
  1. SECURING THE INTERNET – VALIDATING ROUTING WITH RPKI
     Aaron Murrihy, aaron.murrihy@reannz.co.nz
     Apricot 2020 RPKI – Feb 20

  2. ABOUT US

  3. ABOUT REANNZ
     New Zealand’s NREN
     • Engineering team of 7
     • AS38022
     • Peering points in 3 countries
       – NZ, Australia, US
     • 100G backbone

  4. THE PROBLEM

  5. PROBLEM – ROUTE HIJACKING
     [Diagram: 192.168.0.0/20 alongside the more specifics 192.168.0.0/21 and 192.168.8.0/21]
     BGP has no mechanism for ensuring trust!

  6. PROBLEM – ROUTE HIJACKING
     [Diagram: 192.168.0.0/20 advertised twice, by two different networks]

  7. PROBLEM – ROUTE HIJACKING
     [Diagram: 192.168.0.0/20 advertised across a peering link]
     Can be malicious or accidental

  8. PROBLEM – MITIGATIONS
     • Route filters based on IRR information
       – Which registry?
       – What about transit providers?
       – Still no mechanism for ensuring trust
     • Or…

  9. RPKI

  10. RPKI – ABOUT RPKI
     Resource Public Key Infrastructure
     • RFC6480 (and many others)
     • Binds route prefix to origin ASN
       – Signed cryptographically
       – Ensures trust (sort of)
     • Recommended for MANRS compliance
       – https://www.manrs.org
     • Signed prefixes stored (and distributed) by the 5 RIRs
     https://blog.cloudflare.com/rpki/

  11. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     [Cartoon: the door of the “Super Fun Time Party”; the same scene runs through slides 11–36]

  12. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     “Can I join the party?”

  13. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     “What’s your name?”

  14. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     “Jamie”

  15. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     “From Wellington?”

  16. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     “Na, from Sydney”

  17. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     “Sorry, buddy. You’re not on my list”

  18. RPKI – WHAT DOES RPKI PROTECT AGAINST (#1)
     Another ASN advertising your routes

  19. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     [Cartoon: the door of the “Super Fun Time Party”]

  20. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “Can I join the party?”

  21. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “What’s your name?”

  22. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “Jamie”

  23. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “From Wellington?”

  24. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “Yep”

  25. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “Jamie Senior?”

  26. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “No, Jamie Junior”

  27. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     “Sorry, buddy. I’ve been specifically asked by your Dad to only let him in.”

  28. RPKI – WHAT DOES RPKI PROTECT AGAINST (#2)
     The same or a different ASN advertising a more specific route

  29. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     [Cartoon: the door of the “Super Fun Time Party”]

  30. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     “Can I join the party?”

  31. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     “What’s your name?”

  32. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     “Jamie”

  33. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     “From Wellington?”

  34. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     “Umm… OK, sure”

  35. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     “That’s good enough for me. Come on in!”

  36. RPKI – WHAT DOESN’T RPKI PROTECT AGAINST
     Malicious party forging your ASN as the origin

  37. RPKI – TLDR
     • Protects against
       – accidental advertisement of incorrect routes
       – route hijacking with more specific prefixes
     • Doesn’t protect against
       – malicious advertisement of routes with impersonated origin ASN
       – accidental transit of peer routes
     Validating the AS path is a whole other kettle of cryptographic fish

  38. RPKI IMPLEMENTATION

  39. RPKI IMPLEMENTATION – RPKI ARCHITECTURE
     [Diagram: ROAs fetched with RSYNC → ROA Validator → RPKI-RTR → BGP Routers]

  40. RPKI IMPLEMENTATION – ROA
     https://myapnic.net -> Resources -> (Route Management) Routes

  41. RPKI IMPLEMENTATION – ROA
     Just tick the ROA option – trivial

  42. RPKI IMPLEMENTATION – VALIDATOR (RELYING PARTY)
     RIPE RPKI Validator
     – Infrastructure
       • Java
       • 2 x containers
       • Ansible-managed
       • Memory-hungry (~6GB)
     – Capability
       • Downloads ROAs with RSYNC
       • Validates ROAs cryptographically
       • ROA overrides (Ignore, Whitelist)
       • Performs the RTR transfer to your BGP routers
       • Validated data can be exposed via JSON API
     https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/

  43. RPKI IMPLEMENTATION – VALIDATOR (RELYING PARTY)
     [Screenshot of the validator]

  44. RPKI IMPLEMENTATION – ADVERTISE VALIDATED DATA TO NETWORK
     RPKI to Router (RTR) protocol
     – RFC6810
     – Unencrypted

     Junos: point the router at the validator (RTR session) and, because the transport is plain TCP, only accept RTR traffic from the listed validator addresses:

     routing-options {
         validation {
             notification-rib [ some-inet.0 some-inet6.0 ];
             group rpki-wlg {
                 session 203.0.113.14 {
                     port 8282;
                     local-address 192.0.2.1;
                 }
             }
         }
     }

     filter protect-re {
         term rpki-rtr {
             from {
                 source-prefix-list {
                     rpki-rtr-validators;
                 }
                 protocol tcp;
                 source-port 8282;
             }
             then accept;
         }
     }
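
The slide calls the RTR transport "Unencrypted", which is why the protect-re filter above matters: the validator's PDUs carry no authentication of their own, so the router has to trust whatever can reach its RTR port. The following is an added example (not code from the deck or from REANNZ) that encodes and parses the RFC 6810 version 0 PDUs a cache sends to a router: a Cache Response, IPv4 Prefix PDUs (20 bytes: header, flags, prefix length, max length, prefix, ASN) and an End of Data carrying the serial number. The session id, prefixes and ASNs in SAMPLE_STREAM are constructed; the parser treats every length field as untrusted and refuses a malformed stream rather than reading past it.

```python
import ipaddress
import struct

RTR_VERSION = 0                         # RFC 6810 protocol version 0
CACHE_RESPONSE, IPV4_PREFIX, END_OF_DATA = 3, 4, 7
FLAG_ANNOUNCE = 1                       # flags bit 0: 1 = announce, 0 = withdraw
HEADER = struct.Struct("!BBHI")         # version, PDU type, session id (or zero), length
IPV4_BODY = struct.Struct("!BBBB4sI")   # flags, prefix len, max len, zero, prefix, ASN


def encode_ipv4_prefix(prefix, max_length, asn, announce=True):
    """Build one 20-byte IPv4 Prefix PDU (RFC 6810 section 5.6)."""
    net = ipaddress.IPv4Network(prefix)
    return HEADER.pack(RTR_VERSION, IPV4_PREFIX, 0, 20) + IPV4_BODY.pack(
        FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_length, 0,
        net.network_address.packed, asn)


def encode_cache_response(session_id):
    return HEADER.pack(RTR_VERSION, CACHE_RESPONSE, session_id, 8)


def encode_end_of_data(session_id, serial):
    # Version 0 End of Data: 8-byte header plus a 4-byte serial number.
    return HEADER.pack(RTR_VERSION, END_OF_DATA, session_id, 12) + struct.pack("!I", serial)


def parse_pdus(data):
    """Walk a byte stream of PDUs; return (set of announced IPv4 VRPs, serial).

    Each VRP is (prefix, max_length, asn). Withdrawals remove a VRP again.
    Every length is checked against the buffer before it is used, so a
    truncated or oversized PDU raises ValueError instead of being trusted.
    """
    vrps = set()
    serial = None
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("truncated PDU header")
        version, pdu_type, _session, length = HEADER.unpack_from(data, offset)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < HEADER.size or offset + length > len(data):
            raise ValueError(f"bad PDU length {length}")
        body = data[offset + HEADER.size: offset + length]
        if pdu_type == IPV4_PREFIX:
            if length != 20:
                raise ValueError("IPv4 Prefix PDU must be 20 bytes")
            flags, plen, maxlen, _zero, addr, asn = IPV4_BODY.unpack(body)
            if not plen <= maxlen <= 32:
                raise ValueError("inconsistent prefix length / max length")
            vrp = (str(ipaddress.IPv4Network((addr, plen))), maxlen, asn)
            if flags & FLAG_ANNOUNCE:
                vrps.add(vrp)
            else:
                vrps.discard(vrp)
        elif pdu_type == END_OF_DATA:
            (serial,) = struct.unpack("!I", body[:4])
        elif pdu_type != CACHE_RESPONSE:
            raise ValueError(f"unexpected PDU type {pdu_type}")
        offset += length
    return vrps, serial


def is_well_formed(data):
    try:
        parse_pdus(data)
        return True
    except ValueError:
        return False


# Constructed cache-to-router exchange: Cache Response, two announcements,
# a withdrawal of the second one, then End of Data with serial 42.
SAMPLE_STREAM = (
    encode_cache_response(0x1234)
    + encode_ipv4_prefix("192.168.0.0/20", 20, 64500)
    + encode_ipv4_prefix("203.0.113.0/24", 24, 64501)
    + encode_ipv4_prefix("203.0.113.0/24", 24, 64501, announce=False)
    + encode_end_of_data(0x1234, 42)
)

if __name__ == "__main__":
    print(parse_pdus(SAMPLE_STREAM))
```

Nothing in the stream identifies the cache, so whoever can open a TCP session to the router's RTR listener can hand it VRPs; RFC 6810 lists SSH, TLS, TCP-AO and TCP-MD5 as optional transports, and where those are not available a source filter like the slide's protect-re term is the control that remains.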

  45. RPKI IMPLEMENTATION – ENABLING RPKI POLICY
     Just add an import filter to your peering policy

     term valid {
         from {
             protocol bgp;
             validation-database valid;
         }
         then {
             validation-state valid;
             next policy;
         }
     }
     term invalid {
         from {
             protocol bgp;
             validation-database invalid;
         }
         then {
             validation-state invalid;
             reject;
         }
     }
     term unknown {
         from {
             protocol bgp;
             validation-database unknown;
         }
         then {
             validation-state unknown;
             next policy;
         }
     }

  46. RPKI IMPLEMENTATION – REANNZ RPKI BEST PRACTICE
     • Apply on external BGP feeds
       – Peerings, Transit Providers, R&E
     • Not applying to customers
       – Exact route filters already in place (built from IPAM)
     • Begin by logging invalid routes
     • Then act on RPKI validation
       – Valid == Accept
       – Invalid == Reject
       – Unknown == Accept
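
The party scenarios on slides 11–36 and the accept/reject rules on this slide are two halves of the same mechanism: the router computes a validation state for each announcement from the VRPs it received, then the policy acts on that state. The following added example (not code from the deck or from REANNZ) implements RFC 6811 route origin validation and the slide's policy, with a log-only mode for the "begin by logging" phase. The VRP set and the announcements are constructed: 192.168.0.0/20 is the deck's own example prefix, AS64500 stands in for the legitimate origin, and AS64666 for some other network.

```python
import ipaddress
from typing import List, NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, origin ASN) triple
    the relying-party validator hands to routers over RTR."""
    prefix: str
    max_length: int
    asn: int


# Constructed VRP set: one ROA for the deck's example prefix, exact length.
VRPS = [VRP("192.168.0.0/20", 20, 64500)]


def origin_validation(prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """RFC 6811 route origin validation of one BGP announcement.

    unknown: no VRP covers the announced prefix
    valid:   a covering VRP has the same origin ASN and the announced
             prefix length does not exceed its maxLength
    invalid: at least one VRP covers the prefix, but none matches
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != net.version:
            continue
        if net.subnet_of(roa_net):            # VRP covers the announcement (equal counts)
            covered = True
            if vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
                return "valid"
    return "invalid" if covered else "unknown"


def policy_action(state: str, enforce: bool = True) -> str:
    """Slide 46's policy: valid -> accept, invalid -> reject, unknown -> accept.
    With enforce=False (the 'begin by logging' phase) an invalid route is
    still accepted but marked, so the NOC can review what would be dropped."""
    if state == "invalid":
        return "reject" if enforce else "accept-and-log"
    return "accept"


def evaluate(announcements, vrps, enforce=True):
    """Validate and apply policy to (prefix, origin_asn) announcements."""
    results = []
    for prefix, asn in announcements:
        state = origin_validation(prefix, asn, vrps)
        results.append((prefix, asn, state, policy_action(state, enforce)))
    return results


# Constructed announcements, one per scenario in the deck.
SCENARIOS = [
    ("192.168.0.0/20", 64666),   # #1: another ASN advertising your routes
    ("192.168.0.0/21", 64500),   # #2: a more specific beyond the ROA's maxLength
    ("192.168.0.0/20", 64500),   # #3: a forged origin ASN looks exactly like the real thing
    ("203.0.113.0/24", 64500),   # no ROA at all -> unknown, accepted
]

if __name__ == "__main__":
    for row in evaluate(SCENARIOS, VRPS, enforce=True):
        print("%-18s AS%-6d %-8s %s" % row)
```

Scenario #3 comes out "valid" because origin validation only compares the origin ASN in the announcement with the ROA; it cannot tell whether that ASN was put there by its owner, which is the deck's point that AS path validation is a separate problem.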

  47. RPKI IMPLEMENTATION – REANNZ RPKI BEST PRACTICE
     • Use exact prefix lengths for ROAs
     • Automate regular checks of your configured ROAs

     aaron@nms-wlg:~$ check_reannz_roas
     Missing ROAs:
       140.200.0.0/24 AS38022
       140.200.1.0/24 AS38299
     Extra ROA's:
       140.200.1.0/24 AS38022
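
The check_reannz_roas tool is not published, so the following is an added example (not REANNZ's code) of the kind of check the slide describes: compare the ROAs that should exist, derived from IPAM, against the ROAs actually published, and report missing and extra ones in the same shape as the slide's output. It also flags ROAs whose maxLength is longer than the prefix, the "use exact prefix lengths" point. The EXPECTED and PUBLISHED sets are constructed to reproduce the slide's example output; the published set would in practice come from the validator's JSON export filtered to your own address space.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Set, Tuple


class ROA(NamedTuple):
    prefix: str
    max_length: int
    asn: int


# Constructed: the ROAs that should exist, derived from IPAM (the source of
# truth the deck already builds its customer route filters from).
EXPECTED: Set[ROA] = {
    ROA("140.200.0.0/24", 24, 38022),
    ROA("140.200.1.0/24", 24, 38299),
}

# Constructed: what is actually published at the RIR. Here one ROA was
# created with the wrong origin ASN and one was never created.
PUBLISHED: Set[ROA] = {
    ROA("140.200.1.0/24", 24, 38022),
}


def audit_roas(expected: Iterable[ROA], published: Iterable[ROA]) -> Tuple[List[ROA], List[ROA]]:
    """Set difference in both directions: (missing, extra).
    A ROA differing only in maxLength or ASN shows up as one missing
    plus one extra entry, which is what you want to see."""
    expected, published = set(expected), set(published)
    return sorted(expected - published), sorted(published - expected)


def loose_roas(roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose maxLength exceeds the prefix length. A loose maxLength
    makes more-specifics with the same origin ASN validate, so an
    announcement that forges your origin (scenario #3) could steer a
    sub-prefix while still passing origin validation."""
    return sorted(r for r in roas
                  if r.max_length > ipaddress.ip_network(r.prefix).prefixlen)


def report(expected: Iterable[ROA], published: Iterable[ROA]) -> str:
    missing, extra = audit_roas(expected, published)
    lines = ["Missing ROAs:"]
    lines += [f"  {r.prefix} AS{r.asn}" for r in missing]
    lines.append("Extra ROAs:")
    lines += [f"  {r.prefix} AS{r.asn}" for r in extra]
    lines.append("Loose ROAs (maxLength > prefix length):")
    lines += [f"  {r.prefix}-{r.max_length} AS{r.asn}" for r in loose_roas(published)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(EXPECTED, PUBLISHED))
```

Run it from cron after every IPAM change as the slide suggests; the interesting cases are the ones where the two sides drift apart silently, such as renumbering a customer onto a new origin ASN without touching the ROA.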

  48. RPKI IMPLEMENTATION – SHOULD I ENABLE RPKI VALIDATION?
     • Pro
       – Gain benefit without full (internet-wide) implementation
       – Security improves as adoption increases
       – BGP performance/reliability unaffected
       – Cleanly handles failure
       – Operationally, pretty simple to implement/run
     • Con
       – Requires ensuring ROAs are kept up-to-date
       – Some extra training for the NOC

  49. RPKI IMPLEMENTATION – SHOULD I ENABLE RPKI VALIDATION?
     [Same Pro/Con list as slide 48, with a callout written across the Pro column:]
     Not if you receive the default route!

  50. RPKI IMPLEMENTATION
     Number of reported faults: 0
     http://sg-pub.ripe.net/jasper/rpki-web-test

  51. RPKI IMPLEMENTATION
     Number of reported faults: 2
     http://sg-pub.ripe.net/jasper/rpki-web-test

  52. RPKI IMPLEMENTATION – LESSONS LEARNED
     • Keep your WHOIS contact details up-to-date
     • Automate checks of validity of your ROAs
       – https://github.com/taiji-k/roamon-verify
     • Implement a check of what IP space disappears when rejecting invalid routes
       – Ignore where there is a valid covering route
       – https://nusenu.github.io/RPKI-Observatory/unreachable-networks.html
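
The last lesson on this slide is the check that tells you what rejecting invalid routes will actually cost: an invalid more-specific whose address space is still covered by a valid less-specific stays reachable (traffic just follows the covering route), while an invalid route with no covering route disappears from the table. The following is an added example (not REANNZ's tooling) of that check over a constructed route table in which each prefix carries the validation state the router reports; the deck's 192.168.0.0/20 is reused and the other prefixes are documentation ranges. By default only valid covering routes count, as the slide says; passing covering_states=("valid", "unknown") also discounts unknown covers, since the slide 46 policy accepts those too.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed route table: (prefix, validation state as reported by the router).
ROUTES = [
    ("192.168.0.0/20", "valid"),
    ("192.168.8.0/21", "invalid"),     # invalid, but the valid /20 still covers it
    ("203.0.113.0/24", "invalid"),     # no covering route at all -> lost if rejected
    ("198.51.100.0/22", "unknown"),
    ("198.51.100.0/24", "invalid"),    # only an unknown covering route
]


def unreachable_if_rejected(routes: Iterable[Tuple[str, str]],
                            covering_states: Tuple[str, ...] = ("valid",)) -> List[str]:
    """Invalid prefixes that would vanish from the table once invalid routes
    are rejected, i.e. those with no covering route in an accepted state.

    A covering route is any route in covering_states whose prefix contains
    the invalid prefix (an identical prefix from a valid origin counts).
    """
    routes = list(routes)
    covers = [ipaddress.ip_network(p) for p, s in routes if s in covering_states]
    lost = []
    for prefix, state in routes:
        if state != "invalid":
            continue
        net = ipaddress.ip_network(prefix)
        if any(c.version == net.version and net.subnet_of(c) for c in covers):
            continue
        lost.append(prefix)
    return lost


if __name__ == "__main__":
    print("lost (valid covers only):   ", unreachable_if_rejected(ROUTES))
    print("lost (valid+unknown covers):", unreachable_if_rejected(ROUTES, ("valid", "unknown")))
```

Run it against the full table during the log-only phase; every prefix it lists is address space your customers will lose reachability to the moment the reject term goes live, so those are the ones worth contacting (hence the WHOIS point on the same slide) before you flip the policy.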
