Practical RPKI Deployment at FPT TELECOM

Post on 19-Feb-2021


TRANSCRIPT

  • Practical RPKI Deployment at FPT TELECOM

  • Agenda

    o BGP insecurity

    o Overview of RPKI and its benefits

    o RPKI deployment experience on FTEL

    o Q & A

  • BGP insecurity

  • BGP & Internet

    o The Border Gateway Protocol (BGP) is the protocol used throughout the global Internet to exchange routing information between networks

    BGP ~ "Two Napkin Protocol"

  • BGP & Internet (figure slide)

  • BGP Incidents

    Number of BGP hijack and BGP leak events occurring each month in 2019. Source: https://bgpstream.com/

  • BGP Incidents (figure slide)

  • Routing Registry

    o Internet Routing Registry (IRR)

    o RADB

    o APNIC

    o ....

  • Routing Registry

    • No verification of holdership over resources

    • The RPSL language and supporting tools are too complex to consistently transpose policy into router configuration language

    • Obsolete or incorrect data affect operator incentives to use the IRR

  • Overview of RPKI and its benefits

  • RPKI

    o RPKI is a standardized public key infrastructure (PKI) framework by the IETF that provides extensive tools to verify whether an Autonomous System (AS) is authorized to announce a specific prefix

  • Increasing trend in adoption of RPKI

  • Increasing trend in adoption of RPKI (figure slide)

  • Increasing trend in adoption of RPKI

    The fraction of announced IPv4 and IPv6 prefixes in BGP covered by RPKI ROAs. Source: https://www.nlnetlabs.nl

  • Benefits

    Signing your Route Origin Authorization (ROA)

    o Routing information corresponds to verified delegated resources, giving resource holders proof that they hold certain resources and have the right to use an IP address or ASN

    o Resource holders can demonstrate their holdership of their resources when distributing them to customers/users

    o Each operator or organization can develop RPKI routing filtering policy with accurate information

  • Benefits

    Deploying RPKI on your network

    o The routing policy enforcement using RPKI data on network devices is complete both in design and in practice

    • Cloudflare RPKI Validator (OctoRPKI & GoRTR): https://github.com/cloudflare/cfrpki, https://github.com/cloudflare/gortr

    • Dragon Research Labs RPKI Toolkit: https://github.com/dragonresearch/rpki.net

    • NIC Mexico and LACNIC FORT validator: https://fortproject.net/validator

    • NLnet Labs Routinator 3000: https://github.com/NLnetLabs/routinator

    • RIPE NCC RPKI Validator version 3 & version 2: https://github.com/RIPE-NCC/rpki-validator-3

    • rpki-client by OpenBSD: https://medium.com/@jobsnijders/a-proposal-for-a-new-rpki-validator-openbsd-rpki-client-1-15b74e7a3f65

    RPKI to Router Protocol (RFC 6810): https://tools.ietf.org/html/rfc6810

  • RPKI deployment experience on FTEL

  • RPKI deployment experience on FTEL

    RPKI deployment timeline: 1/8/2019, 10/2019, 11/2019, 4/2020

    1/8/2019: Coordinate with VNNIC to create full ROA records for the allocated FTEL network address ranges

  • RPKI deployment experience on FTEL

    o Pre-deployment

      • Select and test some of the relying-party software (Routinator, RPKI Validator 2 & 3, OctoRPKI & GoRTR)

      • Consult with vendors to clarify device support and stability levels when enabling RPKI on the device for BGP Route Origin Validation

      • A certain proportion of valid ROAs are inconsistent with the BGP routes that have been announced and used for a long time

    Source: https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids

  • RPKI deployment experience on FTEL

    o Pre-deployment

      • Can establish a local view of exceptions to RPKI data in some specific situations

  • RPKI deployment experience on FTEL

    RPKI deployment timeline: 1/8/2019, 10/2019, 11/2019, 4/2020

    Establish internal RPKI Validator clusters and make RPKI-based filter policies based on RPKI data

    (Architecture diagram) Global RPKI repositories of the RIRs (APNIC, ARIN, RIPE, AFRINIC, LACNIC) holding the ROAs -> fetched via Rsync/RRDP by RPKI VALIDATOR Node 1 and RPKI VALIDATOR Node 2 -> delivered over the RPKI/RTR protocol to the Edge Router
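The link between the validator nodes and the edge router in the diagram above is the RPKI-to-Router protocol (RFC 6810). As an added example that is not part of the presentation or of FPT Telecom's deployment, this Python code decodes the IPv4 Prefix PDU a validator cache sends to a router, checks its fixed header, and turns it into a VRP; the encoder exists only to construct the sample input, and all prefix and AS values are made up.

```python
import struct
from dataclasses import dataclass

RTR_VERSION_0 = 0     # protocol version used by RFC 6810
PDU_IPV4_PREFIX = 4   # PDU type of the IPv4 Prefix PDU (RFC 6810, section 5.6)
IPV4_PDU_LEN = 20     # fixed length of that PDU in bytes


@dataclass
class Vrp:
    prefix: str        # "a.b.c.d/len"
    max_length: int    # longest prefix the ROA permits the AS to originate
    asn: int           # authorised origin AS
    announce: bool     # flags bit 0: 1 = add this VRP, 0 = withdraw it


def parse_ipv4_prefix_pdu(pdu: bytes) -> Vrp:
    """Decode one RFC 6810 IPv4 Prefix PDU as sent by a validator (cache) to a router."""
    if len(pdu) != IPV4_PDU_LEN:
        raise ValueError("IPv4 Prefix PDU must be exactly 20 bytes")
    # Header: version(1) type(1) zero(2) length(4), all in network byte order.
    version, pdu_type, _zero, length = struct.unpack("!BBHI", pdu[:8])
    if (version, pdu_type, length) != (RTR_VERSION_0, PDU_IPV4_PREFIX, IPV4_PDU_LEN):
        raise ValueError("not an RFC 6810 IPv4 Prefix PDU")
    # Body: flags(1) prefix length(1) max length(1) zero(1) prefix(4) ASN(4).
    flags, plen, maxlen, _zero2 = struct.unpack("!BBBB", pdu[8:12])
    if not 0 <= plen <= maxlen <= 32:
        raise ValueError("prefix length / max length out of range")
    prefix = ".".join(str(b) for b in pdu[12:16])
    (asn,) = struct.unpack("!I", pdu[16:20])
    return Vrp(f"{prefix}/{plen}", maxlen, asn, bool(flags & 1))


def build_ipv4_prefix_pdu(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """Encode a VRP as an IPv4 Prefix PDU (used here only to construct test input)."""
    addr, plen = prefix.split("/")
    octets = bytes(int(o) for o in addr.split("."))
    header = struct.pack("!BBHI", RTR_VERSION_0, PDU_IPV4_PREFIX, 0, IPV4_PDU_LEN)
    body = struct.pack("!BBBB", 1 if announce else 0, int(plen), max_length, 0)
    return header + body + octets + struct.pack("!I", asn)


# Constructed sample: a cache announcing that AS 64500 may originate 192.0.2.0/24 (maxLength 24).
SAMPLE_PDU = build_ipv4_prefix_pdu("192.0.2.0/24", 24, 64500)
```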

  • RPKI deployment experience on FTEL

    RPKI deployment timeline: 1/8/2019, 10/2019, 11/2019, 4/2020

    Completion of policy enforcement with FTEL's international upstream peers

    Completely set up routing filter according to RPKI between FTEL and domestic peers VNPT, Viettel, VNNIX, CMC, etc.

    /* Junos policy terms: routes are matched on the RPKI validation state learned over RTR */
    term Invalid-Route {
        from {
            protocol bgp;
            validation-database invalid;
        }
        then {
            validation-state invalid;
            reject;
        }
    }
    term Valid-Route {
        from {
            protocol bgp;
            validation-database valid;
        }
        then {
            metric 0;
            validation-state valid;
            next policy;
        }
    }
    /* Anything left over has no covering ROA and is marked unknown, not rejected */
    term Unknown-Route {
        from protocol bgp;
        then {
            metric 0;
            validation-state unknown;
            next policy;
        }
    }
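The three states matched by the policy terms above (valid, invalid, unknown) come from the origin validation procedure of RFC 6811, which is the check described on the RPKI overview slide: whether the origin AS is authorized to announce a prefix. The following Python is an added example, not code from the presentation or from FPT Telecom; it runs that procedure over a constructed VRP set, goes beyond the single ROA case by handling several covering ROAs and an AS 0 ROA, and maps each state to the action the policy terms take.

```python
import ipaddress

# Constructed Validated ROA Payloads (prefix, maxLength, origin AS) such as a
# validator would deliver to the edge router; all values are made up.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("198.51.100.0/22", 22, 64502),   # second ROA for the same prefix, different AS
    ("203.0.113.0/24", 24, 0),        # AS 0 ROA: nobody may originate this prefix
    ("2001:db8::/32", 48, 64500),
]


def rfc6811_state(prefix: str, origin_as: int, vrps=VRPS) -> str:
    """Classify a BGP route's origin as 'valid', 'invalid' or 'unknown' (RFC 6811, section 2)."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when it is the same address family and the
        # route lies inside (or equals) the VRP prefix.
        if vrp.version == route.version and route.subnet_of(vrp):
            covering.append((max_len, asn))
    if not covering:
        return "unknown"      # no ROA says anything about this prefix
    for max_len, asn in covering:
        # One matching VRP is enough: same non-zero origin AS and the route is
        # not more specific than the ROA's maxLength.
        if asn != 0 and asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid"          # covered, but wrong origin AS or too-specific announcement


def policy_action(state: str) -> str:
    """Action the FTEL policy terms take per state: only invalid routes are rejected."""
    return "reject" if state == "invalid" else "accept"
```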

  • RPKI deployment experience on FTEL

    (Chart) FTEL's international and domestic outbound traffic ratio by RPKI route status

    Default routes are kept for some important services to upstreams that have RPKI enabled during deployment

  • RPKI deployment experience on FTEL

    RPKI deployment timeline: 1/8/2019, 10/2019, 11/2019, 4/2020, 11/2020

    Dropping all RPKI-invalid routes received from FTEL BGP customers

  • Conclusion

    We encourage every partner peering with FTEL to create your Route Origin Authorization (ROA) objects as the first step towards securing your routes from misuse and hijacks

    o RPKI is a mechanism to prevent BGP hijacking; it does not address all Internet routing security issues

    o It is an approach that can keep BGP hijack events from happening regularly, owing to the improvement of the solution and its high applicability

    o The first action of creating your own ROA records is also a way to protect you and others connecting to you

    o The implementation of route filtering according to RPKI data is not the same for each network due to size and design. However, early reinforcement with security mechanisms including RPKI is a necessary requirement and responsibility of major carriers in each country and region.

  • Q & A