SlideShare a Scribd company logo

Routing Security

RIPE NCC, profile picture
RIPE NCC

This document provides an introduction to BGP routing security and the Resource Public Key Infrastructure (RPKI). It explains that RPKI ties IP addresses and autonomous system numbers (ASNs) to public keys to validate route origination. It details how RPKI uses certificates signed by regional internet registries to establish a chain of trust from root certificates to route origin authorization (ROA) files created by network operators. It also discusses tools for validating ROAs and using the results to make routing decisions, as well as ongoing efforts to fully validate the security of inter-domain routing.

Technology
Related topics:
RIPE NCC
1 of 58
Download to read offline
1
2
3
4
Most read
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Nathalie Trenaman| 13 April 2021 | Lebanese University, Faculty of Sciences Routing Security
Introduction to BGP routing
3 Internet building blocks ASN (Autonomous System Number)
4 ASN (Autonomous System Number) Internet building blocks ASN Addresses Interconnect Autonomous System
5 Routing on the Internet “BGP protocol” Can I trust AS2? Routing table 
 194.x.x.x = AS2 Routing table 
 193.x.x.x = AS1 Is AS1 correct? AS1 
 193.x.x.x AS2 
 194.x.x.x AS2: “I have 194.x.x.x” AS1: “I have 193.x.x.x”
6 Route Propagation AS15 AS756 R1 AS33 AS164 66.2.9.0/24 M ED=700 MED=500 LP=100 LP=50 AS25 AS5 R2 LP=40 tra ffi c route
7 Accidents Happen • Fat Fingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
8 Incidents Are Common • 2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
9 How Bad Is It?
10 Routing on the Internet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” RIPE Database “Internet Routing Registry”
11 Problem Statement • Some IRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
• Problem Statement
13 Internet Routing Registry • Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE Region resources only - RADB allows paying customers to create any object - Lots of the other IRRs do not formally verify holdership
Introduction to RPKI
15 Resource Public Key Infrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
16 RPKI Certificate Structure Member Member Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
17 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
18 RPKI Chain of Trust RIPE NCC Root Certificate Self-signed ALL Resources Root’s private key signature public key
19 RPKI Chain of Trust LIR Certificate Signed by the Root private key LIR’s Resources Root’s private key signature public key
20 RPKI Adoption
21 Two elements of RPKI Signing Create your ROAs Validating Verifying others
ROAs
23 ROA (Route Origin Authorisation) • A ROA is… • LIRs can create a ROA for each one of their resources (IP address ranges) • Multiple ROAs can be created for an IP range • ROAs can overlap
24 What is in a ROA ? Prefix The network for which you are creating the ROA The ASN that’s supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA
25 RPKI Chain of Trust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
26 Route Origin Authorisation Prefix is authorised to be announced by AS Number LIR’s private key ROA signature
27 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
28 Hosted or Delegated RPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
29 Hosted RPKI • Automatic signing and key roll overs - One click setup of resource certificate - User has a valid and published certificate for as long as they are the holder of the resources - All the complexity is handled by the hosted system • Lets you focus on creating and publishing ROAs - Match your intended BGP configuration
30 Delegated RPKI • Run your own Certification Authority software - Dragon research Labs, RPKI toolkit - NLNetLabs, Krill • Setup connection with RIPE NCC CA • Generate a certificate and get it signed by the parent CA • Run your own repository
31 First login to the dashboard
32 Creating ROAs
33 Reviewing changes
34 Checking the effects
/23 35 193.0.24.0/21 AS2121 Max Length: /21 ROA 193.0.24.0/21 193.0.24.0/22 193.0.28.0/22 193.0.24.0/23 AS2121 Max Length: /24 ROA 193.0.30.0/23 AS2121 Max Length: /23 ROA ✖ ✖ ✔︎ /23 /23 /23 /23 /23 /24 /24 /24 /24 /24 /24 /24 /24 /24 /24 ✖ ✔︎✔︎✔︎✔︎ ✖ ✖ ✖ ✖ ✖ ✖ ✖
36 RPKI Adoption
37 ROA Adoption
38 ROA Accuracy
Validation Tools
40 Two elements of RPKI Signing Create your ROAs Validating Verifying others
41 Routing on the Internet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
42 Trust Anchor Locator (TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
43 RPKI Validators • Software that creates a local “validated cache” with all the valid ROAs - Downloads the RPKI repository from the RIRs - Validates the chain of trust of all the ROAs and associated CAs - Talks to your routers using the RPKI-RTR Protocol
44 Relying Party RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
45 RPKI-RTR ROAs ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES
46 Relying Party ROA AS111 10.0.7.30/22 AS222 10.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
47 RIPE NCC Validator • https://github.com/RIPE-NCC/rpki-validator • Version 3.1 • Java-based, web interface, white-list functionality • Can speak RPKI-RTR
48 Alternatives • All are open source: - Routinator - https://github.com/NLnetLabs/ routinator/ - FORT - https://github.com/NICMx/FORT-validator/ - OctoRPKI - https://github.com/cloudflare/cfrpki - RPKI-client - https://rpki-client.org/ - Prover - https://github.com/lolepezy/rpki-prover - Rpstir2 - https://github.com/bgpsecurity/rpstir2
ROA Validation
50 Two elements of RPKI Signing Create your ROAs Validating Verifying others
51 ROA Validation • Routers receive data from the validated cache via RPKI-RTR • Based on this and on BGP announcements, you have to make decisions - Accept or discard the BGP Announcement - As temporary measure, you could influence other attributes, such as Local Preference
52 ROAs ROAs ROA Validation BGP Validation VALID INVALID VALID INVALID UNKNOWN NOT FOUND
53 Invalid ROA • Invalid ROA - The ROA in the repository cannot be validated by the client (ISP) so it is not included in the validated cache • Invalid BGP announcement - There is a ROA in validated cache for that prefix but for a different AS. - Or the max length doesn’t match. • If no ROA in the cache then announcement is “unknown”
54 Whitelisting • If there is an invalid ROA for a network that’s important for you or your customers, you can whitelist it • This is done on your local validator software - It creates a “fake” ROA for the resources you want • It allows you to contact the operator to fix their ROA - Think of e-mail, contact forms, etc…
55 Take the Poll!
Status of RPKI ROV Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
57 Where do we go from here ? • RPKI is only one of the steps towards full BGP Validation - Paths are not validated • We need more building blocks - BGPSec (RFC) - ASPA (draft) - AS-Cones (draft)
Questions nathalie@ripe.net rpki@ripe.net

More Related Content

PDF
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
PDF
RPKI with rpki.net Tools
Bangladesh Network Operators Group
 
PDF
RPKI invalids aren't gone yet
Bangladesh Network Operators Group
 
PDF
Routing diff
Bangladesh Network Operators Group
 
PPTX
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
akg1330
 
PDF
BGP Flexibility and Its Consequences
APNIC
 
PDF
A week with analysing RPKI status
APNIC
 
PDF
Resource Certification
RIPE NCC
 
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
RPKI with rpki.net Tools
Bangladesh Network Operators Group
 
RPKI invalids aren't gone yet
Bangladesh Network Operators Group
 
Routing diff
Bangladesh Network Operators Group
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
akg1330
 
BGP Flexibility and Its Consequences
APNIC
 
A week with analysing RPKI status
APNIC
 
Resource Certification
RIPE NCC
 

What's hot (16)

PDF
Certification
RIPE NCC
 
PPTX
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
 
PDF
Route Hijaking and the role of RPKI
APNIC
 
PDF
How You Will Get Hacked Ten Years from Now
julievreeland
 
PDF
RPKI Tutorial
Bangladesh Network Operators Group
 
PDF
RPKI
RIPE NCC
 
PDF
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Bangladesh Network Operators Group
 
PDF
Service Function Chaining with SRv6
Ahmed AbdelSalam
 
PDF
PCTA e-Tech Show 2021: Securing Internet Routing
APNIC
 
PDF
RPKI Certification Tutorial
RIPE NCC
 
PDF
RPKI Trust Anchor
APNIC
 
PDF
I Pv6 Enabling Menog 0.4
Hussein Elmenshawy
 
PDF
Is IPv6 Really Faster?
APNIC
 
ODP
C Cpres
ramya5a
 
PPTX
APRICOT 2015 - NetConf for Peering Automation
Tom Paseka
 
PDF
Traffic Engineering Using Segment Routing
Cisco Canada
 
Certification
RIPE NCC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
 
Route Hijaking and the role of RPKI
APNIC
 
How You Will Get Hacked Ten Years from Now
julievreeland
 
RPKI Tutorial
Bangladesh Network Operators Group
 
RPKI
RIPE NCC
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Bangladesh Network Operators Group
 
Service Function Chaining with SRv6
Ahmed AbdelSalam
 
PCTA e-Tech Show 2021: Securing Internet Routing
APNIC
 
RPKI Certification Tutorial
RIPE NCC
 
RPKI Trust Anchor
APNIC
 
I Pv6 Enabling Menog 0.4
Hussein Elmenshawy
 
Is IPv6 Really Faster?
APNIC
 
C Cpres
ramya5a
 
APRICOT 2015 - NetConf for Peering Automation
Tom Paseka
 
Traffic Engineering Using Segment Routing
Cisco Canada
 
Ad

Similar to Routing Security (20)

PDF
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
RIPE NCC
 
PDF
Resource Public Key Infrastructure (RPKI)
Bangladesh Network Operators Group
 
PDF
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 
PDF
Introduction to RPKI - MyNOG
Siena Perry
 
PDF
RPKI (Resource Public Key Infrastructure)
Fakrul Alam
 
PDF
Securing BGP
RIPE NCC
 
PPTX
Rpki -manrs_(7_september)
NaveenLakshman
 
PDF
Rpki with rpki.net tools
Muhammad Moinur Rahman
 
PDF
npNOG 5: Securing Internet Routing
APNIC
 
PDF
Introduction to RPKI
APNIC
 
PDF
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
RIPE NCC
 
PDF
PacNOG 23: Secure routing with RPKI
APNIC
 
PDF
btNOG 6: Securing Internet Routing
APNIC
 
PPTX
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
APNIC
 
PDF
LkNOG 3: Securing Internet Routing
APNIC
 
PDF
SANOG 34: Securing Internet Routing
APNIC
 
PDF
mnNOG 1: Securing internet Routing
APNIC
 
PDF
Routing Security, Another Elephant in the Room
RIPE NCC
 
PDF
MMIX Peering Forum: Securing Internet Routing
APNIC
 
PDF
BKNIX Peering Forum 2019: Securing Internet Routing
APNIC
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
RIPE NCC
 
Resource Public Key Infrastructure (RPKI)
Bangladesh Network Operators Group
 
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 
Introduction to RPKI - MyNOG
Siena Perry
 
RPKI (Resource Public Key Infrastructure)
Fakrul Alam
 
Securing BGP
RIPE NCC
 
Rpki -manrs_(7_september)
NaveenLakshman
 
Rpki with rpki.net tools
Muhammad Moinur Rahman
 
npNOG 5: Securing Internet Routing
APNIC
 
Introduction to RPKI
APNIC
 
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
RIPE NCC
 
PacNOG 23: Secure routing with RPKI
APNIC
 
btNOG 6: Securing Internet Routing
APNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
APNIC
 
LkNOG 3: Securing Internet Routing
APNIC
 
SANOG 34: Securing Internet Routing
APNIC
 
mnNOG 1: Securing internet Routing
APNIC
 
Routing Security, Another Elephant in the Room
RIPE NCC
 
MMIX Peering Forum: Securing Internet Routing
APNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
APNIC
 
Ad

More from RIPE NCC (20)

PDF
A Look at a Root Cause for DNS Latency - APRICOT 2025
RIPE NCC
 
PDF
Internet Landscape and Network Resiliency in South East Europe
RIPE NCC
 
PDF
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
RIPE NCC
 
PDF
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
RIPE NCC
 
PDF
RIPE Atlas & other RIPE NCC Internet Measurement Tools
RIPE NCC
 
PDF
Minimising Impact before incidents occur with RIPE Atlas
RIPE NCC
 
PDF
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
RIPE NCC
 
PDF
Know Your Network: Why every network operator should host a RIPE Atlas probe
RIPE NCC
 
PDF
Know Your Network; why every network operator should host a RIPE Atlas probe
RIPE NCC
 
PDF
Taiwan's Digital Landscape with RIPE NCC Tools
RIPE NCC
 
PDF
Navigating IP Addresses: Insights from your Regional Internet Registry
RIPE NCC
 
PDF
Traces of Power: Internet Governance and Climate Action
RIPE NCC
 
PDF
Governing Environmental Sustainability in Tech
RIPE NCC
 
PDF
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
RIPE NCC
 
PDF
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
RIPE NCC
 
PDF
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
RIPE NCC
 
PDF
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC
 
PDF
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC
 
PDF
RIPE NCC Internet Measurement Tools
RIPE NCC
 
PDF
IPv6 in Central Europe and the Baltics
RIPE NCC
 
A Look at a Root Cause for DNS Latency - APRICOT 2025
RIPE NCC
 
Internet Landscape and Network Resiliency in South East Europe
RIPE NCC
 
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
RIPE NCC
 
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
RIPE NCC
 
RIPE Atlas & other RIPE NCC Internet Measurement Tools
RIPE NCC
 
Minimising Impact before incidents occur with RIPE Atlas
RIPE NCC
 
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
RIPE NCC
 
Know Your Network: Why every network operator should host a RIPE Atlas probe
RIPE NCC
 
Know Your Network; why every network operator should host a RIPE Atlas probe
RIPE NCC
 
Taiwan's Digital Landscape with RIPE NCC Tools
RIPE NCC
 
Navigating IP Addresses: Insights from your Regional Internet Registry
RIPE NCC
 
Traces of Power: Internet Governance and Climate Action
RIPE NCC
 
Governing Environmental Sustainability in Tech
RIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
RIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
RIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
RIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC
 
IPv6 in Central Europe and the Baltics
RIPE NCC
 

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
KodekX | Application Modernization Development
KodekX
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 

Routing Security

  • 1. Nathalie Trenaman| 13 April 2021 | Lebanese University, Faculty of Sciences Routing Security
  • 3. 3 Internet building blocks ASN (Autonomous System Number)
  • 4. 4 ASN (Autonomous System Number) Internet building blocks ASN Addresses Interconnect Autonomous System
  • 5. 5 Routing on the Internet “BGP protocol” Can I trust AS2? Routing table 
 194.x.x.x = AS2 Routing table 
 193.x.x.x = AS1 Is AS1 correct? AS1 
 193.x.x.x AS2 
 194.x.x.x AS2: “I have 194.x.x.x” AS1: “I have 193.x.x.x”
  • 7. 7 Accidents Happen • Fat Fingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
  • 8. 8 Incidents Are Common • 2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
  • 10. 10 Routing on the Internet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” RIPE Database “Internet Routing Registry”
  • 11. 11 Problem Statement • Some IRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
  • 13. 13 Internet Routing Registry • Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE Region resources only - RADB allows paying customers to create any object - Lots of the other IRRs do not formally verify holdership
  • 15. 15 Resource Public Key Infrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
  • 16. 16 RPKI Certificate Structure Member Member Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
  • 17. 17 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
  • 18. 18 RPKI Chain of Trust RIPE NCC Root Certificate Self-signed ALL Resources Root’s private key signature public key
  • 19. 19 RPKI Chain of Trust LIR Certificate Signed by the Root private key LIR’s Resources Root’s private key signature public key
  • 21. 21 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 22. ROAs
  • 23. 23 ROA (Route Origin Authorisation) • A ROA is… • LIRs can create a ROA for each one of their resources (IP address ranges) • Multiple ROAs can be created for an IP range • ROAs can overlap
  • 24. 24 What is in a ROA ? Prefix The network for which you are creating the ROA The ASN that’s supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA
  • 25. 25 RPKI Chain of Trust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
  • 26. 26 Route Origin Authorisation Prefix is authorised to be announced by AS Number LIR’s private key ROA signature
  • 27. 27 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
  • 28. 28 Hosted or Delegated RPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
  • 29. 29 Hosted RPKI • Automatic signing and key roll overs - One click setup of resource certificate - User has a valid and published certificate for as long as they are the holder of the resources - All the complexity is handled by the hosted system • Lets you focus on creating and publishing ROAs - Match your intended BGP configuration
  • 30. 30 Delegated RPKI • Run your own Certification Authority software - Dragon research Labs, RPKI toolkit - NLNetLabs, Krill • Setup connection with RIPE NCC CA • Generate a certificate and get it signed by the parent CA • Run your own repository
  • 31. 31 First login to the dashboard
  • 35. /23 35 193.0.24.0/21 AS2121 Max Length: /21 ROA 193.0.24.0/21 193.0.24.0/22 193.0.28.0/22 193.0.24.0/23 AS2121 Max Length: /24 ROA 193.0.30.0/23 AS2121 Max Length: /23 ROA ✖ ✖ ✔︎ /23 /23 /23 /23 /23 /24 /24 /24 /24 /24 /24 /24 /24 /24 /24 ✖ ✔︎✔︎✔︎✔︎ ✖ ✖ ✖ ✖ ✖ ✖ ✖
  • 40. 40 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 41. 41 Routing on the Internet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
  • 42. 42 Trust Anchor Locator (TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
  • 43. 43 RPKI Validators • Software that creates a local “validated cache” with all the valid ROAs - Downloads the RPKI repository from the RIRs - Validates the chain of trust of all the ROAs and associated CAs - Talks to your routers using the RPKI-RTR Protocol
  • 44. 44 Relying Party RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
  • 46. 46 Relying Party ROA AS111 10.0.7.30/22 AS222 10.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
  • 47. 47 RIPE NCC Validator • https://github.com/RIPE-NCC/rpki-validator • Version 3.1 • Java-based, web interface, white-list functionality • Can speak RPKI-RTR
  • 48. 48 Alternatives • All are open source: - Routinator - https://github.com/NLnetLabs/ routinator/ - FORT - https://github.com/NICMx/FORT-validator/ - OctoRPKI - https://github.com/cloudflare/cfrpki - RPKI-client - https://rpki-client.org/ - Prover - https://github.com/lolepezy/rpki-prover - Rpstir2 - https://github.com/bgpsecurity/rpstir2
  • 50. 50 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 51. 51 ROA Validation • Routers receive data from the validated cache via RPKI-RTR • Based on this and on BGP announcements, you have to make decisions - Accept or discard the BGP Announcement - As temporary measure, you could influence other attributes, such as Local Preference
  • 52. 52 ROAs ROAs ROA Validation BGP Validation VALID INVALID VALID INVALID UNKNOWN NOT FOUND
  • 53. 53 Invalid ROA • Invalid ROA - The ROA in the repository cannot be validated by the client (ISP) so it is not included in the validated cache • Invalid BGP announcement - There is a ROA in validated cache for that prefix but for a different AS. - Or the max length doesn’t match. • If no ROA in the cache then announcement is “unknown”
  • 54. 54 Whitelisting • If there is an invalid ROA for a network that’s important for you or your customers, you can whitelist it • This is done on your local validator software - It creates a “fake” ROA for the resources you want • It allows you to contact the operator to fix their ROA - Think of e-mail, contact forms, etc…
  • 56. Status of RPKI ROV Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
  • 57. 57 Where do we go from here ? • RPKI is only one of the steps towards full BGP Validation - Paths are not validated • We need more building blocks - BGPSec (RFC) - ASPA (draft) - AS-Cones (draft)