RPKI implementation experiences in the LAC Region
Carlos M. Martínez – Arturo Servín
LACSEC 2012 – LACNIC XVIII

What is RPKI?
- RPKI (Resource Public Key Infrastructure) allows validation of an organization's right to use a given Internet number resource (IPv4 prefixes, IPv6 prefixes, ASNs).
- RPKI combines the hierarchy of the Internet resource assignment model (IANA to RIRs to their members) with digital certificates based on standard X.509, carrying the resources in the RFC 3779 extensions.
- RPKI is standardized in the IETF through the SIDR WG, which has produced RFCs 6480 – 6492.

Application of RPKI
- One of the threats to the routing system is forging of the origin autonomous system in BGP (prefix hijacking).
- To reduce the effect of hijacks used for traffic interception (man-in-the-middle) and of misconfiguration errors in BGP, RPKI is used to validate the autonomous system that originates a prefix (origin validation).
- Caveat: origin validation checks only the origin AS against published ROAs. It does not validate the AS path, so an attacker who forges a path ending in the legitimate origin AS is not caught; that is what BGPSEC is meant to address.

RPKI Architecture and Origin Validation
(Diagram not preserved in the transcript; labelled components: RPKI management system, repository, validation cache.)

Types of users
- Prefix holder: you want to certify your prefixes and create ROAs.
- Router operator: you want to validate prefixes using RPKI and origin validation.
- Both.

Prefix Holder
- You need to create and publish your resource certificate and your ROAs.
- One way is to use the hosted systems the RIRs have already deployed.
- The other is to run your own CA and repository.

Router Operator
- You need an origin-validation-capable router, an RPKI validation cache and at least one trust anchor.
- Cisco, Juniper and Quagga (with the SRx module) are capable routers.
- RIPE NCC and others have cache implementations.
- Each RIR is the trust anchor for the resources (IPv4, IPv6 and ASNs) it has allocated.

Router Operator (2)
- Configure your cache with the RIRs' TALs (trust anchor locators) so it can fetch and validate their repositories.
- Configure your router and cache to speak RTR (the RPKI-to-router protocol, RFC 6810; TCP port 323 is the assigned port).
- Configure policies in your router: what to do with routes marked valid, invalid or not-found.
- Check your BGP routes.
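The second and third steps above (router and cache speaking RTR) are easier to reason about with the wire format in hand. The following is an added example, not code from the talk or from any of the cache or router implementations mentioned on this page: it encodes and decodes the RFC 6810 RTR PDUs in Python and applies a cache's answer to a router's table of validated ROA payloads (VRPs). The session id, serial number, ROAs and the whole exchange are constructed for the example; the prefixes and AS numbers are documentation values.

```python
"""RTR (RFC 6810) framing: encode the PDUs exchanged between a validation
cache and a router, decode a cache's response, and fold it into a VRP set.
Added example, not code from the LACNIC talk or any vendor implementation.
"""
import ipaddress
import struct

RTR_VERSION = 0          # protocol version in RFC 6810
RTR_PORT = 323           # IANA-assigned rpki-rtr port (not used offline)

# PDU types (RFC 6810 section 5)
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET, ERROR_REPORT = 4, 6, 7, 8, 10
FLAG_ANNOUNCE = 1        # lowest-order flag bit: 1 = announce, 0 = withdraw

HEADER = struct.Struct("!BBHI")   # version, type, session id / zero / error code, length


def encode_reset_query() -> bytes:
    """Router -> cache: 'send me your whole VRP table' (length 8, no body)."""
    return HEADER.pack(RTR_VERSION, RESET_QUERY, 0, 8)


def encode_cache_response(session_id: int) -> bytes:
    return HEADER.pack(RTR_VERSION, CACHE_RESPONSE, session_id, 8)


def encode_prefix(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """Cache -> router: one IPv4 (type 4, 20 bytes) or IPv6 (type 6, 32 bytes) Prefix PDU."""
    net = ipaddress.ip_network(prefix, strict=True)
    pdu_type, length = (IPV4_PREFIX, 20) if net.version == 4 else (IPV6_PREFIX, 32)
    flags = FLAG_ANNOUNCE if announce else 0
    body = struct.pack("!BBBB", flags, net.prefixlen, max_length, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    return HEADER.pack(RTR_VERSION, pdu_type, 0, length) + body


def encode_end_of_data(session_id: int, serial: int) -> bytes:
    return HEADER.pack(RTR_VERSION, END_OF_DATA, session_id, 12) + struct.pack("!I", serial)


def decode_pdus(stream: bytes):
    """Yield (type, session-or-code, body) for each PDU, rejecting bad framing."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError("truncated PDU header")
        version, pdu_type, field, length = HEADER.unpack_from(stream, offset)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < HEADER.size or offset + length > len(stream):
            raise ValueError("bad PDU length")
        yield pdu_type, field, stream[offset + HEADER.size: offset + length]
        offset += length


def apply_cache_response(stream: bytes, vrps: set) -> int:
    """Apply a Cache Response ... End Of Data batch to a set of
    (prefix, max_length, asn) tuples; return the serial carried by End Of Data."""
    serial = None
    for pdu_type, field, body in decode_pdus(stream):
        if pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
            flags, plen, maxlen, _ = struct.unpack_from("!BBBB", body)
            addr_len = 4 if pdu_type == IPV4_PREFIX else 16
            addr = ipaddress.ip_address(body[4:4 + addr_len])
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            vrp = (f"{addr}/{plen}", maxlen, asn)
            vrps.add(vrp) if flags & FLAG_ANNOUNCE else vrps.discard(vrp)
        elif pdu_type == END_OF_DATA:
            (serial,) = struct.unpack_from("!I", body)
        elif pdu_type == CACHE_RESET:
            vrps.clear()          # cache cannot update incrementally: start over
        elif pdu_type == ERROR_REPORT:
            raise RuntimeError(f"cache sent Error Report, code {field}")
    if serial is None:
        raise ValueError("exchange did not finish with End Of Data")
    return serial


# Constructed exchange: the cache answers a Reset Query with two ROAs, one
# announce-then-withdraw pair, and closes the batch with End Of Data.
SAMPLE_SESSION = 0x1234
SAMPLE_STREAM = (
    encode_cache_response(SAMPLE_SESSION)
    + encode_prefix("192.0.2.0/24", 24, 64496)
    + encode_prefix("2001:db8::/32", 48, 64496)
    + encode_prefix("198.51.100.0/24", 24, 64497)
    + encode_prefix("198.51.100.0/24", 24, 64497, announce=False)
    + encode_end_of_data(SAMPLE_SESSION, serial=42)
)


def demo():
    table = set()
    serial = apply_cache_response(SAMPLE_STREAM, table)
    return serial, sorted(table)


if __name__ == "__main__":
    print(encode_reset_query().hex())   # what the router sends first
    print(demo())
```

The router keeps the serial returned by End Of Data and later sends a Serial Query with it, so that the cache can reply with only the changes; a Cache Reset means that is no longer possible and the whole table must be reloaded.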

Validation Cache
- RIPE NCC: Java, runs almost anywhere, supports RTR (the RPKI-to-router protocol). Download: http://labs.ripe.net/Members/agowland/ripencc-rpki-validator.zip/view
- rcynic: runs on Unix-like systems.
- BBN: written in C++, tested on Linux but may run on other Unix-like systems.

Routers
- Cisco: production software for ASR1000, 7600, ASR903 and ASR901, releases 15.2(1)S or IOS XE 3.5.
- Juniper: beta versions in JunOS; production version sometime in 2012.
- Quagga: Quagga SRx, developed by NIST (US); 3rd-party patch, merge into mainline Quagga planned for later in 2012.

RPKI in the LAC Region
This segment of the talk is biased:
- It covers operational experience from our service region only (LACNIC).
- I assume people should know what their network is actually doing.
- So take all this with a grain of salt.
It is not meant to be hard on early adopters:
- Early adopters always get burnt, but they gather and provide extremely valuable experience.

RPKI in the LACNIC Service Region
Where are we?
- Slowly getting there.
- There is a lot of interest in the community.
- A bit of disappointment due to lack of router software; this should change later this year.
- Noticeable increments in usage after our conferences.
- ~200 prefixes, 6% of announced IPv4 covered by ROAs.
- 2nd place among all regions, behind RIPE NCC, by some measurements.

RPKI Evolution
(Chart not preserved in the transcript: prefixes signed, and IPv4 space covered by ROAs as % of total.)

Nice, right? Or... perhaps not
- Statistics show that the quality of the ROAs created tends to be not very good.
- Quality in this context means 'first do no harm':
  - Your ROAs should not create 'artificial' invalids: routes your network legitimately announces that validators nevertheless mark Invalid, because no ROA matches their origin AS or their prefix length. Otherwise trust in the system will be quickly undermined once BGP speakers start validating.
- Our region was creating almost 1,500 invalids.

How we figured it out?

Why? What is Going On?
Network-related issues:
- Lack of awareness of how a 'complex' network is actually, well, 'networking' with its peers ('complex' as in 'I use more than one AS').
- Failure to properly identify the correct originating AS.
- Flabbergasting levels of de-aggregation: sometimes for TE needs, sometimes hard to explain. They make creation of proper ROAs impractical with currently available tools: a ROA whose maxLength only matches the aggregate marks every more-specific announcement Invalid.
System-related issues (continued on next slide).

Why? What is Going On? (ii)
System-related issues:
- Lack of 'previewing' or 'prototyping' tools, leading to 'blind' ROA creation and lots of trial and error.
- Lack of awareness of tools like RIS (RIPE NCC's Routing Information Service), which shows what a prefix actually looks like from the outside.

What Now? What Should We Do?
Act now:
- We contacted our worst offenders and reduced our count of invalids by 75% while keeping them using the system.
Plan for the future:
- Provide better tools:
  - Ways of 'previewing' the effect of a ROA; RIS data is invaluable for this purpose.
  - Batch creation of ROAs.
  - Up/Down (the RFC 6492 provisioning protocol), integrated with the hosted system.
- BGP training. Remember the BGP BoF later today.
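The 'artificial invalids' of the previous slides and the 'preview' tool proposed here both come down to the origin validation rule later written up as RFC 6811. The following added example (not the talk's, LACNIC's or any RIR system's code) implements that rule in Python and uses it as a ROA preview: given a candidate ROA and the routes currently seen by collectors, it lists the announcements that would flip to Invalid, as a de-aggregated /25 under a /24 ROA with maxLength 24 or a second origin AS does. The announcement table standing in for RIS data is constructed for the example, with documentation prefixes and ASNs from the 64496–64511 range.

```python
"""Origin validation (RFC 6811) plus a 'ROA preview' against a route table.
Added example; not code from the LACNIC talk or from any RIR hosted system.
The ROAs and announcements below are constructed for the example.
"""
import ipaddress
from collections import namedtuple

VRP = namedtuple("VRP", "prefix max_length asn")    # validated ROA payload
Route = namedtuple("Route", "prefix origin_asn")    # prefix + origin AS as seen in BGP


def covering(vrp: VRP, route_net) -> bool:
    """A VRP covers a route when the route's prefix lies inside the VRP prefix."""
    vrp_net = ipaddress.ip_network(vrp.prefix)
    return vrp_net.version == route_net.version and route_net.subnet_of(vrp_net)


def validate(route: Route, vrps) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    not-found : no VRP covers the prefix (nobody has made a ROA for it)
    valid     : a covering VRP has the same origin AS and maxLength >= route length
    invalid   : covering VRPs exist but none matches (wrong origin or too specific)
    """
    net = ipaddress.ip_network(route.prefix)
    covered = [v for v in vrps if covering(v, net)]
    if not covered:
        return "not-found"
    for v in covered:
        if v.asn == route.origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def preview_roa(candidate: VRP, announced, existing_vrps=()):
    """List every currently announced route that the candidate ROA would make
    'invalid'.  Routes that are invalid already are not blamed on the new ROA."""
    before = list(existing_vrps)
    after = before + [candidate]
    return [r for r in announced
            if validate(r, before) != "invalid" and validate(r, after) == "invalid"]


# Constructed route table (stand-in for RIS data) for an organisation that
# uses two ASes and de-aggregates a /24 into /25s for traffic engineering.
ANNOUNCED = [
    Route("192.0.2.0/24", 64496),
    Route("203.0.113.0/24", 64496),
    Route("203.0.113.0/25", 64496),     # TE more-specific
    Route("203.0.113.128/25", 64497),   # announced from the organisation's second AS
    Route("198.51.100.0/24", 64500),    # somebody else's prefix, no ROA
]


def demo():
    # First attempt: one ROA for the aggregate, maxLength left at the prefix length.
    naive = VRP("203.0.113.0/24", 24, 64496)
    harmed = preview_roa(naive, ANNOUNCED)           # the 'artificial invalids'
    # Corrected ROAs after looking at what the network really announces.
    fixed = [
        VRP("203.0.113.0/24", 25, 64496),     # covers the /24 and the TE /25
        VRP("203.0.113.128/25", 25, 64497),   # second AS gets its own ROA
        VRP("192.0.2.0/24", 24, 64496),
    ]
    states = {f"{r.prefix} AS{r.origin_asn}": validate(r, fixed) for r in ANNOUNCED}
    hijack = validate(Route("192.0.2.0/24", 64511), fixed)   # forged origin AS
    return harmed, states, hijack


if __name__ == "__main__":
    harmed, states, hijack = demo()
    print("would become invalid:", harmed)
    print("with corrected ROAs:", states)
    print("hijack attempt:", hijack)
```

The preview compares the state before and after the candidate ROA, which is the check a hosted system can run against collector data before publishing; raising maxLength beyond what is really announced is not the fix, since it would let a hijacker announce those more-specifics as 'valid' from the same origin AS.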

Thank you!
lacnic.net