TRANSCRIPT
Page 1: The RPKI & Origin Validation
RIPE / Praha 2010.05.03
Randy Bush <[email protected]> Rob Austein <[email protected]>
Steve Bellovin <[email protected]> And a cast of thousands! Well, dozens :)
2010.05.03 RIPE RPKI 1
Page 2: Routing is Very Fragile
• How long can we survive on The Web as Random Acts of Kindness, TED Talk by Jonathan Zittrain?
Page 3: Routing Mistakes
• Routing errors are significant and have very high customer impact
• We need to fix this before we are crucified in the WSJ a la Toyota
• 99% of mis-announcements are accidental originations of someone else’s prefix -- Google, UU, IIJ, ...
Page 4: Why Origin Validation?
• Prevent YouTube accident
• Prevent 7007 accident, UU/Sprint 2 days!
• Prevents most accidental announcements
• Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack
• That requires “Path Validation” and locking the data plane to the control plane, the next steps, by my children
Page 5: This is Not New
• 1986 – Bellovin identifies vulnerability
• 2000 – S-BGP – X.509 PKI to support Secure BGP - Kent, Lynn, et al.
• 2003 – NANOG S-BGP Workshop
• 2006 – ARIN & APNIC start work on RPKI. RIPE starts in 2008.
• 2009 – RPKI Open Testbed and running code in test routers
• 2009 – ISOC discovers problem
Page 6: The Goal
• Keep the Internet working!!!
• Seriously reduce routing damage from mis-configuration, mis-origination
Non-Goals
• Prevent Malicious Attacks
• Keep RIRs in business by selling X.509 Certificates
Page 7: Resource Public Key Infrastructure (RPKI)
Page 8: X.509 Certificate w/ 3779 Ext
Diagram: an X.509 CA certificate carrying the Owner’s Public Key, an RFC 3779 Extension that Describes IP Resources (Addr & ASN), and an SIA – URI for where this CA Publishes.
Page 9: Being Developed & Deployed by RIRs and Operators
Page 10: Certificate Hierarchy follows Allocation Hierarchy
Diagram: Cert/ARIN (CA) issues a CA cert for 98.128.0.0/16, which is sub-allocated to CA certs for 98.128.0.0/20, 98.128.16.0/20 and 98.128.32.0/19; 98.128.16.0/20 is further split into 98.128.16.0/24 and 98.128.17.0/24. The certs in the picture are labelled Cert/PSGnet, Cert/RGnet, Cert/ISC, Cert/Rob and Cert/Randy; each carries its holder’s Public Key and an SIA pointing at its publication point.
Page 11: That’s Who Owns It but Who May Route It?
Page 12: Route Origin Authorization (ROA)
Diagram: the Owning Cert (CA) for 98.128.0.0/16, with its Public Key, issues an End Entity Cert for the same prefix. The EE cert can not sign certs; it can sign other things, e.g. ROAs. The ROA reads “98.128.0.0/16 AS 42” and is signed with the EE cert’s key. This is not a Cert; it is a signed blob. (The diagram also lists 98.128.0.0/16 and 147.28.0.0/16 together under one Public Key.)
Page 13: Too Many EE Certs and ROAs, Yucchhy!
Diagram: IANA (CA, 0/0) → ARIN (CA, 98.0.0.0/8, AS 0-4000) → PSGnet (CA, 98.128.0.0/16, AS 3130), a /16 Experimental Allocation from ARIN. PSGnet Announces 256 /24s, so without aggregation it needs one EE Cert (each with its own Public Key) and one ROA per /24: 98.128.0.0/24 AS 3130, 98.128.1.0/24 AS 3130, 98.128.2.0/24 AS 3130, 98.128.3.0/24 AS 3130, 98.128.4.0/24 AS 3130, ...
Page 14: ROA Aggregation Using Max Length
Diagram: the same chain IANA (CA, 0/0) → ARIN (CA, 98.0.0.0/8) → PSGnet (CA, 98.128.0.0/16), but now a single EE Cert for 98.128.0.0/16 signs a single ROA “98.128.0.0/16-24 AS 3130”, whose max length of 24 covers every /24 PSGnet announces.
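The invariant behind Pages 8 through 14 is that every certificate's RFC 3779 resources must lie within its issuer's, and that a ROA may only name prefixes held by the EE certificate that signs it. The following is an added example (it is not from the slides nor from the rpki.net code) that models only that resource arithmetic; signatures and X.509 parsing are left out. The hierarchy is constructed from the numbers on Pages 13-14 (IANA 0/0, ARIN 98.0.0.0/8 AS 0-4000, PSGnet 98.128.0.0/16 AS 3130), and the rogue cert and bad ROAs at the bottom are invented to exercise the checks.

```python
# Added example: RFC 3779 resource containment along an RPKI chain (toy model).
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    name: str
    issuer: "Cert | None"                           # None marks the trust anchor
    prefixes: list                                  # RFC 3779 IP blocks, as ip_network objects
    as_ranges: list = field(default_factory=list)   # RFC 3779 AS ranges, (lo, hi) inclusive
    is_ca: bool = True                              # EE certs (is_ca=False) sign ROAs, never certs


def net(text):
    return ipaddress.ip_network(text, strict=True)  # strict: host bits must be zero


def prefix_held(prefix, holder):
    """True if `prefix` is inside one of the holder's blocks of the same address family."""
    return any(prefix.version == p.version and prefix.subnet_of(p) for p in holder.prefixes)


def asn_range_held(lo, hi, holder):
    return any(a <= lo and hi <= b for a, b in holder.as_ranges)


def check_cert(cert):
    """Walk up to the trust anchor; return the violations found (empty list = chain is consistent)."""
    problems = []
    c = cert
    while c.issuer is not None:
        parent = c.issuer
        if not parent.is_ca:
            problems.append(f"{c.name}: issuer {parent.name} is an EE cert and cannot issue certs")
        for p in c.prefixes:
            if not prefix_held(p, parent):
                problems.append(f"{c.name}: {p} is not within {parent.name}'s resources")
        for lo, hi in c.as_ranges:
            if not asn_range_held(lo, hi, parent):
                problems.append(f"{c.name}: AS {lo}-{hi} is not within {parent.name}'s resources")
        c = parent
    return problems


@dataclass
class Roa:
    ee: Cert          # the End Entity cert whose key signs this blob
    asn: int          # the AS the holder authorises to originate
    prefixes: list    # (ip_network, max_length) pairs


def check_roa(roa):
    """A ROA is only as good as its EE cert's chain, and may only cover prefixes that cert holds.
    The AS number is not a resource of the EE cert: it is whoever the holder chooses to authorise."""
    problems = check_cert(roa.ee)
    if roa.ee.is_ca:
        problems.append(f"ROA for AS {roa.asn}: signer {roa.ee.name} is a CA cert, not an EE cert")
    for p, max_len in roa.prefixes:
        if not prefix_held(p, roa.ee):
            problems.append(f"ROA for AS {roa.asn}: {p} is not held by {roa.ee.name}")
        if not p.prefixlen <= max_len <= p.max_prefixlen:
            problems.append(f"ROA for AS {roa.asn}: max length {max_len} is out of range for {p}")
    return problems


# Constructed hierarchy following Pages 13-14.
IANA = Cert("IANA", None, [net("0.0.0.0/0"), net("::/0")], [(0, 4294967295)])
ARIN = Cert("ARIN", IANA, [net("98.0.0.0/8")], [(0, 4000)])
PSGNET = Cert("PSGnet", ARIN, [net("98.128.0.0/16")], [(3130, 3130)])
PSG_EE = Cert("PSGnet-EE", PSGNET, [net("98.128.0.0/16")], is_ca=False)
# The aggregated ROA of Page 14: one object with max length 24 instead of 256 of them.
GOOD_ROA = Roa(PSG_EE, 3130, [(net("98.128.0.0/16"), 24)])

# Deliberately bad objects (invented for the demo).
ROGUE_CERT = Cert("rogue", ARIN, [net("99.0.0.0/8")], [(3130, 5000)])   # space ARIN never held
BAD_ROA = Roa(PSG_EE, 3130, [(net("147.28.0.0/16"), 16)])               # prefix not in the EE cert
CA_SIGNED_ROA = Roa(PSGNET, 3130, [(net("98.128.0.0/16"), 24)])         # signed by a CA cert
```

A relying party (rcynic on Page 21) performs exactly this containment check at every step of the chain before it trusts a ROA, which is why a CA can only ever attest to space it was itself given.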
Page 15: Allocation in Reality
Diagram: an allocation carved into My Infrastructure, Unused, Static (non BGP) Cust and BGP Cust.
Page 16: ROA Use
Diagram: over the same allocation (My Infrastructure, Unused, Static (non BGP) Cust, BGP Cust), My Aggregate ROA spans the block, and Customer ROAs cover the BGP Cust space, some of which I Generate for the ‘Lazy’ Customer.
Page 17: Running Code and the Three RPKI Protocols
Page 18: Prototype of Basic Back End
Diagram of the LIR Back End: the RPKI Engine (Resource PKI: IP Resource Certs, ASN Resource Certs, Route Origin Attestations) holds Internal CA Data, Issued ROAs, Certs Issued to DownStreams, Public RPKI Keys, Up/Down EE Public Keys and My Misc Config Options, and talks to a [Hardware] Signing Module that keeps the IR’s Private RPKI Keys. Business Key/Cert Management (Private IR Biz Trust Anchor, Biz EE Signing Key, Keys for Talking to the IR BackEnd) and an XML Object Transport & Handler sit beside it, with Repo Mgt in front of the repository. The IR back end knows My Resources, My RightsToRoute and Delegations to Custs (ID=Me). Protocols: the Up / Down Protocol upward to the parent and downward to children, the Publication Protocol to the repository, and an Internal Protocol between the IR back end and the RPKI Engine.
Page 19: Big, Centralized, & Scary – We Don’t Do This
Diagram: a single RPKI DataBase holding all IP Resource Certs, ASN Resource Certs and Route Origin Attestations.
Page 20: Distributed RPKI DataBase
A Player (CA) Publishes All Certificates Which They Generate in Their Own Unique Publication Point.
Diagram (Running Code: Repository): IANA → ARIN and APNIC → UUNET, PSGnet and IIJ → UUcust; each CA cert’s SIA names the publication point where that CA publishes what it issues.
Page 21: RCynic Cache Gatherer (cynical rsync)
Diagram: the RCynic Gatherer starts from the Trust Anchor and follows SIAs down the tree (IANA → ARIN, APNIC → UUNET, PSGnet, IIJ → UUcust), fetching each publication point and building a Validated Cache.
Page 22: Reliability Issue – Expensive To Fetch & Unreliable
Diagram: the same tree of publication points (IANA, ARIN, APNIC, UUNET, PSGnet, IIJ, UUcust), every one of which the RCynic Gatherer must fetch separately via its SIA to build the Validated Cache.
Page 23: Reliability Via Hosted Publication
Reducing the Number of Publication Points Makes RCynic More Efficient.
Diagram: one Repository with Multiple Publication Points hosts several players (e.g. UUcust) together, alongside IANA, ARIN, APNIC, UUNET, PSGnet and IIJ.
Page 24: A Usage Scenario
Diagram: 98% of an RIR’s Users hold 10% of an RIR’s IP Space; they use a User Web GUI (Front End GUI & Management, drawn as a Mac) in front of a hosted RPKI Engine, which could even be Contracted Out To Google. The other 2% of an RIR’s Users hold 90% of an RIR’s IP Space and run their own engine, speaking the Up / Down Protocol to the RIR. The engine keeps Resources [OrgID], My RightsToRoute, Delegations to Custs, Issued ROAs, Public RPKI Keys, Up/Down EE Public Keys, Certs Issued to DownStreams, Keys for Talking to the IR BackEnd, Internal CA Data and My Misc Config Options (ID=Me); it uses the Publication Protocol to its Publication Point and the Internal Protocol to the IR’s Database(s).
Page 25: Origin Validation
• Cisco IOS and IOS-XR test code have Origin Validation now
• Work continues daily in test routers
• Compute load much less than ACLs from IRR data, 10µsec per update!
• Expect other vendor soon
Page 26: RPKI -> Router – The Third Protocol (origin validation only)
Diagram: Global RPKI → RCynic Gatherer → Cache / Server (Near/In PoP) → RPKI to Rtr Protocol → BGP Decision Process. Object Security is provided by RCynic, which validates the signed objects; Transport Security between cache and router is ssh.
Page 27: Typical Exchange

```
Cache                                       Router
  ~                                            ~
  | <-------  Reset Query  ------------------ | R requests data
  |                                           |
  | -------  Cache Response  ---------------> | C confirms request
  | ---------  IPvX Prefix  ----------------> | C sends zero or more
  | ---------  IPvX Prefix  ----------------> | IPv4 and IPv6 Prefix
  | ---------  IPvX Prefix  ----------------> | Payload PDUs
  | ---------  End of Data  ----------------> | C sends End of Data
  |                                           | and sends new serial
  ~                                            ~
  | -----------  Notify  -------------------> | (optional)
  |                                           |
  | <-------  Serial Query  ----------------- | R requests data
  |                                           |
  | -------  Cache Response  ---------------> | C confirms request
  | ---------  IPvX Prefix  ----------------> | C sends zero or more
  | ---------  IPvX Prefix  ----------------> | IPv4 and IPv6 Prefix
  | ---------  IPvX Prefix  ----------------> | Payload PDUs
  | ---------  End of Data  ----------------> | C sends End of Data
  |                                           | and sends new serial
  ~                                            ~
```
Page 28: IPv4 Prefix

```
 0          8          16         24        31
.-------------------------------------------.
| Protocol |   PDU    |                     |
| Version  |   Type   |        Color        |
|    0     |    4     |                     |
+-------------------------------------------+
|                                           |
|                 Length=20                 |
|                                           |
+-------------------------------------------+
|          |  Prefix  |   Max    |   Data   |
|  Flags   |  Length  |  Length  |  Source  |
|          |  0..32   |  0..32   | RPKI/IRR |
+-------------------------------------------+
|                                           |
|                IPv4 prefix                |
|                                           |
+-------------------------------------------+
|                                           |
|         Autonomous System Number          |
|                                           |
`-------------------------------------------'
```
Page 29: IPv6 Prefix

```
 0          8          16         24        31
.-------------------------------------------.
| Protocol |   PDU    |                     |
| Version  |   Type   |        Color        |
|    0     |    6     |                     |
+-------------------------------------------+
|                                           |
|                 Length=40                 |
|                                           |
+-------------------------------------------+
|          |  Prefix  |   Max    |   Data   |
|  Flags   |  Length  |  Length  |  Source  |
|          |  0..128  |  0..128  | RPKI/IRR |
+-------------------------------------------+
|                                           |
+---                                     ---+
|                                           |
+---             IPv6 prefix             ---+
|                                           |
+---                                     ---+
|                                           |
+-------------------------------------------+
|                                           |
|         Autonomous System Number          |
|                                           |
`-------------------------------------------'
```
Page 30: Extremely Large ISP Deployment
Diagram: Global RPKI feeds regional caches (Asia Cache, NoAm Cache, Euro Cache), which feed a layer of in-PoP Caches, which feed the routers. The diagram marks the Cust Facing routers and distinguishes High Priority from Lower Priority feeds.
Page 31: Configure

```
router bgp 4128
 bgp router-id 198.180.152.251
 bgp rpki cache 198.180.150.1 42420 refresh-time 600
 address-family ipv4 unicast
  bgp dampening collect-statistics ebgp
  redistribute static route-policy vb-ebgp-out
  ...
```
Page 32: Result of Check
• Valid – A matching/covering ROA was found with a matching AS number
• Invalid – A matching or covering ROA was found, but AS number did not match, and there was no valid one
• Not Found – No matching or covering ROA was found
Page 34: Policy Override Knobs
• Disable Validity Check Completely
• Disable Validity Check for a Peer
• Disable Validity Check for Prefixes
When check is disabled, the result is “Not Found,” i.e. as if there was no ROA
Page 36: Defaults
• Origin Validation is Enabled if you have configured a cache server peering
• RPKI Poll Interval is 30 Minutes
• No Effect on Policy unless you have configured it
Page 37: An ISP’s ROAs

```
# <prefix>/<length>-<maxlength> <asn> <group>
#
64.9.224.0/19-24     15169  ARIN
74.125.0.0/16-24     15169  ARIN-3
72.14.192.0/18-24    15169  ARIN-3
72.14.224.0/24-24    36384  ARIN-3
72.14.230.0/24-24    36384  ARIN3
64.233.160.0/19-24   15169  ARIN-3
64.9.224.0/19-24     36492  ARIN
66.102.0.0/20-24     15169  ARIN-3
66.249.64.0/19-24    15169  ARIN-3
66.249.80.0/20-24    15169  ARIN-3
72.14.192.0/18-24    15169  ARIN-3
74.125.0.0/16-24     15169  ARIN-3
173.194.0.0/16-24    15169  ARIN-3
209.85.128.0/17-24   15169  ARIN-3
216.239.32.0/19-24   15169  ARIN-3
2001:4860::/32-64    15169  ARIN-3
```
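Pages 12-14 explain what a ROA with a max length authorises, Page 32 defines the three outcomes of the check, and Page 37 shows the text form an operator works from. The following is an added example, not from the slides or any router vendor, that parses that text form and classifies a (prefix, origin AS) announcement with exactly the Page 32 semantics. The ROA table is constructed for the demo: it combines the Page 14 aggregate ROA with a few entries in the style of Page 37.

```python
# Added example: origin validation over ROAs in the "<prefix>/<len>-<maxlen> <asn> <group>" format.
import ipaddress
from collections import namedtuple

RoaEntry = namedtuple("RoaEntry", "network max_len asn group")


def parse_roas(text):
    """Parse the Page 37 format. Raises ValueError on host bits set or a max length out of range."""
    roas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        prefix_field, asn, *rest = line.split()
        prefix, max_len = prefix_field.rsplit("-", 1)
        network = ipaddress.ip_network(prefix, strict=True)
        max_len = int(max_len)
        if not network.prefixlen <= max_len <= network.max_prefixlen:
            raise ValueError(f"bad max length in {raw!r}")
        roas.append(RoaEntry(network, max_len, int(asn), rest[0] if rest else ""))
    return roas


def covers(roa, network):
    """A ROA covers a route when the route's prefix lies inside the ROA's prefix."""
    return roa.network.version == network.version and network.subnet_of(roa.network)


def validate(roas, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not_found' for one announcement (Page 32 semantics)."""
    network = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, network)]
    if not covering:
        return "not_found"                            # nobody has said anything about this space
    if any(r.asn == origin_asn and network.prefixlen <= r.max_len for r in covering):
        return "valid"                                # one matching ROA is enough
    return "invalid"                                  # covered, but wrong AS or too long a prefix


# Constructed sample table in the Page 37 format.
ROA_TABLE = """
# <prefix>/<length>-<maxlength> <asn> <group>
98.128.0.0/16-24     3130   PSGnet
64.9.224.0/19-24     15169  ARIN
64.9.224.0/19-24     36492  ARIN
2001:4860::/32-64    15169  ARIN-3
"""
ROAS = parse_roas(ROA_TABLE)


def classify_all(announcements, roas=ROAS):
    """announcements: iterable of (prefix, origin_asn) pairs; returns {(prefix, asn): state}."""
    return {(p, a): validate(roas, p, a) for p, a in announcements}
```

Note that a more specific announcement than the ROA's max length is invalid even when the origin AS matches; that is the case a maxLength that is too generous silently stops protecting against, since a hijacker who keeps the authorised origin AS on a more specific would then be valid.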
Page 38: Good Dog!

```
RP/0/1/CPU0:r0.dfw#show bgp 192.158.248.0/24
BGP routing table entry for 192.158.248.0/24
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker             132327      132327
Last Modified: Oct 2 01:06:47.630 for 13:33:12
Paths: (6 available, best #3)
  Advertised to peers (in unique update groups):
    204.69.200.26
  Path #1: Received by speaker 0
  2914 1299 6939 6939 27318
    157.238.224.149 from 157.238.224.149 (129.250.0.85)
      Origin IGP, metric 0, localpref 100, valid, external,
      origin validity state: valid
      Community: 2914:420 2914:2000 2914:3000 4128:380
  Path #2: Received by speaker 0
  ...
```
Page 39: Bad Dog!

```
RP/0/1/CPU0:r0.dfw#sh bgp 64.9.224.0
BGP routing table entry for 64.9.224.0/20
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  0           0
Last Modified: Oct 2 17:38:27.630 for 4d22h
Paths: (6 available, no best path)
  Not advertised to any peer
  Path #1: Received by speaker 0
  2914 3356 36492
    157.238.224.149 from 157.238.224.149 (129.250.0.85)
      Origin IGP, metric 2, localpref 100, valid, external,
      origin validity state: invalid
      Community: 2914:420 2914:2000 2914:3000 4128:380
```
Page 40: Strange Dog!

```
RP/0/1/CPU0:r0.dfw#sh bgp 147.28.0.0
BGP routing table entry for 147.28.0.0/16
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker             337691      337691
Last Modified: Oct 2 17:40:16.630 for 4d22h
Paths: (6 available, best #1)
  Advertised to peers (in unique update groups):
    204.69.200.26
  Path #1: Received by speaker 0
  2914 3130
    157.238.224.149 from 157.238.224.149 (129.250.0.85)
      Origin IGP, metric 68, localpref 100, valid, external,
      origin validity state: not found
      Community: 2914:410 2914:2000 2914:3000 4128:380
```
Page 41: iBGP Hides Validity State
Diagram: an iBGP Full Mesh in which the same prefix p arrives at three edge routers with origin validity valid, invalid and unknown respectively; a fourth router, seeing all three over iBGP, asks: which do i choose? why do i choose it?
Page 42: Unknown Beat Valid!

```
r1.iad#sh ip bg 198.180.152.0
BGP routing table entry for 198.180.152.0/24, version 324176
Paths: (2 available, best #1, table default)
  Not advertised to any peer
  2914 4128
    129.250.10.157 (metric 1) from 198.180.150.253 (198.180.150.253)
      Origin IGP, metric 51, localpref 100, valid, internal, best
      Community: 2914:410 2914:2000 2914:3000 3927:380
  1239 2914 4128
    144.232.18.81 from 144.232.18.81 (144.228.241.254)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 3927:380
      Sovc state valid
```
Page 43: MED Beat Valid

```
r1.iad#sh ip bg 147.28.0.0
BGP routing table entry for 147.28.0.0/16, version 142233
Paths: (2 available, best #1, table default)
  Not advertised to any peer
  2914 3130
    129.250.10.157 (metric 1) from 198.180.150.253 (198.180.150.253)
      Origin IGP, metric 105, localpref 100, valid, internal, best
      Community: 2914:410 2914:2000 2914:3000 3927:380
  1239 3130
    144.232.18.81 from 144.232.18.81 (144.228.241.254)
      Origin IGP, metric 653, localpref 100, valid, external
      Community: 3927:380
      Sovc state valid
```
Page 44: The Solution is to Allow Operator to Test and then Set Local Policy
Page 45: Secure

```
route-map validity-0
  match rpki-invalid
  drop
route-map validity-1
  match rpki-not-found
  set localpref 50
// valid defaults to 100
```
Page 46: Paranoid

```
route-map validity-0
  match rpki-valid
  set localpref 110
route-map validity-1
  drop
```
Page 47: After AS-Path

```
route-map validity-0
  match rpki-unknown
  set metric 50
route-map validity-1
  match rpki-invalid
  set metric 25
// valid defaults to 100
```
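Pages 41-43 show that origin validity is not an input to the BGP decision process, so a shorter AS path or a lower MED wins regardless of it, and Pages 45-47 show the policy knobs that change that. The following is an added example (not from the slides, not vendor code) of a minimal best-path selector with the three policies applied where a route enters the AS, which is what makes the resulting localpref or MED visible to every iBGP speaker. The two path sets are constructed from Pages 42 and 43; the validity of the iBGP-learned path at its own ingress router is an assumption for the demo ("not_found"), since the slides only show that r1.iad cannot see it. The MED policy here gives valid the lowest MED, because BGP prefers the lower MED; the numbers on Page 47 are not reproduced.

```python
# Added example: why validity only matters once local policy maps it into the decision process.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Path:
    as_path: tuple
    validity: str            # "valid", "invalid" or "not_found", as the ingress router computed it
    external: bool           # True = learned over eBGP, False = learned over iBGP
    med: int = 0
    localpref: int = 100
    igp_metric: int = 0


def apply_policy(path, policy):
    """Return the path as local policy leaves it, or None if the policy drops it."""
    if policy == "none":
        return path
    if policy == "secure":                          # Page 45
        if path.validity == "invalid":
            return None
        if path.validity == "not_found":
            return replace(path, localpref=50)
        return path                                 # valid keeps the default 100
    if policy == "paranoid":                        # Page 46: only valid survives
        return replace(path, localpref=110) if path.validity == "valid" else None
    if policy == "after_as_path":                   # Page 47: touch MED only
        # Lower MED wins, so valid gets the lowest value (assumed ordering for this demo).
        return replace(path, med={"valid": 0, "not_found": 50, "invalid": 100}[path.validity])
    raise ValueError(f"unknown policy {policy}")


def best_path(paths, policy="none"):
    """Decision order: highest localpref, shortest AS path, lowest MED, eBGP over iBGP,
    lowest IGP metric.  MED is compared across all neighbours (as bgp always-compare-med
    would do); the origin-code and router-id tie breakers are omitted."""
    candidates = [p for p in (apply_policy(p, policy) for p in paths) if p is not None]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (-p.localpref, len(p.as_path), p.med,
                                          0 if p.external else 1, p.igp_metric))


# Page 42, 198.180.152.0/24: the iBGP path is shorter, the eBGP path is the one known valid.
PAGE42 = (
    Path(as_path=(2914, 4128), validity="not_found", external=False, med=51, igp_metric=1),
    Path(as_path=(1239, 2914, 4128), validity="valid", external=True, med=0),
)
# Page 43, 147.28.0.0/16: equal AS-path length, the iBGP path carries the lower MED.
PAGE43 = (
    Path(as_path=(2914, 3130), validity="not_found", external=False, med=105, igp_metric=1),
    Path(as_path=(1239, 3130), validity="valid", external=True, med=653),
)


def winners(paths):
    """Winning AS path under each policy; None means the policy dropped everything."""
    out = {}
    for policy in ("none", "secure", "paranoid", "after_as_path"):
        best = best_path(paths, policy)
        out[policy] = best.as_path if best else None
    return out
```

The "after_as_path" result is the point of the Page 47 title: a MED-only policy never overrides AS-path length, so the not-found path on Page 42 still wins under it, whereas anything expressed as localpref is decided before the AS path is even looked at.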
Page 48: The Open TestBed
Diagram (Running Code: Repository): Trust Anchors *ARIN, *APNIC and JPNIC sit at the top “until we get IANA to act as the parent”; below them ISC, Google, RGnet, IIJ, Mesh, Cristel, BWC, chocolate and Level(3) take part. Two participants are annotated “runs own RPKI to keep private key private and control own fate, but publishes at IIJ” and, for Level(3), “... but publishes at ARIN”.
* APNIC and ARIN are simulations constructed from public data
Page 49: The Big Speedbump
Page 50: But Who Do We Trust?
http://news.cnet.com/2100-1001-254586.html
Page 51: RPKI Full Implementation Available as Open Source
https://subvert-rpki.hactrn.net/
and there is a mailing list
Page 52: Work Supported By
• US Government – THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL).
• ARIN
• Internet Initiative Japan
• Cisco, Google, NTT, Equinix
Page 53: Simple Parent and Simple Child
Diagram: two IR Back Ends, each with its own RPKI Engine reached over the Internal Protocol; each tracks My Resources and Childs’ Resources, and parent and child exchange certificates over the Up / Down Protocol, the same protocol the Registry Back Ends speak.
Page 54: IR Back End – Stub Provided to be Hacked
Diagram: the same back end as Page 18 ([Hardware] Signing Module holding the IR’s Private RPKI Keys; RPKI Engine for the Resource PKI of IP Resource Certs, ASN Resource Certs and Route Origin Attestations with Internal CA Data, Issued ROAs, Certs Issued to DownStreams, Public RPKI Keys, Up/Down EE Public Keys and My Misc Config Options; Business Key/Cert Management with the Private IR Biz Trust Anchor, Biz EE Signing Key(s) and Keys for Talking to the IR BackEnd; XML Object Transport & Handler; Repo Mgt; Up / Down, Publication and Internal Protocols), except that the IR Back End itself (My Resources, My RightsToRoute, ID=Me) is a Stub Provided to be Hacked, i.e. the part a registry replaces with its own code.
Page 55: IR Back End with Signing Engine (per customer)
Diagram: the hosted variant of Page 54. The Signing Engine and RPKI Engine serve many customers, so the IR Back End holds Resources [OrgID], RightsToRoute [OrgID] and Cust’s Preferences keyed by Cust ID instead of ID=Me; the Private and Public RPKI Keys, Issued ROAs, Internal CA Data, Certs Issued to DownStreams, Up/Down EE Public Keys, Business Key/Cert Management (Private IR Biz Trust Anchor, Biz EE Signing Key(s), Keys for Talking to the IR BackEnd), XML Object Transport & Handler, Repo Mgt and the Up / Down, Publication and Internal Protocols are as before, and the IR Back End is again a Stub Provided to be Hacked.
Page 56: Serial Query

```
 0          8          16         24        31
.-------------------------------------------.
| Protocol |   PDU    |                     |
| Version  |   Type   |   reserved = zero   |
|    0     |    1     |                     |
+-------------------------------------------+
|                                           |
|                 Length=12                 |
|                                           |
+-------------------------------------------+
|                                           |
|               Serial Number               |
|                                           |
`-------------------------------------------'
```
Page 57: End of Data

```
 0          8          16         24        31
.-------------------------------------------.
| Protocol |   PDU    |                     |
| Version  |   Type   |   reserved = zero   |
|    0     |    7     |                     |
+-------------------------------------------+
|                                           |
|                 Length=12                 |
|                                           |
+-------------------------------------------+
|                                           |
|               Serial Number               |
|                                           |
`-------------------------------------------'
```
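Page 27 describes the cache-to-router exchange and Pages 28, 29, 56 and 57 draw the PDUs it carries. The following is an added example, not from the slides and not any vendor's or the rpki.net project's code, that encodes and decodes those PDUs and replays the exchange between a toy cache and a toy router in memory (no sockets, no ssh). Assumptions: the type codes for Reset Query (2) and Cache Response (3) are not on the slides and are taken from RFC 6810, the published form of this protocol; the 16-bit header word carries the slide's "Color" for prefix PDUs and is zero elsewhere (RFC 6810 later made it a reserved/session field); and the IPv6 Prefix PDU is emitted with Length=32, which is what the fields drawn on Page 29 add up to and what RFC 6810 specifies, although the slide prints Length=40.

```python
# Added example: rpki-rtr PDU codec plus a toy cache/router replaying the Page 27 exchange.
import struct
import ipaddress

VERSION = 0
SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 1, 2, 3     # 2 and 3 from RFC 6810, not the slides
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 4, 6, 7
FLAG_ANNOUNCE = 0x01                                    # low flag bit: 1 = announce, 0 = withdraw


def _header(pdu_type, length, word=0):
    return struct.pack("!BBHI", VERSION, pdu_type, word, length)


def serial_query(serial):  return _header(SERIAL_QUERY, 12) + struct.pack("!I", serial)
def reset_query():         return _header(RESET_QUERY, 8)
def cache_response():      return _header(CACHE_RESPONSE, 8)
def end_of_data(serial):   return _header(END_OF_DATA, 12) + struct.pack("!I", serial)


def prefix_pdu(prefix, max_len, asn, announce=True, color=0, source=0):
    """IPv4 Prefix (20 bytes) or IPv6 Prefix (32 bytes) payload PDU, Page 28/29 layout."""
    net = ipaddress.ip_network(prefix)
    pdu_type = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_len, source)
    body += net.network_address.packed + struct.pack("!I", asn)
    return _header(pdu_type, 8 + len(body),color) + body


def decode_one(buf):
    """Parse the PDU at the front of buf; return (dict, remaining bytes). Rejects malformed input."""
    if len(buf) < 8:
        raise ValueError("truncated header")
    version, pdu_type, word, length = struct.unpack("!BBHI", buf[:8])
    if version != VERSION or length < 8 or length > len(buf):
        raise ValueError("bad version or length")
    body, rest = buf[8:length], buf[length:]
    pdu = {"type": pdu_type}
    if pdu_type in (SERIAL_QUERY, END_OF_DATA):
        if len(body) != 4:
            raise ValueError("bad serial PDU length")
        pdu["serial"] = struct.unpack("!I", body)[0]
    elif pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
        alen = 4 if pdu_type == IPV4_PREFIX else 16
        if len(body) != 8 + alen:
            raise ValueError("bad prefix PDU length")
        flags, plen, maxlen, source = struct.unpack("!BBBB", body[:4])
        addr = ipaddress.ip_address(body[4:4 + alen])
        asn = struct.unpack("!I", body[4 + alen:])[0]
        if not plen <= maxlen <= alen * 8:
            raise ValueError("prefix length / max length out of range")
        pdu.update(announce=bool(flags & FLAG_ANNOUNCE), prefix=f"{addr}/{plen}",
                   max_len=maxlen, asn=asn, color=word, source=source)
    elif pdu_type not in (RESET_QUERY, CACHE_RESPONSE):
        raise ValueError(f"unknown PDU type {pdu_type}")
    return pdu, rest


def decode_all(buf):
    pdus = []
    while buf:
        pdu, buf = decode_one(buf)
        pdus.append(pdu)
    return pdus


class Cache:
    """Toy cache: a serial-numbered log of announcements and withdrawals."""
    def __init__(self):
        self.serial, self.log = 0, []

    def _record(self, announce, prefix, max_len, asn):
        self.serial += 1
        self.log.append((self.serial, announce, str(ipaddress.ip_network(prefix)), max_len, asn))

    def announce(self, prefix, max_len, asn): self._record(True, prefix, max_len, asn)
    def withdraw(self, prefix, max_len, asn): self._record(False, prefix, max_len, asn)

    def handle(self, query):
        """Answer a Reset Query (everything) or a Serial Query (changes after that serial).
        A production cache sends only the current state on a reset; replaying the log from
        zero gives the same end result here and keeps the code short."""
        q, _ = decode_one(query)
        if q["type"] not in (RESET_QUERY, SERIAL_QUERY):
            raise ValueError("router may only send Reset Query or Serial Query")
        since = 0 if q["type"] == RESET_QUERY else q["serial"]
        out = cache_response()
        for serial, announce, prefix, max_len, asn in self.log:
            if serial > since:
                out += prefix_pdu(prefix, max_len, asn, announce=announce)
        return out + end_of_data(self.serial)


class Router:
    """Toy router side: keeps the validated ROA set and the last serial it saw."""
    def __init__(self):
        self.serial, self.roas = None, set()

    def sync(self, cache):
        query = reset_query() if self.serial is None else serial_query(self.serial)
        pdus = decode_all(cache.handle(query))
        if pdus[0]["type"] != CACHE_RESPONSE or pdus[-1]["type"] != END_OF_DATA:
            raise ValueError("malformed exchange")
        for p in pdus[1:-1]:
            key = (p["prefix"], p["max_len"], p["asn"])
            if p["announce"]:
                self.roas.add(key)
            else:
                self.roas.discard(key)
        self.serial = pdus[-1]["serial"]            # the "new serial" of Page 27
        return len(pdus) - 2                         # number of prefix PDUs applied
```

The first sync is the Reset Query half of Page 27 and the second is the Serial Query half: the router only ever asks for what changed after the serial it last confirmed, which is what keeps the in-PoP caches of Page 30 cheap to talk to.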