implementing rpki based origin validation one country at
play

Implementing RPKI-based origin validation one country at a time. - PowerPoint PPT Presentation

Aug 17, 2022 •174 likes •314 views

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

  1. Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabián Mejía

  2. Why and who? � BGP origin validation based on RPKI is in early stages of deployment. It is necessary to create a success story that brings enough value to both: network operators and resource holders. � Multistakeholder Project: CISCO, LACNIC and AEPROVI.

  3. ABSTRACT I-D: draft-fmejia-opsec-origin-a-country-00.txt � One possible deployment strategy for BGP origin validation based on the Resource Public Key Infrastructure (RPKI) is the construction of islands of trust. This document describes the authors' experience deploying and maintaining a BGP origin validation island of trust in Ecuador. The authors want comments from this WG.

  4. Roles � POLICER NETWORK: NAP.EC (www.nap.ec). IXP in Ecuador (UIO and GYE). Mandatory multilateral routing policy. AEPROVI manages the NAP.EC infrastructure. � RESOURCE HOLDERS: a number of holders, including organizations like ISP, content providers, universities, .ec domain and root servers administrators. Local and foreign organizations. � RPKI CAs AND REPOSITORY: The LACNIC-hosted RPKI CA model was used for this project. � TECHNICAL SUPPORT: To involve trained people and train new ones is very important. Cisco and LACNIC staff collaborated.

  5. Objective � "Deploy RPKI-based BGP origin validation in NAP.EC's route servers. For the success of the project, 80% of the Ecuadorian prefixes (both IPv4 and IPv6) received by those routers should have a valid origin." � NAP.EC - GYE was taken as reference (because NAP.EC - UIO had non-Ecuadorian prefixes announced).

  6. Planning � Discussion points: 1. RPKI-based origin validation support in the route-servers equipments 2. How to deploy a RPKI cache into the Network 3. How to populate the RPKI database with the correct and necessary information 4. Action to take with NotFound and Invalid prefixes � About 3: It was decided to organize an event with two objectives: training and RPKI object signing. � Communication strategy should not be overlooked.

  7. Deployment RPKI Validation servers � Two VMs running GNU Linux. � VMs are within management AS and access to Internet and both NAP.EC locations (UIO , GYE). � Each VM runs 2 validating software: from RIPE and rpki.net project. � Different service ports. Origin validation setting � At the beginning, no action: marking each prefix with a BGP community based on its RPKI origin state. Some months later: dropping Invalid prefixes and setting a � lower local preference for NotFound prefixes.

  8. Training and RPKI signing event � Key planning activity: to create the list of participants and to make sure that at least one participant per network had the authentication credentials to create its RPKI signed objects. � Target community: Ecuadorian organizations that had received IP resources from LACNIC until mid-2013. � The attendance represented around 80% of the target prefixes. � Two days event. Theoretical and practical training. � Time slots to sign RPKI objects: at the end of the first day and during the second day. � Feedback before closing the event: applying an acceptable policy in order do not waste the successful effort.

  9. Outcome and post-event activities � Ecuadorian prefixes with RPKI origin state as Valid: � Less 1% before the event. � Less than 20% at the start of the second day, � Around 80% at the end of the event. � Almost 100% a few days after the event, after to contact some non-attending organizations. � After, some communication activities were performed. � Overall, management has been simple and without major problems.

  10. Lessons learned and best practices Implementation support needs to be verified in all target � platforms. The resource holders community need RPKI-based origin � validation training. Two days event is a better practice. The participants may � not be confident about their skills at the end of the first day or may need further authorization. Initial work to have the "right people" in the room is a key to � success. Operators are less conservative than original though by � organizers. When a new ISP wants to join NAP.EC, it receives information � about RPKI-based origin validation and it is invited to create its ROAs. The event was a great opportunity to assemble the local � community. Post event communication needs to be discussed ahead of � time.

  11. IMPACT – LAC REGION JULY 2013 OCTOBER 2013 Fuente: http://rpki.surfnet.nl/perrir.html

  12. IMPACT – COMPARATIVE OCTOBER 2013 Fuente: http://rpki.surfnet.nl/perrir.html

  13. Thanks Fabián Mejía NAP.EC Administrator fabian@aeprovi.org.ec

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Towards new requirements on Country of Towards new requirements on Country of Origin Labelling:

Towards new requirements on Country of Towards new requirements on Country of Origin Labelling:

Towards new requirements on Country of Towards new requirements on Country of Origin Labelling: Consequences for the food chain The view of the EU Primary Food Processors From farmers gates to shelves PFP is the vital link in the EU food

517 views • 18 slides
Implementing CertPath Validation: Lessons Learned Steve Hanna Sun Microsystems, Inc.

Implementing CertPath Validation: Lessons Learned Steve Hanna Sun Microsystems, Inc.

Implementing CertPath Validation: Lessons Learned Steve Hanna Sun Microsystems, Inc. steve.hanna@sun.com Cert Path Validation & Building Widely needed S/MIME, TLS, IPsec, ... Very complex sonof2459 includes 18

155 views • 11 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Whlisch PEERING The BGP Testbed The BGP

1.56k views • 52 slides
RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals Explain where it started

RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals Explain where it started

RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals Explain where it started Learn what resources certificates are Learn how to request a certificate Learn how to create a Route Origin Authorization Learn how to

977 views • 59 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
Rules of Origin Overview Chemicals Roadshow November/December 2018 1 What are rules of origin?

Rules of Origin Overview Chemicals Roadshow November/December 2018 1 What are rules of origin?

OFFICIAL SENSITIVE Rules of Origin Overview Chemicals Roadshow November/December 2018 1 What are rules of origin? Rules of origin (RoO) determine the economic nationality of a good. A product is considered originating in a country

560 views • 16 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
Who are we? Baseline data on the MaCE team, 2018/19 N=27/40 About us Country of Origin

Who are we? Baseline data on the MaCE team, 2018/19 N=27/40 About us Country of Origin

Who are we? Baseline data on the MaCE team, 2018/19 N=27/40 About us Country of Origin Respondents Roles Higher Education Experience Age started secondary education 9 7 5 2 0 Eleven Twelve Thirteen Fourteen Fifteen Sixteen

869 views • 63 slides
Country Presentation Statistics Israel Item 13: Partner country Country of Origin and Last

Country Presentation Statistics Israel Item 13: Partner country Country of Origin and Last

ESA/STAT/AC.142.12 UNITED NATIONS UNITED NATIONS ECONOMIC COMMISSION DEPARTMENT OF ECONOMIC AND SOCIAL AFFAIRS FOR AFRICA STATISTICS DIVISION International Workshop on Country Practices in Compilation of International Merchandise Trade

386 views • 14 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Country of origin labelling Perspectives and experiences from the European food and drink

Country of origin labelling Perspectives and experiences from the European food and drink

1 Country of origin labelling Perspectives and experiences from the European food and drink manufacturing sector Dirk Jacobs Deputy Director General Director Consumer Information, Diet and Health AGRI- ENVI Public Hearing on the Labelling

322 views • 18 slides
Improving CG-CAHPS in an Academic Medical Center Rick Evans, MA Senior Vice President &

Improving CG-CAHPS in an Academic Medical Center Rick Evans, MA Senior Vice President &

Improving CG-CAHPS in an Academic Medical Center Rick Evans, MA Senior Vice President & Chief Experience Officer Strategies for Improving CAHPS Clinician & Group (CG-CAHPS) Survey Scores A Webcast Presented by the AHRQ CAHPS User

801 views • 10 slides
Prst r t

Prst r t

Prst r t ttr r rs ttrsrrs

470 views • 42 slides
Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools Mike La

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools Mike La

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools Mike La Pilla Slide Warning These are draft slides, not the ones presented Most images have been removed from draft If you are reading these you

410 views • 38 slides
Defeat the Disruption of Assessment at a Distance: Too Much Data, Not Enough Time Alejandra

Defeat the Disruption of Assessment at a Distance: Too Much Data, Not Enough Time Alejandra

Defeat the Disruption of Assessment at a Distance: Too Much Data, Not Enough Time Alejandra Zertuche , MBA, MS Founder and CEO Enflux Dr. Annesha White , PharmD, MS, PhD Associate Dean for Assessment & Accreditation University of North

439 views • 14 slides
Interaction Vertex Imaging (IVI) for carbon ion therapy monitoring a feasibility study E. Testa 1

Interaction Vertex Imaging (IVI) for carbon ion therapy monitoring a feasibility study E. Testa 1

Ion range verification Interaction Vertex Imaging principles Simulation tools Results Conclusion and perspectives Interaction Vertex Imaging (IVI) for carbon ion therapy monitoring a feasibility study E. Testa 1 , D. Dauvergne 1 , G. Dedes 1

391 views • 16 slides
Image Segmentation Perceptual and Sensory Augmented Computing Marc Pollefeys Computer Vision WS

Image Segmentation Perceptual and Sensory Augmented Computing Marc Pollefeys Computer Vision WS

Image Segmentation Perceptual and Sensory Augmented Computing Marc Pollefeys Computer Vision WS 0/09 ETH Zurich Slide credits: V. Ferrari, K. Grauman, B. Leibe, S. Lazebnik, S. Seitz,Y Boykov, W. Freeman, P. Kohli Topics of This Lecture

1.73k views • 134 slides
Operational Changes and Enhancements resulting from INFINERA Deployment in GEANT Tony Barber

Operational Changes and Enhancements resulting from INFINERA Deployment in GEANT Tony Barber

Operational Changes and Enhancements resulting from INFINERA Deployment in GEANT Tony Barber Head of GEANT & DANTE Operations Centre connect communicate collaborate Summary 2012 & 2013 GEANT undertakes significant procurement

531 views • 19 slides
Announcements Homework 2: Due Thursday Feb 19 Project milestone due: Feb 24 4 Pages, NIPS

Announcements Homework 2: Due Thursday Feb 19 Project milestone due: Feb 24 4 Pages, NIPS

Active Learning and Optimized Information Gathering Lecture 13 Submodularity (contd) CS 101.2 Andreas Krause Announcements Homework 2: Due Thursday Feb 19 Project milestone due: Feb 24 4 Pages, NIPS format:

553 views • 42 slides

More recommend