34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Operators Approach
0 likes663 views
This document discusses securing the global routing system and the approaches taken by network operators. It provides examples of tools and techniques used for route origin validation, including manual lookup of IP addresses in databases to verify customer ownership, and automated checks using RPKI and RPSL. Statistics are presented on adoption of RPKI by network operators, showing the majority of prefixes have consistent origin validation, though some violations still exist. Adoption in Indonesia is reviewed, finding most autonomous systems have not yet implemented RPKI. The challenges of maintaining routing policies and implementing RPKI technologies are also summarized.
![Issue Date:
Revision:
Securing the Global Routing
System and the Approach of
Operators
Fakrul Alam
Senior Training Officer
fakrul@apnic.net
[20 July 2016]
[2.0]
IDNOG3
28 July 2016, Jakarta, Indonesia](https://image.slidesharecdn.com/34-idnog03-fakrulalamapnic-securingglobalroutingsystemandoperatorsapproach-160730004703/85/34-IDNOG03-Fakrul-Alam-APNIC-Securing-Global-Routing-System-and-Operators-Approach-1-320.jpg)
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Operators Approach
- 1. Issue Date: Revision: Securing the Global Routing System and the Approach of Operators Fakrul Alam Senior Training Officer fakrul@apnic.net [20 July 2016] [2.0] IDNOG3 28 July 2016, Jakarta, Indonesia
- 2. Incidents 2
- 5. Tools & techniques • Manual LoA Check – Whois search on the customer’s IP address from the IRR database – Find the admin-c / tech-c contact email address from the database search and email them for verification – Check corresponding “route objects” • Automated LoA Check – Fetch the routing policy from the IRR Database – Generate associate prefix/AS filter – Mostly done using RPSL • RPKI – Check and validate prefix origin cryptographically 5
- 6. LoA check 6 • The system is sometimes overly complicated, and lacks sufficient examples • End users cannot figure it out, which means another layer of support structure must be added, or proxy registration must be implemented
- 7. LoA check & RPSL 7 A publicly accessible description of every import and export policy to every transit, peer, and customer is difficult to maintain, and is not in the best business interests of many ISPs
- 8. RPKI implementation • Origin validation • Hosted CA – Easy to deploy, but have to trust a third party with your private key • Delegated – Complexity in installing the CA, generating ROAs, and publishing URI and point TA • Upgrade at least ASBRs to RPKI capable code 8
- 9. Technology & learning curve 9 RPSL RFC2622 RPSLng RFC4012 RPKI RFC6810
- 10. But how are operators adopting and implementing? 10
- 11. Distribution of prefixes 11 Total Prefixes : 650772 / 6th July 2016
- 12. Prefixes with IRR data 12 Violations: 80794 (19.53%) Consistent: 332981 (80.47%)
- 13. IRR data violations example 13
- 14. Prefixes with RPKI 14 Violations: 775 (3.82%) Consistent: 19522 (96.18%) Violations: 2398 (13.56%) Consistent: 15289 (86.44%)
- 15. RPKI data violation example • Most of the cases involve an invalid prefix (fixed length mismatch) – Create ROA for /22 but announce 24 • Invalid origin AS is also visible 15
- 16. RPKI data violation example 16
- 18. Indonesia 18 http://rpki.apnictraining.net/output/id.html Total ASNs delegated by RIR: 166 Visible IPv4 routes: 7305 Visible IPv6 routes: 299
- 19. IPv4 prefixes announcement 19 source : http://www.ris.ripe.net/dumps/riswhoisdump.IPv4.gz date : 21 June 2016 1 1 5 10 75 12 36 68 340 533 981 1243 3995 1 1 3 0 500 1000 1500 2000 2500 3000 3500 4000 4500 SUBNET 11 13 14 15 16 17 18 19 20 21 22 23 24 26 27 29 IPV4 PREFIXES DISTRIBUTION BY SUBNET
- 20. IPv6 prefixes announcement 20 source : http://www.ris.ripe.net/dumps/riswhoisdump.IPv6.gz date : 21 June 2016 1 26 5 2 5 27 13 2 3 114 5 23 4 50 3 16 0 20 40 60 80 100 120 SUBNET 31 32 33 34 36 38 40 44 47 48 60 64 125 126 127 128 IPV6 PREFIXES DISTRIBUTION BY SUBNET
- 21. Summary • RPKI adoption is growing – In most cases, operators create ROAs for min length and advertise the longest prefix – Some ROAs are invalid due to further allocation to customers • BGP operations and security – draft-ietf-opsec-bgp-security-07 21
- 22. Data collection • OpenBMP – https://github.com/OpenBMP/openbmp • RPKI Dashboard – https://github.com/remydb/RPKI-Dashboard • RIPE NCC RPKI Statistics – https://lirportal.ripe.net/certification/content/static/statistics/world- roas.html • RIPE NCC RPKI Validator API – http://rpki-validator.apnictraining.net:8080/export 22
- 23. Thank You
- 24. Your views matter! Closes 5 August 2016 Your views guide the future direction of APNIC https://survey.apnic.net 24