RPKI and Internet Routing Security ~ The regional ISP operator view ~

Similar documents
Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

BGP Origin Validation

The RPKI and BGP Origin Validation

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Some Thoughts on Integrity in Routing

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC


Problem. BGP is a rumour mill.

Secure Routing with RPKI. APNIC44 Security Workshop

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

Misdirection / Hijacking Incidents

RPKI and Routing Security

RPKI. Resource Pubic Key Infrastructure

Deploying RPKI An Intro to the RPKI Infrastructure

BGP Configuration Automation on Edge Routers

The RPKI & Origin Validation

Security in inter-domain routing

Resource Certification

The RPKI & Origin Validation

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

Introducción al RPKI (Resource Public Key Infrastructure)

Routing Security Workshop Internet Routing Registries

Decentralized Internet Resource Trust Infrastructure

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Just give me a button!

IPv4 Run-Out, Trading, and the RPKI

IPv4 Run-Out, Trading, and the RPKI

BGP Edge Security for Dummies. Layer , 2603, and others

Securing Routing Information

BGP Origin Validation (RPKI)

An Operational ISP & RIR PKI

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Resource Public Key Infrastructure

Some Lessons Learned from Designing the Resource PKI

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

IRR 101. Job Snijders, DKNOG 8 1 / 35

BGP Configuration for a Transit ISP

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

Life After IPv4 Depletion

Policy Proposal Capturing AS Originations In Templates

Auto-Detecting Hijacked Prefixes?

Golden Prefixes IRR Lockdown Job Snijders

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

Networking 101 ISP/IXP Workshops

APNIC Activity Highlights

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

APNIC Trial of Certification of IP Addresses and ASes

TDC 375 Network Protocols TDC 563 P&T for Data Networks

APNIC Update TWNIC OPM 1 JUL George Kuo Manager, Member Services, APNIC

IETF Activities Update

ARIN Update. Mark Kosters CTO

Internet Routing Registry

Internet Number Certification

Adventures in RPKI (non) deployment. Wes George

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

An Operational ISP & RIR PKI

Using RPKI secured data for existing routing policy tools. Rüdiger Volk, Deutsche Telekom IETF72 SIDR WG, Dublin

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

An ARIN Update. Susan Hamlin Director of Communications and Member Services

IETF Activities Update

BGP security. 19 april 2018 Copenhagen

Attacks on routing: IP hijacks

Route Security for Inter-domain Routing

LEA Workshop. Champika Wijayatunga & George Kuo, APNIC Wellington, New Zealand 09, May, 2013

Routing Security. Daniel Karrenberg RIPE NCC.

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

Robust Inter-Domain Routing

<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency

Secure Inter-domain Routing with RPKI

RPKI Trust Anchor. Geoff Huston APNIC

NIR February JPNIC Updates. Hiroki Kawabata Japan Network Information Center (JPNIC) Copyright 2016 Japan Network Information Center

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

Introduction to The Internet

Module 14 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

Routing Security Roadmap

How Complete and Accurate is the Internet Routing Registry (IRR)?

IPv6 Multi-Prefix Environment ~ Concept, Issues, and Solutions ~

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

Multi-Lateral Peering Agreement

APNIC Training and Technical Assistance

The Transition to BGP Security Is the Juice Worth the Squeeze?

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

MANRS How to behave on the internet

APNIC Trial of Certification of IP Addresses and ASes

Methods for Detection and Mitigation of BGP Route Leaks

RPKI-Based Origin Validation Lab RPKI Lab Creative Commons: Attribution & Share Alike

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

Inter-domain routing security and the role of Internet Routing Registries. August 1, 2004 Larry Blunk, Merit Network, Inc.

Introduction to The Internet

IETF Activities Update

APNIC & Internet Address Policy in the Asia Pacific

Transcription:

RPKI and Internet Routing Security ~ The regional ISP operator view ~ APNIC 29/APRICOT 2010 NEC BIGLOBE, Ltd. (AS2518) Seiichi Kawamura 1

Agenda Routing practices of the regional ISP today How this may change with RPKI and what may improve

Question: Routing Infrastructure today What data sources do we trust, to keep my routing table a sensible one so I can route my customers packets to their rightful destination and not have angry calls at me? Is the data we rely on good enough? What actions do we take with those data? Are those methods/actions good enough to keep my customers happy?

My view What data sources do we trust for routing? Various IRRs RADB, ALTDB, NTTCOM, JPIRR Registry Databases Projects REX, Team Cymru, Route Views, etc e-mail web or ftp sites Sites provided by IANA, registries, etc. Social gatherings?

My view Is the data we rely on good enough? On a regional scale, maybe. JPIRR, an IRR run by JPNIC is very clean. Current methods, plus the effort to keep data sources clear and accurate may work in small countries. Maybe not enough on a global scale. Not all routed ASes are on IRRs. e-mails are full of typo s. IPv6 make things worse. (draft-ietf-6man-text-addr-representation) Many mistakes on IRRs. Resolving problems can be hard on global scale.

My view What actions do we take with those data? Mostly a static filter generation. (prefix, as-path, BGP community, etc) We tend to keep filters on the safe side. Are these methods/actions good enough to keep my customers happy? The time has come to go one step further. The possibility that data source may show incorrect data, is holding us from implementing a strong prevention against misuse.

7 But the internet has worked fine for me why would I need to do something different?

Why RPKI? Continuous routing incidents, with big impacts YouTube Hijacking, etc. attacks may come from anywhere. The hopes for a safe and secure internet as an infrastructure. Resources depleting. IPv4 address transfers. allows for divide and transfer. smaller route advertising, more bogus routes (not necessarily bogons). Reliability of resources and routes are in need. 8

What is RPKI? Resource Public Key Infrastructure X.509 certificate style Number resources (prefix, as-numers) SSL certs validate domains RPKI certs validate IP and ASN A simple way of understanding this. 9 A framework to use X.509 Certificates on AS numbers and IP address resources, to make Internet routing secure by means of a trustable data source.

Certificate types and functions at a glance Certificate types 1. Resource Certificate (CA or EE): - IPv4/IPv6 prefixes - AS numbers 10 Functions using the Certificates 1. Route Origin Authorization (ROA) - Ties between a prefix and an AS number that routes it. Signed by a Cert. There s more, see IETF SIDR-WG work for more.

Address Allocation and Routing today Allocation JPNIC/APNIC 203.136.0.0/16 Hand written updates to IRR objects Check and generate filters Mis-configuration Easily happens BIGLOBE Peering IRR register JPIRR, RADB, ALTDB, etc whois query Assignment 203.136.1.0/24 Cust A R ISP A Statically generated filters ISP C

Key aspects of the RPKI architecture RIRs will give you a Certificate showing you the rightful owner. Cannot transfer resource without proper transactions. The rightful prefix owner only, can associate an AS number with the prefix. No one else can do this. Requires a valid cert. Check against received routes. Router can query the RPKI data to see if the origin and AS number do actually match with a signed object. 12 Disclaimer : This hasn t happened yet. The following slides are my imagination of what may happen.

Imagination: So what s it going to be like? A DB of RPKI objects (Certs, ROAs, etc) JPNIC/APNIC 203.136.0.0/16 Allocations come with Certs!! not part of RPKI!! Static filtering data (Path filtering) Repository Origin Validation BIGLOBE Peering IRR register IRRs (JPIRR, RADB) Path Validation 13 Dynamically check origin against received routes R ISP A R ISP B ISP C

Imagination: What will change for ISPs? Address management teams will have to deal with certificates. If you have customers, then you may have to issue certs. Key management may become part of job. Routing team will have to create new objects (ROAs), manage them, and possibly create them for customers as well. Routers may have to be configured to accept data collected from the repositories to validate routes against ROAs. PIs will need Certificates and ROAs also.

Routing operators Imagination: Players involved If you use IRR as part of your job, you have something new to play with. IRR will stick around for a while, but we should stop the e-mail culture and rely more on these tools. Address management team Get used to PKI, or find someone who s good with it. Customer support If you have BGP customers, you may need to have a user interface to cover for RPKI. NOC The top level engineers should be aware of RPKI.

What should ISPs do? Don t panic NIRs have not even started. Just having a certificate will not do much just yet. Where is all the talk happening? IETF (sidr-wg) RIRs What should I do now? Do the best that you can do Use IRRs properly, don t hijack people s route, be aware of hijacked routes, be aware of reachability of your prefixes, use tools, etc Get interested in RPKI. Try it out.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback