Introduction to RPKI by Sheryl (Shane) Hermoso
![Page 1: Introduction to RPKI by Sheryl (Shane) Hermoso](https://reader035.vdocuments.us/reader035/viewer/2022081413/546256faaf79597c138b49b5/html5/thumbnails/1.jpg)
Resource Public Key Infrastructure (RPKI)
MyNOG 4 Conference 2014
Issue Date: 2014/08
Revision: 2
Overview
• Routing “incidents”
• RPKI Technical Details
• RPKI and BGPsec
• Components and Implementation
• Deployment Status in the RIRs
• APNIC Resource Certification
Misdirection / Hijacking Incidents
• YouTube Incident
  – Occurred 24 Feb 2008 (for about 2 hours)
  – Pakistan Telecom announced YT block
• Google (AS15169) services downed
  – Occurred 5 Nov 2012 (for 30 minutes)
  – Moratel Indonesia (AS23947)
How frequently do these hijacking incidents happen?
How we address this…
• A network should only originate its own prefixes
  – How do we verify this?
  – How do we avoid false advertisements?
• A provider should filter the prefixes it propagates from customers
  – Check the legitimacy of address (LoA)
  – Transitive trust: BGP is a trust-based system
WHOIS DB – Legitimacy of Address
What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association between resource holders and their Internet resources
• Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols”
• Helps to secure Internet routing by validating routes
  – Proof that prefix announcements come from the legitimate holder of the resource
RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012)
Benefits of RPKI - Routing
• Prevents route hijacking
  – A prefix originated by an AS without authorization
  – Reason: malicious intent
• Prevents mis-origination
  – A prefix that is mistakenly originated by an AS which does not own it
  – Also route leakage
  – Reason: configuration mistake / fat finger
BGP Security (BGPsec)
• Extension to BGP that provides improved security for BGP routing
• Currently an IETF Internet draft
• Implemented via a new optional non-transitive BGP path attribute that contains a digital signature
• Two things:
  – BGP Prefix Origin Validation (using RPKI)
  – BGP Path Validation
• Similar efforts in the early days – IDR working group, S-BGP
“Right” to Resources
• ISP gets their resources from the RIR
• ISP notifies its upstream of the prefixes to be announced
• Upstream must check the WHOIS database to confirm that the resource has been delegated to the customer ISP
We need to be able to authoritatively prove who owns an IP Prefix and what AS(s) may announce it.
RPKI Infrastructure
• A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents
• Main Components:
  – Certificate Authority (CA)
  – Relying Party (RP)
  – Routers with RPKI support
Issuing Party
• Internet Registries (RIR, NIR, Large LIRs)
• Acts as a Certificate Authority and issues certificates for customers
• Provides a web interface to issue ROAs for customer prefixes
• Publishes the ROA records
Diagram: MyAPNIC GUI → APNIC RPKI Engine → publication → Repository (rpki.apnic.net)
Route Origin Authorization (ROA)
• A digital object that contains a list of address prefixes and one AS number
• It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements
• Publish an ROA using MyAPNIC
X.509 Certificate with 3779 Extension
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate
• SIA – Subject Information Access; contains a URI that references the directory
Diagram: X.509 Certificate containing the RFC 3779 Extension, the SIA and the Owner's Public Key
Relying Party (RP)
• Software which gathers data from CAs
• Also called RP cache or validator
Diagram: repositories (IANA Repo, APNIC Repo, RIPE Repo, LIR Repos) → RP Cache (gather) → Validated Cache → RPKI-Rtr Protocol to the router; example validator: rpki.ripe.net
RPKI Components
Diagram: three trust anchors / publication points (APNIC RPKI Engine with MyAPNIC GUI, publishing at rpki.apnic.net; ca0.rpki.net; rpki.ripe.net) feeding an RP cache, which serves routers over the RPKI-Rtr Protocol
Router Origin Validation
• Router must support RPKI
• Checks an RP cache / validator
• Validation returns 3 states:
  – Valid = an authorization (ROA) is found covering prefix X and it authorizes ASN Y
  – Invalid = an authorization is found covering prefix X, but not for ASN Y
  – Unknown = no authorization data is found for prefix X
• Vendor support:
  – Cisco IOS – solid in 15.2
  – Cisco IOS/XR – shipped in 4.3.2
  – Juniper – shipped in 12.2
  – Alcatel Lucent – in development
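Added example, not from the slides: the three validation states above, implemented as RFC 6811 origin validation over Validated ROA Payloads (the prefix / maxLength / ASN triples an RP cache feeds to the router). The VRPs, AS 64496, the AS 0 entry and the /24 route lengths are assumptions, chosen so the results line up with the V/I/N flags on the BGP-table slide later in the deck.

```python
# Added example, not from the slides: RFC 6811 route origin validation
# over Validated ROA Payloads (VRPs), the (prefix, maxLength, ASN) triples an
# RP cache sends to routers over RPKI-Rtr.  The slides call NotFound "Unknown".
from ipaddress import ip_network

# Constructed VRPs (assumption).  AS 64496 is a documentation ASN.
SAMPLE_VRPS = [
    ("198.180.150.0/24", 24, 64496),  # ROA for another AS -> AS3927 origin is Invalid
    ("198.180.152.0/23", 24, 4128),   # AS4128 may announce the /23 and any /24 in it
    ("192.0.2.0/24", 24, 0),          # AS 0 ROA: no AS may originate this prefix
]

def validate_origin(prefix, origin_as, vrps):
    """Return 'valid', 'invalid' or 'notfound' for a (prefix, origin AS) pair.

    A VRP covers the route when the route prefix equals or lies inside the
    VRP prefix.  No covering VRP -> notfound.  A covering VRP whose ASN equals
    the origin AS and whose maxLength >= the route length -> valid.  Covered
    but no such match -> invalid (this is also how an AS 0 ROA rejects all).
    """
    route = ip_network(prefix, strict=False)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ip_network(vrp_prefix, strict=False)
        # subnet_of() only accepts networks of the same address family
        if route.version != vrp.version or not route.subnet_of(vrp):
            continue
        covered = True
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

# Letters as a Cisco router flags them: V valid, I invalid, N not found.
CODES = {"valid": "V", "invalid": "I", "notfound": "N"}

def validate_routes(routes, vrps):
    """Map each (prefix, origin AS) route to its one-letter validation code."""
    return {(p, a): CODES[validate_origin(p, a, vrps)] for p, a in routes}

if __name__ == "__main__":
    # Origin ASNs from the BGP-table slide; /24 lengths are an assumption.
    routes = [("198.180.150.0/24", 3927), ("198.180.152.0/24", 4128),
              ("198.180.155.0/24", 22773), ("198.180.160.0/24", 5752)]
    for (p, a), code in validate_routes(routes, SAMPLE_VRPS).items():
        print(f"{code} {p:<18} origin AS{a}")
```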
RIR Statistics
Ref: http://rpki.surfnet.nl/perrir.html
Based on RIS Database dumps from RIPE-NCC
RPKI Monitor
Ref: NIST RPKI Monitor
APNIC RPKI Service
• Enhancement to the RIRs
  – Offers verifiable proof of resource holdings
• Resource certification is an opt-in service
  – Resource holders choose to request a certificate and provide their public key to be certified
• APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use
What you need to know
• You are encouraged to experiment, test, play and develop
• RPKI standards are still being developed, and the operating environment for RPKI use is still fragile
• It’s ready for testing and prototyping, but is probably not ready for production use just yet
• Please tell us what you find but don’t rely on it in your network yet
What You Can Do Now?
• Create ROA records in MyAPNIC
• Build an RP cache
• Configure your router to use the cache (or a public one)
• Create BGP policies
Best to do it in a test environment for now! :)
Build an RP Cache
• Download and install from rpki.net
  – Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages
The RP cache has a web interface
Configure Router to Use Cache
router bgp 651nn
…
bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
…
RPKI Lab – Randy Bush
BGP Table: r0.sea#sh ip bgp
(RPKI validation codes as printed by Cisco IOS: V = valid, I = invalid, N = not found)
      Network            Next Hop        Metric LocPrf Weight Path
* i I 198.180.150.0      144.232.9.61              100      0 1239 3927 i
*>  I                    199.238.113.9                      0 2914 3927 i
*   I                    129.250.11.41                      0 2914 3927 i
*>  V 198.180.152.0      199.238.113.9                      0 2914 4128 i
*   V                    129.250.11.41                      0 2914 4128 i
*>  N 198.180.155.0      199.238.113.9                      0 2914 22773 i
*   N                    129.250.11.41                      0 2914 22773 i
*>  N 198.180.160.0      199.238.113.9                      0 2914 23308 13408 5752 i
*   N                    129.250.11.41                      0 2914 23308 13408 5752 i
RPKI Lab – Randy Bush
More References
• Securing BGP – The Internet Protocol Journal, Volume 14, No. 2
• An Infrastructure to Support Secure Internet Routing – RFC6480
• A Reappraisal of Validation in the RPKI – Labs.apnic.net/blabs
• An Introduction to Routing Security (and RPKI Tools)
• MyAPNIC Resource Certification Guide
Questions
You’re Invited!
• APNIC 38: Brisbane, Australia, 9-19 Sep 2014
• APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015
THANK YOU
www.facebook.com/APNIC
www.twitter.com/apnic
www.youtube.com/apnicmultimedia
www.flickr.com/apnic
www.weibo.com/APNICrir