Deployment factors and Current status

Tomoya Yoshida <[email protected]>

2015/3/3


Agenda

• RPKI deployment factors

• ROA cache in JP

• Issues


RPKI deployment factors

(Figure: five deployment factors, each with the presenter's annotation)

• RPKI service: 5 RIRs have it. JPNIC's service is coming soon

• Operational practice: RPKI hackathon / hands-on

• Router's implementation: Cisco, Juniper, Alcatel etc. getting enhanced

• Variety of tools: RPKI tools and web-based tools

• Motivation / impact: Similar to Kaminsky DNS vulnerability?


Background

• In Asia (incl. Japan), the speed of RPKI deployment seems MUCH slower than in the RIPE region....

We want to accelerate the deployment of RPKI in Japan!

Fig. Number of ROAs, RIPE vs. APNIC (source: http://certification-stats.ripe.net/)

RPKI hands-on in Jul. 2014

• RPKI Hands-on seminar with JPNIC

• Made a survey of RPKI trend

Seminar participants’ voice


• “I can understand how important RPKI is.”

• “But, it is difficult to make my bosses and/or managers understand the cost of introducing it.”

• “I felt it is a bit difficult for small ISPs/networks to manage ROA cache server, both technically and operationally. We want a public one.”

JPNAP/JPNIC launched RPKI ROA Public cache

(Figure: JPNIC and Internet Multifeed (JPNAP) each run an RPKI ROA cache in the RPKI ROA Service Segment; the BGP router of an AS pulls ROA information from those cache servers)

ROA Information example: Prefix-Maxlen: 192.0.2.0/24-24, Origin AS: 64500

Using the rpki-rtr protocol you can receive RPKI ROA cache information from those servers.

IMF RPKI Project Page: http://www.jpnap.net/rpki/

Issues

• We cannot provide RPKI information from ARIN
  • ARIN RPA (Relying Party Agreement) prohibits providing their data to a third party now.

• TLS encryption of RPKI-RTR (tcp:323) is not well supported for now
  • In case of using a public cache, it is important to encrypt the transferred data.
  • Currently, Cisco, Juniper and Alcatel don't support the rpki-rtr-tls protocol

• Strange behavior on JUNOS devices
  • When you enable validation on JUNOS routers it unexpectedly starts listening on tcp:2222.
  • It’s intended for router internal use only(?)
  • Be sure to filter out access to the above port from the Internet. Otherwise your router will suffer from scans/attacks targeting ssh port 2222, and may crash in the worst case. Horrible.

Issues

• Strange behavior on Cisco CSRs
  • “show ip bgp / show ip bgp ipv6 unicast” shows that all routes are VALID (which should be NOT FOUND) when
    • 1. your router has one or more BGP routes, and
    • 2. you first enable RPKI, and
    • 3. no ROA record has been received from the ROA cache server.
  • Once ANY ROA is received, all validation states are correctly shown as expected.
  • Cf. JUNOS shows those routes as “Unverified”
  • Weird. Maybe a bug?
  • Observed on Cisco CSR/IOS-XE version 03.12.00.S
  • Workarounds:
    • Router reload
    • BGP reset
    • Shutdown BGP before configuring RPKI
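The ROA from the cache diagram (192.0.2.0/24-24, origin AS 64500) and the validation states behind the Cisco CSR issue, as an added example that is not from the slides or from JPNAP: a minimal RFC 6811 origin validation over a set of Validated ROA Payloads, including the empty-cache case where every route must be NOT FOUND rather than VALID. The `prefix/len-maxlen AS` text notation, the `VRP` class and the function names are assumptions made for this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload as delivered by a ROA cache over rpki-rtr (hypothetical model)."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int
    origin_as: int


def parse_vrp(text: str) -> VRP:
    """Parse the slide's notation 'prefix/len-maxlen originAS', e.g. '192.0.2.0/24-24 64500'."""
    prefix_part, asn = text.split()
    prefix_str, maxlen = prefix_part.rsplit("-", 1)
    return VRP(ipaddress.ip_network(prefix_str, strict=True), int(maxlen), int(asn))


# Constructed cache content mirroring the ROA shown in the JPNAP cache diagram.
SLIDE_VRPS = [parse_vrp("192.0.2.0/24-24 64500")]


def validate_origin(route_prefix: str, route_origin_as: int, vrps) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    # Covering VRPs: same address family and the VRP prefix contains the route prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        # No ROA covers this route: NOT FOUND ("Unverified" on JUNOS).
        # With an empty cache every route lands here; showing VALID instead is wrong.
        return "not-found"
    for v in covering:
        # Matching VRP: origin AS equals the ROA's AS and the route is no longer than maxlen.
        if v.origin_as == route_origin_as and route.prefixlen <= v.maxlen:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                        ("192.0.2.0/24", 64501), ("198.51.100.0/24", 64500)]:
        print(prefix, asn, validate_origin(prefix, asn, SLIDE_VRPS))
    print("empty cache:", validate_origin("192.0.2.0/24", 64500, []))
```

A real cache delivers the same three fields per VRP, so the only change needed for live use is feeding the router's or validator's VRP export into the list instead of the constructed one.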

Step by Step RPKI deployment on JPNAP

(Figure: ISPs peer at JPNAP (AS7521); the RPKI testbed segment contains Juniper and Cisco routers and the ROA cache server, which fetches ROAs from the five RIRs ARIN, RIPE, APNIC, LACNIC and AFRINIC; the RFEED route-server sits between the ISPs)

STEP 1
• 1-1. Main: ISP’s own ROA cache. Secondary: JPNAP ROA cache for backup
• 1-2. At the initial stage, an ISP uses the JPNAP ROA cache (for people who think it’s difficult to operate one by themselves)

STEP 2
• 2-1. How to see our routes at the RPKI router?
• 2-2. How to see our routes at the Juniper RPKI validated router?

STEP 3
• 3. RPKI validation at the JPNAP route-server

RPKI deployment factors

(Figure: the same five deployment factors, revisited at the end of the talk)

• RPKI service: 5 RIRs have it. JPNIC’s pilot; service is coming soon

• Operational practice: RPKI hackathon / hands-on

• Router's implementation: Cisco, Juniper, Alcatel etc. getting enhanced

• Variety of tools: RPKI tools and web-based tools

• Motivation / impact: Similar to Kaminsky DNS vulnerability?

Thank you!
