Developments in Routing Security
Transcript of Developments in Routing Security
4 June 2019 | ENOG 16
Oleg Muravskiy
Oleg Muravskiy | ENOG 16 | June 2019
Who We Are
• We manage IP and ASN allocations in Europe, the Middle East and parts of Central Asia
  • Ensure unique holdership
  • Document holdership in the RIPE Database (whois)
  • Enable operators to document use of their address space

Routing Security is in Our DNA
• In 1994, RIPE-181 was the first document published that used a common language to describe routing policies
• We co-developed standards for IRR and RPKI
• We are one of the five RPKI Trust Anchors
• Our Validator tool was the first tool to do Origin Validation
Routing on the Internet
Diagram: AS A holds 10.10.x.x and AS B holds 10.20.x.x. Over BGP, A says "I have 10.10.x.x" and B says "I have 10.20.x.x". The questions BGP alone cannot answer: Can I trust B? Is A correct?

Incidents Are Common
• 2017 Routing Security Review by the Internet Society
  • 14k incidents
  • 10% of all ASes affected
  • 3k ASNs were victims of at least one incident
  • 1.5k ASNs caused at least one incident

Or Worse…
• April 2018: BGP and DNS hijack targeting Amazon and MyEtherWallet.com
• August 2018: the same technique used against several payment systems
How to Secure Routing
Diagram: the same two networks, AS A with 10.10.x.x and AS B with 10.20.x.x, announcing over BGP ("I have 10.10.x.x", "I have 10.20.x.x"). To answer "Can I trust B?" and "Is A correct?", the intended announcements are documented in an Internet Routing Registry: A announces 10.10.x.x to B; B announces 10.20.x.x to A, C and D.

Internet Routing Registry (IRR)
• IRRs have existed for many years
  • RIPE DB, NTTCOM, RADB, ALTDB, ARIN IRR, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE, …
• But their accuracy is not great
  • The RIPE Database verifies holdership for RIPE region resources only
  • The RADB allows paying customers to create any object
  • Many IRRs do not formally verify holdership

Accuracy – RIPE DB IRR
Chart: valid announcements as a share of covered announcements, for the RIPE DB IRR.

Accuracy – RADB IRR
Chart: valid announcements as a share of covered announcements, for the RADB IRR.
Resource Public Key Infrastructure (RPKI)
• Ties IP addresses and ASNs to digital certificates (X.509)
• Digitally signed statements from resource holders
  • "AS X is authorised to announce my IP prefix Y"
  • Signed by the holder of Y
• Operated since 2011 by all RIRs
• Supported by IETF standards

RPKI Needs Two Actions
Diagram: AS A holds 10.10.x.x and AS B holds 10.20.x.x. Action 1: the holder creates a route origin authorisation record in the RPKI repository: "AS A is authorised to announce 10.10.0.0/16". Action 2: when A announces "I have 10.10.x.x" over BGP, B validates the route against the repository to answer "Is A correct?".

Creating RPKI Objects: Certificate Hierarchy
Diagram: the RIPE NCC TA (trust anchor) certifies the RIPE NCC resources; below it sit certificates for Member A resources, Member B resources, … Member Z resources, and below the members the End User A, End User B and End User C resources.

Creating RPKI Objects: Hosted vs Non-Hosted
Diagram: the same hierarchy. In the hosted model the certificate and objects of a member or end user live in the RIPE NCC Hosted System. In the non-hosted model the member or end user runs its own CA (Member A CA, Member Z CA, End User A CA) under the RIPE NCC certificate.
Creating RPKI Objects: Running a Non-Hosted CA
• Install RPKI CA software
  • Dragon Research Labs rpki.net RPKI toolkit
  • NLnet Labs Krill
• Enable non-hosted CA on the LIR Portal
• Set up the connection with the RIPE NCC CA

Enable Non-Hosted CA on the LIR Portal
Screenshot of the LIR Portal step.

Setup Connection With the RIPE NCC CA
Screenshots of the LIR Portal steps (two slides).

Creating RPKI Objects: Running a Non-Hosted CA
• Install RPKI CA software
  • Dragon Research Labs rpki.net RPKI toolkit
  • NLnet Labs Krill
• Enable non-hosted CA on the LIR Portal
• Set up the connection with the RIPE NCC CA
• Generate your resource certificate and get it signed
• Create your ROA objects
• Publish your resource certificate and ROA objects in your RPKI repository (from another AS)
• Keep re-publishing your objects (every 24 hours)

Creating RPKI Objects: Using a Hosted CA
• Enable Hosted CA on the LIR Portal
• Create your ROA objects
Create Your ROA Objects in a Hosted CA
Screenshots of the LIR Portal ROA editor (two slides); video walkthrough: https://youtu.be/gLwHp12wOGw

Creating RPKI Objects: Using a Hosted CA
• Enable Hosted CA on the LIR Portal
• Create your ROA objects
• We will publish your objects in our RPKI repository
• We will keep your objects up-to-date
Takes 45 seconds (if you know your RIPE NCC Access password)

Hosted CA for PI End-Users
• By default, RPKI for PI resources is managed by the sponsoring LIR
• Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in the RIPE DB
• Then you could link your RIPE NCC Access account to that maintainer
• …and enable your own RPKI CA
• Documentation

Hosted CA for PI End-Users
Screenshot of the LIR Portal: Your account, Your organisation, Linked maintainers, Authenticate.

Routing validation
Validating Route Announcements
Diagram: your RPKI Validator fetches RPKI repositories X, Y and Z, produces the set of valid ROAs, and feeds them to your router over RPKI-to-Router. BGP announcements from your peer are then checked against that set on your router and your policies are applied.

RPKI Validators
• RIPE NCC RPKI Validator
  - Version 2
  - Version 3
• Dragon Research Labs rpki.net RPKI toolkit
• NLnet Labs Routinator
• Cloudflare's OctoRPKI

Validating Route Announcements
Diagram: each BGP route from your peer (prefix, AS path) is compared with the valid ROAs (prefix, origin AS) on your router; the result is VALID, UNKNOWN or INVALID, and your policies decide what to do with each state.

Validating Route Announcements: Policies
• Prefer VALID over others
• Prefer UNKNOWN over INVALID
• Drop INVALID
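The two actions from the RPKI slides (create the authorisation, validate the route) and the VALID / UNKNOWN / INVALID states and policy above, as an added worked example. This is not RIPE NCC code and not part of the original deck: it implements RFC 6811 route origin validation in Python against a small set of VRPs (validated ROA payloads). The VRP list is constructed and fictional; its JSON shape ("roas" with "asn", "prefix", "maxLength") follows the export format of validators such as Routinator, and the ASNs 65001, 65002, 65003, 65010 and 65666 and the prefixes 10.10.0.0/16, 10.20.0.0/16 and 2001:db8::/32 are assumed for illustration. The loose maxLength on the second ROA also shows why the recommendation later in the deck says to pay attention to the Max Length: a forged AS path that merely ends in the authorised origin makes a more-specific hijack VALID, because origin validation never looks at the path.

```python
"""RFC 6811 Route Origin Validation against a set of VRPs.

Added example (not RIPE NCC code). The VRP export below is constructed and
fictional: prefixes 10.10.0.0/16, 10.20.0.0/16, 2001:db8::/32 and ASNs 65001
and 65002 are assumed for illustration. The JSON shape ("roas" with "asn",
"prefix", "maxLength") follows what validators such as Routinator export.
"""
import ipaddress
import json

VALID, UNKNOWN, INVALID = "VALID", "UNKNOWN", "INVALID"

# Constructed validator export. The first ROA authorises only the /16 itself;
# the second one carries a loose maxLength of /24 (the pitfall shown below).
VRP_JSON = """
{"roas": [
  {"asn": "AS65001", "prefix": "10.10.0.0/16",  "maxLength": 16, "ta": "ripe"},
  {"asn": "AS65002", "prefix": "10.20.0.0/16",  "maxLength": 24, "ta": "ripe"},
  {"asn": "AS65001", "prefix": "2001:db8::/32", "maxLength": 48, "ta": "ripe"}
]}
"""


def load_vrps(text):
    """Parse a JSON VRP export into (network, max_length, origin_asn) tuples."""
    vrps = []
    for roa in json.loads(text)["roas"]:
        asn = roa["asn"].upper()
        asn = int(asn[2:]) if asn.startswith("AS") else int(asn)
        vrps.append((ipaddress.ip_network(roa["prefix"]), int(roa["maxLength"]), asn))
    return vrps


def validate(prefix, origin_asn, vrps):
    """Classify one (prefix, origin AS) pair as VALID, UNKNOWN or INVALID.

    RFC 6811: a VRP covers the route if the announced prefix is equal to or
    more specific than the VRP prefix. The route is VALID if any covering VRP
    has the same origin AS and the announced length is within maxLength;
    INVALID if it is covered but no VRP matches; UNKNOWN if nothing covers it.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_asn in vrps:
        if vrp_net.version != net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        if vrp_asn == origin_asn and net.prefixlen <= max_len:
            return VALID
    return INVALID if covered else UNKNOWN


def origin_as(as_path):
    """Origin validation looks only at the rightmost AS in the path."""
    return as_path[-1]


def apply_policy(state):
    """The policy from the slide: drop INVALID, prefer VALID over UNKNOWN.

    Returns (accepted, local_pref); the local-pref values 200/100 are
    placeholders for whatever your router policy uses.
    """
    if state == INVALID:
        return False, None
    return True, 200 if state == VALID else 100


def evaluate(announcements, vrps):
    """Run validation and policy over received routes ({'prefix', 'as_path'})."""
    results = []
    for ann in announcements:
        state = validate(ann["prefix"], origin_as(ann["as_path"]), vrps)
        accepted, local_pref = apply_policy(state)
        results.append((ann["prefix"], tuple(ann["as_path"]), state, accepted, local_pref))
    return results


def minimal_maxlength(vrps):
    """The same ROAs with maxLength equal to the prefix length (RFC 9319 advice)."""
    return [(net, net.prefixlen, asn) for net, _, asn in vrps]


if __name__ == "__main__":
    vrps = load_vrps(VRP_JSON)
    received = [  # constructed BGP announcements
        {"prefix": "10.10.0.0/16", "as_path": [65010, 65001]},   # legitimate
        {"prefix": "10.10.0.0/16", "as_path": [65010, 65003]},   # wrong origin
        {"prefix": "10.10.128.0/17", "as_path": [65001]},        # right AS, beyond maxLength
        {"prefix": "10.30.0.0/16", "as_path": [65003]},          # no ROA at all
        {"prefix": "10.20.5.0/24", "as_path": [65666, 65002]},   # forged path, loose maxLength
    ]
    for row in evaluate(received, vrps):
        print(row)
    # With maxLength tightened to the prefix length the forged /24 becomes INVALID.
    print(validate("10.20.5.0/24", 65002, minimal_maxlength(vrps)))
```

The last announcement is the max-length trap: AS65666 prepends the legitimate origin AS65002 to a /24 that the loose ROA permits, the route is VALID, and as the more specific it wins over AS65002's own /16. Only a path-aware mechanism (BGPsec or ASPA, discussed below) catches that; the fix within origin validation is to sign ROAs with the smallest maxLength you really announce, as `minimal_maxlength` illustrates.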
Invalid == reject
• What breaks if you reject invalids?
  • "Mostly nothing" – AT&T
  • "5 customer calls in 6 months, all resolved quickly" – medium Dutch ISP
  • "Customers appreciate a provider who takes security seriously" – medium Dutch ISP
  • "There are many invalids but very little traffic is impacted" – very large cloud provider

Origin Validation vs Path Validation
• ROA-based validation covers only part of the problem
• BGPsec could solve it, but can't
• Autonomous System Provider Authorization (ASPA)
  - Work in progress
• Don't wait, start now
Number of Certificates
Chart: https://certification-stats.ripe.net

Coverage – RPKI (all RIRs)
Chart: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

Accuracy – RPKI (all RIRs)
Chart: IPv4 addresses in valid announcements as a share of covered announcements. Source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

RPKI in some regional countries
Country | ROA Coverage | ROA Accuracy
AM | 42.83% | 100%
AZ | 3.25% | 100%
BY | 61.37% | 100%
EE | 1.92% | 100%
GE | 27.25% | 100%
KG | 7.05% | 100%
KZ | 2.35% | 100%
LT | 20.37% | 100%
LV | 24.34% | 99.76%
MD | 65.57% | 100%
RU | 0.78% | 99.83%
IR | 67.22% | 99.15%
TR | 66.91% | 99.48%
TM | 1.82% | 100%
TJ | 0% | n/a
UA | 7.69% | 99.59%
UZ | 24.31% | 100%
Source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

Yesterday's ROA signing result
Screenshot.
RPKI Filtering at IXPs
• Analysis by Job Snijders, Samer Abdel-Hafez and Marty Strong: http://peering.exposed
• 9 out of the top 10 IXPs are already filtering
• Of all analysed IXPs: 68 filtering, 12 not filtering, 55 unknown
• Only 3 IXPs from the ENOG region

Recommendations
• Create your ROAs
  • "My network becomes safer if you implement both signing and validation"
  • Pay attention to the Max Length
• Download a Validator or two
• Check validation status manually: which routes are invalid?
• Set up monitoring, for example with pmacct

Making the Difference
• Is routing security on your agenda?
• Initiate the conversation with providers and colleagues
• Are you leading by example?
Questions?
What can we do better for you? Tell us and you could win an iPad: www.ripe.net/survey
Oleg Muravskiy | ENOG 16 | June 2019
bull We manage IP and ASN allocations in Europe the Middle East and parts of Central Asia
bull Ensure unique holdership bull Document holdership in the RIPE Database (whois) bull Enable operators to document use of their address space
Who We Are
2
Oleg Muravskiy | ENOG 16 | June 2019
bull In 1994 RIPE-181 was the first document published that used a common language to describe routing policies
bull We co-developed standards for IRR and RPKI
bull We are one of the five RPKI Trust Anchors
bull Our Validator tool was the first tool to do Origin Validation
Routing Security is in Our DNA
3
Oleg Muravskiy | ENOG 16 | June 2019 4
Routing on the Internet
A1010xx
B1020xx
B ldquoI have 1020xxrdquo
A ldquoI have 1010xxrdquo
Can I trust B
Is A correct
BGP
Oleg Muravskiy | ENOG 16 | June 2019
bull 2017 Routing Security Review by the Internet Society bull 14k incidents bull 10 of all ASes affected
bull 3k ASNs victims of at least one incident bull 15k ASNs caused at least one incident
Incidents Are Common
5
Oleg Muravskiy | ENOG 16 | June 2019
bull April 2018 bull BGP and DNS hijack targeting
Amazon and MyEtherWalletcom
bull August 2018 bull Same technique used against
several payment systems
Or Worsehellip
6
Oleg Muravskiy | ENOG 16 | June 2019 7
How to Secure Routing
A1010xx
B1020xx
B ldquoI have 1020xxrdquo
A ldquoI have 1010xxrdquo
Can I trust B
Is A correct
A announces 1010xx to BB announces 1020xx to ACD
Internet Routing Registry
BGP
Oleg Muravskiy | ENOG 16 | June 2019
bull IRRs exist for many years
bull RIPE DB NTTCOM RADB ALTDB ARIN IRR BBOI BELL LEVEL3 RGNET TC CANARIE hellip
bull But their accuracy is not great bull The RIPE Database verifies holdership for the RIPE region
resources only
bull The RADB allows paying customers to create any object
bull Many IRRs do not formally verify holdership
Internet Routing Registry (IRR)
8
Oleg Muravskiy | ENOG 16 | June 2019 9
Accuracy ndash RIPE DB IRR
Valid announcements covered announcements
Oleg Muravskiy | ENOG 16 | June 2019 10
Accuracy ndash RADB IRR
Valid announcements covered announcements
Oleg Muravskiy | ENOG 16 | June 2019
bull Ties IP addresses and ASNs to digital certificates (X509)
bull Digitally sign statements from resource holders bull AS X is authorised to announce my IP prefix Y bull Signed by the holder of Y
bull Operated since 2011 by all RIRs
bull Supported by IETF standards
Resource Public Key Infrastructure (RPKI)
11
Oleg Muravskiy | ENOG 16 | June 2019 12
RPKI Needs Two Actions
AS A1010xx
AS B 1020xx
AS A is authorisedto announce10100016
RPKI Repository
1 Create route authorisation record
2 Validate route
Is A correct
A ldquoI have 1010xxrdquo
BGP
Oleg Muravskiy | ENOG 16 | June 2019 13
Creating RPKI Objects Certificate Hierarchy
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Oleg Muravskiy | ENOG 16 | June 2019 14
Creating RPKI Objects Hosted vs Non-Hosted
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Member ZCA
Member ACA
End User ACA
RIPE NCCHosted System
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull In 1994 RIPE-181 was the first document published that used a common language to describe routing policies
bull We co-developed standards for IRR and RPKI
bull We are one of the five RPKI Trust Anchors
bull Our Validator tool was the first tool to do Origin Validation
Routing Security is in Our DNA
3
Oleg Muravskiy | ENOG 16 | June 2019 4
Routing on the Internet
A1010xx
B1020xx
B ldquoI have 1020xxrdquo
A ldquoI have 1010xxrdquo
Can I trust B
Is A correct
BGP
Oleg Muravskiy | ENOG 16 | June 2019
bull 2017 Routing Security Review by the Internet Society bull 14k incidents bull 10 of all ASes affected
bull 3k ASNs victims of at least one incident bull 15k ASNs caused at least one incident
Incidents Are Common
5
Oleg Muravskiy | ENOG 16 | June 2019
bull April 2018 bull BGP and DNS hijack targeting
Amazon and MyEtherWalletcom
bull August 2018 bull Same technique used against
several payment systems
Or Worsehellip
6
Oleg Muravskiy | ENOG 16 | June 2019 7
How to Secure Routing
A1010xx
B1020xx
B ldquoI have 1020xxrdquo
A ldquoI have 1010xxrdquo
Can I trust B
Is A correct
A announces 1010xx to BB announces 1020xx to ACD
Internet Routing Registry
BGP
Oleg Muravskiy | ENOG 16 | June 2019
bull IRRs exist for many years
bull RIPE DB NTTCOM RADB ALTDB ARIN IRR BBOI BELL LEVEL3 RGNET TC CANARIE hellip
bull But their accuracy is not great bull The RIPE Database verifies holdership for the RIPE region
resources only
bull The RADB allows paying customers to create any object
bull Many IRRs do not formally verify holdership
Internet Routing Registry (IRR)
8
Oleg Muravskiy | ENOG 16 | June 2019 9
Accuracy ndash RIPE DB IRR
Valid announcements covered announcements
Oleg Muravskiy | ENOG 16 | June 2019 10
Accuracy ndash RADB IRR
Valid announcements covered announcements
Oleg Muravskiy | ENOG 16 | June 2019
bull Ties IP addresses and ASNs to digital certificates (X509)
bull Digitally sign statements from resource holders bull AS X is authorised to announce my IP prefix Y bull Signed by the holder of Y
bull Operated since 2011 by all RIRs
bull Supported by IETF standards
Resource Public Key Infrastructure (RPKI)
11
Oleg Muravskiy | ENOG 16 | June 2019 12
RPKI Needs Two Actions
AS A1010xx
AS B 1020xx
AS A is authorisedto announce10100016
RPKI Repository
1 Create route authorisation record
2 Validate route
Is A correct
A ldquoI have 1010xxrdquo
BGP
Oleg Muravskiy | ENOG 16 | June 2019 13
Creating RPKI Objects Certificate Hierarchy
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Oleg Muravskiy | ENOG 16 | June 2019 14
Creating RPKI Objects Hosted vs Non-Hosted
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Member ZCA
Member ACA
End User ACA
RIPE NCCHosted System
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 4
Routing on the Internet
A1010xx
B1020xx
B ldquoI have 1020xxrdquo
A ldquoI have 1010xxrdquo
Can I trust B
Is A correct
BGP
Oleg Muravskiy | ENOG 16 | June 2019
bull 2017 Routing Security Review by the Internet Society bull 14k incidents bull 10 of all ASes affected
bull 3k ASNs victims of at least one incident bull 15k ASNs caused at least one incident
Incidents Are Common
5
Oleg Muravskiy | ENOG 16 | June 2019
bull April 2018 bull BGP and DNS hijack targeting
Amazon and MyEtherWalletcom
bull August 2018 bull Same technique used against
several payment systems
Or Worsehellip
6
Oleg Muravskiy | ENOG 16 | June 2019 7
How to Secure Routing
A1010xx
B1020xx
B ldquoI have 1020xxrdquo
A ldquoI have 1010xxrdquo
Can I trust B
Is A correct
A announces 1010xx to BB announces 1020xx to ACD
Internet Routing Registry
BGP
Oleg Muravskiy | ENOG 16 | June 2019
bull IRRs exist for many years
bull RIPE DB NTTCOM RADB ALTDB ARIN IRR BBOI BELL LEVEL3 RGNET TC CANARIE hellip
bull But their accuracy is not great bull The RIPE Database verifies holdership for the RIPE region
resources only
bull The RADB allows paying customers to create any object
bull Many IRRs do not formally verify holdership
Internet Routing Registry (IRR)
8
Oleg Muravskiy | ENOG 16 | June 2019 9
Accuracy ndash RIPE DB IRR
Valid announcements covered announcements
Oleg Muravskiy | ENOG 16 | June 2019 10
Accuracy ndash RADB IRR
Valid announcements covered announcements
Oleg Muravskiy | ENOG 16 | June 2019
bull Ties IP addresses and ASNs to digital certificates (X509)
bull Digitally sign statements from resource holders bull AS X is authorised to announce my IP prefix Y bull Signed by the holder of Y
bull Operated since 2011 by all RIRs
bull Supported by IETF standards
Resource Public Key Infrastructure (RPKI)
11
Oleg Muravskiy | ENOG 16 | June 2019 12
RPKI Needs Two Actions
AS A1010xx
AS B 1020xx
AS A is authorisedto announce10100016
RPKI Repository
1 Create route authorisation record
2 Validate route
Is A correct
A ldquoI have 1010xxrdquo
BGP
Oleg Muravskiy | ENOG 16 | June 2019 13
Creating RPKI Objects Certificate Hierarchy
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Oleg Muravskiy | ENOG 16 | June 2019 14
Creating RPKI Objects Hosted vs Non-Hosted
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Member ZCA
Member ACA
End User ACA
RIPE NCCHosted System
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Slide 31: Invalid == reject
• What breaks if you reject invalids?
• "Mostly nothing" – AT&T
• "5 customer calls in 6 months, all resolved quickly" – medium Dutch ISP
• "Customers appreciate a provider who takes security seriously" – medium Dutch ISP
• "There are many invalids, but very little traffic is impacted" – very large cloud provider

Slide 32: Origin Validation vs Path Validation
• ROA-based validation covers only part of the problem
• BGPsec could solve it, but can't
• Autonomous System Provider Authorization (ASPA)
  - Work in progress
• Don't wait, start now

Slide 33: Number of Certificates (graph; source: https://certification-stats.ripe.net)

Slide 34: Coverage – RPKI (all RIRs) (graph; source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html)

Slide 35: Accuracy – RPKI (all RIRs) (graph of IPv4 addresses in valid announcements / covered announcements; source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html)

Slide 36: RPKI in some regional countries (source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html)

Country  ROA Coverage (%)  ROA Accuracy (%)
AM       42.83             100
AZ        3.25             100
BY       61.37             100
EE        1.92             100
GE       27.25             100
KG        7.05             100
KZ        2.35             100
LT       20.37             100
LV       24.34             99.76
MD       65.57             100
RU        7.8              99.83
IR       67.22             99.15
TR       66.91             99.48
TM        1.82             100
TJ        0                —
UA        7.69             99.59
UZ       24.31             100

Slide 37: Yesterday's ROA signing result (screenshot)

Slide 38: RPKI Filtering at IXPs
• Analysis by Job Snijders, Samer Abdel-Hafez and Marty Strong: http://peering.exposed
• 9 out of the top 10 IXPs are already filtering
• Of all analysed IXPs: 68 filtering, 12 not filtering, 55 unknown
• Only 3 IXPs from the ENOG region

Slide 39: Recommendations
• Create your ROAs
  - "my network becomes safer if you implement both signing and validation"
  - Pay attention to the Max Length
• Download a Validator, or two
• Check validation status manually: which routes are invalid?
• Set up monitoring, for example pmacct

Slide 40: Making the Difference
• Is routing security on your agenda?
• Initiate the conversation with providers and colleagues
• Are you leading by example?

Questions?
What can we do better for you? Tell us and you could win an iPad: www.ripe.net/survey
Accuracy – RIPE DB IRR (slide 9)
Accuracy = valid announcements / covered announcements

Accuracy – RADB IRR (slide 10)
Accuracy = valid announcements / covered announcements

Resource Public Key Infrastructure (RPKI) (slide 11)
• Ties IP addresses and ASNs to digital certificates (X.509)
• Digitally signed statements from resource holders
  • "AS X is authorised to announce my IP prefix Y"
  • Signed by the holder of Y
• Operated since 2011 by all RIRs
• Supported by IETF standards
RPKI Needs Two Actions (slide 12)
[Diagram: AS A holds 10.10.x.x, AS B holds 10.20.x.x. A announces in BGP: "I have 10.10.x.x". B asks: is A correct?]
1. Create a route authorisation record in the RPKI repository: "AS A is authorised to announce 10.10.0.0/16"
2. Validate the route against it
Creating RPKI Objects: Certificate Hierarchy (slide 13)
[Diagram: certificate tree. RIPE NCC TA → RIPE NCC resources → Member A resources, Member B resources, … Member Z resources → End User A, End User B and End User C resources, each under its sponsoring member]
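The rule that makes this hierarchy meaningful is that a validator accepts a certificate only if every resource it lists is contained in its issuer's certificate, all the way up to the trust anchor (RFC 6487, with the resources carried in RFC 3779 extensions). The following is an added example, not code from the slides or from the RIPE NCC: it models that encompassment check over a constructed tree of names and prefixes (signature verification is out of scope here) and shows why a member cannot certify space it was never assigned, even when the RIPE NCC higher up the tree does hold it.

```python
# Added example (not from the slides or the RIPE NCC): the resource
# encompassment rule of the RPKI certificate hierarchy, modelled over a
# constructed tree. Real validators check the RFC 3779 resource extensions
# while walking from the trust anchor down; signatures are not modelled.
from __future__ import annotations
from ipaddress import ip_network
from typing import NamedTuple, Optional


class ResourceCert(NamedTuple):
    """One CA certificate in the hierarchy, reduced to what the check needs."""
    name: str
    prefixes: tuple[str, ...]   # resources listed in the certificate
    issuer: Optional[str]       # None marks the trust anchor


def encompassed(child: ResourceCert, parent: ResourceCert) -> bool:
    """Every prefix in the child must fall inside some prefix of the parent."""
    parent_nets = [ip_network(p) for p in parent.prefixes]
    for p in child.prefixes:
        net = ip_network(p)
        if not any(net.version == pn.version and net.subnet_of(pn)
                   for pn in parent_nets):
            return False
    return True


def chain_is_valid(certs: dict[str, ResourceCert], name: str) -> bool:
    """Walk from `name` up to the trust anchor; fail on the first over-claim."""
    cert = certs[name]
    while cert.issuer is not None:
        parent = certs[cert.issuer]
        if not encompassed(cert, parent):
            return False
        cert = parent
    return True


# Constructed hierarchy; the prefixes are sample values, not real allocations.
SAMPLE_CERTS = {c.name: c for c in [
    ResourceCert("RIPE NCC TA", ("10.0.0.0/8", "2001:db8::/32"), None),
    ResourceCert("RIPE NCC resources", ("10.0.0.0/8", "2001:db8::/32"), "RIPE NCC TA"),
    ResourceCert("Member A resources", ("10.10.0.0/16",), "RIPE NCC resources"),
    ResourceCert("End User A resources", ("10.10.5.0/24",), "Member A resources"),
    ResourceCert("Member B resources", ("10.20.0.0/16", "2001:db8:b::/48"), "RIPE NCC resources"),
    # Over-claim: Member B cannot certify space it was never assigned, even
    # though the RIPE NCC (its parent's parent) holds it.
    ResourceCert("End User C resources", ("10.10.200.0/24",), "Member B resources"),
]}


def validate_all(certs: dict[str, ResourceCert] = SAMPLE_CERTS) -> dict[str, bool]:
    """Validation result for every certificate in the tree."""
    return {name: chain_is_valid(certs, name) for name in certs}


if __name__ == "__main__":
    for name, ok in validate_all().items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
```

Run as a script it prints one line per certificate; "End User C resources" is the only one rejected, because its prefix is not inside its direct issuer's resources, and the check is against the issuer, not against any ancestor.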
Creating RPKI Objects: Hosted vs Non-Hosted (slide 14)
[Diagram: the same certificate tree, with labels "Member Z CA", "Member A CA" and "End User A CA" for CAs run by the holders themselves, and "RIPE NCC Hosted System" for the rest]
Creating RPKI Objects: Running a Non-Hosted CA (slide 15)
• Install RPKI CA software
  • Dragon Research Labs rpki.net RPKI toolkit
  • NLnet Labs Krill
• Enable the non-hosted CA on the LIR Portal
• Set up the connection with the RIPE NCC CA

Enable Non-Hosted CA on the LIR Portal (slide 16)
[Screenshot]

Set Up the Connection With the RIPE NCC CA (slides 17 and 18)
[Screenshots]

Creating RPKI Objects: Running a Non-Hosted CA (slide 19)
• Install RPKI CA software
  • Dragon Research Labs rpki.net RPKI toolkit
  • NLnet Labs Krill
• Enable the non-hosted CA on the LIR Portal
• Set up the connection with the RIPE NCC CA
• Generate your resource certificate and get it signed
• Create your ROA objects
• Publish your resource certificate and ROA objects in your RPKI repository
• Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects: Using a Hosted CA (slide 20)
• Enable the Hosted CA on the LIR Portal
• Create your ROA objects

Create Your ROA Objects in a Hosted CA (slides 21 and 22)
[Screenshots] https://youtu.be/gLwHp12wOGw

Creating RPKI Objects: Using a Hosted CA (slide 23)
• Enable the Hosted CA on the LIR Portal
• Create your ROA objects
• We will publish your objects in our RPKI repository
• We will keep your objects up to date
45 seconds (if you know your RIPE NCC Access password)
Hosted CA for PI End-Users (slide 24)
• By default, RPKI for PI resources is managed by the sponsoring LIR
• Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in the RIPE DB
• Then you could link your RIPE NCC Access account to that maintainer
• …and enable your own RPKI CA
• Documentation

Hosted CA for PI End-Users (slide 25)
[Screenshot: Your account → Your organisation → Linked maintainers → Authenticate]

Routing Validation (slide 26)
Validating Route Announcements (slide 27)
[Diagram: RPKI repositories X, Y and Z are fetched by your RPKI validator; the resulting valid ROAs go over RPKI-to-Router to your router; your router receives BGP announcements from your peer and applies your policies to them]
RPKI Validators (slide 28)
• RIPE NCC RPKI Validator
  - Version 2
  - Version 3
• Dragon Research Labs rpki.net RPKI toolkit
• NLnet Labs Routinator
• Cloudflare's OctoRPKI
Validating Route Announcements (slide 29)
[Diagram: the valid ROAs (Prefix, Origin AS) from the validator are compared with each BGP announcement from your peer (Prefix, AS Path); the outcome for each route is VALID, UNKNOWN or INVALID, and your policies act on it]

Validating Route Announcements: Policies (slide 30)
• Prefer VALID over others
• Prefer UNKNOWN over INVALID
• Drop INVALID
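The comparison on slides 29 and 30, the "pay attention to the Max Length" advice on slide 39 and the "which routes are invalid?" check from the recommendations all come down to one algorithm: Route Origin Validation as RFC 6811 defines it. The following is an added example, not code from the slides or from any of the validators listed above: it applies that algorithm to a constructed set of validated ROA payloads (VRPs, what a validator hands a router over RPKI-to-Router) and a constructed list of announcements, ranks the outcomes with the slide 30 policy, and lists the INVALID routes. The ASNs are from the documentation range (AS64496 to AS65534) and the prefixes reuse the slides' 10.10.x.x and 10.20.x.x.

```python
# Added example (not from the slides or from any RPKI validator): Route
# Origin Validation per RFC 6811 over constructed VRPs and announcements,
# the slide 30 local-preference policy, and an "invalid routes" audit.
from __future__ import annotations
from ipaddress import ip_network
from typing import NamedTuple, Optional


class VRP(NamedTuple):
    """Validated ROA Payload, as delivered to a router over RPKI-to-Router."""
    prefix: str
    max_length: int   # longest prefix length the ROA authorises
    asn: int          # origin AS authorised to announce the prefix


def validate(prefix: str, origin_as: int, vrps: list[VRP]) -> str:
    """Return VALID, INVALID or UNKNOWN (RFC 6811 'NotFound') for one route."""
    route = ip_network(prefix)
    covering = [v for v in vrps
                if ip_network(v.prefix).version == route.version
                and route.subnet_of(ip_network(v.prefix))]
    if not covering:
        return "UNKNOWN"      # no ROA covers this prefix: nobody has signed anything
    for v in covering:
        if v.asn == origin_as and route.prefixlen <= v.max_length:
            return "VALID"
    return "INVALID"          # covered, but wrong origin AS or too specific


LOCAL_PREF = {"VALID": 200, "UNKNOWN": 100}   # INVALID is absent: dropped


def policy(state: str) -> Optional[int]:
    """Slide 30 policy: prefer VALID, then UNKNOWN; drop INVALID (None)."""
    return LOCAL_PREF.get(state)


def find_invalids(announcements: list[tuple[str, int]], vrps: list[VRP]) -> list[tuple[str, int]]:
    """The manual check from the recommendations: which routes are INVALID?"""
    return [(p, a) for p, a in announcements if validate(p, a, vrps) == "INVALID"]


# Constructed VRPs. The ROA for 10.10.0.0/16 uses max length 16, so only
# the /16 itself is authorised; the ROA for 10.20.0.0/16 uses max length 24.
SAMPLE_VRPS = [
    VRP("10.10.0.0/16", 16, 64496),   # AS A
    VRP("10.20.0.0/16", 24, 64497),   # AS B
]

# Constructed announcements as (prefix, origin AS) pairs.
SAMPLE_ANNOUNCEMENTS = [
    ("10.10.0.0/16", 64496),   # VALID: exact match with AS A's ROA
    ("10.10.1.0/24", 64496),   # INVALID: more specific than max length 16
    ("10.10.0.0/16", 64497),   # INVALID: covered, but wrong origin
    ("10.20.5.0/24", 64497),   # VALID: a /24 is within max length 24
    ("10.20.5.0/24", 64498),   # INVALID: a loose max length never helps a wrong origin
    ("192.0.2.0/24", 64499),   # UNKNOWN: no ROA at all
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        state = validate(prefix, asn, SAMPLE_VRPS)
        print(f"{prefix:16} AS{asn}  {state:8} local-pref={policy(state)}")
```

The two ROAs show what the max-length advice is about. With max length 16, every more-specific of 10.10.0.0/16 is INVALID whatever its origin, so a network that drops invalids will not accept one. With max length 24, every /17 to /24 under 10.20.0.0/16 that carries origin AS64497 is VALID whether or not AS B actually announces it, which is why the max length should match the prefix lengths you really announce rather than leave room for ones you do not.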
Invalid == Reject (slide 31)
• What breaks if you reject invalids?
  • "Mostly nothing" – AT&T
  • "5 customer calls in 6 months, all resolved quickly" – medium Dutch ISP
  • "Customers appreciate a provider who takes security seriously" – medium Dutch ISP
  • "There are many invalids, but very little traffic is impacted" – very large cloud provider
Origin Validation vs Path Validation (slide 32)
• ROA-based validation covers only part of the problem
• BGPsec could solve it, but can't
• Autonomous System Provider Authorization (ASPA)
  - Work in progress
• Don't wait, start now
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 10
Accuracy ndash RADB IRR
Valid announcements covered announcements
Oleg Muravskiy | ENOG 16 | June 2019
bull Ties IP addresses and ASNs to digital certificates (X509)
bull Digitally sign statements from resource holders bull AS X is authorised to announce my IP prefix Y bull Signed by the holder of Y
bull Operated since 2011 by all RIRs
bull Supported by IETF standards
Resource Public Key Infrastructure (RPKI)
11
Oleg Muravskiy | ENOG 16 | June 2019 12
RPKI Needs Two Actions
AS A1010xx
AS B 1020xx
AS A is authorisedto announce10100016
RPKI Repository
1 Create route authorisation record
2 Validate route
Is A correct
A ldquoI have 1010xxrdquo
BGP
Oleg Muravskiy | ENOG 16 | June 2019 13
Creating RPKI Objects Certificate Hierarchy
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Oleg Muravskiy | ENOG 16 | June 2019 14
Creating RPKI Objects Hosted vs Non-Hosted
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Member ZCA
Member ACA
End User ACA
RIPE NCCHosted System
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull Ties IP addresses and ASNs to digital certificates (X509)
bull Digitally sign statements from resource holders bull AS X is authorised to announce my IP prefix Y bull Signed by the holder of Y
bull Operated since 2011 by all RIRs
bull Supported by IETF standards
Resource Public Key Infrastructure (RPKI)
11
Oleg Muravskiy | ENOG 16 | June 2019 12
RPKI Needs Two Actions
AS A1010xx
AS B 1020xx
AS A is authorisedto announce10100016
RPKI Repository
1 Create route authorisation record
2 Validate route
Is A correct
A ldquoI have 1010xxrdquo
BGP
Oleg Muravskiy | ENOG 16 | June 2019 13
Creating RPKI Objects Certificate Hierarchy
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Oleg Muravskiy | ENOG 16 | June 2019 14
Creating RPKI Objects Hosted vs Non-Hosted
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Member ZCA
Member ACA
End User ACA
RIPE NCCHosted System
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 12
RPKI Needs Two Actions
AS A1010xx
AS B 1020xx
AS A is authorisedto announce10100016
RPKI Repository
1 Create route authorisation record
2 Validate route
Is A correct
A ldquoI have 1010xxrdquo
BGP
Oleg Muravskiy | ENOG 16 | June 2019 13
Creating RPKI Objects Certificate Hierarchy
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Oleg Muravskiy | ENOG 16 | June 2019 14
Creating RPKI Objects Hosted vs Non-Hosted
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Member ZCA
Member ACA
End User ACA
RIPE NCCHosted System
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 13
Creating RPKI Objects Certificate Hierarchy
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Oleg Muravskiy | ENOG 16 | June 2019 14
Creating RPKI Objects Hosted vs Non-Hosted
RIPE NCC TA
RIPE NCC RESOURCES
MEMBER A RESOURCES
MEMBER B RESOURCES
END USER C RESOURCES
END USER A RESOURCES
END USER B RESOURCES
MEMBER Z RESOURCEShellip
Member ZCA
Member ACA
End User ACA
RIPE NCCHosted System
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Origin Validation vs Path Validation (slide 32)
• ROA-based validation covers only part of the problem
• BGPsec could solve it, but can't
• Autonomous System Provider Authorization (ASPA)
  - Work in progress
• Don't wait, start now

Number of Certificates (slide 33)
(Chart; source: https://certification-stats.ripe.net)

Coverage – RPKI (all RIRs) (slide 34)
(Chart; source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html)

Accuracy – RPKI (all RIRs) (slide 35)
(Chart of IPv4 addresses in valid announcements versus covered announcements; source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html)

RPKI in some regional countries (slide 36)
Country   ROA Coverage   ROA Accuracy
AM        42.83%         100%
AZ        3.25%          100%
BY        61.37%         100%
EE        1.92%          100%
GE        27.25%         100%
KG        7.05%          100%
KZ        2.35%          100%
LT        20.37%         100%
LV        24.34%         99.76%
MD        65.57%         100%
RU        7.8%           99.83%
IR        67.22%         99.15%
TR        66.91%         99.48%
TM        1.82%          100%
TJ        0%             —
UA        7.69%          99.59%
UZ        24.31%         100%
Source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

Yesterday's ROA signing result (slide 37)
(Screenshot)

RPKI Filtering at IXPs (slide 38)
• Analysis by Job Snijders, Samer Abdel-Hafez and Marty Strong: http://peering.exposed
• 9 out of the top 10 IXPs are already filtering
• Of all analysed IXPs: 68 filtering, 12 not filtering, 55 unknown
• Only 3 IXPs from the ENOG region

Recommendations (slide 39)
• Create your ROAs
  • "my network becomes safer if you implement both signing and validation"
  • Pay attention to the Max Length
• Download a Validator, or two
• Check validation status manually: which routes are invalid?
• Set up monitoring, for example pmacct

Making the Difference (slide 40)
• Is routing security on your agenda?
• Initiate the conversation with providers and colleagues
• Are you leading by example?

Questions?
What can we do better for you? Tell us and you could win an iPad: www.ripe.net/survey
Creating RPKI Objects: Hosted vs Non-Hosted (slide 14)
(Diagram of the certificate hierarchy, labels: RIPE NCC TA; RIPE NCC resources; Member A, Member B, ... Member Z resources; End User A, End User B, End User C resources; Member A CA; Member Z CA; End User A CA; RIPE NCC hosted system)

Creating RPKI Objects: Running Non-Hosted CA (slide 15)
• Install RPKI CA software
  • Dragon Research Labs rpki.net RPKI toolkit
  • NLnet Labs Krill
• Enable non-hosted CA on the LIR Portal
• Set up the connection with the RIPE NCC CA

Enable Non-Hosted CA on the LIR Portal (slide 16)
(Screenshot)

Setup Connection With the RIPE NCC CA (slide 17)
(Screenshot)

Setup Connection With the RIPE NCC CA (slide 18)
(Screenshot)

Creating RPKI Objects: Running Non-Hosted CA (slide 19)
• Install RPKI CA software
  • Dragon Research Labs rpki.net RPKI toolkit
  • NLnet Labs Krill
• Enable non-hosted CA on the LIR Portal
• Set up the connection with the RIPE NCC CA
• Generate your resource certificate and get it signed
• Create your ROA objects
• Publish your resource certificate and ROA objects in your RPKI repository
• Keep re-publishing your objects (every 24 hours) (from another AS)

Creating RPKI Objects: Using Hosted CA (slide 20)
• Enable Hosted CA on the LIR Portal
• Create your ROA objects

Create Your ROA Objects in a Hosted CA (slide 21)
(Screenshot)

Create Your ROA Objects in a Hosted CA (slide 22)
(Screenshot; video: https://youtu.be/gLwHp12wOGw)

Creating RPKI Objects: Using Hosted CA (slide 23)
• Enable Hosted CA on the LIR Portal
• Create your ROA objects
• We will publish your objects in our RPKI repository
• We will keep your objects up-to-date
45 seconds (if you know your RIPE NCC Access password)

Hosted CA for PI End-Users (slide 24)
• By default, RPKI for PI resources is managed by the sponsoring LIR
• Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in the RIPE DB
• Then you could link your RIPE NCC Access account to that maintainer
• ...and enable your own RPKI CA
• Documentation

Hosted CA for PI End-Users (slide 25)
(Screenshot of the LIR Portal, labels: Your account; Your organisation; Linked maintainers; Authenticate)

Routing validation

Validating Route Announcements (slide 27)
(Diagram, labels: RPKI Repository X, RPKI Repository Y, RPKI Repository Z; RPKI Validator; Valid ROAs; RPKI-to-Router; Your router; Policies; BGP; Your peer; You. The validator fetches the repositories and feeds the valid ROAs to your router over RPKI-to-Router; your router applies its policies to the BGP announcements from your peer.)

RPKI Validators (slide 28)
• RIPE NCC RPKI Validator
  - Version 2
  - Version 3
• Dragon Research Labs rpki.net RPKI toolkit
• NLnet Labs Routinator
• Cloudflare's OctoRPKI

Validating Route Announcements (slide 29)
(Diagram, labels: Valid ROAs (Prefix, Origin AS); BGP (Prefix, AS Path); Your router; Your peer; You; Policies; VALID, UNKNOWN, INVALID. The router compares each announcement's prefix and origin AS with the valid ROAs and classifies it as VALID, UNKNOWN or INVALID.)

Validating Route Announcements: Policies (slide 30)
• Prefer VALID over others
• Prefer UNKNOWN over INVALID
• Drop INVALID

Invalid == reject (slide 31)
• What breaks if you reject invalids?
  • "Mostly nothing" – AT&T
  • "5 customer calls in 6 months, all resolved quickly" – medium Dutch ISP
  • "Customers appreciate a provider who takes security seriously" – medium Dutch ISP
  • "There are many invalids, but very little traffic is impacted" – very large cloud provider
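The VALID / UNKNOWN / INVALID classification from slide 29, the slide 30 policy and the Max Length warning from slide 39, worked through as an added Python example (not RIPE NCC's or the presentation's code). Every ROA, prefix and ASN is constructed from documentation ranges, and the local-preference values are assumptions.

```python
"""Route Origin Validation (RFC 6811) with the validation policy and max-length
caveat from the slides. Added example, not RIPE NCC code; every ROA, prefix and
ASN below is constructed from documentation ranges (RFC 5737/3849/5398)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


class Rov(Enum):
    """RFC 6811 states; the slides call NotFound UNKNOWN."""
    VALID = "VALID"
    UNKNOWN = "UNKNOWN"
    INVALID = "INVALID"


@dataclass(frozen=True)
class Roa:
    prefix: Net
    max_length: int
    origin_as: int  # AS0 (RFC 6483) authorises nobody: every covered route becomes INVALID


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # the origin AS is the rightmost element

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def covering_roas(prefix: Net, roas: Iterable[Roa]) -> List[Roa]:
    """ROAs whose prefix equals or contains the announced prefix (same address family)."""
    return [r for r in roas if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]


def validate(prefix: str, origin_as: int, roas: Iterable[Roa]) -> Rov:
    """RFC 6811: no covering ROA -> UNKNOWN; a covering ROA with the same origin AS
    and prefix length <= maxLength -> VALID; covered but nothing matches -> INVALID."""
    net = ip_network(prefix)
    covering = covering_roas(net, roas)
    if not covering:
        return Rov.UNKNOWN
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return Rov.VALID
    return Rov.INVALID


def invalid_reason(prefix: str, origin_as: int, roas: Iterable[Roa]) -> Optional[str]:
    """Why a route is INVALID, the thing to check by hand before dropping invalids
    (slide 39). None when the route is VALID or UNKNOWN."""
    covering = covering_roas(ip_network(prefix), roas)
    if validate(prefix, origin_as, covering) is not Rov.INVALID:
        return None
    if any(r.origin_as == origin_as for r in covering):
        return "more specific than maxLength allows"  # usually the holder's own announcement
    return "origin AS not authorised by any covering ROA"  # misconfiguration or hijack


# Slide 30 policy: prefer VALID, then UNKNOWN, drop INVALID. The preference values
# are constructed; a router uses whatever the operator configures.
LOCAL_PREF = {Rov.VALID: 200, Rov.UNKNOWN: 100, Rov.INVALID: 50}


def decide(route: Route, roas: Iterable[Roa], drop_invalid: bool = True) -> Tuple[Rov, bool, Optional[int]]:
    """(state, accepted, local_pref). With drop_invalid=False an INVALID route is kept at
    the lowest preference, which lets an operator measure impact (slide 31) before rejecting."""
    state = validate(route.prefix, route.origin_as, roas)
    if state is Rov.INVALID and drop_invalid:
        return state, False, None
    return state, True, LOCAL_PREF[state]


def audit(routes: Iterable[Route], roas: Iterable[Roa]) -> List[Tuple[str, str, Optional[str]]]:
    """(prefix, state, reason) for every route: the list to review before enabling drop."""
    roas = list(roas)
    return [(r.prefix, validate(r.prefix, r.origin_as, roas).value,
             invalid_reason(r.prefix, r.origin_as, roas)) for r in routes]


# Constructed ROAs for one holder (AS64500): tight maxLength versus loose maxLength.
# With the loose set, any more-specific carrying AS64500 as origin validates, even one
# the holder never announced; that is the slide's "pay attention to the Max Length".
TIGHT_ROAS = [Roa(ip_network("2001:db8::/32"), 32, 64500), Roa(ip_network("203.0.113.0/24"), 24, 64500)]
LOOSE_ROAS = [Roa(ip_network("2001:db8::/32"), 48, 64500), Roa(ip_network("203.0.113.0/24"), 24, 64500)]

# Constructed announcements as a validating router might see them.
ROUTES = [
    Route("203.0.113.0/24", (64496, 64500)),   # the holder's own announcement
    Route("203.0.113.0/24", (64497, 64501)),   # same prefix, wrong origin AS
    Route("2001:db8:1::/48", (64496, 64500)),  # more specific: INVALID under TIGHT_ROAS, VALID under LOOSE_ROAS
    Route("192.0.2.0/24", (64498, 64499)),     # no ROA at all
]

if __name__ == "__main__":
    for label, roas in (("tight maxLength", TIGHT_ROAS), ("loose maxLength", LOOSE_ROAS)):
        print(f"--- {label} ---")
        for prefix, state, reason in audit(ROUTES, roas):
            print(f"{prefix:18} {state:8} {reason or ''}")
```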
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bullDragon Research Labs rpkinet RPKI toolkit bullNLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
Creating RPKI Objects Running Non-Hosted CA
15
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 16
Enable Non-Hosted CA on the LIR Portal
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 17
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 18
Setup Connection With the RIPE NCC CA
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull Install RPKI CA software bull Dragon Research Labs rpkinet RPKI toolkit bull NLnet Labs Krill
bull Enable non-hosted CA on LIR Portal
bull Setup connection with RIPE NCC CA
bull Generate your resource certificate and get it signed
bull Create your ROA objects
bull Publish your resource certificate and ROA objects in your RPKI repository
bull Keep re-publishing your objects (every 24 hours) (from another AS)
Creating RPKI Objects Running non-Hosted CA
19
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on the LIR Portal
bull Create your ROA objects
Creating RPKI Objects Using Hosted CA
20
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Creating RPKI Objects Using Hosted CA (slide 23)
• Enable Hosted CA on LIR Portal
• Create your ROA objects
• We will publish your objects in our RPKI repository
• We will keep your objects up-to-date
45 seconds (if you know your RIPE NCC Access password)
Hosted CA for PI End-Users (slide 24)
• By default, RPKI for PI resources is managed by the sponsoring LIR
• Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in the RIPE DB
• Then you could link your RIPE NCC Access account to that maintainer
• …and enable your own RPKI CA
• Documentation
Hosted CA for PI End-Users (slide 25)
Diagram labels: Your account, Your organisation, Linked maintainers, Authenticate

Routing validation
Validating Route Announcements (slide 27)
Diagram: RPKI Repository X, RPKI Repository Y, RPKI Repository Z → RPKI Validator → Valid ROAs over RPKI-to-Router → Your router (You) ← BGP ← Your peer; Policies
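The validator-to-router hop in the diagram above is the RPKI-to-Router protocol (RTR, RFC 6810). The following Python is an added example, not code from the presentation or from any of the validators it lists: it decodes the PDU stream a cache sends to a router after a Reset Query (Cache Response, IPv4/IPv6 Prefix PDUs, End of Data) into validated ROA payloads, checking every length field before trusting it. The byte stream is constructed inline from documentation prefixes (RFC 5737 / RFC 3849) and documentation AS numbers (RFC 5398); the session id and serial are arbitrary example values.

```python
"""Decoding an RPKI-to-Router (RTR, RFC 6810) cache response.

Added example; not code from the presentation or from any validator it
lists. The PDU stream is constructed below from documentation prefixes
and AS numbers.
"""
import ipaddress
import struct
from typing import List, NamedTuple, Optional, Tuple, Union

# PDU type codes, RFC 6810 section 5 (protocol version 0)
CACHE_RESPONSE = 3
IPV4_PREFIX = 4
IPV6_PREFIX = 6
END_OF_DATA = 7
ERROR_REPORT = 10

FLAG_ANNOUNCE = 0x01  # Flags bit 0: 1 = announce this VRP, 0 = withdraw it

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """Validated ROA Payload: the router-side view of a ROA."""
    prefix: Network
    max_length: int
    asn: int


def encode_prefix_pdu(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """Build an IPv4 Prefix (type 4, 20 bytes) or IPv6 Prefix (type 6, 32 bytes) PDU."""
    net = ipaddress.ip_network(prefix)
    pdu_type = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_length, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    # Common header: version, type, session id / zero, total length (header + body)
    return struct.pack("!BBHI", 0, pdu_type, 0, 8 + len(body)) + body


def build_sample_stream(session_id: int = 0x1234, serial: int = 42) -> bytes:
    """Constructed cache response: two announced VRPs and one withdrawal."""
    return b"".join([
        struct.pack("!BBHI", 0, CACHE_RESPONSE, session_id, 8),
        encode_prefix_pdu("192.0.2.0/24", 24, 64496),
        encode_prefix_pdu("2001:db8::/32", 48, 64496),
        encode_prefix_pdu("198.51.100.0/24", 24, 64497, announce=False),
        struct.pack("!BBHII", 0, END_OF_DATA, session_id, 12, serial),
    ])


def decode_cache_response(stream: bytes) -> Tuple[int, int, List[VRP], List[VRP]]:
    """Walk the PDU stream and return (session_id, serial, announced, withdrawn).

    Every length field is checked against the stream before it is used:
    a router must not read past a PDU on the word of the cache.
    """
    offset = 0
    session_id: Optional[int] = None
    serial: Optional[int] = None
    announced: List[VRP] = []
    withdrawn: List[VRP] = []
    while offset < len(stream):
        if len(stream) - offset < 8:
            raise ValueError("truncated PDU header")
        version, pdu_type, session, length = struct.unpack_from("!BBHI", stream, offset)
        if version != 0:
            raise ValueError(f"unsupported RTR protocol version {version}")
        if length < 8 or offset + length > len(stream):
            raise ValueError("PDU length field does not match the stream")
        body = stream[offset + 8:offset + length]
        if pdu_type == CACHE_RESPONSE:
            session_id = session
        elif pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
            addr_len = 4 if pdu_type == IPV4_PREFIX else 16
            if length != 16 + addr_len:
                raise ValueError(f"bad length {length} for prefix PDU type {pdu_type}")
            flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", body, 0)
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            # strict=True rejects a prefix with host bits set, which a correct cache never sends
            net = ipaddress.ip_network((body[4:4 + addr_len], plen), strict=True)
            if not plen <= maxlen <= net.max_prefixlen:
                raise ValueError(f"maxLength {maxlen} out of range for {net}")
            target = announced if flags & FLAG_ANNOUNCE else withdrawn
            target.append(VRP(net, maxlen, asn))
        elif pdu_type == END_OF_DATA:
            if len(body) < 4:
                raise ValueError("End of Data PDU too short")
            (serial,) = struct.unpack_from("!I", body, 0)
        elif pdu_type == ERROR_REPORT:
            # In an Error Report the 16-bit field after the type carries the error code
            raise ValueError(f"cache sent Error Report, error code {session}")
        else:
            raise ValueError(f"unexpected PDU type {pdu_type} in cache response")
        offset += length
    if session_id is None or serial is None:
        raise ValueError("stream ended without Cache Response / End of Data")
    return session_id, serial, announced, withdrawn


if __name__ == "__main__":
    sid, ser, added, removed = decode_cache_response(build_sample_stream())
    print(f"session {sid:#x} serial {ser}")
    for v in added:
        print(f"  + {v.prefix}-{v.max_length} AS{v.asn}")
    for v in removed:
        print(f"  - {v.prefix}-{v.max_length} AS{v.asn}")
```

The decoder only accepts protocol version 0 PDUs; version 1 (RFC 8210) adds Router Key PDUs and a longer End of Data, which a production implementation negotiates with the cache rather than assuming.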
RPKI Validators (slide 28)
• RIPE NCC RPKI Validator
  - Version 2
  - Version 3
• Dragon Research Labs rpki.net RPKI toolkit
• NLnet Labs Routinator
• Cloudflare's OctoRPKI
Validating Route Announcements (slide 29)
Diagram: Your peer → BGP (Prefix, AS Path) → Your router (You); Valid ROAs; Policies. The router checks the announcement's Prefix / Origin AS against the valid ROAs and marks it VALID, UNKNOWN or INVALID.
Validating Route Announcements: Policies (slide 30)
• Prefer VALID over others
• Prefer UNKNOWN over INVALID
• Drop INVALID
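To make the three policy bullets concrete, together with the Max Length warning and the "which routes are invalid" check from the Recommendations slide, here is an added Python example (not code from the presentation) that implements RFC 6811 route origin validation and applies the slide's policy: VALID and UNKNOWN routes are accepted with local preference VALID above UNKNOWN, INVALID routes are dropped with a reason suitable for a manual check or a monitoring alert. The VRPs, routes and local-pref values are constructed for the example, using documentation prefixes (RFC 5737 / RFC 3849) and documentation AS numbers (RFC 5398).

```python
"""Route Origin Validation (RFC 6811) and the VALID / UNKNOWN / INVALID policy.

Added example, not code from the presentation. VRPs, routes and
local-pref values are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The slide's names; RFC 6811 calls UNKNOWN "NotFound"
VALID, UNKNOWN, INVALID = "VALID", "UNKNOWN", "INVALID"


class VRP(NamedTuple):
    prefix: Network
    max_length: int
    asn: int


class Route(NamedTuple):
    prefix: str
    as_path: Tuple[int, ...]  # rightmost element is the origin AS


def covering_vrps(net: Network, vrps: Iterable[VRP]) -> List[VRP]:
    """VRPs whose prefix contains the route prefix (equal or less specific)."""
    return [v for v in vrps if v.prefix.version == net.version and net.subnet_of(v.prefix)]


def validate(route: Route, vrps: Iterable[VRP]) -> str:
    """RFC 6811 origin validation for one route."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    covering = covering_vrps(net, vrps)
    if not covering:
        return UNKNOWN  # no ROA says anything about this address space
    for v in covering:
        # AS 0 in a ROA (RFC 6483) authorises nobody, so it can never match an origin
        if v.asn != 0 and v.asn == origin and net.prefixlen <= v.max_length:
            return VALID
    return INVALID


def invalid_reason(route: Route, vrps: Iterable[VRP]) -> str:
    """Why a route is INVALID: the detail wanted in a manual check or a monitoring alert."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    same_origin = [v for v in covering_vrps(net, vrps) if v.asn == origin]
    if same_origin:
        limit = max(v.max_length for v in same_origin)
        return f"/{net.prefixlen} is more specific than maxLength /{limit} for AS{origin}"
    return f"origin AS{origin} is not authorised for {net}"


# Slide 30 policy: prefer VALID over others, UNKNOWN over INVALID, drop INVALID.
# Local-pref values are constructed; any pair with VALID above UNKNOWN expresses the policy.
LOCAL_PREF = {VALID: 110, UNKNOWN: 100}


def apply_policy(routes: Iterable[Route], vrps: Iterable[VRP]):
    """Return (accepted [(route, state, local_pref)], rejected [(route, reason)])."""
    accepted, rejected = [], []
    for r in routes:
        state = validate(r, vrps)
        if state == INVALID:
            rejected.append((r, invalid_reason(r, vrps)))
        else:
            accepted.append((r, state, LOCAL_PREF[state]))
    return accepted, rejected


def sample_vrps() -> List[VRP]:
    """Constructed ROA payloads for the example."""
    return [
        VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),    # tight: only the /24 itself
        VRP(ipaddress.ip_network("203.0.113.0/24"), 26, 64497),  # loose: /24 through /26 all valid
        VRP(ipaddress.ip_network("2001:db8::/32"), 32, 64496),
    ]


def sample_routes() -> List[Route]:
    """Constructed announcements as seen on a router whose neighbour is AS64500."""
    return [
        Route("192.0.2.0/24", (64500, 64496)),     # VALID
        Route("192.0.2.0/25", (64500, 64496)),     # INVALID: beyond maxLength
        Route("192.0.2.0/24", (64500, 64499)),     # INVALID: wrong origin
        Route("203.0.113.0/26", (64500, 64497)),   # VALID only because maxLength is /26
        Route("198.51.100.0/24", (64500, 64498)),  # UNKNOWN: no covering ROA
        Route("2001:db8::/32", (64500, 64496)),    # VALID
    ]


if __name__ == "__main__":
    accepted, rejected = apply_policy(sample_routes(), sample_vrps())
    for r, state, pref in accepted:
        print(f"accept {r.prefix:18} AS{r.as_path[-1]} {state:8} local-pref {pref}")
    for r, reason in rejected:
        print(f"reject {r.prefix:18} AS{r.as_path[-1]} INVALID: {reason}")
```

The 203.0.113.0/24 ROA with maxLength /26 is the Max Length point in miniature: every /25 and /26 carrying origin AS64497 validates, whether or not the holder ever intended to announce them, so a ROA should list only the maxLength that is actually in use (RFC 9319).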
Invalid == reject (slide 31)
• What breaks if you reject invalids?
  - "Mostly nothing" – AT&T
  - "5 customer calls in 6 months, all resolved quickly" – medium Dutch ISP
  - "Customers appreciate a provider who takes security seriously" – medium Dutch ISP
  - "There are many invalids, but very little traffic is impacted" – very large cloud provider
Origin Validation vs Path Validation (slide 32)
• ROA-based validation covers only part of the problem
• BGPsec could solve it, but can't
• Autonomous System Provider Authorization (ASPA)
  - Work in progress
• Don't wait, start now
Number of Certificates (slide 33)
https://certification-stats.ripe.net

Coverage – RPKI (all RIRs) (slide 34)
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

Accuracy – RPKI (all RIRs) (slide 35)
IPv4 addresses in valid announcements / covered announcements
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 21
Create Your ROA Objects in a Hosted CA
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 22
Create Your ROA Objects in a Hosted CA
httpsyoutubegLwHp12wOGw
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull Enable Hosted CA on LIR Portal
bull Create your ROA objects
bull We will publish your objects in our RPKI repository
bull We will keep your objects up-to-date
Creating RPKI Objects Using Hosted CA
23
45 seconds (if you know your
RIPE NCC Access password)
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull By default RPKI for PI resources is managed by the sponsoring LIR
bull Your sponsoring LIR could make you a maintainer of an inetnum object for your resources in RIPE DB
bull Then you could link your RIPE NCC Access account to that maintainer
bull hellipand enable your own RPKI CA
bull Documentation
Hosted CA for PI End-Users
24
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 25
Hosted CA for PI End-UsersYour account
Your organisation
Linked maintainers
Authenticate
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Routing validation
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019 27
Validating Route Announcements
RPKI Repository
X
RPKI Repository
Y
RPKI Repository
Z
BGP
Valid ROAs
RPKI-to-Router
Your router
RPKI Validator
Your peer
You
Policies
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 36
RPKI in some regional countriesCountry ROA Coverage ROA Accuracy
AM 4283 100 AZ 325 100 BY 6137 100EE 192 100GE 2725 100 KG 705 100 KZ 235 100 LT 2037 100 LV 2434 9976 MD 6557 100 RU 78 9983 IR 6722 9915TR 6691 9948TM 182 100TJ 0 mdashUA 769 9959UZ 2431 100
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 37
Yesterdayrsquos ROA signing result
Oleg Muravskiy | ENOG 16 | June 2019
bull Analysis by Job Snijders Samer Abdel-Hafez Marty Strong httppeeringexposed
bull 9 out of top 10 IXPs already filtering
bull Of all analysed IXPs 68 filtering 12 not filtering 55 unknown
bull Only 3 IXPs from ENOG region
RPKI Filtering at IXPs
38
Oleg Muravskiy | ENOG 16 | June 2019
bull Create Your ROAs bull ldquomy network becomes safer if you implement both
signing and validationrdquo bull Pay attention to the Max Length
bull Download a Validator or two
bull Check validation status manually which routes are invalid
bull Set up monitoring for example pmacct
Recommendations
39
Oleg Muravskiy | ENOG 16 | June 2019
bull Is routing security on your agenda
bull Initiate the conversation with providers and colleagues
bull Are you leading by example
Making the Difference
40
Email addressTwitter handle
Questions
Tell us and you could win an iPad
wwwripenetsurvey
What can we do better for you
Oleg Muravskiy | ENOG 16 | June 2019
bull RIPE NCC RPKI Validator - Version 2
- Version 3
bull Dragon Research Labs rpkinet RPKI toolkit
bull NLnet Labs Routinator
bull Cloudflarersquos OctoRPKI
RPKI Validators
28
Oleg Muravskiy | ENOG 16 | June 2019 29
Validating Route Announcements
BGPValid ROAs
Your router Your peer
You
Policies
PrefixOrigin AS
Prefix AS Path
VALID UNKNOWN
INVALID
Oleg Muravskiy | ENOG 16 | June 2019
bull Prefer VALID over others
bull Prefer UNKNOWN over INVALID
bull Drop INVALID
Validating Route Announcements Policies
30
Oleg Muravskiy | ENOG 16 | June 2019
bull What breaks if you reject invalids bull ldquoMostly nothingrdquo ndash ATampT bull ldquo5 customer calls in 6 months all resolved quicklyrdquo ndash
medium Dutch ISP bull ldquoCustomers appreciate a provider who takes security
seriouslyrdquo ndash medium Dutch ISP bull ldquoThere are many invalids but very little traffic is
impactedrdquo ndash very large cloud provider
Invalid == reject
31
Oleg Muravskiy | ENOG 16 | June 2019
bull ROA-based validation covers only part of the problem
bull BGPsec could solve it but canrsquot
bull Autonomous System Provider Authorization (ASPA)
- Work in progress
bull Donrsquot wait start now
Origin Validation vs Path Validation
32
Oleg Muravskiy | ENOG 16 | June 2019 33
Number of Certificates
httpscertification-statsripenet
Oleg Muravskiy | ENOG 16 | June 2019 34
Coverage ndash RPKI (all RIRs)
httpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
Oleg Muravskiy | ENOG 16 | June 2019 35
Accuracy ndash RPKI (all RIRs)
IPv4 addresses in valid announcements covered announcementshttpslirportalripenetcertificationcontentstaticstatisticsworld-roashtml
RPKI in some regional countries (slide 36)
Country  ROA Coverage  ROA Accuracy
AM       42.83%        100%
AZ        3.25%        100%
BY       61.37%        100%
EE        1.92%        100%
GE       27.25%        100%
KG        7.05%        100%
KZ        2.35%        100%
LT       20.37%        100%
LV       24.34%        99.76%
MD       65.57%        100%
RU        7.8%         99.83%
IR       67.22%        99.15%
TR       66.91%        99.48%
TM        1.82%        100%
TJ        0%           —
UA        7.69%        99.59%
UZ       24.31%        100%
Source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
Yesterday's ROA signing result (slide 37)
RPKI Filtering at IXPs (slide 38)
• Analysis by Job Snijders, Samer Abdel-Hafez, Marty Strong: http://peering.exposed
• 9 out of the top 10 IXPs are already filtering
• Of all analysed IXPs: 68 filtering, 12 not filtering, 55 unknown
• Only 3 IXPs from the ENOG region
Recommendations (slide 39)
• Create your ROAs
  - "my network becomes safer if you implement both signing and validation"
  - Pay attention to the Max Length
• Download a Validator, or two
• Check validation status manually: which routes are invalid?
• Set up monitoring, for example pmacct
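How a router classifies an announcement against ROAs (the diagram on slide 29 and the policy on slide 30) and why the Max Length in a ROA matters (slide 39), as an added Python example that is not part of the presentation; the ROAs, prefixes, AS numbers and peer names are constructed sample data.

```python
"""Route Origin Validation (RFC 6811) plus the policy from the slides:
prefer VALID, then UNKNOWN, drop INVALID.

Added example, not code from the presentation. ROAs, prefixes and ASNs are
constructed sample data (documentation prefixes, private AS numbers).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the ROA authorises
    origin_as: int   # AS allowed to originate it


# Constructed sample ROAs. The second one has a loose max length: every
# /22../24 inside 198.51.100.0/22 becomes VALID from AS64501, which is
# why max length should be as tight as what is actually announced.
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
]


def rov_state(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one (prefix, origin AS) pair as VALID, INVALID or UNKNOWN."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "UNKNOWN"  # no ROA says anything about this prefix
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "VALID"
    # Covered by a ROA, but no ROA matches both origin AS and max length:
    # a foreign origin or a too-specific announcement is INVALID.
    return "INVALID"


# Slide 30 policy: VALID ranks above UNKNOWN; INVALID gets no preference
# at all and is dropped.
LOCAL_PREF = {"VALID": 200, "UNKNOWN": 100}


def local_pref(state: str):
    """Local preference for an ROV state, or None when the route is rejected."""
    return LOCAL_PREF.get(state)


def select_best(announcements, roas=ROAS):
    """Pick the best of several (prefix, origin_as, peer) announcements.

    Returns (peer, prefix, origin_as), or None if every candidate is INVALID.
    Equal preferences keep the first-listed announcement (stable sort).
    """
    ranked = []
    for prefix, origin_as, peer in announcements:
        pref = local_pref(rov_state(prefix, origin_as, roas))
        if pref is not None:
            ranked.append((pref, (peer, prefix, origin_as)))
    if not ranked:
        return None
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked[0][1]
```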