Securing the global routing system and the approach of operators

Securing the global routing system and the approach of operators

Sheryl Hermoso

Network Operations, APNIC

1

Incidents

Motivations!

Current practice

Receive request LOA check Create associate prefix / AS filter

Tools and techniques

LOA check

Manual Automated

RPKI

LoA check

• The system is sometimes overly complicated, and lacks sufficient examples

• End users cannot figure it out, which means another layer of support structure must be added, or proxy registration must be implemented

LoA check and RPSL

A publicly accessible description of every import and export policy to every transit, peer, and customer is difficult to maintain, and is not in the best business interests of many ISPs

RPKI implementation

Origin validation

Hosted CA Delegated CA

*upgrade at least ASBRs to RPKI capable code

Technology and learning curve

RPSL

June 1999

RPSLng

March 2005

RPKI

January 2013

But how are operators adopting and implementing it?

Total prefixes: 856654 /21 February 2017

Prefixes distribution

Violations: 107520 (22.64%)

Consistent: 367354 (77.36%)

Prefixes with IRR data

IRR data violations example

Prefixes with RPKI

RPKI data violation example• Most of the cases involve an invalid prefix (fixed length

mismatch)– Create ROA for a /22 but announce a /24

• Invalid origin AS is also visible

RPKI data violation example


17

49.144.64.0/22 AS9299

103.36.16.0/24 AS133623


18

How about South-east Asia?

ROAs in South-east Asia

20

https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

ROAs in South-east AsiaCountry IPv4 prefixes covered IPv4 prefixes valid

Philippines 44.62% 29.02%Malaysia 20.62% 20.07%SingaporeThailand 4.31% 4.18%Laos 66.52% 20.7%Cambodia 13.82% 8.77%Indonesia 2.76% 2.76%Myanmar 44.67% 42.67%

source : https://lirportal.ripe.net/certification/content/static/statistics/world-roas.htmldate : 13 February 2017

https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

Philippines

22

Total ASNs delegated by RIR: 372; Visible IPv4 routes: 484; Visible IPv6 routes: 87

28%

15%

57%

Valid Invalid NotFound

12; 24%

38; 76%


http://rpki.apnictraining.net/output/af.html

Singapore

23

Total ASNs delegated by RIR: 440; Visible IPv4 routes: 5,489; Visible IPv6 routes: 747

14%

2%

85%


17%

83%


Malaysia

24


17%

1%

82%


16%

1%

83%


Laos

25


21%

46%

33%


35%

65%


Indonesia

26


5%

95%


100%


Myanmar

27


44%

2%

54%


67%

33%


Thailand

28


4%0%

95%


2%

98%


Cambodia

29


9%

5%

86%


19%

81%


Summary• RPKI adoption is growing

– In most cases, operators create ROAs for min length and advertise the longest prefix

– Some ROAs are invalid due to further allocation to customers

• BGP operations and security – draft-ietf-opsec-bgp-security-07

Data collection• OpenBMP

– https://github.com/OpenBMP/openbmp

• RPKI Dashboard– https://github.com/remydb/RPKI-Dashboard

• RIPE RPKI Statistics– https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

• RIPE Cache Validator API– http://rpki-validator.apnictraining.net:8080/export

Securing the global routing system and the approach of operators

Internet

Transcript of Securing the global routing system and the approach of operators