Presentation is loading. Please wait.

Presentation is loading. Please wait.

RPKI implementation experiences in the LAC Region Carlos M. Martínez – Arturo Servín LACSEC 2012 – LACNIC XVIII.

Published byProsper McGee Modified over 8 years ago

Similar presentations

Presentation on theme: "RPKI implementation experiences in the LAC Region Carlos M. Martínez – Arturo Servín LACSEC 2012 – LACNIC XVIII."— Presentation transcript:

1 RPKI implementation experiences in the LAC Region Carlos M. Martínez – Arturo Servín LACSEC 2012 – LACNIC XVIII

2 What is RPKI?  RPKI (Resource Public Key Infrastructure) allows the validation of an organization right to use of a certain resource (IPv4, IPv6, ASN)  RPKI combines the hierarchy of the Internet resource assignment model through RIRs with the use of digital certificates based on standard X.509  RPKI is standardized in the IETF through the SIDR WG. It has produced RFCs 6480 – 6492

3 Application of RPKI  One of the threats to the routing system is the forging of the origin autonomous system in BGP.  To reduce monkey-in-the-middle attacks and misconfiguration errors in BGP we use RPKI to validate the autonomous system that originates a prefix

4 RPKI Architecture and Origin Validation Cache RPKI Management System Repository

5 Types of users  Prefix holder  You want to certify your prefixes and create ROAs  Router operator  You want to validate prefixes using RPKI and origin- validation  You are both

6 Prefix Holder  You need to create and publish your resource certificate and your ROAs  One way is to use RIRs systems already deployed  Run your own CA and repository

7 Router Operator  You need an origin-validation capable router, an RPKI cache and at least one trust anchor  Cisco, Juniper and Quagga (srx-module) are capable routers  RIPE NCC and others have cache implementations  Each RIR is the trust anchor of the resources (IPv6 and IPv4) that they have allocated

8 Router Operator (2)  Configure your cache to pull the TALs from RIRs  Configure your router and cache to speak RTR  Configure policies in your router  Check your BGP routes

9 Validation Cache  RIPE NCC  Java, runs almost anywhere, supports (RPKI routing protocol  Download: http://labs.ripe.net/Members/agowland/ripencc- rpki-validator.zip/viewhttp://labs.ripe.net/Members/agowland/ripencc- rpki-validator.zip/view  Rcynic  Runs in unix like systems  Download: http://rpki.nethttp://rpki.net  BBN  Written in C++, tested in linux but it may run in other unix like systems

10 Routers  Cisco  Production software for ASR1000, 7600, ASR903 and ASR901 – releases 15.2(1)S or XE 3.5  Juniper  Beta versions in JunOS  Production version sometime in 2012  Quagga  Quagga SRX, developed by NIST US  3 rd -party patch, merge into mainline Quagga planned for later in 2012

11 RPKI in the LAC Region This segment of the talk is biased – It covers operational experience from our service region only (LACNIC) – I assume people should know what their network is actually doing – So take all this with a grain of salt It is not meant to be hard on early adopters – Early adopters always get burnt, but they gather and provide extremely valuable experience

12 RPKI in the LACNIC Service Region Where are we? – Slowly getting there – There is a lot of interest in the community – A bit of disappointment due to lack of router software This should change later this year Noticeable increments in usage after our conferences ~200** prefixes, 6% of announced IPv4 covered by ROAs 2 nd place among all regions behind RIPE-NCC by some measurements

13 RPKI Evolution Prefixes Signed IPv4 Space Covered by ROAs (in % of total)

14 Nice, right? Or... … perhaps not Statistics show that the quality of the ROAs created tends to be not-very-good Quality in this context means 'first do no harm' – Your ROAs should not create 'artificial' invalids, otherwise trust in the system will be quickly undermined once BGP speakers start validating Our region was creating almost ~1500 invalids

15 How we figured it out?  http://www.labs.lacnic.net/rpkitools/looking_glass/

16 Why ? What is Going On ? Network-related issues – Lack of awareness on how a 'complex' network is actually, well, 'networking' with its peers 'Complex' as in 'I use more than one AS' Failure to properly identify correct originating AS – Flabbergasting levels of de-aggregation Sometimes for TE needs, sometimes hard-to-explain Make creation of proper ROAs impractical with currently available tools System-related

17 Why ? What is Going On ? (ii) System-related – Lack of 'previewing' or 'prototyping' tools Leading to 'blind' ROA creation and lots of trial & error – Lack of awareness of tools like RIS

18 What Now? What Should We Do? Act now: – We contacted our worst offenders and reduced our count of invalids by 75% while keeping them using the system Plan for the future: – Provide better tools Ways of 'previewing' the effect of a ROA – RIS data invaluable for this purpose Batch-creation of ROAs Up/Down – Integrate them with the hosted system BGP Training Remember the BGP BoF later today

19 Thank you ! carlos @ lacnic.net aservin @ lacnic.net

Download ppt "RPKI implementation experiences in the LAC Region Carlos M. Martínez – Arturo Servín LACSEC 2012 – LACNIC XVIII."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
LACNIC Policy Update Roque Gagliano LACNIC. Current Policies Proposals - LACNIC As a result of the Open Policy Forum at LACNIC XI four policy proposals.

LACNIC Policy Update Roque Gagliano LACNIC. Current Policies Proposals - LACNIC As a result of the Open Policy Forum at LACNIC XI four policy proposals.
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
ARIN Update NANOG 55 – 6 June 2012 Mark Kosters Chief Technology Officer, ARIN.

ARIN Update NANOG 55 – 6 June 2012 Mark Kosters Chief Technology Officer, ARIN.
BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery 1IETF 802/12/2014.

BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery 1IETF 802/12/2014.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.

Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
IPv4 Addresses. Internet Protocol: Which version? There are currently two versions of the Internet Protocol in use for the Internet IPv4 (IP Version 4)

IPv4 Addresses. Internet Protocol: Which version? There are currently two versions of the Internet Protocol in use for the Internet IPv4 (IP Version 4)
December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.

December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.

APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.

March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.
1 Overview of policy proposals Policy SIG Wednesday 26 August 2009 Beijing, China.

1 Overview of policy proposals Policy SIG Wednesday 26 August 2009 Beijing, China.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Sofía Silva Berenguer lacnic.net IETF 88 – Vancouver RPKI and Origin Validation Deployment in Ecuador.

Sofía Silva Berenguer lacnic.net IETF 88 – Vancouver RPKI and Origin Validation Deployment in Ecuador.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
IPv4 Depletion and IPv6 Adoption Today Community Use Slide Deck Courtesy of ARIN May 2014.

IPv4 Depletion and IPv6 Adoption Today Community Use Slide Deck Courtesy of ARIN May 2014.

Similar presentations

Ads by Google