RPKI Deployment Status in Bangladesh


Slide 1: RPKI Deployment Status in Bangladesh
Md. Abdul Awal, Network Startup Resource Center, https://nsrc.org
Presented at bdNOG13.

Slide 2: Why Should We Care About RPKI?

Slide 3: Long ago, people were living in peace
• Network engineers were innocent and trustworthy
• The global routing table only had valid prefixes
• But the perfect world can't exist:
  – Someone made a mistake in their BGP announcements
  – Someone hijacked another network's prefixes
  – The global routing table became vulnerable to incorrect routes
• Internet operations get affected
• The core of the Internet can't be left vulnerable like that

Slide 4: A route is not bad unless proven guilty
• How to prove it? – By validating
• How can we validate? – Cross-match the route against VRPs (Validated ROA Payloads)
• What makes the VRPs? – ROAs (Route Origin Authorizations)
• How to collect all the ROAs? – The Resource PKI (RPKI)
• Who does what?
  – Resource holders create ROAs
  – Network operators do ROV (Route Origin Validation)

Slide 5: RPKI is about 2 things: ROA and ROV
(1) Signing prefixes, a.k.a. creating ROAs
Diagram: Member Login → Authentication → RIR Resource DB; the RIR CA issues the ROA
(example ROA: 2001:db8::/32 and 192.0.2.0/24, origin AS 65000)

Slide 6: RPKI is about 2 things: ROA and ROV
(2) Validating ROAs, a.k.a. doing ROV
Diagram: RPKI Repository → (rsync/RRDP) → RPKI Validator → (RTR Protocol) → BGP Router
Slide 7: What Makes a Route RPKI Invalid?

VRP used in the example:
  Prefix            ASN     Max Length
  192.168.0.0/22    65500   /23

Prefixes covered by the ROA: 192.168.0.0/22, 192.168.0.0/23, 192.168.0.0/24,
192.168.1.0/24, 192.168.2.0/23, 192.168.2.0/24, 192.168.3.0/24

Routes announced by router R1 (origin AS is the last AS in the path) and their ROV result:
  Prefix            Origin AS   Result
  192.168.0.0/24    65500       Max Length Invalid
  192.168.0.0/24    65520       Max Length + Origin Invalid
  192.168.0.0/23    65520       Origin Invalid
  192.168.2.0/23    65500       Valid
  100.100.0.0/24    65500       Not Found
Slide 8: RPKI deployment in Bangladesh

Slide 9: RPKI ROA Adoption
Source: https://observatory.manrs.org/

Slide 10: RPKI Validation
https://stats.labs.apnic.net/rpki/BD

Slide 11: RPKI Validation
https://stats.labs.apnic.net/rpki/BD

Slide 12: RPKI Invalids
Sources: https://observatory.manrs.org/ and https://rpki.anuragbhatia.com/

Slide 13: RPKI Invalid Types
Source: https://rpki.anuragbhatia.com/ (last updated on 8-Jun-2021)
Chart 1: Invalids per address family (IPv4 vs IPv6; values shown: 101 and 15)
Chart 2: Number of invalid routes per address family, split by RPKI invalid type (Origin Invalid vs Max Length Invalid)

Slide 14: Top Contributors of RPKI Invalids
Source: https://rpki.anuragbhatia.com/ (last updated on 8-Jun-2021)
Chart 1: Number of RPKI-invalid BGP announcements per AS number.
  ASNs shown: 137823, 137935, 141439, 131216, 24342, 63969, 38071, 136516, 134204, 58715
  Counts shown: 3, 3, 3, 3, 3, 5, 5, 8, 16, 39
Chart 2: Number of ASNs announcing invalid routes per address family (IPv4, IPv6), split by type (Origin Invalid vs Max Length Invalid)

Slide 15: What Goes Wrong?

Slide 16: Routing Incidents
Source: https://observatory.manrs.org/
Slide 17: Invalid Routes are Getting Rejected
• More and more operators are deploying RPKI and ROV:
  – BCC/NDC
  – Telia
  – NTT
  – Cogent
  – HE
  – Cloudflare
  – Netflix
  – AMS-IX
  – DE-CIX
  and many more

Slide 18: Considerations about ROA and ROV

Slide 19: Creating ROA
Not a good idea: creating ROAs with a max length up to /24 (v4) or /48 (v6)
vs.
Better: creating ROAs for the specific prefixes that are actually announced in BGP

Slide 20: Creating ROA
You may sign the same prefix with multiple ASNs, but only do so if you really have to

Slide 21: Doing ROV
Validation without dropping RPKI Invalids
vs.
Validation with dropping RPKI Invalids

Slide 22: Recommendations on RPKI Deployment
Slide 23: General Recommendations
• Only create ROAs for prefixes that are announced in BGP
  – Signing unannounced prefixes can lead to a "validated hijack"
  – Add it to the standard operating procedure: if it is originated, sign it!
• Check your ROAs and announcements from external sources
• Deploy at least two reliable validator caches
  – Two different implementations, for software independence
• Avoid a default route on the border routers
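The three ROA rules on slides 19, 20 and 23 (sign only what you announce, keep max length no looser than what you announce, sign every origin ASN you use) can be checked mechanically against a BGP export. The following is an added example written for this page, not code from the slides or from NSRC; the ROAs and announcements are constructed sample data using documentation prefixes, and the finding labels are my own.

```python
"""Audit a set of ROAs against the prefixes actually announced in BGP.

Added example (not the slides' own code). It flags the three mistakes the
deck warns about: ROAs for unannounced prefixes (validated hijack), ROAs
whose maxLength is looser than anything announced, and announcements whose
origin ASN has no matching ROA. Sample data below is constructed.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Roa(NamedTuple):
    prefix: str
    max_length: int
    asn: int


class Announcement(NamedTuple):
    prefix: str
    asn: int


Finding = Tuple[str, str, str]  # (kind, prefix, detail)


def _subnet_of(inner: str, outer: str) -> bool:
    """True when `inner` lies inside `outer` (same address family only)."""
    a, b = ipaddress.ip_network(inner), ipaddress.ip_network(outer)
    return a.version == b.version and a.subnet_of(b)


def audit_roas(roas: List[Roa], announcements: List[Announcement]) -> List[Finding]:
    findings: List[Finding] = []

    # Pass 1: look at each ROA and the announcements it covers.
    for roa in roas:
        covered = [a for a in announcements if _subnet_of(a.prefix, roa.prefix)]
        if not covered:
            # Slide 23: a ROA for a prefix nobody originates lets a route with a
            # forged origin AS pass ROV ("validated hijack").
            findings.append(("unannounced-roa", roa.prefix,
                             f"ROA for AS{roa.asn} covers no announced prefix"))
            continue
        longest = max(ipaddress.ip_network(a.prefix).prefixlen for a in covered)
        if roa.max_length > longest:
            # Slide 19: maxLength beyond the announced length authorises
            # more-specifics you never announce.
            findings.append(("loose-maxlength", roa.prefix,
                             f"maxLength {roa.max_length} but longest announced is /{longest}"))

    # Pass 2: look at each announcement and the ROAs covering it.
    for ann in announcements:
        covering = [r for r in roas if _subnet_of(ann.prefix, r.prefix)]
        if not covering:
            # Slide 23: "if it is originated, sign it!"
            findings.append(("unsigned-announcement", ann.prefix,
                             f"originated by AS{ann.asn} but no ROA covers it"))
            continue
        plen = ipaddress.ip_network(ann.prefix).prefixlen
        if not any(r.asn == ann.asn and plen <= r.max_length for r in covering):
            # Slide 20: each origin ASN needs its own ROA or ROV rejects the route.
            findings.append(("own-route-invalid", ann.prefix,
                             f"origin AS{ann.asn} matches no covering ROA"))
    return findings


# Constructed sample data (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 65000),      # announced as-is: fine
    Roa("2001:db8::/32", 48, 65000),     # only the /32 is announced: maxLength too loose
    Roa("198.51.100.0/24", 24, 65000),   # never announced: validated-hijack risk
]
SAMPLE_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 65000),
    Announcement("192.0.2.0/24", 65001),  # second origin ASN without its own ROA
    Announcement("2001:db8::/32", 65000),
    Announcement("203.0.113.0/24", 65000),  # originated but not signed
]

if __name__ == "__main__":
    for kind, prefix, detail in audit_roas(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS):
        print(f"{kind:22} {prefix:18} {detail}")
```

In practice the announcement list would come from the router's own BGP export or from a looking glass, and the ROA list from the RIR portal, so that the "check from external sources" advice on slide 23 is satisfied too.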
Slide 24: General Recommendations
• While validating:
  – If Valid: ALLOW
  – If Invalid: DROP
  – If Not Found: ALLOW with lower preference
• For fully supported Route Origin Validation across the network:
  – EBGP-speaking routers need to talk to a validator
  – IBGP-speaking routers do not need to talk to a validator
• Train the engineers with toolsets and debugging techniques
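The validation outcomes on slide 7 and the allow/drop/lower-preference policy on slide 24 follow directly from the RFC 6811 matching rules. The block below is an added example (not the slides' or NSRC's code) that implements those rules over the VRP and the five routes drawn on slide 7, then applies the slide 24 policy; the local-preference numbers are assumed values for illustration, not router defaults.

```python
"""Route Origin Validation (ROV) of announced routes against VRPs.

Added example, not code from the slides. A route is Valid when at least one
covering VRP has the same origin ASN and a maxLength >= the announced prefix
length; Invalid when VRPs cover the prefix but none matches; Not Found when no
VRP covers it. The invalid reason mirrors the labels on slide 7.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class VRP(NamedTuple):
    prefix: str
    max_length: int
    asn: int


def validate(prefix: str, origin_asn: int, vrps: List[VRP]) -> Tuple[str, Optional[str]]:
    """Return (state, reason).

    state  : 'valid', 'invalid' or 'not-found'
    reason : for invalid routes, 'max-length', 'origin' or 'origin+max-length'
    """
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if ipaddress.ip_network(v.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(v.prefix))]
    if not covering:
        return "not-found", None
    if any(v.asn == origin_asn and net.prefixlen <= v.max_length for v in covering):
        return "valid", None
    # No single VRP matches: work out which attribute(s) are wrong.
    asn_ok = any(v.asn == origin_asn for v in covering)
    len_ok = any(net.prefixlen <= v.max_length for v in covering)
    if asn_ok and not len_ok:
        return "invalid", "max-length"
    if len_ok and not asn_ok:
        return "invalid", "origin"
    # Neither attribute matches, or they only match on different VRPs.
    return "invalid", "origin+max-length"


# Slide 24 policy. Local-preference values are assumptions for the example.
LOCAL_PREF = {"valid": 110, "not-found": 100}


def apply_policy(state: str) -> Tuple[str, Optional[int]]:
    """Valid: allow; Invalid: drop; Not Found: allow with lower preference."""
    if state == "invalid":
        return "drop", None
    return "accept", LOCAL_PREF[state]


# The VRP and the router R1 announcements from slide 7.
SLIDE7_VRPS = [VRP("192.168.0.0/22", 23, 65500)]
SLIDE7_ROUTES = [
    ("192.168.0.0/24", 65500),
    ("192.168.0.0/24", 65520),
    ("192.168.0.0/23", 65520),
    ("192.168.2.0/23", 65500),
    ("100.100.0.0/24", 65500),
]


def evaluate(vrps: List[VRP], routes):
    """Validate every route and decide what the router does with it."""
    rows = []
    for prefix, asn in routes:
        state, reason = validate(prefix, asn, vrps)
        action, local_pref = apply_policy(state)
        rows.append((prefix, asn, state, reason, action, local_pref))
    return rows


if __name__ == "__main__":
    for prefix, asn, state, reason, action, lp in evaluate(SLIDE7_VRPS, SLIDE7_ROUTES):
        print(f"{prefix:18} AS{asn:<6} {state:10} {reason or '-':18} {action:7} lp={lp}")
```

On a real router the VRP set arrives over RTR from the validator caches (slide 6) and the policy is expressed as a route-map or routing policy; the function above is the decision those policies encode, which makes it handy for checking a table of announcements before rolling ROV out.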
Slide 25: ROA for Small ISPs and Enterprises
• Have your own Internet resources?
  – Creating a ROA is straightforward using the RIR's resource management portal
• Got an assignment from an LIR?
  – Have a public ASN?
    • Ask the LIR to create the ROA with your ASN, and verify it
  – Don't have a public ASN?
    • Ask the LIR to create the ROA for the assigned prefix, and verify it

Slide 26: ROV for Small ISPs and Enterprises
• Have BGP with transits and peers?
  – Receive full routes from neighbors?
    • Implementing ROV using a validator cache is straightforward
  – Receive partial routes with a default from neighbors?
    • Ask transits to do ROV for you
    • Implement ROV using a validator cache to validate peer and IX routes
  – Receive only the default route?
    • ROV wouldn't fit; however, you may ask transits to do ROV on their network
• Have static routing with transits?
  – ROV wouldn't fit; however, you may ask transits to do ROV on their network

Slide 27: Thanks
awal@nsrc.org
