[PPT] - AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb PowerPoint Presentation

SLIDE 1

1 Apricot 2020 RPKI – Feb 20

SECURING THE INTERNET – VALIDATING ROUTING WITH RPKI

AARON MURRIHY aaron.murrihy@reannz.co.nz

SLIDE 2

2 Apricot 2020 RPKI – Feb 20

ABOUT US

SLIDE 3

3 Apricot 2020 RPKI – Feb 20

ABOUT

REANNZ

New Zealand’s NREN
Engineering team of 7
AS38022
Peering points in 3 countries

– NZ, Australia, US

100G backbone

SLIDE 4

4 Apricot 2020 RPKI – Feb 20

THE PROBLEM

SLIDE 5

5 Apricot 2020 RPKI – Feb 20

PROBLEM

ROUTE HIJACKING

192.168.0.0/21 192.168.8.0/21 192.168.0.0/20

BGP has no mechanism for ensuring trust!

SLIDE 6

6 Apricot 2020 RPKI – Feb 20

PROBLEM

ROUTE HIJACKING

192.168.0.0/20 192.168.0.0/20

SLIDE 7

7 Apricot 2020 RPKI – Feb 20

PROBLEM

ROUTE HIJACKING

192.168.0.0/20 P e e r i n g

Can be malicious or accidental

SLIDE 8

8 Apricot 2020 RPKI – Feb 20

PROBLEM

MITIGATIONS

Route filters based on IRR information

– Which registry? – What about transit providers? – Still no mechanism for ensuring trust

Or…

SLIDE 9

9 Apricot 2020 RPKI – Feb 20

RPKI

SLIDE 10

10 Apricot 2020 RPKI – Feb 20

RPKI

ABOUT RPKI

Resource Public Key Infrastructure

RFC6480 (and many others)
Binds route prefix to origin ASN

– Signed cryptographically – Ensures trust (sort of)

Recommended for MANRS compliance

– https://www.manrs.org

Signed prefixes stored (and distributed) by the 5 RIRs

https://blog.cloudflare.com/rpki/

SLIDE 11

11 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Super Fun Time Party

SLIDE 12

12 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Super Fun Time Party

Can I join the party?

SLIDE 13

13 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Super Fun Time Party

What’s your name?

SLIDE 14

14 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Super Fun Time Party

Jamie

SLIDE 15

15 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Super Fun Time Party

From Wellington?

SLIDE 16

16 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Super Fun Time Party

Na, from Sydney

SLIDE 17

17 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Super Fun Time Party

Sorry, buddy. You’re not on my list

SLIDE 18

18 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#1)

Another ASN advertising your routes

Super Fun Time Party

SLIDE 19

19 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

SLIDE 20

20 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

Can I join the party?

SLIDE 21

21 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

What’s your name?

SLIDE 22

22 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

Jamie

SLIDE 23

23 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

From Wellington?

SLIDE 24

24 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

Yep

SLIDE 25

25 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

Jamie Senior?

SLIDE 26

26 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

No, Jamie Junior

SLIDE 27

27 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

Super Fun Time Party

Sorry, buddy. I’ve been specifically asked by your Dad to only let him in.

SLIDE 28

28 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOES RPKI PROTECT AGAINST (#2)

The same or a different ASN advertising a more specific route

Super Fun Time Party

SLIDE 29

29 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Super Fun Time Party

SLIDE 30

30 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Super Fun Time Party

Can I join the party?

SLIDE 31

31 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Super Fun Time Party

What’s your name?

SLIDE 32

32 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Super Fun Time Party

Jamie

SLIDE 33

33 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Super Fun Time Party

From Wellington?

SLIDE 34

34 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Super Fun Time Party

Umm… OK, Sure

SLIDE 35

35 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Super Fun Time Party

That’s good enough for me. Come on in!

SLIDE 36

36 Apricot 2020 RPKI – Feb 20

RPKI

WHAT DOESN’T RPKI PROTECT AGAINST

Malicious party forging your ASN as the origin

Super Fun Time Party

SLIDE 37

37 Apricot 2020 RPKI – Feb 20

RPKI

TLDR

Protects against

– accidental advertisement of incorrect routes – route hijacking with more specific prefixes

Doesn’t protect against

– malicious advertisement of routes with impersonated origin ASN – accidental transit of peer routes Validating the AS path is a whole other kettle of cryptographic fish

SLIDE 38

38 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

SLIDE 39

39 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

RPKI ARCHITECTURE

ROA Validator BGP Routers

RSYNC RPKI-RTR

SLIDE 40

40 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

ROA

https://myapnic.net -> Resources -> (Route Management) Routes

SLIDE 41

41 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

ROA

Just tick the ROA option - trivial

SLIDE 42

42 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

VALIDATOR (RELYING PARTY)

RIPE RPKI Validator

– Infrastructure

Java
2 x containers
Ansible-managed
Memory-hungry (~6GB)

– Capability

Downloads ROAs with RSYNC
Validates ROAs cryptographically
ROA overrides (Ignore, Whitelist)
Performs the RTR transfer to your BGP routers
Validated data can be exposed via JSON API

https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/

SLIDE 43

43 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

VALIDATOR (RELYING PARTY)

SLIDE 44

44 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

ADVERTISE VALIDATED DATA TO NETWORK

RPKI to Router (RTR) protocol

– RFC6810 – Unencrypted

routing-options { validation { notification-rib [ some-inet.0 some-inet6.0 ]; group rpki-wlg { session 203.0.113.14 { port 8282; local-address 192.0.2.1 } } } } filter protect-re { term rpki-rtr { from { source-prefix-list { rpki-rtr-validators; } protocol tcp; source-port 8282; } then accept; } }

SLIDE 45

45 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

ENABLING RPKI POLICY

Just add an import filter to your peering policy

term invalid { from { protocol bgp; validation-database invalid; } then { validation-state invalid; reject; } } term valid { from { protocol bgp; validation-database valid; } then { validation-state valid; next policy; } } term unknown { from { protocol bgp; validation-database unknown; } then { validation-state unknown; next policy; } }

SLIDE 46

46 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

REANNZ RPKI BEST PRACTICE

Apply on external BGP feeds

– Peerings, Transit Providers, R&E

Not applying to customers

– Exact route filters already in place (built from IPAM)

Begin by logging invalid routes
Then act on RPKI validation

– Valid == Accept – Invalid == Reject – Unknown == Accept

SLIDE 47

47 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

REANNZ RPKI BEST PRACTICE

Use exact prefix lengths for ROAs
Automate regular checks of your configured ROAs

aaron@nms-wlg:~$ check_reannz_roas Missing ROAs: 140.200.0.0/24 AS38022 140.200.1.0/24 AS38299 Extra ROA's: 140.200.1.0/24 AS38022

SLIDE 48

48 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

SHOULD I ENABLE RPKI VALIDATION?

Pro

– Gain benefit without full (internet-wide) implementation – Security improves as adoption increases – BGP performance/reliability unaffected – Cleanly handles failure – Operationally, pretty simple to implement/run

Con

– Requires ensuring ROAs are kept up-to-date – Some extra training for the NOC

SLIDE 49

49 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

SHOULD I ENABLE RPKI VALIDATION?

Pro

– Gain benefit without full (internet-wide) implementation – Security improves as adoption increases – BGP performance/reliability unaffected – Cleanly handles failure – Operationally, pretty simple to implement/run

Con

– Requires ensuring ROAs are kept up-to-date – Some extra training for the NOC

N

t

i f y

u

r e c e i v e t h e d e f a u l t r

u

t e !

SLIDE 50

50 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

http://sg-pub.ripe.net/jasper/rpki-web-test

Number of reported faults:

SLIDE 51

51 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

http://sg-pub.ripe.net/jasper/rpki-web-test

Number of reported faults:

2

SLIDE 52

52 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

LESSONS LEARNED

Keep your WHOIS contact details up-to-date
Automate checks of validity of your ROAs

– https://github.com/taiji-k/roamon-verify

Implement a check of what IP space disappears when rejecting invalid

routes

– Ignore where there is a valid covering route – https://nusenu.github.io/RPKI-Observatory/unreachable-networks.html

SLIDE 53

53 Apricot 2020 RPKI – Feb 20

RPKI IMPLEMENTATION

IT ALL KINDA JUST WORKED

SLIDE 54

54 Apricot 2020 RPKI – Feb 20