plnog14: quo vadis rpki - andrzej wolski

PLNOG14, Warsaw, Poland

Quo Vadis RPKI?

Andrzej Wolski Training Services RIPE NCC

Andrzej Wolski – PLNOG 14 – Warsaw, Poland

Internet Registry System 2

IANA

AFRINIC Africa

APNIC Asia Pacific

ARIN North America

LACNIC Latin America

RIPE NCC Eurasia

Middle East


Who we are? 3

• RIPE NCC

• Located in Amsterdam

• Not for profit membership organisation

• One of five RIRs

• RIPE Community

• Open community

• Develops policies

• Organised in Working Groups


What we do? 4

• Distribute IP addresses and AS numbers

• Support RIPE community

• RIPE Database

• Resource Certification (RPKI)

• Reverse DNS and K-root server

• Training

• Research and Statistics

• Tools and measurements (RIPE Atlas, RIPEstat)

• Resource Certification (RPKI)


The State of the Global Routing 5

• Largely a trust-based system

• Maximum prefix lists

• Static prefix lists

• IRR sourced

• Often unfiltered

• Auditing is almost impossible


Types of Routing Incidents 6

• Misconfiguration

• No malicious intentions

• Software bugs

• Malicious

• Competition

• Claiming “unused” space

• Targeted Traffic Misdirection

• Collect and/or temper with data


BGP Hijacking events in 2014

• Turkey Censorship - Affected open DNS resolvers: Google / Open DNS / Level3

• Syrian Telecom - 1480 prefixes- 206 ASNs

• The Bitcoin Hijack - 51 prefixes- 19 ASNs

7


Fly-By Spammers 8


The Case for BGP Origin Validation 9

“Would you like a reliable way of telling whether a BGP Route Announcement is authorised by the

legitimate holder of the address space?”


That Should Be Easy, Right?!

• Current legitimate holder should be able to make a statement to protect it resources that:

- specifies which AS can originate your prefix, and- what the maximum length of that prefix is…

10

AS Number Prefix Maximum Length

Submit

Route Origin Authorization


RPKI: Ultra Quick Intro

• RIR becomes a Certificate Authority- Puts IPs and ASNs on a digital certificate; issues to LIRs- LIRs use certificate to make statements about their IPs- Statement is called a Route Origin Authorization (ROA)

• BGP Origin Validation- Out-of-band solution (whitelisting)- Operators validate and compare ROAs to real-world BGP

• Authorised announcements make them happy 😊

• Unauthorised announcements make them sad 😡

PLNOG 10: "BGP Origin Validation with RPKI" Alex Band

11


Slow start

• RIPE NCC worked on a prototype since 2006• Launched an open beta mid-2010

- Get operational experience and feedback before launch

• A limited production service on 1 January 2011- Only LIR’s address space (no PI, no Legacy)- Only hosted system available with a web interface- No production grade support for Delegated RPKI- First version of RIPE NCC Validator

• Other types of address space added with time

12


Keeping It Simple

• Conscious decision to keep it simple- Offer a stable and robust service- Gain operational experience- Gather user feedback - Automate all crypto complexity

• Mantra: Simplicity will spur on adoption- RPKI is a new technology- Small to no gains for early adopters- Avoid making users jump through burning hoops

13


Certification v1 14


Certification v2 15


Certification v3 16


Less Functionality, More Usability

• Automate signing and key roll overs- One click setup of resource certificate- User has a valid and published certificate for as long as

they are the holder of the resources- Changes in resource holdership are handled automatically

• Hide all the crypto complexity from the UI- Hashes, SIA and AIA pointers, etc.

• Just focus on creating and publishing ROAs- Match you intended BGP configuration

17


18

The current global reality…


People Requesting a Certificate 19

Source: http://certification-stats.ripe.net

http://certification-stats.ripe.net


People Actually Creating ROAs 20




Results 21




Results 22

Source: http://www.potaroo.net/ispcol/2015-01/bgp2014.html

http://www.potaroo.net/ispcol/2015-01/bgp2014.html


Results 23

Source: http://rpki.surfnet.pl/

http://rpki.surfnet.pl/


A Success Story

• Ecuador Internet Exchange (NAP.EC)- two Cisco ASR-1001 route servers in different locations- two redundant servers installed

• each one with two different validators- RIPE NCC and rpki.net

24

• Origin validation was implemented in the route servers

• No action was taken regarding RPKI validity status

http://rpki.net


What Operators Tell Us…

• Give me new data faster!• Running the delegated model is not interesting

- They prefer an API into the hosted system for now

• Used to have stale route objects, now stale ROAs• The various relying party tools are not that mature• There are different flavours of invalid announcement

but I can’t filter on them in my router- “Unauthorized AS” and “Too specific prefix”

25


Our Future Plans

• Merge IRR ‘route’ object management in RPKI UI• Replace rsync as protocol for fetching data

- something faster and more scalable (HTTP)

• Support Inter-RIR transfers• Aligning efforts between RIRs• Production support for the delegated model

- Yes, really… 😉

• End Goal: Path Validation (BGPSEC)• Major change to BGP msgs (on-line crypto)

26


Why Should You Care?

• Your inbound and outbound traffic can be passively intercepted

• Your data can be:• stored

• dropped

• filtered

• modified

• It’s unlikely to be noticed, unless you’re looking for it

27


What Should You DO?

• Go to LIR Portal > Resource Certification• create your CA

• create a Route Origin Authorisations (ROAs) for your announcements

28

• Feedback button and live chat in the mgmt UI• Monthly webinars dedicated to RPKI• Integral part of RIPE NCC Routing Security course


You decide 29

• As an announcer/LIR • You choose if you want certification• You choose if you want to create ROAs• You choose AS, max length

• As a Relying Party • You can choose if you use the validator• You can override the lists of valid ROAs in the cache,

adding or removing valid ROAs locally• You can choose to make any routing decisions based on

the results of the BGP Verification (valid/invalid/unknown)


RPKI Support in Routers 30

• RPKI and RPKI-RTR Protocol are an IETF standard

• All router vendors can implement it

• Cisco support:• XR 4.2.1 (CRS-x, ASR9000, c12K) / XR 5.1.1 (NCS6000, XRv)• XE 3.5 (C7200, c7600, ASR1K, CSR1Kv, ASR90x, ME3600…)• IOS15.2(1)S

• Juniper has support since version 12.2

• Quagga has support through BGP-SRX

• BIRD has support for ROA but does not do RPKI-RTR


Community Activity

• Open source RPKI Tools- rpki.net

• SURFnet RPKI Dashboard- rpki.surfnet.nl

• BGPMon Route Monitoring- bgpmon.net/services/route-monitoring/

• RIPE NCC Github- github.com/RIPE-NCC

31

Questions?


32

ripe.net/certification #RPKI

http://ripe.net/certification