deployment factors and current status
RPKI deployment factors
• RPKI service: the 5 RIRs have one; JPNIC's service is coming soon
• Operational practice: RPKI hackathon/hands-on
• Router's implementation: Cisco, Juniper, Alcatel etc. are getting enhanced
• Variety of tools: RPKI tools and web-based tools
• Motivation / impact: similar to the Kaminsky DNS vulnerability?
2015/3/3
Background
• In Asia (incl. Japan), the speed of RPKI deployment seems MUCH slower than in the RIPE region....
Fig. Number of ROAs, RIPE vs. APNIC (source: http://certification-stats.ripe.net/)
We want to accelerate the deployment of RPKI in Japan!
RPKI hands-on in Jul. 2014
• RPKI hands-on seminar with JPNIC
• Made a survey of the RPKI trend
Seminar participants’ voice
• “I can understand how important RPKI is.”
• “But, it is difficult to make my bosses and/or managers understand the cost of introducing it.”
• “I felt it is a bit difficult for small ISPs/networks to manage ROA cache server, both technically and operationally. We want a public one.”
JPNAP/JPNIC launched RPKI ROA Public cache
Fig. Internet Multifeed (JPNAP) and JPNIC each run an RPKI ROA cache server in the RPKI ROA Service Segment; an AS's BGP router receives the ROA information from them (example ROA: Prefix-Maxlen 192.0.2.0/24-24, Origin AS 64500).
Using the rpki-rtr protocol you can receive RPKI ROA cache information from those servers.
Issues
• We cannot provide RPKI information from ARIN
  • The ARIN RPA (Relying Party Agreement) currently prohibits providing their data to a third party.
• TLS encryption of RPKI-RTR (tcp:323) is not well supported for now
  • When using a public cache, it is important to encrypt the transferred data.
  • Currently, Cisco, Juniper and Alcatel don't support the rpki-rtr-tls protocol
• Strange behavior on JUNOS devices
  • When you enable validation on JUNOS routers, they unexpectedly start listening on tcp:2222.
  • It's intended for router-internal use only(?)
  • Be sure to filter out access to the above port from the Internet. Otherwise your router will suffer from scans/attacks targeting ssh port 2222, and may crash in the worst case. Horrible.
Issues
• Strange behavior on Cisco CSRs
  • "show ip bgp" / "show ip bgp ipv6 unicast" shows that all routes are VALID (which should be NOT FOUND) when
    1. your router has one or more BGP routes, and
    2. you first enable RPKI, and
    3. no ROA record has been received from the ROA cache server.
  • Once ANY ROA is received, all validation states are correctly shown as expected.
  • Cf. JUNOS shows those routes as "Unverified"
  • Weird. Maybe a bug?
  • Observed on Cisco CSR/IOS-XE version 03.12.00.S
• Workarounds:
  • Router reload
  • BGP reset
  • Shutdown BGP before configuring RPKI
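The VALID / NOT FOUND states above are the RFC 6811 origin validation results, and the CSR symptom is a router reporting VALID while its cache has delivered no ROAs. As an added example (not from the slides), the Python below implements the RFC 6811 check against a ROA list and a sanity check that flags that symptom; the ROA (192.0.2.0/24-24, AS 64500) is taken from the slide 9 diagram, the other prefixes and AS numbers are constructed test values.

```python
# Added example: RFC 6811 route origin validation and a check for the
# "all VALID with an empty ROA cache" symptom described in the slides.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str      # ROA prefix, e.g. "192.0.2.0/24"
    maxlen: int      # longest prefix length the ROA authorises
    origin_as: int   # AS authorised to originate the prefix


# ROA from the slide 9 diagram; a real cache would deliver these via rpki-rtr.
ROAS = [Roa("192.0.2.0/24", 24, 64500)]


def validate(route_prefix: str, route_origin: int, roas) -> str:
    """Return 'VALID', 'INVALID' or 'NOT FOUND' for one BGP route (RFC 6811)."""
    route = ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA covers the route when the route equals or is a more-specific
        # of the ROA prefix; the family check keeps subnet_of from raising.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == route_origin and route.prefixlen <= roa.maxlen:
            return "VALID"
    # Covered by at least one ROA but matched by none: INVALID.
    # No covering ROA at all (including an empty cache): NOT FOUND, never VALID.
    return "INVALID" if covered else "NOT FOUND"


def suspicious_validation(states, roa_count: int) -> bool:
    """Flag the CSR symptom: VALID states although the cache delivered no ROAs."""
    return roa_count == 0 and any(s == "VALID" for s in states)


if __name__ == "__main__":
    # Constructed routes: the slide's prefix, a too-specific announcement,
    # a wrong origin, and an unrelated prefix with no covering ROA.
    routes = [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
              ("192.0.2.0/24", 64501), ("198.51.100.0/24", 64500)]
    for prefix, asn in routes:
        print(prefix, asn, validate(prefix, asn, ROAS))
    # With an empty cache every route must be NOT FOUND.
    print(validate("192.0.2.0/24", 64500, []))
```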
Step by Step RPKI deployment on JPNAP
STEP 1
1-1. Main: ISP's ROA cache; Secondary: JPNAP ROA cache for backup
1-2. At the initial stage, the ISP uses the JPNAP ROA cache (for people who think it's difficult to operate one by themselves)
STEP 2
2-1. How to see our routes at the RPKI router?
2-2. How to see our routes at the Juniper RPKI validated router?
STEP 3
3. RPKI validation at the JPNAP route-server
Fig. Diagram labels: Internet, ISPs, JPNAP (AS7521), RFEED route-server, RPKI testbed segment (Juniper, Cisco, ROA cache server), RIRs: ARIN, RIPE, APNIC, LACNIC, AFRINIC
RPKI deployment factors
• RPKI service: the 5 RIRs have one; JPNIC's pilot service is coming soon
• Operational practice: RPKI hackathon/hands-on
• Routers' implementation: Cisco, Juniper, Alcatel etc. are getting enhanced
• Variety of tools: RPKI tools and web-based tools
• Motivation / impact: similar to the Kaminsky DNS vulnerability?