Efficient Peroxydisulfate Activation Process Not Relying ...
Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying...
Transcript of Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying...
![Page 1: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/1.jpg)
2012.04.17
Randy Bush <[email protected]>
2012.04.17 pfx-validate 1
Relying / Issuing Parties and
ROA Validation
![Page 2: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/2.jpg)
2012.04.17 pfx-validate
RPKI Certificate
Engine
Resource PKI
IP Resource Certs ASN Resource Certs
Route Origin Attestations
Publication Protocol
Up / Down to Parent
Up / Down to Child
2
GUI
![Page 3: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/3.jpg)
2012.04.17 pfx-validate 3
Warning What ROA Will Do
![Page 4: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/4.jpg)
2012.04.17 pfx-validate
IANA
Resource PKI
Publication Protocol
APNIC
Resource
PKI Publication
Protocol
IIJ
Resource PKI
Publication Protocol
4
GUI
GUI
GUI
Please Issue My Cert Up/ Down
Please Issue My Cert Up/ Down
Please Issue My Cert Up/ Down Cert Issuance
Issuing Parties
Cert Issuance
Cert Issuance
![Page 5: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/5.jpg)
2012.04.17 pfx-validate 5
Issuing Parties
IANA
Resource PKI
Publication Protocol
Up Down
APNIC
Resource PKI
Publication Protocol
Up Down
IIJ
Resource
PKI Publication
Protocol
SIA Pointers
SIA Pointers
GUI
GUI
GUI
![Page 6: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/6.jpg)
2012.04.17 pfx-validate 6
IANA
Resource PKI
Publication Protocol
Up Down
APNIC
Resource PKI
Publication Protocol
Up Down
IIJ
Resource
PKI Publication
Protocol
RCynic Gatherer
BGP Decision Process
Validated Cache
SIA Pointers
SIA Pointers
Trust Anchor
GUI
GUI
GUI
Issuing Parties Relying Parties
route: 147.28.0.0/16!descr: 147.28.0.0/16-16!origin: AS3130!notify: [email protected]!mnt-by: MAINT-RPKI!changed: [email protected] 20110606!source: RPKI!
Pseudo IRR
NOC Tools
![Page 7: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/7.jpg)
2012.04.17 pfx-validate 7
BGP Peer
BGP Data
RPKI Cache
RPKI-Rtr Protocol
BGP Updates
RPKI VRPs
mark
Valid
Invalid
NotFound
Marking BGP Updates
![Page 8: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/8.jpg)
Result of Check • Valid – A matching/covering VRP was
found with a matching AS number • Invalid – A covering VRP was found, but
the AS number did not match, and there was no other matching one
• NotFound – No matching or covering VRP was found, same as today
2012.04.17 pfx-validate 8
![Page 9: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/9.jpg)
The Operator Tests the Marks
and then Applies Local Policy
2012.04.17 pfx-validate 9
![Page 10: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/10.jpg)
What are the BGP / VRP1
Matching Rules?
1 Validated ROA Payload 2012.04.17 pfx-validate 10
![Page 11: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/11.jpg)
2012.04.17 pfx-validate 11
• A Route is Covered by a VRP when the VRP prefix length is less than or equal to the Route prefix length
• Note: Covered does not use max-len
98.128.0.0/16
98.128.0.0/12-16
98.128.0.0/16-24
98.128.0.0/20-24
Covers
Covers
No. It’s Longer
BGP
VRP
VRP
VRP
![Page 12: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/12.jpg)
2012.04.17 pfx-validate 12
A Route is Matched by a VRP when • the Route is Covered by that VRP, • the Route’s length is less than or equal
to the VRP max-len, and • the Route’s Origin AS is equal to the
VRP’s AS 98.128.0.0/16 AS 42
98.128.0.0/12-16 AS 42
98.128.0.0/16-24 AS 666
98.128.0.0/20-24 AS 42
Matched
No. AS Mismatch
No. VRP Longer
BGP
VRP
VRP
VRP
![Page 13: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/13.jpg)
More Formally
2012.04.17 pfx-validate 13
ROA = (Rp, Rl, Ra) // prefix, length, AS VRPs = {Vp, Vl, Vm, Va} // prefix, len, max-len, AS cover(V,R) = intersect (Vp, Rp) and Vl <= Rl match(V,R) = cover(V,R) and Rl <= Vm and Ra = Va
![Page 14: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/14.jpg)
More Formality
2012.04.17 pfx-validate 14
Rl <= Vm Rl > Vm Ra=Va Ra~=Va Ra=Va Ra~=Va cover(V,R) Valid Invalid Invalid Invalid ~ cover(V,R) NotFound NotFound NotFound NotFound
![Page 15: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/15.jpg)
And if You Liked That
2012.04.17 pfx-validate 15
TE :== There Exists FA :== For All valid (R) :== TE V in VPRs such that Tag(V,R) = V invalid (R) :== ~valid(R) and TE V in VPRs such that Tag(V,R) = Invalid NotFound(R) :== ~valid(R) and ~invalid(R) expanded: valid(R) ==> TE V in VRPs such that intersect (Vp,Rp) and Vl <= Rl and Rl <= Vm and Ra=Va invalid(R) ==> ~valid(R) and TE V in VRPs such that intersect(Vp,Rp) and Vl <= Rl and (Rl > Vm or Ra ~= Va) notfound(R) ==> FA V in VRPs, ~intersect(Vp,Rp) or Vl > Rl
![Page 16: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/16.jpg)
Had Enough?
J
2012.04.17 pfx-validate 16
![Page 17: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/17.jpg)
2012.04.17 pfx-validate 17
98.128.0.0/16-24 AS 6
BGP
VRP0
98.128.0.0/16-20 AS 42 VRP1
98.128.0.0/12 AS 42 NotFound, not covered by any VRP
BGP 98.128.0.0/16 AS 42 Valid, Matches VRP1
BGP 98.128.0.0/20 AS 6 Valid, Matches VRP0
BGP 98.128.0.0/22 AS 42 Invalid, length within VRP1 but AS mismatch
BGP 98.128.0.0/24 AS 6 Valid, Matches VRP0
Matching and Validity
BGP 98.128.0.0/24 AS 42 Invalid, longer than VRP1 although AS matches
![Page 18: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/18.jpg)
VRP with AS0 • It is supposed to mark a prefix as
always invalid • But what happens when there is a
VRP for AS0 and another VRP which matches the announcement?
• The announcement is matched, and is therefore Valid
2012.04.17 pfx-validate 18
![Page 19: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/19.jpg)
2012.04.17 pfx-validate 19
• Router implementations do not accept announcements with AS0.
• So, you will mark as Invalid when a VRP with AS0 covers as long as there is no matching VRP.
• But think of the case where a court order causes RIPE to issue a VRP with AS0 for you, but a ‘rescue’ trust anchor published a matching VRP. You are saved!
![Page 20: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/20.jpg)
Don’t Accept Invalid
2012.04.17 pfx-validate 20
• If your policy accepts Invalid, • A more specific prefix hijack will
be marked as Invalid • But it will still be accepted • Because it is the only candidate
for the more specific prefix
• So maybe you don’t want to accept Invalids?
![Page 21: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/21.jpg)
Just Closed Issue(s) • Should updates learned via iBGP be
marked? • Should updates injected into BGP on
this router be marked? • My bottom line:
• Yes, to support incremental deployment • I do not want to find out I am announcing
garbage when my neighbor’s NOC calls 2012.04.17 pfx-validate 21
![Page 22: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/22.jpg)
Allowing Holes
• Big Provider announces 10.0.0.0/8
• Wants to issue ROA for 10/8 before ensuring ROAs are issued for customers
• So signal hole-punching is allowed by max-len==0
2012.04.17 pfx-validate 22
![Page 23: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/23.jpg)
2012.04.17 pfx-validate 23
10.0.0.0/8-0 42 10.0.0.0/9-0 42 10.128.0.0/9-0 42 would cause the marking of the following as Valid 10.0.0.0/8 42 10.0.0.0/9 42 10.128.0.0/9 42 and the following as NotFound 10.42.0.0/24 42 10.42.0.0/16 666 10.77.0.0/24 666 but would cause the marking of the following as Invalid 10.0.0.0/8 666 10.0.0.0/9 666 10.128.0.0/9 666
![Page 24: Relying / Issuing Parties and ROA Validation · Trust Anchor GUI GUI Issuing Parties Relying Parties route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net!](https://reader036.fdocuments.us/reader036/viewer/2022071000/5fbcba1ee0c4fb338f3459ee/html5/thumbnails/24.jpg)
Pfui! • This protects 10/8 but nothing else,
pretty useless
• Generate temporary customer ROAs from BGP table, get real protection
2012.04.17 pfx-validate 24