Trends in RPKI deployment
LACNIC 33
• Non-profit foundation: Open Source, Open Standards, Open Internet
• Specialised in DNS & Routing: Security, Stability, Privacy
• DNS: NSD, Unbound, OpenDNSSEC
• RPKI: Routinator, Krill, Analytics
RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins
• Paper at Internet Measurement Conference 2019
• Using routing information from various sources:
  - RIPE RIS
  - Routeviews
  - Akamai
• Historic information on RPKI repositories: https://ftp.ripe.net/rpki/
• Read more: https://dl.acm.org/authorize?N695009
ROA Uptake and Accuracy Maps
• Routing information from Routeviews
• Historic information on RPKI repositories: https://ftp.ripe.net/rpki/
• Historic information on RIR assignments to regions: https://www.nro.net/about/rirs/statistics/
Coverage April 2018
Accuracy April 2018
INVALID == REJECT
2018
Use of ROAs in routing decisions
• Before mid 2018 there were early adopters:
  • Colombia was very active, as were others in Latin America
  • Small networks in Europe, especially the Netherlands
• The route53 leak was a pivotal moment
  • enough is enough
ASNs dropping invalids
• Ben Cox did active probing measurements:
  • September 2018: 50 ASNs
  • September 2019: 616 ASNs
  https://www.youtube.com/watch?v=fn9xrCoRYLQ
• Many public announcements, including tier-1
https://twitter.com/JobSnijders/status/1256326712347881473
C. Testart, P. Richter, A. King, A. Dainotti, and D. Clark, "To Filter or not to Filter: Measuring the Benefits of Registering in the RPKI Today", in Passive and Active Measurement Conference (PAM), Jan 2020.
Accuracy April 2020
Accuracy 90-100% Trend
Accuracy below 90% is shown as white!
https://nlnetlabs.nl/static/rpki_maps/accuracy-90-latam.mp4
https://nlnetlabs.nl/static/rpki_maps/accuracy-90-world.mp4
Coverage Trend
Coverage keeps increasing
https://nlnetlabs.nl/static/rpki_maps/coverage-latam.mp4
https://nlnetlabs.nl/static/rpki_maps/coverage-world.mp4
ASNs dropping invalids
• General advice: Monitor before dropping
• Train your help desk if you start dropping!
  ➡ Educate your customers and peers
  ➡ Put in temporary exceptions
• Very strong incentive to keep ROAs up to date!
• Coverage keeps rising
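
What "monitor before dropping" can look like in practice, as an added example that is not from the original slides: RFC 6811 origin validation run over constructed announcements in report-only mode, listing the routes an INVALID == REJECT policy would drop. The sample data, the function names and the coverage/accuracy definitions used here (share of announcements covered by a ROA; share of covered announcements that are valid) are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation prefixes and documentation ASNs).
VRPS = [  # validated ROA payloads: (ROA prefix, max length, authorised origin ASN)
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]
ANNOUNCEMENTS = [  # (announced prefix, origin ASN)
    ("192.0.2.0/24", 64500),      # matches the ROA
    ("192.0.2.0/25", 64500),      # right origin, longer than max length
    ("2001:db8:1::/48", 64501),   # more specific, within max length
    ("2001:db8:2::/48", 64502),   # covered, wrong origin
    ("203.0.113.0/24", 64503),    # no covering ROA
]

def validate(prefix, origin, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in vrps:
        roa = ipaddress.ip_network(roa_prefix)
        # A VRP covers the route if the route is equal to or inside the ROA prefix.
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        if asn == origin and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def monitor_report(announcements=ANNOUNCEMENTS, vrps=VRPS):
    """Classify every route without dropping anything; list the would-be drops."""
    states = Counter()
    would_drop = []
    for prefix, origin in announcements:
        state = validate(prefix, origin, vrps)
        states[state] += 1
        if state == "invalid":
            would_drop.append((prefix, origin))
    covered = states["valid"] + states["invalid"]
    return {
        "states": dict(states),
        "would_drop": would_drop,  # review these before enabling INVALID == REJECT
        "coverage": covered / len(announcements),
        "accuracy": states["valid"] / covered if covered else None,
    }

if __name__ == "__main__":
    print(monitor_report())
```

The `would_drop` list is what a help desk would need in hand before rejection is switched on, and it is where temporary exceptions would come from.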
2019
Delegated RPKI CAs under NIC.BR
[Diagram: boxes labelled LACNIC, NIC.BR, ACME.BR and REPOSITORY.BR; arrows labelled "certificate", "certificate" and "publish ROAs etc"]
➡ nic.br does not have a hosted service (yet), users run their own CA
➡ nic.br provides a publication service
Delegated RPKI CAs under RIRs
[Diagram: boxes labelled RIR A, RIR B, ACME.BR, ACME INT'L, ACME SOKOVIA and ACME REPO; arrows labelled "certificates", "certificate", "publish ROAs etc" and "publish"]
➡ RIRs also have the option to run your delegated CAs
➡ APNIC has a repository service, other RIRs not yet
Tools
• RPKID by Dragon Research Labs
  • In use at several NIRs and some delegated CAs
Why Run a Delegated CA?
✓ Run a single CA under multiple RIRs
✓ Delegate space to others (customers, teams)
✓ Use API to integrate with routing workflow (IPAM)
✓ Local control of who can access, rather than web portal
- Hardware requirements are low, but it needs to be maintained
- Need to host an RPKI repository (unless under nic.br)
Running Krill
• Build it yourself: https://rpki.readthedocs.io/en/latest/krill/installation.html
• Docker: https://rpki.readthedocs.io/en/latest/krill/docker.html
• Looking at Krill packages (Debian, FreeBSD, others)
• Use 'krillmanager'
  • Digital Ocean Marketplace: https://youtu.be/qunvH2t6rqU
  • AWS coming
  • Looking at generic (own infrastructure) support
Some Statistics
• NIC.BR
  - December 2019: Launch of service
  - May 1 2020:
    - 113 Delegations to members
    - 523 Prefixes in ROAs
    - Coverage 2.7%
    - Accuracy 99.1%
• RIRs
  - May 2020: ARIN 3, RIPE 3, APNIC 2
Issues Found
• Publishing to 'localhost'
  • Fixed in Krill 0.5.0 (February 2020)
• Some operators stop their CA
  • Their repository goes stale, then expires
  • NIC.BR is monitoring
Conclusions
• Delegated CAs are seeing uptake:
  • nic.br members do not have a portal
  • early adopters in other regions
• Some initial issues, getting fixed
• Good uptake and data quality
• Managed repositories needed!
Questions?
• https://rpki.nl
• https://github.com/nlnetlabs/routinator
• https://github.com/nlnetlabs/krill