![Page 1: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/1.jpg)
Internet Routing Registry (IRR) APNIC Tutorial in APNIC35
February 27, 2013, Singapore.
![Page 2: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/2.jpg)
Introduction
• Presenter
Nurul Islam Roman Senior Training Specialist [email protected] Specialties: Routing & Switching MPLS, IPv6 DNS/DNSSEC Internet Resource Management Network Security
![Page 3: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/3.jpg)
What is a Routing Registry?
• A repository (database) of Internet routing policy information • Autonomous Systems exchanges routing information via BGP • Exterior routing decisions are based on policy based rules • However BGP does not provides a mechanism to publish/
communicate the policies themselves • RR provides this functionality
• Routing policy information is expressed in a series of objects
![Page 4: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/4.jpg)
What is a Routing Registry?
• Global Internet Routing Registry database • http://www.irr.net/
• Uses RPSL • Stability and consistency of routing
• network operators share information
• Both public and private databases • These databases are independent
• but some exchange data • only register your data in one database
![Page 5: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/5.jpg)
RIPE
RADB CW
APNIC Connect
ARIN, ArcStar, FGC, Verio, Bconnex, Optus, Telstra, ...
IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
What is a Routing Registry?
![Page 6: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/6.jpg)
Routing Registry Objects
• Route, aut-num, inet-rtr, peering-set, AS-set, rtr-set, filter-set • Each object has its own purpose • Together express routing policies
• More details covered later
![Page 7: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/7.jpg)
What is Routing Policy?
• Description of the routing relationship between autonomous systems • Who are my BGP peers?
• Customer, peers, upstream • What routes are:
• Originated by each neighbour? • Imported from each neighbour? • Exported to each neighbour? • Preferred when multiple routes exist?
• What to do if no route exists? • What routes to aggregate?
![Page 8: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/8.jpg)
Representation of Routing Policy
AS1 AS2
In order for traffic to flow from NET2 to NET1 between AS1 and AS2:
NET1 NET2
AS1 has to announce NET1 to AS2 via BGP
Resulting in packet flow from NET2 to NET1
And AS2 has to accept this information and use it
![Page 9: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/9.jpg)
Representation of Routing Policy (cont.)
AS1 AS2
NET1 NET2
In order for traffic to flow towards from NET1 to NET2:
AS2 must announce NET2 to AS1
And AS1 has to accept this information and use it
Resulting in packet flow from NET 1 to NET2
![Page 10: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/10.jpg)
RPSL
• Routing Policy Specification Language • Object oriented language
• Based on RIPE-181 • Structured whois objects
• Higher level of abstraction than access lists
• Describes things interesting to routing policy: • Routes, AS Numbers … • Relationships between BGP peers • Management responsibility
• Relevant RFCs • Routing Policy Specification Language • Routing Policy System Security • Using RPSL in Practice
RFC 2622
RFC 2725
RFC 2650
![Page 11: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/11.jpg)
Routing Policy - Examples
AS 1 AS 2
aut-num: AS1 … import: from AS2
action pref= 100; accept AS2
export: to AS2 announce AS1
aut-num: AS2 … import: from AS1
action pref=100; accept AS1
export: to AS1 announce AS2
Basic concept
“action pref” - the lower the value, the preferred the route
![Page 12: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/12.jpg)
Routing Policy - Examples
AS 123 AS4 AS5
AS5
More complex example • AS4 gives transit to AS5, AS10 • AS4 gives local routes to AS123
AS10
![Page 13: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/13.jpg)
Routing Policy - Examples
AS 123 AS4 AS5 AS5
import: from AS123 action pref=100; accept AS123
aut-num: AS4
import: from AS5 action pref=100; accept AS5 import: from AS10 action pref=100; accept AS10 export: to AS123 announce AS4 export: to AS5 announce AS4 AS10 export: to AS10 announce AS4 AS5 Not a path
AS10
![Page 14: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/14.jpg)
Routing Policy - Examples
AS123 AS4
More complex example
• AS4 and AS6 private link1 • AS4 and AS123 main transit link2 • backup all traffic over link1 and link3 in event of link2 failure
AS6 private link1
link3
transit traffic over link2
![Page 15: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/15.jpg)
Routing Policy - Examples
AS123 AS4
AS6 private link1
link3
AS representation
transit traffic over link2
import: from AS123 action pref=100; accept ANY
aut-num: AS4
import: from AS6 action pref=50; accept AS6 import: from AS6 action pref=200; accept ANY export: to AS6 announce AS4
export: to AS123 announce AS4
full routing received
higher cost for backup route
![Page 16: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/16.jpg)
APNIC Database and the IRR
![Page 17: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/17.jpg)
APNIC Database & the IRR
• APNIC whois Database • Two databases in one
• Public Network Management Database • “whois” info about networks & contact persons
• IP addresses, AS numbers etc
• Routing Registry • contains routing information
• routing policy, routes, filters, peers etc.
• APNIC RR is part of the global IRR
![Page 18: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/18.jpg)
Integration of Whois and IRR
• Integrated APNIC Whois Database & Internet Routing Registry
APNIC Whois
IRR
IP, ASNs, reverse domains,
contacts, maintainers
etc routes, routing policy, filters,
peers etc inetnum, aut-num, domain, person, role, maintainer
route, aut-num, as-set, inet-rtr, peering-set etc.
Internet resources & routing information
![Page 19: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/19.jpg)
IRR Objects • route
• Specifies interAS routes
• aut-num • Represents an AS. Used to
describe external routing policy
• inet-rtr • Represents a router
• peering-set • Defines a set of peerings
• route-set • Defines a set of routes
• as-set • Defines a set of aut-num objects
• rtr-set • Defines a set of routers
• filter-set • Defines a set of routes that are
matched by its filter
www.apnic.net/db/ref/db-objects.html
![Page 20: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/20.jpg)
Using the Routing Registry
![Page 21: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/21.jpg)
IRRToolSet • Set of tools developed for using the Internet Routing
Registry (IRR)
• Work with Internet routing policies • These policies are stored in IRR in the Routing Policy
Specification Language (RPSL)
• The goal of the IRRToolSet is to make routing information more convenient and useful for network engineers • Tools for automated router configuration, • Routing policy analysis • On-going maintenance etc.
![Page 22: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/22.jpg)
IRRToolSet
• Now maintained by ISC: • http://irrtoolset.isc.org
• Download: ftp://ftp.isc.org/isc/IRRToolSet/ • Installation needs: lex, yacc and C++ compiler
![Page 23: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/23.jpg)
Use of RPSL - RtConfig
• RtConfig v4 • part of IRRToolSet
• Reads policy from IRR (aut-num, route & -set objects) and generates router configuration • vendor specific:
• Cisco, Bay's BCC, Juniper's Junos and Gated/RSd • Creates route-map and AS path filters • Can also create ingress / egress filters
• (documentation says Cisco only)
![Page 24: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/24.jpg)
Why use IRR and RtConfig?
• Benefits of RtConfig • Avoid filter errors (typos) • Expertise encoded in the tools that generate the policy rather than
engineer configuring peering session • Filters consistent with documented policy
• (need to get policy correct though)
![Page 25: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/25.jpg)
Using RPSL in practice
![Page 26: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/26.jpg)
Common Peering Policies
• AS45192 is your upstream provider • AS131107 is a private peer • Your AS is AS17821
Internet
AS131107
AS17821
AS45192
upstream
downstream
private peer
private peer
![Page 27: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/27.jpg)
How to write this in Aut-num aut-num: AS17821
…………………
remarks: AS45192 is your upstream provider
import: from AS45192 action pref=100; accept ANY
export: to AS45192 announce AS17821
remarks: AS131107 is a private peer
import: from AS131107 action pref=20; accept AS131107
export: to AS131107 announce AS17821
…………………
![Page 28: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/28.jpg)
Common Peering Policies
• AS45192 is your preferred upstream provider • AS131107 is your backup upstream provider • Your AS is AS17821
Internet
AS131107
AS17821
AS45192
upstream high
downstream
upstream low
downstream
![Page 29: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/29.jpg)
How to write this in Aut-num
aut-num: AS17821 ………………… remarks: AS45192 is your preferred upstream provider import: from AS45192 action pref=100; accept ANY export: to AS45192 announce AS17821 remarks: AS131107 is your backup upstream provider import: from AS131107 action pref=200; accept ANY export: to AS131107 action aspath.prepend (AS17821, AS17821);
announce AS17821 remarks: Optional extra import line to prefer direct remarks: connection to AS131107 from AS17821 import: from AS131107 action pref=20; accept AS131107 …………………
![Page 30: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/30.jpg)
Common Peering Policies
• AS45192 is your upstream provider • AS131107 is your upstream provider • Your AS is AS17821
Internet
AS131107
AS17821
AS45192
upstream
downstream
upstream
downstream
![Page 31: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/31.jpg)
How to write this in Aut-num
aut-num: AS17821
…………………
remarks: AS45192 is your upstream provider
import: from AS45192 action pref=100; accept ANY
export: to AS45192 announce AS17821
remarks: AS131107 is your upstream provider
import: from AS131107 action pref=100; accept ANY
export: to AS131107 announce AS131107
remarks: the pref is optional here
…………………
![Page 32: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/32.jpg)
Common Peering Policies
• AS45192 is your upstream provider • AS131107 gives you transit AND you give AS131107 transit as
well • Your AS is AS17821
Internet
AS131107
AS17821
AS45192
upstream
downstream
transit
transit
![Page 33: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/33.jpg)
How to write this in Aut-num
aut-num: AS17821
…………………
remarks: AS45192 is your upstream provider
import: from AS45192 action pref=100; accept ANY
export: to AS45192 announce AS17821
remarks: AS131107 is your transit provider
import: from AS131107 action pref=100; accept ANY
export: to AS131107 announce ANY
remarks: the pref is optional here
…………………
![Page 34: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/34.jpg)
Common Peering Policies
• Peering policies of an AS • Registered in an aut-num object
Internet
AS 1 AS 2 AS 3
ISP (Transit provider)
Customer
AS 4 AS 5
![Page 35: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/35.jpg)
Common Peering Policies • Policy for AS3 in the AS2 aut-num object
aut-num: AS2 as-name: SAMPLE-NET dsescr: Sample AS import: from AS1 accept ANY import: from AS3 accept <^AS3+$> export: to AS3 announce ANY export: to AS1 announce AS2 AS3 admin-c: CW89-AP tech-c: CW89-AP mtn-by: MAINT-SAMPLE-AP changed: [email protected]
![Page 36: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/36.jpg)
Filter List- Regular Expression
• Like Unix regular expressions . Match one character * Match any number of preceding expression + Match at least one of preceding expression ^ Beginning of line $ End of line \ Escape a regular expression character _ Beginning, end, white-space, brace | Or () Brackets to contain expression [] Brackets to contain number ranges
![Page 37: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/37.jpg)
ISP Customer – Transit Provider Policies • Policy for AS3 and AS4 in the AS2 aut-num object
aut-num: AS2 import: from AS1 accept ANY import: from AS3 accept <^AS3+$> import: from AS4 accept <^AS4+$> export: to AS3 announce ANY export: to AS4 announce ANY export: to AS1 announce AS2 AS3 AS4
![Page 38: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/38.jpg)
AS-set Object
• Describe the customers of AS2
as-set: AS2:AS-CUSTOMERS members: AS3 AS4 changed: [email protected] source: APNIC
![Page 39: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/39.jpg)
New Initiative
RIRs have been developing a new service for their members • APNIC has now launched Resource Certification for the AP region
• Improves the security of inter-domain routing and augmenting the information published in the APNIC Whois Database
39
![Page 40: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/40.jpg)
Terminology
Resource holders include: • Regional Internet Registries (RIRs) • Local Internet Registries (LIRs) • Internet Service Providers (ISPs) • End-user organizations
Internet resources are: • IPv4 and IPv6 address blocks • Autonomous System (AS) numbers
40
![Page 41: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/41.jpg)
Resource Certification Benefits
• Routing information corresponds to properly delegated address resources
• Resource Certification gives resource holders proof that they hold certain resources
• Resource holders can attest to those resources when distributing them
41
![Page 42: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/42.jpg)
Benefits (Cont.)
Resource users can 'sign' information with a digital signature, which essentially 'freezes' that information
• Any effort to alter that information results in the signature being invalidated
• Only resource holders with a properly delegated 'right of use' can generate a signature
42
![Page 43: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/43.jpg)
Benefits (cont.)
Routing advertisements are made with the explicit agreement of the current 'right of use' holder of the addresses being advertised.
43
![Page 44: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/44.jpg)
What is RPKI?
• Designed to secure the Internet's routing infrastructure
• Only the legitimate holder can advertise their prefix to the Internet
• Prevent those incidence of route hijacking (sometime by mistake)
![Page 45: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/45.jpg)
How It Works?
• Initially each RIR issued a self-signed trust anchors to the address they received from IANA
• Contains all resources from a single trust anchor managed by the RIR
• It was irrespective of their source
![Page 46: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/46.jpg)
How It Works?
http://www.ripe.net
RIPE Network Coordination Centre
Tim Bruijnzeels
RPKI Validation: Distributed Repositories
IANA
RIPE NCC
ARIN
BIG LIR
APNIC
Validation Tool
(rcynic/bbn)
validatedcache
AFRINIC
LACNIC
RPKI Validation: Distributed Repository
![Page 47: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/47.jpg)
How It Works?
RPKI Validation: RPKI-RTR protocol
http://www.ripe.net
RIPE Network Coordination Centre
Tim Bruijnzeels
validatedcache
RPKI RTR PROTOCOL
BGPDecisionProcess
RPKI Validation: RPKI-RTR protocol
router bgp 65000 bgp log-neighbor-changes bgp rpki server tcp 198.180.150.1 port 42420 refresh 60
How does it look in BGP table then?
![Page 48: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/48.jpg)
BGP Table
RPKI Validation: RPKI-RTR protocol RPKI Tools
From Soup toNuts
www.rpki.net
Introduction
Relying PartyOn The Router
IRR Hacks
rcynic
OpenSSL
Intermission
RPKIProductionrpkid
pubd
Back End
GUI
RelationshipManagement
Conclusion
Example: “Secure” Configuration
PlanDrop routes with status “invalid”Downpref routes with status “unknown”Default preference for status “valid”
Configurationroute-map validity-0
match rpki-invalid
drop
route-map validity-1
match rpki-not-found
set localpref 50
// Valid defaults to 100
RPKI ToolsFrom Soup to
Nuts
www.rpki.net
Introduction
Relying PartyOn The Router
IRR Hacks
rcynic
OpenSSL
Intermission
RPKIProductionrpkid
pubd
Back End
GUI
RelationshipManagement
Conclusion
Example: “Smaller Hammer” (After AS-Path)
PlanTweak “metric” rather than “localpref”Use metric 100 for status “valid,” 50 for status“unknown,” 25 for status “invalid”
Configurationroute-map validity-0
match rpki-unknown
set metric 50
route-map validity-1
match rpki-invalid
set metric 25
route-map validity-2
set metric 100
Use route-map to accept RPKI validated route
router1#sh bgp ipv4 unicast BGP table version is 45, local router ID is 203.176.189.15 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter, a additional-path Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path V0.0.0.0 0.0.0.0 0 i *> N67.21.36.0/24 199.238.113.10 0 3130 2914 293 3970 e *> V85.118.184.0/21 199.238.113.10 0 3130 2914 174 29485 29485 57785 i *> I98.128.0.0/24 199.238.113.10 0 0 3130 i *> V98.128.0.0/16 199.238.113.10 0 0 3130 i *> N98.128.1.0/24 199.238.113.10 0 0 3130 i *> N98.128.2.0/24 199.238.113.10 0 0 3130 i
![Page 49: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/49.jpg)
What Is The New Challenge?
• Inter RIR transfer process is implemented now
• It requires an efficient way to reflect the changes to an RIR’s resource holding
• Without revoking and reissuing the affected RIR trust anchor
• The split anchor model allows more granular updates, affecting only the certification path that covers the transferred resources
![Page 50: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/50.jpg)
New Split Anchor Model
• APNIC has published five new self-signed certificates
• One for those address space given by IANA for this region
• Four for other self-signed certificates for resource acquired from each other RIR
![Page 51: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/51.jpg)
What Changes For Operational Network? • Organizations that RPKI origin validation on their router
software need to make updates to their routing configuration
• If you already have the APNIC trust anchor you should refresh this with the complete new set of five
• Take note of any required configuration changes in your software
![Page 52: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/52.jpg)
Find More…..
• APNIC to Upgrade to Split Trust Anchor RPKI: http://www.apnic.net/publications/news/2012/apnic-to-upgrade-to-split-trust-anchor-rpki
• Resource Public Key Infrastructure (RPKI) FAQ: http://www.apnic.net/services/services-apnic-provides/helpdesk/faqs/rpki/
• Resource certification http://www.apnic.net/services/services-apnic-provides/resource-certification
![Page 53: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/53.jpg)
Current Stage of ResCert
• Origin validation code is engineering now, could deploy in next few years but requires production RPKI
• Path validation is still research
• Filter validation is still research
53
![Page 54: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/54.jpg)
MyAPNIC Home Page
![Page 55: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/55.jpg)
Resources Management
![Page 56: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/56.jpg)
Activate Certification
![Page 57: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/57.jpg)
Service Activated
![Page 58: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/58.jpg)
Create Route Origin Authorization
![Page 59: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/59.jpg)
Name ROA
![Page 60: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/60.jpg)
Add Resources
![Page 61: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/61.jpg)
Add Resources
![Page 62: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/62.jpg)
Add AS
![Page 63: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/63.jpg)
Advanced Management
![Page 64: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/64.jpg)
Route Origin Authorization (ROA)
![Page 65: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/65.jpg)
ROA Collection Management
![Page 66: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/66.jpg)
Add ROA Collection
![Page 67: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/67.jpg)
Add ROA Collection
![Page 68: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/68.jpg)
Add ROA Collection
![Page 69: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/69.jpg)
Add/Remove Resources
![Page 70: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/70.jpg)
View & Update Collections
![Page 71: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/71.jpg)
Download Certificate
![Page 72: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/72.jpg)
Download Certificate
![Page 73: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/73.jpg)
Questions?
![Page 74: Internet Routing Registry (IRR) · 2017-02-06 · RPKI Production rpkid pubd Back End GUI Relationship Management Conclusion Example: “Secure” Configuration Plan Drop routes](https://reader036.vdocuments.us/reader036/viewer/2022070916/5fb645ba89122e35d009cefa/html5/thumbnails/74.jpg)
Thank you! J