RPKI Tutorial and Hands-On
Copyright © 2015 Japan Network Information Center
RPKI basics
• What is RPKI?
• Why? and how much?
• How does it work?
RPKI
RPKI (Resource PKI)
Resource Public-Key Infrastructure
Why infrastructure?
Public-Key?
Resource?
PKI?
Resource Certificate
How does it differ from SSL/TLS certificates?
Resources?
Resource certificate
Resource certificate = digital certificate which certifies allocation/assignment of number resources
[Figure: a registry or resource allocator issues a resource certificate to the resource holder.]
Contents in resource certificates
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=D5BBADA3
        Validity
            Not Before: Apr 15 10:24:39 2014 GMT
            Not After : Apr 14 10:24:39 2019 GMT
        Subject: CN=D5BBADA3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                18:CE:ED:52:F0:99:02:8A:58:3C:F1:7B:53:71:0E:1F:5D:37:4F:8D
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Subject Information Access:
                CA Repository - URI:rsync://rpki01.nic.ad.jp/repository/
                1.3.6.1.5.5.7.48.10 - URI:rsync://rpki01.nic.ad.jp/repository/jpnic-ta-03.mft
            sbgp-autonomousSysNum: critical
                Autonomous System Numbers:
                  0-4294967295
            sbgp-ipAddrBlock: critical
                IPv4:
                  0.0.0.0/0
                IPv6:
                  ::/0
Registries and resource certificate
• In Internet registries (RIR or NIR ...):
WHOIS database
↓ Allocation/assignment data (IP address and AS number)
↓ Digital certificate with allocation/assignment data = resource certificate
Registry tree and resource certificate
RIR: Regional Internet Registry
NIR: National Internet Registry
LIR: Local Internet Registry
[Figure: registry tree. ICANN/IANA allocates to the five RIRs (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC); RIRs allocate to NIRs and LIRs/ISPs; ISPs assign IP addresses to user networks. Each allocation/assignment is recorded in the WHOIS database, and a resource certificate is issued along the same path.]
Tree structure
[Figure: the same tree (ICANN/IANA, RIRs, NIRs, ISP, user network) with a resource certificate at each step of the delegation path.]
• Issuer: APNIC, Subject: JPNIC, IP address: 192.0.0.0/8
• Issuer: JPNIC, Subject: ISP, IP address: 192.168.0.0/16
• Issuer: ISP, Subject: User net, IP address: 192.168.64.0/22
• ROA (Route Origination Authorization, digitally signed by User net): authorizes route announcement of 192.168.64.0/24 from AS65535
YouTube mis-origin route
YouTube Hijacking: A RIPE NCC RIS case study, 17 Mar 2008, RIPE NCC,
http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study
BitCoin mining pool
BGP Hijacking for Cryptocurrency Profit, 7 August 2014, Pat Litke and Joe Stewart, Dell SecureWorks Counter Threat Unit
http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/
Motivation for the infrastructure
• To detect misuse of IP addresses in routers
• Internet registries, which hold the databases of IP address allocations, can certify allocations/assignments.
• Internet reachability is becoming critical for Web services.
Fee
• No additional fee is charged for resource certification by the RIRs (and JPNIC).
• To use origin validation, capable routers and an “RPKI cache server” are needed.
• It is free to ‘watch’ what is happening in the world…
Unintended use of IP address
• Configuring an IP address that is allocated to another network
[Figure: three networks, AS1, AS2 and AS3. 192.168.150.0/24 is announced once, but 192.168.100.0/24 is announced by two different ASes; the “?” marks show that receiving routers cannot tell which announcement is the intended one.]
Route Origin Authorization
• An authorization from an IP address holder to an AS to originate the allocated IP address prefix.
• A ROA is useful to check whether BGP routing information is the intended one or mis-originated.
• A ROA contains an IP address prefix and an AS number, digitally signed with the address holder’s key.
Origin Validation
[Figure: the AS1/AS2/AS3 scenario again, now with ROAs (Route Origin Authorizations) for 192.168.100.0/24 and 192.168.150.0/24; the “!” marks show where routers performing origin validation detect the second announcement of 192.168.100.0/24.]
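The check a router performs in the figure above, written out as an added example (not code from the JPNIC tutorial): RFC 6811 style origin validation of a BGP announcement against a small ROA table. The ROA for 192.168.64.0/24 from AS65535 comes from the tree-structure slide; the ROAs for the AS1/AS2 prefixes and all maxLength values are constructed assumptions.

```python
# Added example: origin validation (RFC 6811) against a constructed ROA table.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # prefix the address holder signed for
    max_length: int  # longest prefix length the AS may originate
    asn: int         # authorized origin AS (AS0 would mean "nobody may originate")


# Constructed validated-cache content, i.e. what an RPKI cache server feeds a router.
ROAS = [
    Roa("192.168.64.0/24", 24, 65535),   # the ROA shown in the tree-structure slide
    Roa("192.168.100.0/24", 24, 1),      # assumption: AS1 holds 192.168.100.0/24
    Roa("192.168.150.0/24", 24, 2),      # assumption: AS2 holds 192.168.150.0/24
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced prefix/origin pair."""
    net = ipaddress.ip_network(prefix, strict=False)
    # A ROA "covers" the route when its prefix contains the announced prefix
    # (subnet_of only compares networks of the same address family).
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "not-found"   # no ROA says anything about this prefix
    for r in covering:
        if r.asn == origin_as and net.prefixlen <= r.max_length:
            return "valid"   # a matching ROA authorizes this origin and length
    return "invalid"         # covered, but no ROA matches: mis-origin or too specific
```

A second announcement of 192.168.100.0/24 from AS3 is classified "invalid", while a prefix nobody has issued a ROA for stays "not-found" rather than being rejected.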
Trust anchor and validation
[Figure: an RPKI (validation) cache server with a trust anchor locator (.tal file). (1) The TAL gives the URL of the trust anchor certificate. (2), (3) The Subject Information Access (SIA) URI in each certificate points to the repository holding the certificates and ROAs it issued, so the cache walks 192.0.0.0/8 → 192.168.0.0/16 → 192.168.64.0/22 → ROA (192.168.64.0/24) across Repositories A, B and C.]
• The trust anchor locator (TAL) is used to specify your trust anchor.
• An issuer’s certificate has a wider range of resources than the certificates it issues.
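The “issuer has a wider range of resources” rule from the slide above, as an added example that is not part of the JPNIC tutorial: a validator walking the chain from the trust anchor checks that every certificate’s IP prefixes and AS ranges are contained in its issuer’s (the resource-containment rule of RFC 6487). The certificates are constructed dictionaries standing in for parsed X.509 objects; the APNIC trust anchor holding all resources and the AS ranges are assumptions.

```python
# Added example: resource containment along an RPKI certificate chain.
import ipaddress


def ip_contained(child, parent):
    """True if every child prefix lies inside some parent prefix of the same family."""
    parents = [ipaddress.ip_network(p) for p in parent]
    for c in map(ipaddress.ip_network, child):
        if not any(c.subnet_of(p) for p in parents if p.version == c.version):
            return False
    return True


def as_contained(child, parent):
    """True if every child AS range (lo, hi) lies inside some parent range."""
    return all(any(plo <= clo and chi <= phi for plo, phi in parent)
               for clo, chi in child)


def check_chain(chain):
    """chain[0] is the trust anchor. Returns (True, None) or (False, offending subject)."""
    for parent, child in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False, child["subject"]        # broken issuer/subject link
        if not ip_contained(child["ip"], parent["ip"]):
            return False, child["subject"]        # claims addresses the issuer lacks
        if not as_contained(child["asn"], parent["asn"]):
            return False, child["subject"]        # claims AS numbers the issuer lacks
    return True, None


# Constructed chain following the tree-structure slide: APNIC (assumed trust anchor
# holding all resources, like the 0.0.0.0/0, ::/0, 0-4294967295 dump) -> JPNIC -> ISP -> User net.
CHAIN = [
    {"subject": "APNIC",    "issuer": "APNIC", "ip": ["0.0.0.0/0", "::/0"], "asn": [(0, 4294967295)]},
    {"subject": "JPNIC",    "issuer": "APNIC", "ip": ["192.0.0.0/8"],       "asn": [(64512, 65535)]},
    {"subject": "ISP",      "issuer": "JPNIC", "ip": ["192.168.0.0/16"],    "asn": [(65535, 65535)]},
    {"subject": "User net", "issuer": "ISP",   "ip": ["192.168.64.0/22"],   "asn": [(65535, 65535)]},
]
```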
World Wide
http://en.wikipedia.org/wiki/File:Regional_Internet_Registries_world_map.svg
Number of resource certificates
http://certification-stats.ripe.net/
RIPE region
Number of ROAs
http://certification-stats.ripe.net/
RIPE Region
What is going on in the world?
• The RIPE region has many more ROAs and resource certificates
– RIPE NCC launched an experimental Web site for RPKI, which brought good discussions at RIPE meetings
• The LACNIC region saw an increase in 2012
– LACNIC XVIII, Nov. 2012
– Email notification sent to all ISPs in the LACNIC region
– Over 90% of covering certificates are issued in Ecuador.
Visualizing tools
• RPKI Origin Validation Looking Glass
http://www.labs.lacnic.net/rpkitools/looking_glass/
Summary
• RPKI (Resource Public-Key Infrastructure)
– Resource certificates certify the allocation/assignment of IP addresses and AS numbers
– BGPSEC, a security mechanism for BGP routing, is being implemented
• World Wide
– Resource certificates and ROAs are issued by all five RIRs. The number of resource certificates is increasing continuously.
What’s up in Japan
• JANOG RPKI routing WG
– RPKI tutorials by Randy
– RPKI hackathon
• Technical seminar
• Inviting Oliver Borchert (NIST)
• MULTIFEED (June 2014)
• Public RPKI cache server
• With MULTIFEED (Oct 2014)
RPKI Hackathon
[Figure: hackathon setup. Attendees click in the JPNIC system to obtain a resource certificate and ROA; an RPKI cache validates them and passes the validated prefix to a BGP router (today’s special).]