Introduction to RPKI-Webinar-Slides · 2021. 2. 15. · RPKI Webinar 10 Internet Routing Registry...
Introduction to RPKI
RIPE NCC Learning & Development
Webinar
This webinar is being recorded
Agenda
Is BGP safe?
ROAs
Validation Tools
Validation
Is BGP safe?
RPKI Webinar 5
Routing on the Internet
A 193.x.x.x
B 194.x.x.x
B: “I have 194.x.x.x”
A: “I have 193.x.x.x”
“BGP protocol”
Routing table 194.x.x.x = B
Routing table 193.x.x.x = A
Can I trust B?
Is A correct?
RIPE Database
“Internet Routing Registry”
(Slides 5 to 15 build up one picture: network A holds 193.x.x.x and network B holds 194.x.x.x, each announces its prefix over BGP, and the neighbours install whatever they hear. Nothing in BGP itself tells a neighbour whether B really holds 194.x.x.x or whether A is correct; the only place to check is a registry such as the RIPE Database, the Internet Routing Registry.)
RPKI Webinar 7
Accidents Happen
• Fat Fingers
  - 2 and 3 are really close on our keyboards…
• Policy Violations (leaks)
  - Oops, we did not want this to go on the public Internet
  - Infamous incident with Pakistan Telecom and YouTube (2008)
RPKI Webinar 8
Or Worse…
• April 2018 - BGP and DNS Hijack
  - Targeting MyEtherWallet
  - Prefixes of Amazon’s Route 53 DNS service were hijacked, so queries for the wallet site were answered by a rogue server
  - Unnoticed for two hours
RPKI Webinar 9
Incidents Are Common
• 2019 Routing Security Review - 12,600 incidents
  - 4.4% of all ASNs affected
  - 3,000 ASNs were victims of at least one incident
  - 1,300 ASNs caused at least one incident
Source: https://bgpstream.com
RPKI Webinar 10
Internet Routing Registry
• Many exist; the most widely used are
  - RIPE Database
  - RADB
• Verification of holdership over resources
  - RIPE Database: verified for RIPE region resources only
  - RADB allows paying customers to create any object
  - Lots of the other IRRs do not formally verify holdership
RPKI Webinar 11
Problem Statement
• Some IRR data cannot be fully trusted
  - Accuracy
  - Incomplete data
  - Lack of maintenance
• Not every RIR has an IRR
  - Third-party databases need to be used (RADB, operators)
  - No verification of who holds IPs/ASNs
RPKI Webinar 12
Resource Public Key Infrastructure
• Ties IP addresses and ASNs to public keys
• Follows the hierarchy of the registries
• Authorised statements from resource holders
  - “ASN X is authorised to announce my Prefix Y”
  - Signed by the holder of Y
RPKI Webinar 13
RPKI Chain of Trust
RIPE NCC Root Certificate
• Self-signed
• Covers ALL resources
• Signature made with the Root’s private key; carries the Root’s public key
LIR Certificate
• Signed by the Root’s private key
• Covers the LIR’s resources
• Carries the LIR’s public key
ROAs
RPKI Webinar 16
ROA (Route Origin Authorisation)
• A ROA is a signed statement by the prefix holder: “this origin ASN may announce this prefix, down to this maximum prefix length”
• LIRs can create a ROA for each one of their resources (IP address ranges)
• Multiple ROAs can be created for an IP range
• ROAs can overlap
RPKI Webinar 17
What is in a ROA?
Prefix: the network for which you are creating the ROA
Origin ASN: the ASN that is supposed to be originating the BGP announcement
Max Length: the maximum prefix length accepted for this ROA
Keep Max Length equal to the lengths you actually announce. A looser Max Length is a risk: an attacker who forges your origin ASN can announce a more-specific prefix up to that length, it still passes origin validation, and the more-specific wins (RFC 9319).
RPKI Webinar 19
Route Origin Authorisation
“Prefix is authorised to be announced by AS Number”
The LIR’s private key signs this statement; the statement plus its signature is the ROA.
RPKI Webinar 20
RPKI Chain of Trust
Root certificate (ALL resources): signature, public key
LIR certificate (LIR’s resources): signature, public key
ROA: signature
Each link is checked with the public key one level up: the ROA signature with the LIR’s public key, the LIR certificate with the Root’s public key, and the Root certificate is the self-signed trust anchor.
RPKI Webinar 21
Hosted RPKI
• Automatic signing and key rollovers
  - One-click setup of resource certificate
  - User has a valid and published certificate for as long as they are the holder of the resources
  - All the complexity is handled by the hosted system
• Lets you focus on creating and publishing ROAs
  - Match your intended BGP configuration
RPKI Webinar 22
Delegated RPKI
• Run your own Certificate Authority
  - Dragon Research Labs, RPKI Toolkit
  - NLnet Labs, Krill
• Set up a connection with the RIPE NCC CA
• Generate your LIR certificate and get it signed by the parent CA
First login to the dashboard
RPKI Webinar 24
Creating ROAs
RPKI Webinar 25
Reviewing changes
RPKI Webinar 26
Checking the effects
RPKI Webinar 27
Worked example: ROAs and prefix lengths inside 193.0.24.0/21
ROA: 193.0.24.0/21 AS2121 Max Length: /21
- 193.0.24.0/21 announced by AS2121: Valid
- every more-specific inside it (193.0.24.0/22, 193.0.28.0/22, the /23s and the /24s): Invalid, because Max Length stops at /21
Add ROA: 193.0.24.0/23 AS2121 Max Length: /24
- 193.0.24.0/23, 193.0.24.0/24 and 193.0.25.0/24 announced by AS2121 become Valid
- the other /23s and /24s in the /21 stay Invalid
Add ROA: 193.0.30.0/23 AS2121 Max Length: /23
- 193.0.30.0/23 announced by AS2121 becomes Valid
- 193.0.30.0/24 and 193.0.31.0/24 stay Invalid (Max Length /23)
RPKI Webinar 28
Take the poll! You have a ROA for 193.0.24.0/23 with max-length /24.
Which announcements will be “Valid”?
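The rules behind the slide-27 walkthrough and the poll, as an added Python example that is not part of the webinar material: it implements RFC 6811 route origin validation over a set of validated ROA payloads (VRPs) and returns Valid, Invalid or NotFound for one announcement. The VRPs are the three ROAs from slide 27 and the poll’s single ROA; the poll slide does not name an origin AS, so AS2121 is assumed. The AS0 ROA is a constructed addition (RFC 6483) showing how a holder marks space that must never appear in BGP.

```python
"""RFC 6811 route origin validation against a set of validated ROA payloads (VRPs)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    prefix: str      # ROA prefix
    max_length: int  # longest announcement the ROA permits
    asn: int         # authorised origin; AS0 means "nobody may originate this"


def validate_origin(announced, origin_asn, vrps):
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement.

    Covering: the VRP prefix contains the announced prefix.
    Matching: covering, same origin AS, announced length <= maxLength.
    Valid if any VRP matches; Invalid if some VRP covers but none matches;
    NotFound if no VRP covers the prefix at all.
    """
    net = ipaddress.ip_network(announced, strict=False)
    covered = False
    for v in vrps:
        roa_net = ipaddress.ip_network(v.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # AS0 VRPs (RFC 6483) never match, so they can only produce Invalid.
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def classify(announcements, vrps):
    """Validate a batch of (prefix, origin_asn) pairs; returns {(prefix, asn): state}."""
    return {(p, a): validate_origin(p, a, vrps) for p, a in announcements}


# The three ROAs from the slide-27 walkthrough.
SLIDE_VRPS = [
    VRP("193.0.24.0/21", 21, 2121),
    VRP("193.0.24.0/23", 24, 2121),
    VRP("193.0.30.0/23", 23, 2121),
]
# The poll: one ROA for 193.0.24.0/23 with maxLength /24 (origin AS2121 assumed).
POLL_VRPS = [VRP("193.0.24.0/23", 24, 2121)]
# Constructed AS0 ROA for space that must never be originated by anyone.
AS0_VRPS = [VRP("198.51.100.0/24", 24, 0)]


def poll_answer():
    """Which of these announcements from AS2121 are Valid under the poll's ROA?"""
    candidates = ["193.0.24.0/22", "193.0.24.0/23", "193.0.24.0/24",
                  "193.0.25.0/24", "193.0.24.0/25"]
    return [p for p in candidates if validate_origin(p, 2121, POLL_VRPS) == "Valid"]


if __name__ == "__main__":
    sample = [("193.0.24.0/21", 2121), ("193.0.24.0/22", 2121),
              ("193.0.30.0/24", 2121), ("192.0.2.0/24", 2121)]
    for (p, a), state in classify(sample, SLIDE_VRPS).items():
        print(f"{p:18} AS{a:<6} {state}")
    print("poll:", poll_answer())
```

Note the difference between the two non-Valid states: 193.0.24.0/22 is Invalid under the poll’s ROA only if some ROA covers it; with just the /23 ROA it is NotFound, and most operators accept NotFound while dropping Invalid.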
Validation Tools
RPKI Webinar 30
Routing on the Internet
A 192.0.2.0/24
B 193.0.24.0/21
A: “I have 192.0.2.0/24” (BGP)
Is A correct?
1. Create route authorisation record (ROA): the RPKI Repository now holds “A is authorised to announce 192.0.2.0/24”
2. Validate route: B checks A’s announcement against the ROAs in the repository
RPKI Webinar 31
RPKI Validators
• Software that creates a local “validated cache” with all the valid ROAs
  - Downloads the RPKI repository from the RIRs
  - Validates the chain of trust of all the ROAs and associated CAs
  - Talks to your routers using the RPKI-RTR protocol
RPKI Webinar 32
Relying Party
RIPE NCC, ARIN, APNIC, AFRINIC, LACNIC (the five RIR repositories) feed the Validator
RPKI Webinar 33
Relying Party
ROAs (illustrative values from the slide): AS111 10.0.7.30/22, AS222 10.0.6.10/24, AS333 10.4.17.5/20
BGP Announcements
BETTER ROUTING DECISIONS
RPKI Validator Options
• RIPE NCC Validator 3.2
  - Java based
  - January 1, 2021: no new features! July 1, 2021: end of support!
• Routinator
  - Written in Rust by NLnet Labs
• OctoRPKI
  - Cloudflare’s Relying Party software, written in Go
• Dragon Research Labs Validating Cache
  - Written in Python
RPKI Webinar 35
RIR REPOSITORIES: publish the ROAs
VALIDATOR SOFTWARE: verification of the ROAs, builds the Validated Cache
ROUTERS: receive the Validated Cache over RPKI-RTR
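The RPKI-RTR step in the diagram, as an added Python example that is not part of the webinar material: it packs and parses the IPv4 and IPv6 Prefix PDUs a validator sends to a router (the RFC 6810/RFC 8210 wire format), applies the announce/withdraw flag to a local copy of the validated cache, and rejects truncated or malformed PDUs instead of silently reading past them. The PDU stream is constructed inline; in a real deployment it arrives over TCP port 323, which RFC 8210 expects to be protected by SSH, TLS or TCP-AO rather than left in the clear.

```python
"""Encode and decode RPKI-RTR prefix PDUs (RFC 6810 / RFC 8210) and apply them to a cache."""
import ipaddress
import struct

PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
FLAG_ANNOUNCE = 0x01               # bit 0 set = announce, clear = withdraw
HEADER = struct.Struct("!BBHI")    # version, pdu type, session id / zero, total length
BODY4 = struct.Struct("!BBBB4sI")  # flags, prefix len, max len, zero, prefix, ASN
BODY6 = struct.Struct("!BBBB16sI")


def encode_prefix_pdu(prefix, max_length, asn, announce=True, version=1):
    """Build one IPv4 (20 bytes) or IPv6 (32 bytes) Prefix PDU."""
    net = ipaddress.ip_network(prefix)
    flags = FLAG_ANNOUNCE if announce else 0
    fmt = BODY4 if net.version == 4 else BODY6
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    body = fmt.pack(flags, net.prefixlen, max_length, 0, net.network_address.packed, asn)
    return HEADER.pack(version, pdu_type, 0, HEADER.size + len(body)) + body


def decode_pdus(data):
    """Yield (announce, prefix, max_length, asn) for each Prefix PDU in a byte stream.

    Other PDU types are skipped by their declared length; a bad version, a length
    that runs past the buffer or inconsistent prefix/max lengths raise ValueError.
    """
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated PDU header")
        version, pdu_type, _, length = HEADER.unpack_from(data, off)
        if version not in (0, 1):
            raise ValueError(f"unsupported RTR version {version}")
        if length < HEADER.size or off + length > len(data):
            raise ValueError(f"bad PDU length {length}")
        body = data[off + HEADER.size:off + length]
        if pdu_type == PDU_IPV4_PREFIX:
            fmt, addr_cls = BODY4, ipaddress.IPv4Address
        elif pdu_type == PDU_IPV6_PREFIX:
            fmt, addr_cls = BODY6, ipaddress.IPv6Address
        else:
            off += length  # Cache Response, End of Data, ...: not a prefix, skip it
            continue
        if len(body) != fmt.size:
            raise ValueError(f"prefix PDU type {pdu_type} has body length {len(body)}")
        flags, plen, maxlen, _, raw, asn = fmt.unpack(body)
        addr = addr_cls(raw)
        if not plen <= maxlen <= addr.max_prefixlen:
            raise ValueError(f"bad length fields {plen}/{maxlen}")
        yield bool(flags & FLAG_ANNOUNCE), f"{addr}/{plen}", maxlen, asn
        off += length


def is_well_formed(data):
    """True when the whole stream parses without error."""
    try:
        list(decode_pdus(data))
        return True
    except ValueError:
        return False


def apply_to_cache(cache, data):
    """Apply announce/withdraw PDUs to a set of (prefix, max_length, asn) tuples."""
    for announce, prefix, maxlen, asn in decode_pdus(data):
        (cache.add if announce else cache.discard)((prefix, maxlen, asn))
    return cache


# Constructed sample stream: two announcements, a Reset Query (type 2, header only)
# that must be skipped, then a withdrawal of the first prefix.
SAMPLE_STREAM = (encode_prefix_pdu("193.0.24.0/21", 21, 2121)
                 + encode_prefix_pdu("2001:db8::/32", 48, 2121)
                 + HEADER.pack(1, 2, 0, HEADER.size)
                 + encode_prefix_pdu("193.0.24.0/21", 21, 2121, announce=False))

if __name__ == "__main__":
    for rec in decode_pdus(SAMPLE_STREAM):
        print(rec)
    print("cache:", apply_to_cache(set(), SAMPLE_STREAM))
```

A router-side implementation would also track the session id and serial numbers so it can ask for incremental updates; this block deliberately stops at the prefix payloads, which are what end up in the validated cache the routers use.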
Validation
Validation
VALIDATOR
Rsync/RRDP: fetches the ROAs and certificates from the RIR Repository
ROA Validation
Validated Cache, sent to the routers over RPKI-RTR
BGP Origin Validation between AS 100 and AS 200
ROA Validation
ALL Resources (Root certificate): signature, public key
LIR’s Resources (LIR certificate): signature, public key
ROA: signature
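What the validator’s ROA validation step actually checks in the chain-of-trust pictures, as an added Python example that is not part of the webinar material: a certificate may only carry resources its issuer also holds (RFC 3779 containment, as required by RFC 6487), and a ROA may only cover a prefix held by the certificate that signs it (RFC 6482). The hierarchy, the names and the rogue certificate are constructed for the example; the trust anchor is modelled as holding 0.0.0.0/0 and ::/0 to stand in for “ALL resources”. Signature verification over each link is assumed to have been done already, so the example is the resource check, not the cryptography.

```python
"""Resource containment down an RPKI certificate chain (RFC 3779 / RFC 6487 / RFC 6482)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _net(prefix):
    return ipaddress.ip_network(prefix)


@dataclass(frozen=True)
class Cert:
    name: str
    prefixes: tuple            # IP resources listed in the certificate (RFC 3779)
    issuer: Optional["Cert"]   # None for the self-signed trust anchor


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int
    ee_cert: Cert              # end-entity certificate whose key signed the ROA


def contained(child_prefixes, parent_prefixes):
    """True when every child prefix lies inside some parent prefix of the same family."""
    parents = [_net(p) for p in parent_prefixes]
    for child in map(_net, child_prefixes):
        if not any(child.version == p.version and child.subnet_of(p) for p in parents):
            return False
    return True


def chain_errors(cert):
    """Walk up to the trust anchor; report each hop whose resources exceed its issuer's."""
    errors = []
    while cert.issuer is not None:
        if not contained(cert.prefixes, cert.issuer.prefixes):
            errors.append(f"{cert.name} claims resources not held by {cert.issuer.name}")
        cert = cert.issuer
    return errors


def validate_roa(roa):
    """Errors that keep a ROA out of the validated cache; an empty list means accepted."""
    errors = chain_errors(roa.ee_cert)
    net = _net(roa.prefix)
    if not contained([roa.prefix], roa.ee_cert.prefixes):
        errors.append(f"ROA {roa.prefix} is not covered by EE cert {roa.ee_cert.name}")
    if not net.prefixlen <= roa.max_length <= net.max_prefixlen:
        errors.append(f"ROA {roa.prefix} has out-of-range maxLength {roa.max_length}")
    return errors


def build_validated_cache(roas):
    """Validated ROA payloads (prefix, maxLength, asn) for every ROA that passes."""
    return [(r.prefix, r.max_length, r.asn) for r in roas if not validate_roa(r)]


# Constructed hierarchy mirroring the slides; names and the rogue cert are made up.
TRUST_ANCHOR = Cert("RIPE NCC TA", ("0.0.0.0/0", "::/0"), None)
LIR = Cert("LIR CA", ("193.0.24.0/21",), TRUST_ANCHOR)
EE_GOOD = Cert("EE good", ("193.0.24.0/23",), LIR)
EE_ROGUE = Cert("EE rogue", ("194.0.0.0/16",), LIR)  # space the LIR never held
SAMPLE_ROAS = [
    Roa("193.0.24.0/23", 24, 2121, EE_GOOD),
    Roa("194.0.0.0/16", 16, 2121, EE_ROGUE),          # dropped: overclaiming cert
    Roa("193.0.26.0/23", 24, 2121, EE_GOOD),          # dropped: prefix outside EE cert
]

if __name__ == "__main__":
    for roa in SAMPLE_ROAS:
        print(roa.prefix, validate_roa(roa) or "accepted")
    print("validated cache:", build_validated_cache(SAMPLE_ROAS))
```

This is the strict RFC 6487 behaviour: one overclaimed prefix rejects the whole certificate and everything below it. RFC 8360 defines an alternative “reconsidered” algorithm that trims the overclaimed resources instead; which one a validator uses matters when a parent shrinks a delegation before the child reissues.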
BGP Prefix Origin Validation - RFC 6811
AS 100 originates 10.0.0.0/22
ROA: AS100 10.0.0.0/22 (no Max Length shown, so only the /22 itself is authorised)
The VALIDATOR sends the ROA to AS 200’s router over RPKI-RTR
AS 200 receives 10.0.0.0/22 from AS100: Valid
AS 200 receives 10.0.0.0/24: Invalid (a ROA covers the prefix, but none allows a /24)
![Page 75: Introduction to RPKI-Webinar-Slides · 2021. 2. 15. · RPKI Webinar 10 Internet Routing Registry •Many exist, most widely used - RIPE Database - RADB •Verification of holdership](https://reader036.fdocuments.net/reader036/viewer/2022071507/6128761412ad9c2fe36b9aee/html5/thumbnails/75.jpg)
RPKI Webinar 40
• Routers receive data from the validated cache via RPKI-RTR
• Based on this and on the BGP announcements, you have to make decisions
- Accept or discard the BGP announcement
- As a temporary measure, you could influence other attributes, such as Local Preference
RPKI Webinar 41
(diagram: ROA Validation of the ROAs gives VALID or INVALID; BGP Validation of announcements against the validated ROAs gives VALID, INVALID or UNKNOWN / NOT FOUND)
RPKI Webinar 42
Invalids
• Invalid ROA
- The ROA in the repository cannot be validated by the client (ISP), so it is not included in the validated cache
• Invalid BGP announcement
- There is a ROA in the validated cache for that prefix, but for a different AS
- Or the max length doesn't match
• If there is no ROA in the cache, the announcement is "unknown"
RPKI Webinar 43
Whitelisting
• If there is an invalid ROA for a network that's important for you or your customers, you can whitelist it
• This is done on your local validator software
- It creates a "fake" ROA for the resources you want
• It allows you to contact the operator to fix their ROA
- Think of e-mail, contact forms, etc.
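An added illustration (example code, not from the RIPE NCC webinar) of the three BGP validation outcomes from the slides above, the accept / discard / lower-Local-Preference decision, and a whitelist entry modelled as a locally added "fake" ROA; it assumes the slide's ROA for AS100 10.0.0.0/22 carries max length 22, which the slide does not state.

```python
from ipaddress import ip_network

# Constructed validated cache (VRPs: prefix, max length, origin AS), as a
# validator would hand it to a router over RPKI-RTR. Mirrors the slide's single
# ROA; max length 22 is an assumption.
VRPS = [
    (ip_network("10.0.0.0/22"), 22, 100),
]


def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation of one announcement.
    Returns 'VALID', 'INVALID' or 'NOT_FOUND' (the slides' "unknown")."""
    net = ip_network(prefix)
    # A VRP "covers" the route when the announced prefix lies inside it.
    covering = [v for v in vrps
                if v[0].version == net.version and net.subnet_of(v[0])]
    if not covering:
        return "NOT_FOUND"
    for vrp_prefix, max_len, asn in covering:
        # VALID needs a covering VRP with the same origin AS and a prefix
        # length no longer than the VRP's max length.
        if asn == origin_asn and net.prefixlen <= max_len:
            return "VALID"
    # Covered, but wrong AS or prefix longer than max length.
    return "INVALID"


def apply_policy(state, strict=True):
    """What the router does with the announcement: (action, local_pref).
    strict=True discards invalids; strict=False is the temporary measure from
    the slides, keeping the route but lowering its Local Preference."""
    if state == "INVALID":
        return ("discard", None) if strict else ("accept", 50)
    return ("accept", 100)


def whitelist(vrps, prefix, max_len, asn):
    """Local whitelist entry: a 'fake' ROA added on your own validator for a
    network you depend on. Returns a new VRP list; the cache is untouched."""
    return vrps + [(ip_network(prefix), max_len, asn)]


if __name__ == "__main__":
    for route, asn in [("10.0.0.0/22", 100), ("10.0.0.0/24", 100),
                       ("10.0.0.0/22", 200), ("192.0.2.0/24", 100)]:
        state = validate(route, asn)
        print(route, "AS" + str(asn), state, apply_policy(state, strict=False))
```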
RPKI Webinar 44
How to whitelist
RPKI Webinar 45
Adding a whitelist entry
RPKI Webinar 46
Check your entries
RPKI Webinar 47
Take the poll!
RPKI Webinar 48
Where do we go from here?
• RPKI is only one of the steps towards full BGP Validation
- Paths are not validated
• We need more building blocks
- BGPSec (RFC)
- ASPA (draft)
- AS-Cones (draft)
What did you think about this session? Take our survey at: https://www.ripe.net/support/training/feedback/rpki/view
50
We Want your Feedback!
51
Learn something new today!
academy.ripe.net
RIPE NCC Academy
RIPE NCC Learning & Development
https://www.ripe.net/certifiedprofessionals
LAUNCHING SOON
The End! (Fin, Ende, Крај, Konec, Son, Fine, Pabaiga, Einde, Fim, Finis, Koniec, Lõpp, Край, Sfârşit, Конец, Kraj, Vége, Кінець, Slutt, Loppu, Τέλος, Y Diwedd, Amaia, Tmiem, Соңы, Endir, Slut, Liðugt, An Críoch, Fund, הסוף, Fí, Ënn, Finvezh, Beigas)