA violations that reduce profitability or cost customer relationships. ● Reduces routing incidents, helping networks readily identify and address problems with customers or peers. ● Improves network’s operations by establishing better and cleaner peering communication pathways, while also providing granular insight for troubleshooting. ● Addresses many concerns of security-focused enterprises and other customers.
Everyone Benefits 48 ● Joining MANRS means joining a community of security-minded organizations committed to making the global routing infrastructure more robust and secure. ● Consistent MANRS adoption yields steady improvement, but we need more networks to implement the actions and more customers to demand routing security best practices. ● The more networks apply MANRS actions, the fewer incidents there will be, and the less damage they can do.
MANRS is an important step 49 Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet. MANRS is the minimum a network should consider, with low risk and cost-effective actions. MANRS is not a one-stop solution to all the Internet’s routing woes, but it is an important step toward a globally robust and secure routing infrastructure.
MANRS Participants (September 2021) ● 576 Network Operators https://www.manrs.org/isps/participants/ • DeeNet Services (AS 136308, 138794) ● 91 Internet eXchange Points (IXP) • Kolkata IX / India Internet Foundation (AS132921) ● 17 CDN and Cloud Providers ● Operators, IX, REN (South Asia) • BdREN, Fiber@Home, Bangladesh Computer Council, BDConnect.net • Cherry World Communication, Cyber Internet, Cybergate 50
MANRS - CDN and Cloud Participants 51 https://www.manrs.org/cdn-cloud-providers/participants/
Join Us 52 Visit https://www.manrs.org • Fill out the sign up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives https://www.manrs.org/join/
MANRS Network Operator Application form 53
Action 1: Filtering 54
Action 2: Anti-Spoofing 55
Action 3: Global Coorindation 56
Action 4: Global Validation (IRR/RPKI) 57
Upcoming Sessions 58 MANRS Hands on Workshop (Cisco Platform) 11, September 2021 (Saturday) 11 am IST (GMT+5.30) https://us02web.zoom.us/meeting/register/tZEvdeqoqz4uG9AwimUhPQ10oZhxpg8yhxRK MANRS for Network Operators (Tutorial) 2 hrs session APNIC 52 (Online) | 13, September 2021 (Monday) 11 am IST (GMT+5.30) | 13.30 Local Conference Time (GMT+8) https://conference.apnic.net/52/program/schedule/#/day/1/manrs-for-network-operators
MANRS Implementation Guide 59 If you’re not ready to join yet, implementation guidance is available to help you. • Based on Best Current Operational Practices deployed by network operators, IXPs, CDNs and Cloud providers around the world https://www.manrs.org/isps/bcop/ https://www.manrs.org/ixps/ https://www.manrs.org/cdn-cloud- providers
60 MANRS Observatory
MANRS Observatory | Data Access 61 ● Current access policy: Public will be able to view Overall, Regional and Economy aggregated data ● Only MANRS Participants will have access to detailed data about their network
MANRS Observatory 62
63
MANRS Participants Logo 64
MANRS Hands on Lab (ISOC Hosted) 65
MANRS Lab Modules 66 Lab guide is based on https://www.manrs.org/isps/bcop/ Tutorial is a mix of lectures and hands-on lab sessions to deploy MANRS actions based on best current operational practices. Lab runs on dual-stack infrastructure. MANRS Actions Agenda (Lab Configuration | Cisco IOS Platform) ● Anti-Spoofing (uRPF) ○ BCP38/uRPF Strict Mode ● Filtering (Preventing propagation of incorrect routing information) ○ Specific-prefix outbound filtering of your network to peers and upstreams/transits.
Anti Spoofing Technique (uRPF) 67 ● uRPF is a technique where the router can discard packets with invalid/fake/incorrect source addresses by a simple check against the Forwarding Table (FIB) ○ More efficient than implementing ingress packet filters ● uRPF is a very effective tool to assist with defeating DoS/DDoS attacks, at source ○ Implemented by network operators on access devices, where end- users and end-devices connect to their network
LEARN MORE: https://www.manrs.org https://www.manrs.org/join/ 68

Recommandé

bgp(border gateway protocol)
bgp(border gateway protocol)bgp(border gateway protocol)
bgp(border gateway protocol)
Noor Ul Hudda Memon
 
Using BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet ConnectionsUsing BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet Connections
Rowell Dionicio
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway Protocol
Kashif Latif
 
A comparison of Segment Routing Data-Plane encodings
A comparison of Segment Routing Data-Plane encodingsA comparison of Segment Routing Data-Plane encodings
A comparison of Segment Routing Data-Plane encodings
Gunter Van de Velde
 
BGP protocol presentation
BGP protocol presentationBGP protocol presentation
BGP protocol presentation
Gorantla Mohanavamsi
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service provider
Thomas Mangin
 
BGP Prime
BGP Prime BGP Prime
BGP Prime
KHNOG
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX Updates
MyNOG
 

Recommandé

bgp(border gateway protocol)
bgp(border gateway protocol)bgp(border gateway protocol)
bgp(border gateway protocol)
Noor Ul Hudda Memon
 
Using BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet ConnectionsUsing BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet Connections
Rowell Dionicio
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway Protocol
Kashif Latif
 
A comparison of Segment Routing Data-Plane encodings
A comparison of Segment Routing Data-Plane encodingsA comparison of Segment Routing Data-Plane encodings
A comparison of Segment Routing Data-Plane encodings
Gunter Van de Velde
 
BGP protocol presentation
BGP protocol presentationBGP protocol presentation
BGP protocol presentation
Gorantla Mohanavamsi
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service provider
Thomas Mangin
 
BGP Prime
BGP Prime BGP Prime
BGP Prime
KHNOG
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX Updates
MyNOG
 
Stateful PCE and Segment Routing
Stateful PCE and Segment RoutingStateful PCE and Segment Routing
Stateful PCE and Segment Routing
APNIC
 
Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)
Nutan Singh
 
Nokia IES Configuration guide
Nokia IES Configuration guideNokia IES Configuration guide
Nokia IES Configuration guide
Abel Saduwa
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
Bangladesh Network Operators Group
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
Bangladesh Network Operators Group
 
A comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsA comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodings
Gunter Van de Velde
 
Bgp
BgpBgp
Bgp
Raghu Kiran
 
BGP (border gateway routing protocol)
BGP (border gateway routing protocol)BGP (border gateway routing protocol)
BGP (border gateway routing protocol)
Netwax Lab
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
Juniper Networks
 
Mum bandwidth management and qos
Mum bandwidth management and qosMum bandwidth management and qos
Mum bandwidth management and qos
Teav Sovandara
 
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiManaging Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
MyNOG
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
MyNOG
 
bgp protocol
bgp protocol bgp protocol
bgp protocol
Sukanya Sanyal
 
MPLS + BGP Presentation
MPLS + BGP PresentationMPLS + BGP Presentation
MPLS + BGP Presentation
Gino McCarty
 
Part1
Part1Part1
Part1
cisconetworker
 
Bonhomie
BonhomieBonhomie
Bonhomie
Bonhomie Bope
 
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOLEnhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Nutan Singh
 
Mpls
MplsMpls
Mpls
Fasih Rehman
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
Andy Davidson
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 

Contenu connexe

Tendances

Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiManaging Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
MyNOG
 

Tendances (20)

Stateful PCE and Segment Routing
Stateful PCE and Segment RoutingStateful PCE and Segment Routing
Stateful PCE and Segment Routing
 
Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)
 
Nokia IES Configuration guide
Nokia IES Configuration guideNokia IES Configuration guide
Nokia IES Configuration guide
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
 
A comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsA comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodings
 
Bgp
BgpBgp
Bgp
 
BGP (border gateway routing protocol)
BGP (border gateway routing protocol)BGP (border gateway routing protocol)
BGP (border gateway routing protocol)
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
 
Mum bandwidth management and qos
Mum bandwidth management and qosMum bandwidth management and qos
Mum bandwidth management and qos
 
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiManaging Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
 
bgp protocol
bgp protocol bgp protocol
bgp protocol
 
MPLS + BGP Presentation
MPLS + BGP PresentationMPLS + BGP Presentation
MPLS + BGP Presentation
 
Part1
Part1Part1
Part1
 
Bonhomie
BonhomieBonhomie
Bonhomie
 
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOLEnhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
Enhanced Interior Gateway Routing Protocol (EIGRP) || NETWORK PROTOCOL
 
Mpls
MplsMpls
Mpls
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
 

Similaire à Rpki -manrs_(7_september)

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 

Similaire à Rpki -manrs_(7_september) (20)

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
Resource Certification
Resource CertificationResource Certification
Resource Certification
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
Certification
CertificationCertification
Certification
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 

Dernier

Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Delhi Call girls
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Delhi Call girls
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Chandigarh Call girls 9053900678 Call girls in Chandigarh
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
Diya Sharma
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Call Girls in Nagpur High Profile
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
soniya singh
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
Delhi Call girls
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
soniya singh
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
 
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
SUHANI PANDEY
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
SUHANI PANDEY
 

Dernier (20)

Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
 

Rpki -manrs_(7_september)

  • 1. Action 4: Global Validation (IRR/RPKI) Facilitating validation of routing information on a global scale 1
  • 2. Global Validation There are 2 ways to provide the validation information (IRR and/or RPKI) Providing information through the IRR system Internet Routing Registries (IRRs) contain information—submitted and maintained by ISPs or other entities—about Autonomous System Numbers (ASNs) and routing prefixes. IRRs can be used by ISPs to develop routing plans. The global IRR is comprised of a network of distributed databases maintained by Regional Internet Registries (RIRs) such as APNIC, service providers (such as NTT), and third parties (such as RADB). 2
  • 3. Global Validation Routing information should be made available on a global scale to facilitate validation, which includes routing policy, ASNs and prefixes that are intended to be advertised to third parties. Since the extent of the internet is global, information should be made public and published in a well known place using a common format. 3 Object Source Description aut-num IRR Policy documentation route/route6 IRR NLRI/origin as-set IRR Customer cone ROA RPKI NLRI/origin
  • 4. Global Validation $ whois -h whois.apnic.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC 4
  • 5. Global Validation $ whois -h whois.radb.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC route: 1.1.1.0/24 descr: Cloudflare, Inc. descr: 101 Townsend Street, San Francisco, California 94107, US origin: AS13335 mnt-by: MNT-CLOUD14 notify: rir@cloudflare.com 5
  • 6. Global Validation Internet Routing Registry (IRR) ● Network operators can document which AS is originating their IPv4/IPv6 prefixes ● Used by operators to filter prefixes received from their customers and peers • Third party databases need to be used (RADB, Operators/NTT) • RADB comes with a recurring yearly subscription costs • For RADB, a commercial relationship with merit is required. (lacks accuracy of data) • For RADB any paid member can update/delete information for their resources (lots of junk data) • For NTTCOM, a customer relationship with them is required. 6
  • 7. 7 Resource Public Key Infrastructure (RPKI)
  • 8. Global Validation Providing information through the RPKI system • Store information about prefixes originated by your network in the form of Route Origin Authorization (ROA) objects. • Only prefixes that belong to your ASN is covered. • Only the origin ASN is verified, not the full path. • All Regional Internet Registries (RIR) offers a hosted Resource Certification service. 8
  • 9. RPKI ● A security framework for verifying the association between resource holders and their Internet resources ● RPKI is a way to define data in an out-of-band system such that the information that are exchanged by BGP can be validated to be correct. ● RPKI is used to make Internet routing more secure. Attaches digital certificates to network resources upon request that lists all resources held by the member • AS Numbers • IP Addresses 9
  • 10. Importance of RPKI Authoritatively proof: ● Who is the legitimate owner of an address, and ● Identify which ASNs have the permission from the holder to originate the address ● Secured Routing Table ● Dynamic LOA checking ● Maintaining a Dynamic Chain of Trust ● Digitally Signed Resources Certificate (X.509 Certificates - RFC5280) RPKI can ● prevent route hijacks/mis-origination/misconfiguration 10
  • 11. ROA (Route Origin Authorization) Legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which BGP AS is authorized to originate their prefix in BGP ● LIRs can create a ROA for each one of their resource (IP address ranges). ● Multiple ROAs can be created for an IP range ● ROAs can overlap 11 Prefix 103.229.0.0/23 Max-Length /24 Origin ASN AS10075
  • 12. What can RPKI do? Authoritatively proof: ● Who is the legitimate owner of an address, and ● Identify which ASNs have the permission from the holder to originate the address RPKI can ● prevent route hijacks/mis-origination/misconfiguration 12
  • 13. RPKI Implementation ● Origin validation uses X.509 certificates with extensions specified in RFC 3779 ● RPKI Cache server (RPKI Validator) synchronizes its local database with TAs ● RPKI Validator exports a simplified version of ROAs as Route Validation (RV) records ● An RV record is a (prefix, maximum length, origin AS) triple ● Router interacts with cache server to query the RV status for a given route ● Router implements BGP policy based on validation status indicated in the RV record for the route 13
  • 14. RPKI Validation States Valid ● the prefix (prefix length) and AS pair found in the database. Invalid ● prefix is found, but origin AS is wrong ● the prefix length is longer than the maximum length Not Found ● No valid ROA found ● Neither valid nor invalid (perhaps not created) 14
  • 15. RPKI Components Issuing Party – Internet Registries (*IRs) ● Certificate Authority (CA) that issues resource certificates to end-holders ● Publishes the objects (ROAs) signed by the resource certificate holders 15
  • 16. RPKI Components Relying Party (RP) ● RPKI Validator that gathers data (ROA) from the distributed RPKI repositories ● Validates each entry’s signature against the TA to build a “Validated cache” 16
  • 18. Relying Party 18 RIPE NCC ARIN APNIC AFRINIC LACNIC Validator
  • 19. Validator Software ● NLNetLabs Routinator - https://github.com/NLnetLabs/routinator/ ● FORT Validator - https://github.com/NICMx/FORT-validator/ ● Cloudflare OctoRPKI - https://github.com/cloudflare/cfrpki ● RPKI-Client - https://rpki-client.org/ ● Prover - https://github.com/lolepezy/rpki-prover ● Rpstir2 - https://github.com/bgpsecurity/rpstir2 19
  • 20. How to Install Relying Party Software MANRS - How to Videos OctoRPKI https://youtu.be/3Lx5wL7oG0c Routinator https://youtu.be/0dpmejgkTcs Fort Validator https://youtu.be/lCfUbJhnq3Q 20
  • 21. Creating ROAs in MyAPNIC 21 MyAPNIC Resources page.
  • 22. Creating ROA (IPv6 Prefix) 22
  • 23. Creating ROA (IPv4 Prefix) 23
  • 24. RTR Validator Global RPKI Repository 65537 65536 65538 65540 65541 65542 2001:db8::/48 65540 65541 65542 i VALID 2001:db8::/48 65537 65536 i INVALID 2001:db8::/48 2001:db8::/48 2001:db8::/32 - 48 65542 2001:db8::/32 - 48 65542 ROA RFC 3849 : 2001:db8::/32 Route Origin Validation (ROV)
  • 25. 25
  • 26. How to Videos ~ Creating ROAs MyAPNIC: https://youtu.be/NLG2siznuu4 AFRINIC: https://youtu.be/jBWCdfM0jcM ARIN: https://youtu.be/dueSmJwWzQ4 LACNIC: https://youtu.be/VLcvfEJ8T4Y RIPE-NCC: https://youtu.be/KgUXsTKW2b4 26 https://www.manrs.org/resources/how-to-videos/
  • 27. Origin Validation Configuration (Cisco) 27 (config)# conf t (config)# router bgp 64500 (config-router)# bgp rpki server tcp 100.64.1.1 port 8323 refresh 300 (config-router)# bgp rpki server tcp 100.64.1.1 port 3323 refresh 300
  • 28. Origin Validation Configuration (Juniper) 28 routing-options { autonomous-system 64500; validation { group rpki-validator { session 100.64.1.1 { refresh-time 120; hold-time 180; port 8282; local-address 100.64.1.2; }}}}
  • 29. 29 ROAs ROAs ROA Validation BGP Validation VALID INVALID VALID INVALID Prefix Validation Status
  • 30. Origin Validation on CISCO (Low pref to invalids) 30 (config)# route-map RPKI-VALIDATION permit 10 (route-map)# match rpki valid (route-map)# set local-preference 100 ! (route-map)# route-map RPKI-VALIDATION permit 20 (route-map)# match rpki not-found (route-map)# set local-preference 80 ! (route-map)# route-map RPKI-VALIDATION permit 30 (route-map)# match rpki invalid (route-map)# set local-preference 60 High preference valid ROAs Medium preference for routes ROAs not found Very low preference to invalids. Most operators started dropping invalids
  • 31. Origin Validation on CISCO (Drop invalids) 31 (config-router)# route-map RPKI-VALIDATION permit 10 (route-map)# match rpki valid (route-map)# set local-preference 100 ! (route-map)# route-map RPKI-VALIDATION permit 20 (route-map)# match rpki not-found (route-map)# set local-preference 80 ! (route-map)# route-map RPKI-VALIDATION deny 30 (route-map)# match rpki invalid High preference valid ROAs Medium preference for routes ROAs not found Invalids are dropped
  • 32. Origin Validation Configuration (Cisco) 32 (config)# router bgp 64511 (config)# address-family ipv4 (config)# neighbor 192.168.1.254 route-map RPKI-VALIDATION in ! (config)# address-family ipv6 (config)# neighbor 2001:db8:12::2 route-map RPKI-VALIDATION in Applying the route-map to the BGP sessions
  • 33. Origin Validation Configuration (Juniper) 33 policy-statement send-direct { from protocol direct; then accept;} policy-statement RPKI-VALIDATION { term valid { from { protocol bgp; validation-database valid; } then { local-preference 100; validation-state valid; community add origin-validation-state-valid; accept; }} High preference valid ROAs
  • 34. Origin Validation Configuration (Juniper) 34 term unknown { from protocol bgp; then { local-preference 80; validation-state unknown; community add origin-validation-state-unknown; accept; }} Medium preference for routes ROAs not found
  • 35. Origin Validation Configuration (Juniper) 35 term invalid { from { protocol bgp; validation-database invalid;} then { local-preference 60; validation-state invalid; community add origin-validation-state-invalid; accept; }} Very low preference to invalids.
  • 36. Origin Validation Configuration (Juniper) 36 term invalid { from { protocol bgp; validation-database invalid;} then { validation-state invalid; reject; }} Invalids are dropped
  • 38. RPKI Verification (Server) 38 Courtesy: routeserver@ATT AS7018
  • 43. RPKI State (Not Found) 43 Courtesy: Routeviews.org
  • 44. Route Origin Validation (ROV) – Implementations ● Cisco IOS – available from release 15.2 ● Cisco IOS/XR – available from release 4.3.2 ● Juniper – available from release 12.2 ● Nokia – available from release R12.0R4 ● Huawei – available from release V800R009C10 ● FRR – available from release 4.0 ● BIRD – available from release 1.6 ● OpenBGPD – available from OpenBSD release 6.4 ● GoBGP – available since 2018 ● VyOS – available from release 1.2.0-RC11 ● Mikrotik ROS – available from release v7 source: nsrc 44
  • 45. Implement Origin Validation (ROV) ~ Cisco (IOS-XE, IOS-XR), Juniper, Arista MANRS - How to Videos Cisco Router ROV configuration https://youtu.be/82O_CvW6T8c Juniper JunOS ROV configuration https://youtu.be/NtQ4sqLmw18 Arista ROV configuration https://youtu.be/rXLtZcSY6gc 45 https://www.manrs.org/resources/how-to-videos/
  • 47. Implementing MANRS Actions 47 ● Signals an organization’s security-forward posture and can eliminate SLA violations that reduce profitability or cost customer relationships. ● Reduces routing incidents, helping networks readily identify and address problems with customers or peers. ● Improves network’s operations by establishing better and cleaner peering communication pathways, while also providing granular insight for troubleshooting. ● Addresses many concerns of security-focused enterprises and other customers.
  • 48. Everyone Benefits 48 ● Joining MANRS means joining a community of security-minded organizations committed to making the global routing infrastructure more robust and secure. ● Consistent MANRS adoption yields steady improvement, but we need more networks to implement the actions and more customers to demand routing security best practices. ● The more networks apply MANRS actions, the fewer incidents there will be, and the less damage they can do.
  • 49. MANRS is an important step 49 Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet. MANRS is the minimum a network should consider, with low risk and cost-effective actions. MANRS is not a one-stop solution to all the Internet’s routing woes, but it is an important step toward a globally robust and secure routing infrastructure.
  • 50. MANRS Participants (September 2021) ● 576 Network Operators https://www.manrs.org/isps/participants/ • DeeNet Services (AS 136308, 138794) ● 91 Internet eXchange Points (IXP) • Kolkata IX / India Internet Foundation (AS132921) ● 17 CDN and Cloud Providers ● Operators, IX, REN (South Asia) • BdREN, Fiber@Home, Bangladesh Computer Council, BDConnect.net • Cherry World Communication, Cyber Internet, Cybergate 50
  • 51. MANRS - CDN and Cloud Participants 51 https://www.manrs.org/cdn-cloud-providers/participants/
  • 52. Join Us 52 Visit https://www.manrs.org • Fill out the sign up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives https://www.manrs.org/join/
  • 53. MANRS Network Operator Application form 53
  • 56. Action 3: Global Coorindation 56
  • 57. Action 4: Global Validation (IRR/RPKI) 57
  • 58. Upcoming Sessions 58 MANRS Hands on Workshop (Cisco Platform) 11, September 2021 (Saturday) 11 am IST (GMT+5.30) https://us02web.zoom.us/meeting/register/tZEvdeqoqz4uG9AwimUhPQ10oZhxpg8yhxRK MANRS for Network Operators (Tutorial) 2 hrs session APNIC 52 (Online) | 13, September 2021 (Monday) 11 am IST (GMT+5.30) | 13.30 Local Conference Time (GMT+8) https://conference.apnic.net/52/program/schedule/#/day/1/manrs-for-network-operators
  • 59. MANRS Implementation Guide 59 If you’re not ready to join yet, implementation guidance is available to help you. • Based on Best Current Operational Practices deployed by network operators, IXPs, CDNs and Cloud providers around the world https://www.manrs.org/isps/bcop/ https://www.manrs.org/ixps/ https://www.manrs.org/cdn-cloud- providers
  • 61. MANRS Observatory | Data Access 61 ● Current access policy: Public will be able to view Overall, Regional and Economy aggregated data ● Only MANRS Participants will have access to detailed data about their network
  • 63. 63
  • 65. MANRS Hands on Lab (ISOC Hosted) 65
  • 66. MANRS Lab Modules 66 Lab guide is based on https://www.manrs.org/isps/bcop/ Tutorial is a mix of lectures and hands-on lab sessions to deploy MANRS actions based on best current operational practices. Lab runs on dual-stack infrastructure. MANRS Actions Agenda (Lab Configuration | Cisco IOS Platform) ● Anti-Spoofing (uRPF) ○ BCP38/uRPF Strict Mode ● Filtering (Preventing propagation of incorrect routing information) ○ Specific-prefix outbound filtering of your network to peers and upstreams/transits.
  • 67. Anti Spoofing Technique (uRPF) 67 ● uRPF is a technique where the router can discard packets with invalid/fake/incorrect source addresses by a simple check against the Forwarding Table (FIB) ○ More efficient than implementing ingress packet filters ● uRPF is a very effective tool to assist with defeating DoS/DDoS attacks, at source ○ Implemented by network operators on access devices, where end- users and end-devices connect to their network