Upload File

rpki certification tutorial

19
Resource Certification (RPKI) Making BGP more secure SEE2 - Macedonia

Upload: ripe-ncc

Post on 25-May-2015

393 views

Category:

Technology


0 download

Report

Tags:

DESCRIPTION

Presentation given by Alex Band at SEE 2, Skopje, Macedonia on 22 April 2013.

TRANSCRIPT

Page 1: RPKI Certification Tutorial

Resource Certification (RPKI)Making BGP more secure

SEE2 - Macedonia

Page 2: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

The RIPE NCC involvement in RPKI• The authority on who is the registered holder of

an Internet Number Resource in our region– IPv4 and IPv6 Address Blocks– Autonomous System Numbers

• Information is kept in the Registry

• Accuracy and completeness are key

2

Page 3: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Digital Resource Certificates• Based on open IETF standards (sidr)

– RFC 5280: X.509 PKI Certificates– RFC 3779: Extensions for IP Addresses and ASNs– RFC 6481-6493: Resource Public Key Infrastructure

• Issued by the RIRs since 1 January 2011

• State that an Internet number resource hasbeen registered by the RIPE NCC

3

http://www.rfc-editor.org/rfc/rfc5280.txt
http://www.rfc-editor.org/rfc/rfc5280.txt
http://www.rfc-editor.org/rfc/rfc3779.txt
http://www.rfc-editor.org/rfc/rfc3779.txt
Page 4: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Digital Resource Certificates• Resource Certification is a free, opt-in service

– Your choice to request a certificate– Linked to registration– Renewed every 12 months

• Enhancement to our Registry– Offers validatable proof of holdership

4

Page 5: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Management: Your Choice• Open Source Software to run a member CA

– Use the RIPE NCC as parent CA (trust anchor)– Generate and publish Certificate yourself

• RIPE NCC Hosted Platform– All processes are secured and automated– One click set-up of Resource Certificate– WebUI to manage Certificates in LIR Portal

5

Page 6: RPKI Certification Tutorial

Using RPKI forBGP Origin Validation

Page 7: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Certification to Secure Internet Routing• Members can use their resource certificate to

make statements about their BGP Routing

• Also in the ROA: Maximum Prefix Length– The smallest prefix the ASN may announce

7

Route Origin Authorisation (ROA):“I authorise this Autonomous System

to originate these IP prefixes”

Page 8: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Route Origin Authorisations• A ROA affects the RPKI validity of a BGP route:

– VALID: ROA found, authorised announcement– INVALID: ROA found, unauthorised announcement– UNKNOWN: No ROA found (resource not yet signed)

8

Every operator is free to base any routing decision on these three validity states

Page 9: RPKI Certification Tutorial

DemoUsing the hosted system...

Page 10: RPKI Certification Tutorial

Making routing decisionsusing the RIPE NCC RPKI Validator

Page 11: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Validation in Practice• All certificates and ROAs are published in a

repository and available for download

• Software running on your own machine will periodically retrieve and verify the information– Cryptographic tools check all the signatures

• The result is a list of all valid combinations of ASN and prefix, the “validated cache”

11

Page 12: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

The RIPE NCC RPKI Validator toolset• http://ripe.net/certification/tools-and-resources

• Requires Sun Java 1.6 and rsync• No installation required

– Unzip the package– Run the program: ./bin/rpki-validator

• Web-interface available on localhost port 8080

12

http://ripe.net/certification/tools-and-resources
http://ripe.net/certification/tools-and-resources
Page 13: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

The RIPE NCC RPKI Validator toolset

13

Page 14: RPKI Certification Tutorial

DemoUsing the RPKI Validator...

Page 15: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

RPKI support in routers• The RPKI-RTR Protocol is an IETF Internet Draft• Production Cisco Support:

– ASR1000, 7600, ASR903 and ASR901 in releases 15.2(1)S or XE 3.5

• Cisco Early Field Trial (EFT):– ASR9000, CRS1, CRS3 and c12K (IOS-XR)

• Juniper has support since version 12.2• Quagga has support through BGP-SRX

15

Page 16: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Router Configuration – Cisco

!

route-map rpki-loc-pref permit 10

match rpki invalid

set local-preference 90

!

route-map rpki-loc-pref permit 20

match rpki not-found

set local-preference 100

!

route-map rpki-loc-pref permit 30

match rpki valid

set local-preference 110

16

Page 17: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

Public Testbeds• RIPE NCC has a Cisco:

– Telnet to rpki-rtr.ripe.net– Username: ripe, no password

• Kaia Global Networks have a Juniper:– Telnet to 193.34.50.25– Username: rpki, password: testbed

• http://ripe.net/certification/router-configuration

17

http://ripe.net/certification/router-configuration
http://ripe.net/certification/router-configuration
Page 18: RPKI Certification Tutorial

Resource Certification (RPKI) – SEE2 Macedonia

http://ripe.net/certification #RPKI

Information and Announcements

18

http://ripe.net/certification
http://ripe.net/certification
Page 19: RPKI Certification Tutorial

Questions?

[email protected]@alexander_band

[email protected]

mailto:[email protected]
mailto:[email protected]
mailto:[email protected]
mailto:[email protected]

BGP Resource Public Key Infrastructure (RPKI) … Resource Public Key Infrastructure (RPKI) Origin Validation . ... Overview of RPKI ... Figure 5 shows the high-level network diagram

RPKI Tutorial(PDF)

CertProto RPKI Project

RPKI Tutorial and hands-on - APNIC · 2018. 1. 23. · –BGPSEC –security mechanism for BGP routing is being implemented ... What’s up in Japan •JANOG RPKI routing WG –RPKI

Introduction to RPKI

RPKI Tutorial Andy Newton Chief Engineer, ARIN. Agenda Resource Public Key Infrastructure(RPKI) Route Origin Authorizations (ROAs) Certificate Authorities

Intro to RPKI - APNIC Training...RFCs on RPKI • RFC 6810 – The Resource Public Key Infrastructure (RPKI) to Router Protocol (January 2013) - Standard • RFC 6480 – An Infrastructure

SCTE Certification Tutorial Revised: June 4, 2009

RPKI Tutorial - MENOG · RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals •Explain where it started •Learn what resources certificates are •Learn how to request

Internet Resource Certification (RPKI)slides.lacnic.net/wp-content/themes/slides/docs/...RPKI cer;ficates and rou;ng informaon objects: – The cryptographic validity of the RPKI

Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Technical Report · Infrastructure (RPKI), where the key element is resource certification. RPKI itself will not solve all interdomain routing problems, but it does provide the building

Introduction to RPKI - MyNOG

RPKI Tutorial

Resource Certification (RPKI) · Resource Certification (RPKI), MENOG 10 The RIPE NCC involvement in RPKI • The authority on who is the registered holder of an Internet Number

Resource Certification (RPKI) · Resource Certification (RPKI), Alex Band Management: Your Choice • Open Source Software to run a member CA – Use the RIPE NCC as parent CA (trust

Online JavaScript | Online Programming Course | Tutorial & Certification

RPKI->RTR Protocol

RPKI Tutorial · Delegated RPKI Requirements 9 9 • Once you become a participant, you must: – Exchange your public key associated with your Delegated RPKI private key with ARIN

RPKI Deployment Panel

RPKI Engineering Update

SCTE Certification Tutorial Updated January 21, 2010

IP Address Certification (RPKI)

UpDown RPKI LACNIC

The RPKI & Origin Validation - NANOG Archive · Resource Public Key Infrastructure (RPKI) 2011.06.12 RPKI Origin 5 5 . Public-Key Concept

RPKI with rpki.net ToolS · 2 RPKI: Introduction Tutorial Target audience Knowledge of Internet Routing(specially BGP) Familiar with any IRR Database No need to know Cryptography

Zend Certification Preparation Tutorial

RPKI – Resource Public Key Infrastructure Validación de ...slides.lacnic.net/.../lunes/rpki-basico-gc.pdf · • RPKI (Resource Public Key Infrastructure) permite la validación

Resource Certification · RIPE 63 – Resource Certification (RPKI) Session, Alex Band Publication of cryptographic objects • Each RIR has a public repository – Holds certificates,

RPKI PRÁCTICO - LACNIC

RPKI Tutorial and Hands-On

Let’s adopt RPKI

LAB: RPKI - BKNIX

Java Certification - SCBCD - IBM Tutorial

Google Adwords Tutorial | google adwords certification