RPKI-Based Origin Validation Lab RPKI Lab Creative Commons: Attribution & Share Alike

Similar documents
RPKI-Based Origin Validation, Routers, & Caches

BGP Origin Validation

RPKI Workshop Routing Lab

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

The RPKI and BGP Origin Validation

The RPKI & Origin Validation

Secure Routing with RPKI. APNIC44 Security Workshop

RPKI. Resource Pubic Key Infrastructure

Misdirection / Hijacking Incidents

The RPKI & Origin Validation

Deploying RPKI An Intro to the RPKI Infrastructure

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Resource Public Key Infrastructure

BGP AS-Override Split-Horizon

Route Security for Inter-domain Routing

BGP Origin AS Validation

Configuring IPv6 Provider Edge over MPLS (6PE)

RPKI and Internet Routing Security ~ The regional ISP operator view ~

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

BGP FlowSpec Route-reflector Support

Life After IPv4 Depletion

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

Secure Inter-domain Routing with RPKI

BGP Persistence. Restrictions for BGP Persistence. Information About BGP Persistence

Idealized BGPsec: Formally Verifiable BGP


APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Resource Certification

Introducción al RPKI (Resource Public Key Infrastructure)

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Multiprotocol BGP Extensions for IP Multicast Commands

APNIC elearning: BGP Basics. 30 September :00 PM AEST Brisbane (UTC+10) Revision: 2.0

RPKI in practice. Sebastian Wiesinger DE-CIX Technical Meeting June 2017

Contents. Introduction. Prerequisites. Configure. Requirements. Components Used

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

BGP Policy Lab - Partial Routing

Just give me a button!

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Chapter 5: Maintaining and Troubleshooting Routing Solutions

Security in inter-domain routing

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

BGP Table Version. Contents. Introduction. Network Diagram. Best Path

BGP Support for 4-byte ASN

RPKI and Routing Security

Module 6 Implementing BGP

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Configuring a Basic BGP Network

ibgp Multipath Load Sharing

MPLS VPN Inter-AS Option AB

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

32-bit ASNs. Philip Smith. AfNOG rd April 1st May Abuja, Nigeria

BGP Enhancements for IPv6. ISP Training Workshops

MPLS VPN--Inter-AS Option AB

IOS Implementation of the ibgp PE CE Feature

Internetwork Expert s CCNP Bootcamp. Border Gateway Protocol (BGP) What Is BGP?

Contents. Introduction. Prerequisites. Requirements. Components Used

MPLS VPN Multipath Support for Inter-AS VPNs

Implementing DCI VXLAN Layer 3 Gateway

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

Deploy VPLS. APNIC Technical Workshop October 23 to 25, Selangor, Malaysia Hosted by:

Introduction to BGP. ISP/IXP Workshops

Lessons learned running an RPKI service

IPv4 Run-Out, Trading, and the RPKI

2016/09/07 08:37 1/5 Internal BGP Lab. Set up Internal BGP (ibgp) within the each Group autonomous system to carry routing information within the AS.

Page1. Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.2(4)M1, DEVELOPMENT TEST SOFTWARE

IPv4 Run-Out, Trading, and the RPKI

Chapter 5 Lab 5-3, BGP

BGP security. 19 april 2018 Copenhagen

Chapter 7 Lab 7-1, Configuring BGP with Default Routing

Module 6 ibgp and Basic ebgp

BGP Link Bandwidth. Finding Feature Information. Prerequisites for BGP Link Bandwidth

SDN Workshop. Contact: WSDN01_v0.1

LAB1: BGP IPv4. BGP: Initial Config. Disclaimer

Golden Prefixes IRR Lockdown Job Snijders

Module 6x ibgp and Basic ebgp

scope scope {global vrf vrf-name} no scope {global vrf vrf-name} Syntax Description

BGP Origin Validation (RPKI)

Adventures in RPKI (non) deployment. Wes George

<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency

BGP Link-State. Finding Feature Information. Overview of Link-State Information in BGP

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

RPKI Trust Anchor. Geoff Huston APNIC

Module 6 More ibgp, and Basic ebgp Configuration

How to Access and Use Quagga Shell using Avi CLI

Requirements for Resource Public Key Infrastructure (RPKI) Relying Parties (draft-madi-sidrops-rp-00) Di Ma & Stephen Kent.

Networkers 2001, Australia

BGP Dynamic Neighbors

address-family ipv4 vrf vrf-name - Selects a per-vrf instance of a routing protocol.

BGP Event-Based VPN Import

Troubleshooting Routing Solutions

Contents. Configuring MSDP 1

Contents. BGP commands 1

H3C BGP Configuration Examples

Segment Routing on Cisco Nexus 9500, 9300, 9200, 3200, and 3100 Platform Switches

How to Access and Use Quagga Shell using Avi CLI

- PIX Advanced IPSEC Lab -

Transcription:

RPKI-Based Origin Validation Lab 1

Issuing Parties Relying Parties GUI altca Publication Protocol Trust Anchor Resource PKI RCynic Gatherer Pseudo IRR route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net! mnt-by: MAINT-RPKI! changed: irr-hack@rpki.net 20110606! source: RPKI! GUI Up Down JPNIC Publication Protocol SIA Pointers Resource PKI Validated Cache NOC Tools GUI Up Down IIJ Publication Protocol SIA Pointers Resource PKI Our Focus Today BGP Decision Process 2

Today Register Our Prefixes in CA Issue ROAs Using CA s Web Portal Configure Routers to get ROAs from Caches 3 2-4-1 RPKI Lab Creative Commons: Attribution & Share Alike

Get Copy of This Preso https://psg.com/140118.pdf So You Can Copy and Paste 4

Lab Overview GUI django RPKI Engine RCynic Gatherer Cache RPKI to Rtr Protocol BGP Decision Process Publication Protocol Repository Mgt RPKI Repo 5

Lab Environment ubu01 ubu02 ubu03 ubu04 ubu05 ubu16 Ubuntu/KVM Server in Ashburn GUI RPKI-Rtr Protocol AS65000 AS65001 RP - cache0.vmini CA - ca0.vmini Mac Mini running Ubuntu KVM 6

DynaMIPS on MacMini 10.0.0.0/8 RPKI Cache RPKI-Rtr Protocol AS65000 202.144.137.27 Global Internet AS65001 98.128.0.0/16! 98.128.0.0/24! 98.128.1.0/24!! 98.128.31.0/24! AS3130 Seattle Dallas AS4128 98.128.0.0/16! 98.128.0.0/24! 98.128.1.0/24!! 98.128.31.0/24! 7

Student Routers r1 r16 default default vmini kvm host NATted 10.0.0.0/24 10.0.10.0/24 b0 default 10.0.0.1 IPTables NAT br0 etc ssh Tunnels 147.28.0.35 10.0.11.0/24 b1 default because BGP is often blocked by firewalls ca0 10.0.0.2 cache0 10.0.0.3

Issuing Parties Relying Parties GUI altca Publication Protocol Trust Anchor Resource PKI RCynic Gatherer Pseudo IRR route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net! mnt-by: MAINT-RPKI! changed: irr-hack@rpki.net 20110606! source: RPKI! GUI Up Down JPNIC Publication Protocol SIA Pointers Resource PKI Validated Cache Our NOC Tools GUI Up Down IIJ Publication Protocol SIA Pointers Resource PKI Focus Today BGP Decision Process 9

Today Trust Anchor GUI altca Publication Protocol Resource PKI Up Down SIA Pointers GUI workshop Publication Protocol Resource PKI Up Down SIA Pointers GUI not used Publication Protocol Resource PKI 10

IP Address Allocation 98.128.0.0/16 ARIN Experimental Allocation 98.128.0.0/24 Instructors Play 98.128.1.0/24 labuser01 98.128.2.0/24 labuser02 98.128.32.0/24 labuser32 11

GUI Accounts https://ca0.vmini.rpki.net/ UserID labuser01 labuser02 labuser03 labuser16 Password fnord fnord fnord fnord 12

https://ca0.vmini.rpki.net/ labusernn fnord 13

The Dashboard 14

Create a ROA 15

What Will Happen? 16

Routers Use Your Own! (in production images from C&J) 16 DynaMIPS 7200s in Lab 17

Be Careful! Some Caches Have a LOT of ROAs Do Not Configure DynaMIPS to a Server With RIR TALs Because RIPE Data Has Thousands of ROAs dfw0, 198.180.152.11 Has Full BGP Table if you want to crash DynaMIPS 18

In-Lab Router Accounts ssh rn@vmini.rpki.net rn@vmini's password: fnord user: isplab password: lab-pw # enable password: lab-pw (N is your user number) 19

BGP Configuration rn#conf t Enter configuration commands, one per line. End with CNTL/Z. rn(config)#router bgp 651NN rn(config-router)#bgp rpki server tcp 10.0.0.3 port \ 43779 refresh 60 rn(config-router)#end That s All 20

Cisco Adventure rn#show ip bgp rpki? servers Display RPKI cache server information table Display RPKI table entries 21

Check Server rn#show ip bgp rpki servers BGP SOVC neighbor is 10.0.0.3/43779 connected to port 43779 Flags 0, Refresh time is 600, Serial number is 1304239609 InQ has 0 messages, OutQ has 0 messages, formatted msg 345 Session IO flags 3, Session flags 4008 Neighbor Statistics: Nets Processed 624 Connection state is ESTAB, I/O status: 1, unread input bytes: 0 Connection is ECN Disabled Mininum incoming TTL 0, Outgoing TTL 255 Local host: 199.238.113.10, Local port: 57932 Foreign host: 10.0.0.3, Foreign port: 43779 Connection tableid (VRF): 0 22

Look at Table rn#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory Network Maxlen Origin-AS Source Neighbor 98.128.0.0/24 24 3130 0 10.0.0.3/43779 98.128.0.0/16 16 3130 0 10.0.0.3/43779 98.128.6.0/24 24 4128 0 10.0.0.3/43779 98.128.9.0/24 24 3130 0 10.0.0.3/43779 98.128.30.0/24 24 1234 0 10.0.0.3/43779 128.224.1.0/24 24 3130 0 10.0.0.3/43779 129.6.0.0/17 17 49 0 10.0.0.3/43779 129.6.112.0/24 24 10866 0 10.0.0.3/43779 129.6.128.0/17 17 49 0 10.0.0.3/43779 147.28.0.0/16 16 3130 0 10.0.0.3/43779 23

Look at BGP Table rn#sh ip bgp Network Next Hop Metric LocPrf Weight Path * i I198.180.150.0 144.232.9.61 100 0 1239 3927 i *> I 199.238.113.9 0 2914 3927 i * I 129.250.11.41 0 2914 3927 i *> V198.180.152.0 199.238.113.9 0 2914 4128 i * V 129.250.11.41 0 2914 4128 i *> N198.180.155.0 199.238.113.9 0 2914 22773 i * N 129.250.11.41 0 2914 22773 i *> N198.180.160.0 199.238.113.9 0 2914 23308 13408 5752 i * N 129.250.11.41 0 2914 23308 13408 5752 i 24

Mis-Origination Caught RN#sh ip bgp 98.128.NN.0/24 BGP routing table entry for 98.128.0.0/24, version 94 Paths: (2 available, best #2, table default) Advertised to update-groups: 1 Refresh Epoch 1 65000 3130 10.0.0.1 from 10.0.0.1 (65.38.193.12) Origin IGP, localpref 100, valid, external path 6802D4DC RPKI State invalid Refresh Epoch 1 65001 4128 10.0.1.1 from 10.0.1.1 (65.38.193.13) Origin IGP, localpref 100, valid, external, best path 6802D7C8 RPKI State valid 25

Fat-Finger Detected ROA show ip bgp 98.128.0.0/16 98.128.0.0/16 AS65000 AS65001 AS 3130 Global Internet AS3130 AS4128 98.128.0.0/16! 98.128.0.0/16! Seattle Dallas 26

ROA Controls Validity ROA show ip bgp 98.128.0.0/16 98.128.0.0/16 AS65000 AS65001 AS 4128 Global Internet AS3130 AS4128 98.128.0.0/16! 98.128.0.0/16! Seattle Dallas 27

Try Your Own /24 ROA show ip bgp 98.128.0.0/16 show ip bgp 98.128.X.0/24 98.128.0.0/16 AS 4128 ROA AS65000 AS65001 98.128.X.0/24 AS 3130 Global Internet AS3130 AS4128 98.128.X.0/24! 98.128.X.0/24! 28

Now You Know How to Prevent YouTube Incident-2 And Stay Out of The Newspapers 29

Please Do Try This At Home 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback