Securing the global routing system and the approach of operators
Sheryl Hermoso
Network Operations, APNIC
Incidents
Motivations!
Current practice
Receive request → LOA check → Create associated prefix / AS filter
Tools and techniques
LOA check
Manual Automated
RPKI
LoA check
• The system is sometimes overly complicated, and lacks sufficient examples
• End users cannot figure it out, which means another layer of support structure must be added, or proxy registration must be implemented
LoA check and RPSL
A publicly accessible description of every import and export policy to every transit, peer, and customer is difficult to maintain, and is not in the best business interests of many ISPs
RPKI implementation
Origin validation
Hosted CA Delegated CA
*upgrade at least ASBRs to RPKI capable code
Technology and learning curve
• RPSL: June 1999
• RPSLng: March 2005
• RPKI: January 2013
But how are operators adopting and implementing it?
Total prefixes: 856654 / 21 February 2017
Prefixes distribution
Violations: 107520 (22.64%)
Consistent: 367354 (77.36%)
Prefixes with IRR data
IRR data violations example
Prefixes with RPKI
RPKI data violation example
• Most of the cases involve an invalid prefix (fixed length mismatch)
– Create ROA for a /22 but announce a /24
• Invalid origin AS is also visible
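The two violation cases listed above, as an added example that is not part of the original slides: a minimal route origin validation check in the style of RFC 6811, run over constructed ROAs and announcements. The prefixes, AS numbers and function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample ROAs: (prefix, max_length, origin_asn). Not data from the slides.
ROAS = [
    ("10.10.0.0/22", 22, 64500),  # maxLength left at the prefix length
    ("10.20.0.0/22", 24, 64501),  # maxLength permits de-aggregation down to /24
]

def covering_roas(route, roas):
    """Yield (max_length, asn) for every ROA whose prefix covers the route."""
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # Check the address family first: subnet_of() raises on mixed versions.
        if route.version == roa_net.version and route.subnet_of(roa_net):
            yield max_length, roa_asn

def validate(prefix, origin_asn, roas=ROAS):
    """Return 'Valid', 'Invalid' or 'NotFound' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for max_length, roa_asn in covering_roas(route, roas):
        covered = True
        if route.prefixlen <= max_length and origin_asn == roa_asn:
            return "Valid"
    return "Invalid" if covered else "NotFound"

def invalid_reason(prefix, origin_asn, roas=ROAS):
    """For an Invalid route, report which of the two cases applies."""
    if validate(prefix, origin_asn, roas) != "Invalid":
        return None
    route = ipaddress.ip_network(prefix)
    # A covering ROA with the right AS can only fail on prefix length.
    if any(asn == origin_asn for _, asn in covering_roas(route, roas)):
        return "length mismatch"
    return "origin AS mismatch"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin ASN).
    for prefix, asn in [
        ("10.10.0.0/22", 64500),  # exactly what the ROA authorises
        ("10.10.1.0/24", 64500),  # ROA for a /22, announcement of a /24
        ("10.10.0.0/22", 64502),  # right prefix, wrong origin AS
        ("10.20.1.0/24", 64501),  # /24 allowed because maxLength is 24
        ("10.30.0.0/24", 64500),  # no covering ROA
    ]:
        print(prefix, f"AS{asn}", validate(prefix, asn), invalid_reason(prefix, asn))
```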
RPKI data violation example
49.144.64.0/22 AS9299
103.36.16.0/24 AS133623
How about South-east Asia?
ROAs in South-east Asia
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
ROAs in South-east Asia
Country       IPv4 prefixes covered   IPv4 prefixes valid
Philippines   44.62%                  29.02%
Malaysia      20.62%                  20.07%
Singapore
Thailand      4.31%                   4.18%
Laos          66.52%                  20.7%
Cambodia      13.82%                  8.77%
Indonesia     2.76%                   2.76%
Myanmar       44.67%                  42.67%
Source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
Date: 13 February 2017
Philippines
Total ASNs delegated by RIR: 372; Visible IPv4 routes: 484; Visible IPv6 routes: 87
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 28%, 15%, 57%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 12; 24% and 38; 76%]
http://rpki.apnictraining.net/output/af.html
Singapore
Total ASNs delegated by RIR: 440; Visible IPv4 routes: 5,489; Visible IPv6 routes: 747
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 14%, 2%, 85%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 17%, 83%]
Malaysia
Total ASNs delegated by RIR: 220; Visible IPv4 routes: 2,513; Visible IPv6 routes: 179
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 17%, 1%, 82%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 16%, 1%, 83%]
Laos
Total ASNs delegated by RIR: 21; Visible IPv4 routes: 225; Visible IPv6 routes: 49
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 21%, 46%, 33%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 35%, 65%]
Indonesia
Total ASNs delegated by RIR: 194; Visible IPv4 routes: 7,329; Visible IPv6 routes: 271
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 5%, 95%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 100%]
Myanmar
Total ASNs delegated by RIR: 45; Visible IPv4 routes: 145; Visible IPv6 routes: 3
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 44%, 2%, 54%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 67%, 33%]
Thailand
Total ASNs delegated by RIR: 439; Visible IPv4 routes: 6,409; Visible IPv6 routes: 732
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 4%, 0%, 95%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 2%, 98%]
Cambodia
Total ASNs delegated by RIR: 67; Visible IPv4 routes: 1,037; Visible IPv6 routes: 62
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 9%, 5%, 86%]
[Pie chart; legend: Valid, Invalid, NotFound; values as extracted: 19%, 81%]
Summary
• RPKI adoption is growing
– In most cases, operators create ROAs for min length and advertise the longest prefix
– Some ROAs are invalid due to further allocation to customers
• BGP operations and security – draft-ietf-opsec-bgp-security-07
Data collection
• OpenBMP
– https://github.com/OpenBMP/openbmp
• RPKI Dashboard
– https://github.com/remydb/RPKI-Dashboard
• RIPE RPKI Statistics
– https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
• RIPE Cache Validator API
– http://rpki-validator.apnictraining.net:8080/export