Resource Pubic Key Infrastructure · Public Key Concept •Private key: This key must be known only...

RPKIResourcePubicKeyInfrastructure

PurposeofRPKI

• RPKIreplacesIRRorlivessidebyside?• Sidebyside:differentadvantages• Security,almostrealtime,simpleinterface:RPKI

• PurposeofRPKI• IsthatASNauthorizedtooriginatethataddressrange?

2

ASPath

3

2001:DB8::/32 655516555065549i

65551

Ihave2001:DB8::/32

Sendapacketto2001:DB8::1

65553 65549

65550

65536Ihave2001:DB8::/32

2001:DB8::/32 6555265536i

65552

VALID

INVALID

RPKIDeployment

4

Phase1OriginValidation

Phase2PathValidation

Ihave2001:DB8::/32

Sendapacketto2001:DB8::1

65552 65549

65551 65550

InternetRegistry(IR)/RIR

• MaintainsInternetResourcessuchasIPaddressesandASNs,andpublishtheregistrationinformation• AllocationsforLocalInternetRegistries• Assignmentsforend-users

• APNICistheRegionalInternetRegistry(RIR)intheAsiaPacificregion• NationalInternetRegistry(NIR)existsinseveraleconomies

5

TheEco-System

6

GoalsofRPKI

• AbletoauthoritativelyprovewhoownsanIPPrefixandwhatAS(s)mayAnnounceIt• Reducingroutingleaks• Attachingdigitalcertificatestonetworkresources(ASNumber&IPAddress)

• PrefixOwnershipFollowstheAllocationHierarchyIANA,RIRs,ISPs,…

7

AdvantageofRPKI

• Useabletoolset• Noinstallationrequired• Easytoconfiguremanualoverrides

• Tightintegrationwithrouters• SupportedroutershaveawarenessofRPKIvaliditystates

• SteppingstoneforAS-PathValidation• PreventAttacksonBGP

8

RPKIImplementation

• TwoRPKIimplementationtype• Delegated:EachparticipatingnodebecomesaCAandrunstheirownRPKIrepository,delegatedbytheparentCA.• Hosted:TheRIRrunstheCAfunctionalityforinterestedparticipants.

9

TwoComponents

• CertificateAuthority(CA)• InternetRegistries(RIR,NIR,LargeLIR)• Issuecertificatesforcustomers• AllowcustomerstousetheCA’sGUItoissueROAsfortheirprefixes

• RelyingParty(RP)• SoftwarewhichgathersdatafromCAs

10

IssuingParty

• InternetRegistries(RIR,NIR,LargeLIRs)• ActsasaCertificateAuthorityandissuescertificatesforcustomers• ProvidesawebinterfacetoissueROAsforcustomerprefixes• PublishestheROArecords

11

APNICRPKIEngine

publication

MyAPNIC GUI

rpki.apnic.net

Repository

RelyingParty(RP)

12

IANARepo

APNICRepo RIPERepo

LIRRepo LIRRepo

RPCache(gather) Validated

Cache

RPKI-Rtr Protocol

rpki.ripe.net

SoftwarewhichgathersdatafromCAsAlsocalledRPcacheorvalidator

rpki.apnic.net

RPKIBuildingBlocks

1. TrustAnchors(RIR’s)2. RouteOriginationAuthorizations(ROA)3. Validators

13

1.PKI&TrustAnchors

PublicKeyConcept

• Privatekey:Thiskeymustbeknownonlybyitsowner.• Publickey:Thiskeyisknowntoeveryone(itispublic)• Relationbetweenbothkeys:Whatonekeyencrypts,theotheronedecrypts,andviceversa.Thatmeansthatifyouencryptsomethingwithmypublickey(whichyouwouldknow,becauseit'spublic:-),Iwouldneedmyprivatekeytodecryptthemessage.• SamealikehttpwithSSLakahttps

15

RPKIProfile

CertificatesareX.509certificatesthatconformtothePKIXprofile[PKIX].Theyalsocontainan

extensionfieldthatlistsacollectionofIPresources(IPv4addresses,IPv6

addressesandASNumbers)[RFC3779]

16

X.509Cert

RFC3779Extension

Describes IPResources(Addr &ASN)

SIA– URIforwherethisPublishes

Owner’sPublicKey

CA

Signed

byParent’sPrivateKey

X.509Certificates3779EXT

TrustAnchor

IANA

AFRINIC RIPE NCC ARIN APNIC LACNIC

NIR NIR

ISP ISP ISP ISP ISP

Trust Anchor CertificateResourceAllocationHierarchy

Issued Certificates

matchallocation actions

17

Source:http://isoc.org/wp/ietfjournal/?p=2438

RPKIChainofTrust

• TheRIRsholdaself-signedrootcertificateforalltheresourcesthattheyhaveintheregistry• Theyarethetrustanchorforthesystem

• Thatrootcertificateisusedtosignacertificatethatlistsyourresources• Youcanissuechildcertificatesforthoseresourcestoyourcustomers• Whenmakingassignmentsorsuballocations

18

2.ROARouteOriginAuthorizations

RouteOriginationAuthorizations(ROA)

• AROAisadigitallysignedobject thatprovidesameansofverifyingthatanIPaddressblockholder hasauthorized anAutonomousSystem(AS) tooriginateroutestooneormoreprefixes withintheaddressblock.• WithaROA,theresourceholderisattesting thattheoriginASnumberisauthorized toannounce theprefix(es).TheattestationcanbeverifiedcryptographicallyusingRPKI.

20

RouteOriginationAuthorizations(ROA)

• NexttotheprefixandtheASNwhichisallowedtoannounceit,theROAcontains:• Aminimumprefixlength• Amaximumprefixlength• Anexpirydate• OriginASN

• MultipleROAscanexistforthesameprefix• ROAscanoverlap

21

3.Validators

OriginValidation• RoutergetsROAinformationfromtheRPKICache• RPKIverificationisdonebytheRPKICache

• TheBGPprocesswillcheckeachannouncementwiththeROAinformationandlabeltheprefix

23

ValidatedRPKICache

RPKItoRTRprotocol

ResultofCheck

• Valid – IndicatesthattheprefixandASpairarefoundinthedatabase.• Invalid – Indicatesthattheprefixisfound,buteitherthecorrespondingASreceivedfromtheEBGPpeerisnottheASthatappearsinthedatabase,ortheprefixlengthintheBGPupdatemessageislongerthanthemaximumlengthpermittedinthedatabase.• NotFound /Unknown– Indicatesthattheprefixisnotamongtheprefixesorprefixrangesinthedatabase.

Valid>Unknown>Invalid

24

ROAExample

25

Prefix:10.0.0.0/16ASN:65420

ROA 65420 10.0.0.0/16 /18

OriginAS Prefix MaxLength

VALID AS65420 10.0.0.0/16

VALID AS65420 10.0.128.0/17

INVALID AS65421 10.0.0.0/16

INVALID AS65420 10.0.10.0/24

UNKNOWN AS65430 10.0.0.0/8

LocalPolicy

• Youcandefineyourpolicybasedontheoutcomes• Donothing• Justlogging• LabelBGPcommunities• Modifypreferencevalues• Rejectingtheannouncement

26

Insummary

• Asanannouncer/LIR• Youchooseifyouwantcertification• YouchooseifyouwanttocreateROAs• YouchooseAS,maxlength

• AsaRelyingParty• Youcanchooseifyouusethevalidator• YoucanoverridethelistsofvalidROAsinthecache,addingorremovingvalidROAslocally• YoucanchoosetomakeanyroutingdecisionsbasedontheresultsoftheBGPVerification(valid/invalid/unknown)

27

RPKICaveats

• WhenRTRsessiongoesdown,theRPKIstatuswillbenotfoundforallthebgp routeafterawhile• Invalid=>notfound• weneedseveralRTRsessionsorcareyourfilteringpolicy

• Incaseoftherouterreload,whichoneisfaster,receivingROAsorreceivingBGProutes?• IfreceivingBGPismatchfasterthanROA,therouterpropagatetheinvalidroutetoothers• WeneedtoputourCachevalidatorwithinourIGPscope

28

RPKIFurtherReading

• RFC5280:X.509PKICertificates• RFC3779:ExtensionsforIPAddressesandASNs• RFC6481-6493:ResourcePublicKeyInfrastructure

29

RPKIConfiguration

RPKIConfiguration

• Resources:• AS:131107[APNICTRAINING-DC]• IPv4:202.125.96.0/24• IPv6:2001:df2:ee00::/48

• Process• CreateROA• Setupcachevalidationserver• ValidatetheROA

31

ImplementationScenario

32

ASBR

{rtr}

DNS

Trust Anchors

DNS

Trust AnchorsDNS

Trust Anchors

DNS

RPKI Cache Validator

{rsync}{bgp4}

repository

upstream

• {bgp4}RoutersvalidateupdatesfromotherBGPpeers

• {rtr}CachesfeedsroutersusingRTRprotocolwithROAinformation

• {rsync}Cachesretrievesandcryptographicallyvalidatescertificates&ROAsfromrepositories

PhaseI- PublishingROA

33

• LogintoyourMyAPNIC portal• Requiredvalidcertificate• GotoResources>CertificationTab


34


• ShowavailableprefixforwhichyoucancreateROA

35


36

PhaseI- CheckyourROA

37

# whois -h whois.bgpmon.net 2001:df2:ee00::/48

Prefix: 2001:df2:ee00::/48Prefix description: APNICTRAINING-DCCountry code: AUOrigin AS: 131107Origin AS Name: ASN for APNICTRAINING LAB DCRPKI status: ROA validation successfulFirst seen: 2016-06-30Last seen: 2017-01-03Seen by #peers: 160

PhaseI- CheckyourROA

38

# whois -h whois.bgpmon.net " --roa 131107 2001:df2:ee00::/48"

0 – Valid------------------------ROA Details------------------------Origin ASN: AS131107Not valid Before: 2016-09-07 02:10:04Not valid After: 2020-07-30 00:00:00 Expires in 3y208d1h39m28.7999999821186sTrust Anchor: rpki.apnic.netPrefixes: 2001:df2:ee00::/48 (max length /48) 202.125.96.0/24 (max length /24)

PhaseII- RPKIValidator

• Twooptions:

A.RIPENCCRPKIValidator• https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources

B.DragonResearchLabsRPKIToolkit• https://github.com/dragonresearch/rpki.net

39


A.RIPENCCRPKIValidator

• DownloadRPKIValidator• http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources

• Installation

40

# tar -zxvf rpki-validator-app-2.21-dist.tar.gz# cd rpki-validator-app-2.21# ./rpki-validator.sh start


41

A.RIPENCCRPKIValidator

http://rpki-validator.apnictraining.net:8080/


B.DragonResearchLabsRPKIToolkit

• InstallationprocessinUbuntuXenial 16.04• https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-rp.md

• Installation

42

# wget -q -O /etc/apt/sources.list.d/rpki.listhttps://download.rpki.net/APTng/rpki.xenial.list# wget -q -O /etc/apt/trusted.gpg.d/rpki.asc https://download.rpki.net/APTng/apt-gpg-key.asc# apt update# apt install rpki-rp


• B.DragonResearchLabsRPKIToolkit

43

http://rpki-dragonresearch.apnictraining.net/rcynic/

PhaseIII- RouterConfiguration(JunOS)

http://pastebin.com/50bmnv9F

PhaseIII- RouterConfiguration(IOS)

http://pastebin.com/p30nWu0R

PhaseIII- RouterConfiguration(GoBGP)

http://pastebin.com/DwQbdq7A

Checkyourprefix

rpki-junos>show route protocol bgp 202.125.96.46/24

202.125.96.0/24 *[BGP/170] 3w5d 16:57:33, MED 0, localpref 110AS path: 3333 4608 131107 I, validation-state:

verified> to 193.0.19.254 via xe-1/3/0.0

• Junos

Checkyourprefix

rpki-ios>show ip bgp 202.125.96.0/24

BGP routing table entry for 202.125.96.0/24, version 70470025Paths: (2 available, best #2, table default)Not advertised to any peerRefresh Epoch 13333 1273 4637 1221 4608 131107 193.0.19.254 from 193.0.3.5 (193.0.0.56)Origin IGP, localpref 110, valid, externalCommunity: 83449328 83450313path 287058B8 RPKI State valid

• IOS

Checkyourprefix

fakrul@gobgp:~$ gobgp global rib 202.125.96.0/24

Network Next Hop AS_PATH Age Attrs

V*> 202.125.96.0/24 202.12.29.113 4608 1221 4826 131107 00:13:29 [{Origin: i} {Med: 0} {LocalPref: 110} {Communities: 4608:11101}]

• GoBGP

Commands

• Checksessionstatusofcachevalidatorservershow validation session detail

show bgp ipv4 unicast rpki servers

gobgp rpki server

JunOS

IOS

GoBGP

show validation database

show bgp ipv4 unicast rpki table

gobgp rpki table

JunOS

IOS

GoBGP

• Fullvalidationdatabase

!Caution!

51

Testbed

• Cisco(hostedbytheRIPENCC)• PublicCiscorouter:rpki-rtr.ripe.net• Telnetusername:ripe/Nopassword

• Juniper(hostedbyKaia GlobalNetworks)• PublicJuniperrouters:193.34.50.25,193.34.50.26• Telnetusername:rpki /Password:testbed

52

Configuration- ReferenceLink

• Cisco• http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp3677719851

• Juniper• http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html

53

54

www.apnic.net/roa

Thanks

Resource Pubic Key Infrastructure · Public Key Concept •Private key: This key must be known only...

Documents

Transcript of Resource Pubic Key Infrastructure · Public Key Concept •Private key: This key must be known only...