RPKI invalids aren’t gone yet
Md. Abdul Awal
awal@nsrc.org
Routing Incidents in Bangladesh
bdNOG12 2
Stats: observatory.manrs.org
[Chart: Number of routing incidents in BD, monthly, Jul-19 to Aug-20]
Incidents haven’t been reduced
RPKI Status of BGP Prefixes in Bangladesh
Stats: observatory.manrs.org
[Chart: RPKI status of BGP announcements in BD (Valid, Not Found, Invalid), monthly, Jul-19 to Aug-20]
Invalids are not going away
1% of total BGP announcements in BD are still invalid; that’s about 50 prefixes in the global BGP table
Prefix/Route Hijack: The Common Routing Incident
[Diagram: AS 65505, AS 64512, AS 64710, AS 65500, AS 64805, AS 64650 and AS 65510; 192.168.0.0/24 is announced from two places, one of them labelled "Prefix Hijacker"]
AS 65500 owns 192.168.0.0/24
AS 65510 does NOT own 192.168.0.0/24
AS 64805 takes wrong path to 192.168.0.0/24
RPKI could solve it
1. Signing prefixes, a.k.a. creating ROA
[Diagram: Member Login, Authentication, RIR Resource DB, RIR CA; ROA for 2001:db8::/32 and 192.0.2.0/24 with AS 65000]
2. Validating ROAs, a.k.a. doing ROV
[Diagram: RPKI Repository, rsync/RRDP, RPKI Validator, RTR Protocol, BGP Router]
What makes a route RPKI Invalid?
Route Origin Authorization (ROA)
Prefix: 192.168.0.0/22
ASN: 65500
Max Length: /23
192.168.0.0/22
192.168.0.0/23
192.168.0.0/24
192.168.1.0/24
192.168.2.0/23
192.168.2.0/24
192.168.3.0/24
Prefixes covered by the ROA
Route Origin Validation (ROV)
VRP: 192.168.0.0/22, AS 65500, Max Length /23
BGP Routes (R1):
192.168.0.0/24 ...65500: Max Length Invalid
192.168.0.0/24 ...65520: Max Length+Origin Invalid
192.168.0.0/23 ...65520: Origin Invalid
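The validation shown on the ROV slide, as an added example that is not part of the original deck: a small Python validator that classifies a route against a set of VRPs and names the reason for an Invalid the way the slide does. The function names and the two extra routes are assumptions made for illustration; the VRP and the first three routes are the slide's.

```python
import ipaddress
from collections import namedtuple

# Validated ROA Payload: prefix, origin ASN, max length
VRP = namedtuple("VRP", "prefix asn max_length")

def make_vrp(prefix, asn, max_length=None):
    net = ipaddress.ip_network(prefix)
    # A ROA without an explicit max length authorises only the exact prefix length.
    return VRP(net, asn, net.prefixlen if max_length is None else max_length)

def validate(prefix, origin_asn, vrps):
    """Classify one BGP route as Valid / Invalid / NotFound (RFC 6811 logic)."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return ("NotFound", None)  # no ROA covers this prefix at all
    # AS 0 never matches a route (an AS 0 ROA marks space that should not be routed).
    same_origin = [v for v in covering if v.asn == origin_asn and origin_asn != 0]
    if any(route.prefixlen <= v.max_length for v in same_origin):
        return ("Valid", None)
    # Covered but unmatched: name the reason the way the slide does.
    if same_origin:
        return ("Invalid", "Max Length Invalid")
    if any(route.prefixlen <= v.max_length for v in covering):
        return ("Invalid", "Origin Invalid")
    return ("Invalid", "Max Length+Origin Invalid")

def drop_invalids(routes, vrps):
    """Origin-validation policy from the talk: drop Invalid, keep Valid and NotFound."""
    return [r for r in routes if validate(r[0], r[1], vrps)[0] != "Invalid"]

# VRP and the three BGP routes from the ROV slide.
SLIDE_VRPS = [make_vrp("192.168.0.0/22", 65500, 23)]
SLIDE_ROUTES = [("192.168.0.0/24", 65500),
                ("192.168.0.0/24", 65520),
                ("192.168.0.0/23", 65520)]
# Constructed extra routes (not from the slides) to exercise Valid and NotFound.
EXTRA_ROUTES = [("192.168.2.0/23", 65500), ("198.51.100.0/24", 65510)]

if __name__ == "__main__":
    for prefix, asn in SLIDE_ROUTES + EXTRA_ROUTES:
        print(prefix, asn, validate(prefix, asn, SLIDE_VRPS))
    print("kept:", drop_invalids(SLIDE_ROUTES + EXTRA_ROUTES, SLIDE_VRPS))
```

NotFound routes are kept by drop_invalids because no ROA exists for them; only routes that a ROA covers but does not match are dropped.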
Let’s see some examples
Example: RPKI Invalids
Example: Invalid Origin
Example: Invalid Prefix Length
More Example: Invalid Prefix Length
So, why do invalids exist in BD’s routing atmosphere?
Several reasons…
• Incorrect ROAs
  § Mostly because of misconfigured Max Length
  § Sometimes because of wrong ASN
  § Lack of awareness?
• Wrong BGP announcements
  § Route advertised without checking its ROA
  § Old habit?
• Most importantly, no origin validation
  § Transit providers and IXPs are missing this bit, any reason?
Fix it: Who and How
ROA: 192.168.0.0/22, AS 65500, Max Length /23
• Create appropriate ROAs for your prefixes
• Announce only the correct prefix in BGP
• Implement origin validation, i.e. drop RPKI Invalids
Route Origin Validation at NIX and IIG
Internet Exchange Point
[Diagram: AS 65505, AS 64512, AS 64710 and AS 65500 connected through the NIX Switch and Route Server]
Invalid routes dropped by NIX
No invalid routes towards peers
Transit Provider Network
[Diagram: AS 65505, AS 64512, AS 64710, AS 65530 and AS 65500 with the IIG Router and International Transit]
Invalid routes dropped by IIG
No invalid routes towards clients
Validation could make our routing table Invalid-free
[Diagram, two panels: "Internet Routing Infrastructure of BD Without Validation" and "Internet Routing Infrastructure of BD With Validation", each showing International Transits, IIG, NIX and ISP]
IIGs can prevent Invalid route propagation to and from BD
Thanks!
Questions?
awal@nsrc.org
