rpki tutorial
play

RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals - PowerPoint PPT Presentation

Jun 21, 2023 •380 likes •977 views

RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals Explain where it started Learn what resources certificates are Learn how to request a certificate Learn how to create a Route Origin Authorization Learn how to

  1. RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer

  2. Goals • Explain where it started • Learn what resources certificates are • Learn how to request a certificate • Learn how to create a Route Origin Authorization • Learn how to integrate ROAs in your workflow • Making BGP decisions based on the RPKI • Lots of live demonstrations 2

  3. Certification

  4. Current Practices in Filtering • Filtering limited to the edges facing the customer • Filters on peering and transit sessions are often too complex or take too many resources – Do you filter? • A lot depends on trusting each other – Daily examples show this is no longer enough 4

  5. Limitations of the Routing Registry • A lot of different registries exist, operated by a number of different parties: – Not all of them mirror the other registries – How trust worthy is the information they provide? • The IRR system is far from complete • Resulting filters are hard to maintain and can take a lot of router memory 5

  6. Securing BGP Routing • SIDR working group in the IETF looking for a solution: – Is a specific AS authorised to originate an IP prefix? • Based on open standards: – RFC 5280: X.509 Public Key Infrastructure – RFC 3779: Extensions for IP addresses and ASNs 6

  7. The RIPE NCC Involvement in RPKI • The authority who is the holder of an Internet Number Resource in our region – IPv4 and IPv6 address ranges – Autonomous System Numbers • Information is kept in the registry • Accuracy and completeness are key 7

  8. Digital Resource Certificates • Issue digital certificates along with the registration of Internet Resources • Two main purposes: – Make the registry more robust – Making Internet Routing more secure • Added value comes with validation 8

  9. Using Certificates • Certification is a free, opt-in service – Your choice to request a certificate – Linked to your membership – Renewed every 12 months • Certificate does not list any identity information – That information is in the RIPE Database • Digital proof you are the holder of a resource 9

  10. The PKI System • The RIRs hold a self-signed root certificate for all the resources that they have in the registry – They are the trust anchor for the system • That root certificate is used to sign a certificate that lists your resources • You can issue child certificates for those resources to your customers – When making assignments or sub allocations 10

  11. Certificate Authority (CA) Structure Root CA (RIPE NCC) Member CA (LIR) Customer CA 11

  12. Validation • All certificates are published in publicly accessible repositories – RIPE NCC operates one of them • You can download all certificates and associated public keys • Using cryptographic tools to verify yourself that all certificates are valid and linked to the root CA 12

  13. Which Resources Are Certified? • Everything for which we are 100% sure who the owner is: – Provider Aggregatable (PA) IP addresses – Provider Independent (PI) addresses marked as “Infrastructure” • Other resources will be added over time: – PI addresses for which we have a contract – ERX resources 13

  14. Legacy Address Space • A project has started to bring legacy resources into the registry system • Makes the registry more robust and complete: – Holders are verified to be legit – Information published in the RIPE Database – Resources can be certified • Free service for legacy holders – Contact legacy@ripe.net for more information 14

  15. Demo Setting up certification in the LIR Portal

  16. Enabling Access To RPKI 16

  17. Setting Up a Certificate Authority 17

  18. Your Resource Certificate 18

  19. ROA Route Origination Authorisation

  20. Making a Statement • You as the certified holder of the IP addresses can decide who should announce these prefixes to the Internet: – They can originate from your own ASN – Or by a third party on your behalf – Maybe a part will be announced by somebody else • You can use the certificate to “sign” this statement, to prove this is really you 20

  21. Route Origination Authorisation (ROA) • Next to the prefix and the ASN which is allowed to announce it, the ROA contains: – A minimum prefix length – A maximum prefix length – An expiry date • Multiple ROAs can exist for the same prefix • ROAs can overlap 21

  22. Publication and Validation • ROAs are published in the same repositories as the certificates and they keys • You can download them and use software to verify all the cryptographic signatures are valid – Was this really the owner of the prefix? • You will end up with a list of prefixes and the ASN that is expected to originate them – And you can be sure the information comes from the holder of the resources 22

  23. Demo Creating a ROA

  24. S A N My ROA Specifications D B O X 24

  25. S A N Add ROA Specification D B O X 25

  26. S A N Adding a ROA D B O X 26

  27. S A N Your New ROA D B O X 27

  28. S A N The ROA Repository D B O X 28

  29. Validator

  30. ROA Validation • All the certificates, public keys and ROAs which form the RPKI are available for download • Software running on your own machine can retrieve and then verify the information – Cryptographic tools can check all the signatures • The result is a list of all valid combinations of ASN and prefix, the “validated cache” 30

  31. ROA Validation Workflow Cert's ROAs Keys ARIN Afrinic Sandbox repositories APNIC Lacnic RIPE NCC processing Validator network equipment http view and RPKI-RTR modify protocol validated cache 31

  32. Validation • Every certificate and ROA is signed using the private key of the issuer • The public keys in the repository allow you to verify the signature was made using the correct private key • You can walk the whole RPKI tree structure up to the Root Certificates of the RIRs 32

  33. Reasons For a ROA To Be Invalid • The start date is in the future – Actually this is flagged as an error • The end date is in the past – It is expired and the ROA will be ignored • The signing certificate or key pair has expired or has been revoked • It does not validate back to a configured trust anchor 33

  34. Modifying the Validated Cache • The RIPE NCC Validator allows you to manually override the validation process • Adding an ignore filter will ignore all ROAs for a given prefix – The end result is the validation state will be “unknown” • Creating a whitelist entry for a prefix and ASN will locally create a valid ROA – The end result is the validation state becomes “valid” 34

  35. The Decision Process • When you receive a BGP announcement from one of your neighbors you can compare this to the validated cache • There are three possible outcomes: – Unknown : there is no covering ROA for this prefix – Valid : a ROA matching the prefix and ASN is found – Invalid : There is a ROA but it does not match the ASN or the prefix length 35

  36. Router-RPKI Protocol • Routers can download the validated cache from the validator and have it available in memory • The BGP process will check each announcement and label the prefix • You can instruct your router to look at those labels and make a decision based on it – Modify preference values – Filter the announcement – ... 36

  37. The Decision is Yours • The Validator is a tool which can help you making informed decisions about routing • Using it properly can enhance the security and stability of the Internet • It is your network and you make the final decision 37

  38. Exercise/Demo Using the RIPE NCC Validator

  39. Download the Validator • http://www.ripe.net/certification -> tools • Requires Java 1.6 and rsync • No Installation required – Unzip the package – Run the program • Interface available on localhost port 8080 39

  40. Starting the Validator 40

  41. The Web Interface 41

  42. Trust Anchors 42

  43. Listing All Validated ROAs 43

  44. Add an Ignore Filter Insert the prefix and click “add” The overview shows if there is a match 44

  45. Creating a Whitelist Add the origin, prefix and maximum length This locally creates a valid (but fake) ROA 45

  46. BGP Preview • The validator downloads a copy of the RIS – Allows you to get a hint of what would happen – RIS view might be different from your routing table 46

  47. BGP Preview Detail 47

  48. Exporting the Validated Cache • Router sessions – Validator listens on 8282 for RPKI-RTR Protocol – Routers can connect and download the cache • Export function – Allows you to download a CSV with the cache – Can be integrated with your internal workflow – Use for statistics or spotting anomalies 48

  49. Router Integration

  50. Open Standards • The RPKI-RTR Protocol is an IETF standard • All router vendors can implement it – Cisco has beta images available – Juniper expects it to be in 12.2 (Q312) – Quagga has support for it • Ask your favorite sales person for more information – And tell them you like this 50

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein

663 views • 32 slides
Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston University Outline Background How does BGP work? How does RPKI work? What is the maxLength? How maxLength causes problems

741 views • 34 slides
Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston ) Key Rollover Document New doc: draC-huston-sidr-aao-profile-0-

494 views • 14 slides
Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman Route-Hijacking:

687 views • 36 slides
BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec

BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec

Advanced Network Security BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec Startng (almost) from scratch 2 Autonomous systems (AS) Internet is divided into Autonomous Systems (AS) Controlled by

815 views • 39 slides
ASN resolution 2012-DC-0283 of 26 June 2012 instructing lectricit de France Socit

ASN resolution 2012-DC-0283 of 26 June 2012 instructing lectricit de France Socit

F RENCH R EPUBLIC ASN resolution 2012-DC-0283 of 26 June 2012 instructing lectricit de France Socit Anonyme (EDF-SA) to comply with additional requirements applicable to the Flamanville NPP (Manche dpartement) in the light of the

180 views • 17 slides
Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation

Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation

Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation Algorithms NIST BGP Security Team July 2010 National Institute of Standards and Technology National Institute of Standards and Technology Contact:

103 views • 7 slides
Local Internet Registry Training Course March 2019 Schedule 09:00 - 09:30 Coffee, Tea 11:00 -

Local Internet Registry Training Course March 2019 Schedule 09:00 - 09:30 Coffee, Tea 11:00 -

Local Internet Registry Training Course March 2019 Schedule 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break 13:00 - 14:00 Lunch 15:30 - 15:45 Break 17:30 End 2 Introductions Name Number on the list Experience with the

1.61k views • 119 slides
Induction, Transitive Closure and Cycles Liron Cohen, Cornell University, Reuben Rowe, University

Induction, Transitive Closure and Cycles Liron Cohen, Cornell University, Reuben Rowe, University

Induction, Transitive Closure and Cycles Liron Cohen, Cornell University, Reuben Rowe, University of Kent ASL North American Annual Meeting, 2018 Verification Database Complexity Applications MKM of Logic in CS Type Theory Knowledge

1.04k views • 100 slides
Site and Subgrantee Management High Quality Performance Measures Overview of the e-Course Series

Site and Subgrantee Management High Quality Performance Measures Overview of the e-Course Series

High Quality Performance Measures Site and Subgrantee Management High Quality Performance Measures Overview of the e-Course Series AmeriCorps Prohibited Activities AmeriCorps Allowable/Unallowable Activities Demonstrating the Impact

385 views • 35 slides
www.asn.am Journal #5 The start of World War One has often been stated to start with

www.asn.am Journal #5 The start of World War One has often been stated to start with

www.asn.am Journal #5 The start of World War One has often been stated to start with www.asn.am Doolally www.asn.am Vile highly offensive, unpleasant, or objectionable; morally debased, depraved, or despicable www.asn.am Bloke

373 views • 9 slides
Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim

Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim

Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim Zaliva 1 Nika Pona 2 What is ASN.1? At Digamma.ai we are verifying a compiler for ASN.1 The ASN.1 is a language for defining data

215 views • 21 slides
Measuring IPv6 with adver3sements for fun and profit George

Measuring IPv6 with adver3sements for fun and profit George

Measuring IPv6 with adver3sements for fun and profit George Michaelson, APNIC how to measure the Internet What do we mean when we say

596 views • 59 slides

More recommend