Upload File

rpki deployment at afrinic status update · arin ripe ncc apnic afrinic lacnic lir1 lir2 isp1 isp2...

  • Home
  • Documents
  • RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key
18
RPKI deployment at AfriNIC Status Update AfriNIC-14 Dar El Salaam, 09/06/2011 Alain P. AINA RPKI Project Manager/Spokesman Amreesh Phokeer Project member/Deputy Speaker

Upload: others

Post on 05-Oct-2020

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

RPKI deployment at AfriNIC Status Update

AfriNIC-14Dar El Salaam, 09/06/2011

Alain P. AINARPKI Project Manager/Spokesman

Amreesh Phokeer Project member/Deputy Speaker

Page 2: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Motivations for RPKI

Facilitate better routes filtering

Prepare for a secure routing

Solve the chicken-and-egg problem

Provide trusted data Better than the current Whois and IRR data

Post IPv4 exhaustion data accuracy Resource transfers

Page 3: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Resource Certificates

ARIN RIPE NCC APNIC AFRINIC LACNIC

LIR1 LIR2

ISP1 ISP2 ISP3 ISP4 ISP ISP ISP

Issuer: AFRINICSubject: LIR2Resources: 192.2.0.0/16Key Info: <LIR2-key-pub>Signed: <AFRINIC-key-priv>

Issuer: AFRINICSubject: LIR2Resources: 192.2.0.0/16Key Info: <LIR2-key-pub>Signed: <AFRINIC-key-priv>

Issued Certificates

Resource Allocation Hierarchy

IANA

Page 4: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Resource Certificates

ARIN RIPE NCC APNIC AFRINIC LACNIC

ISP1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP

Issuer: AFRINICSubject: LIR2Resources: 192.2.0.0/16Key Info: <LIR2-key-pub>Signed: <afrinic-key-priv>

Issuer: AFRINICSubject: LIR2Resources: 192.2.0.0/16Key Info: <LIR2-key-pub>Signed: <afrinic-key-priv>

Issued Certificates

Resource Allocation Hierarchy

Issuer: LIR2Subject: ISP4Resources: 192.2.200.0/24Key Info: <isp4-key-pub>Signed: <LIR2-key-priv>

Issuer: LIR2Subject: ISP4Resources: 192.2.200.0/24Key Info: <isp4-key-pub>Signed: <LIR2-key-priv>

IANA

Page 5: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Resource Certificates

ARIN RIPE NCC APNIC AFRINIC LACNIC

ISP1 ISP2

ISP ISP ISP ISP4 ISP ISP ISP

Issuer: AFRINICSubject: LIR2Resources: 192.2.0.0/16Key Info: <LIR2-key>Signed: <afrinic-key-priv>

Issuer: AFRINICSubject: LIR2Resources: 192.2.0.0/16Key Info: <LIR2-key>Signed: <afrinic-key-priv>

Issued Certificates

Resource Allocation Hierarchy

Issuer: LIR2Subject: ISP4Resources: 192.2.200.0/22Key Info: <isp4-key>Signed: <nir2-key-priv>

Issuer: LIR2Subject: ISP4Resources: 192.2.200.0/22Key Info: <isp4-key>Signed: <nir2-key-priv>

Issuer: ISP4Subject: ISP4-EEResources: 192.2.200.0/24Key Info: <isp4-ee-key>Signed: <isp4-key-priv>

Issuer: ISP4Subject: ISP4-EEResources: 192.2.200.0/24Key Info: <isp4-ee-key>Signed: <isp4-key-priv>

Page 6: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Services for the RPKI

Intended AfriNIC services for LIRs Certify LIR resources using the AfriNIC’s RPKIE Provide hosted RPKI services for LIRs:

- A full managed RPKIE for LIR- Run the LIR’s RPKIE et give real control to LIRs

Deploy the UP-Down protocol to talk to LIR willing to run their own RPKIE Provide the necessary public repositoryAccess to these services:

- Through the normal channels (MyAFRINIC) - With strong authenticationX509 Auth with BPKI certs

Page 7: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

RPKI Roadmap to Production – 4 Phases by the NRO• Phase 1: Pilot

– Operational since 15/6/2010• Phase 2: Initial Production

– 01/01/2011• Phase 3: Global Consistency

– 01/09/2011• Phase 4: Single Trust Anchor

– 01/01/2012

Page 8: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Phase 1: Pilot• Independent deployment• Not necessarily consistent

– May overclaim resources (e.g. 0/0)• Standard

– Resource Certificates• Transfers are handled manually

Page 9: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Phase 2: Initial Production• 5 independent Trust Anchors

• One per RIR• Split

• Extended Trust Anchor (ETA)• Resource Trust Anchor (RTA)

• RTA reflects allocated resources– Minimal overclaiming

• Standard– Resource Certificates– Repositories– ETA/RTA– CP & consistent CPS’s

• Inter-RIR transfers handled manually

Page 10: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Phase 3: Global Consistency• 5 independent ETAs• RTAs are congruent with the IANA registry

– No overclaiming, majority RIR for the ERX space– Visible consistency

• Standard– Resource Certificates – Repositories– ETA– Up-Down protocol– CP & consistent CPS’s

• Inter-RIR transfers can be automated

Page 11: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Phase 4: Single TA• One Single TA

– May be a natural 0/0• Standard

– Resource Certificates – Repositories– Up-Down protocol– CP & consistent CPS’s

• Changes to the global registry and transfers can be automated

Page 12: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

RIR Deployment Status• Each RIR has completed Phase 1 and 2• Implemented the TAL

– http://tools.ietf.org/wg/sidr/draft-ietf-sidr-ta/• Working on Phase 3

http://tools.ietf.org/wg/sidr/draft-ietf-sidr-ta/
Page 13: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

AFRINIC’s RPKI System• Based on APNIC code • Integrated into myAfriNIC• Current TA cover

– IPv4: (41-196-197)/8– IPv6:2001:4200::/23 ; 2C00:0000::/12– ASNs: all listed “assigned by AfriNIC” at

http://www.iana.org/assignments/as-numbers/as-numbers.xml

• Open for the community– http://www.afrinic.net/membership/certification.

htm

Page 14: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

14

14

Page 15: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

15

15

Page 16: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

16

16

Page 17: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

17

17

Also available through rsyncrsync://rpki.afrinic.net

Page 18: RPKI deployment at AfriNIC Status Update · ARIN RIPE NCC APNIC AFRINIC LACNIC LIR1 LIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP Issuer: AFRINIC Subject: LIR2 Resources: 192.2.0.0/16 Key

Questions ?


Resource Certification...AFRINIC APNIC ARIN RIPE NCC LACNIC LIR1 LIR2 ISP ISP ISP ISP4 ISP ISP ISP Issued Certificates Resource Allocation Hierarchy Route Origination Authority “ISP4

Afrinic Training

African Network Information centre August 30, 2006 © AfriNIC - 2006 AfriNIC Update APNIC-22

BGP Multihoming Techniques - NANOG Archive...BGP •Obtained from upstream ISP or Regional Registry (RIR) AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC •Necessary when you have links to

Afrinic CCWG Update

AFRINIC Update Adiel A. Akplogan CEO, AFRINIC RIPE-68, Warsaw (Poland) May 2014

AFRINIC Update - RIPE 65 · AFRINIC Update Adiel A. Akplogan. CEO, AFRINIC RIPE65 - Amsterdam September 2012 . e Page 2 . AFRINIC at Glance ... Proposal Status Definition of “Core

Using Resource Certificates...Attachment: Signed, ISP4 RIPE NCC Trust Anchor Validation Outcomes 1. ISP4 authorized this Authority document

AFRINIC Internet Routing Registry Public Guide · AFRINIC announced and showcased its intended Internet Routing Registry during its AFRINIC-18 meeting in 2013 in Lusaka, Zambia and

AFRINIC Final Report March 2019 · Cyber security training, CERT/CSIRT trainings to be included as part of outreaches. Overall AFRINIC Outreaches Professionali sm of AFRINIC staff

AFRINIC Update · AFRINIC Update Alan Barrett CEO Thursday 1 June 2017 Nairobi . AFRINIC at a Glance • RegionalInternetRegistry(RIR)forAfrica. ... AFRINIC Government Working Group

AFRINIC Update - RIPE Network Coordination Centre · AFRINIC Update Arthur Carindal N. Head of Member Services, AFRINIC RIPE 67, Athens October 2013

Mwirima Byaruhanga-AfriNIC Update.R0ao

AfriNIC Updatearchive.apnic.net/meetings/23/archive/presentations/amm-pres-akplo… · AfriNIC Update Hisham Rojoa Membership and Comms, AfriNIC APNIC-23 Bali, 2 Mar 2007. 2 March

Afrinic Update-After AfriNIC7 aa - American Registry for ......AfriNIC-7 Meeting Update – Top countries: ZA, NG, GH, KE, MU, SN, – 22% ISP, 14% Telcos, 11% Govts • We tried a

APNIC Update - AFRINIC 25

AfriNIC Update - ripe60.ripe.net · AfriNIC Update Adiel A. Akplogan CEO, AfriNIC RIPE 60, Prague 3-7 May 2010 . AfriNIC AT GLANCE (FEB-2010) • 17 Employees (15 FTE equivalent)

AFRINIC 24 - APNIC Update

African Network Information centre March 2 nd, 2007 © AfriNIC - 2006 AfriNIC Update Adiel A. Akplogan CEO, AfriNIC LACNIC-X Isla Margarita, May 2007

AFRINIC HUMAN RESOURCES PRESENTATION

AfriNIC Background and Evolution

AfriNIC corporate updatemeeting.afrinic.net/afrinic-10/corporate_update.pdf · update Adiel A. Akplogan, CEO, AfriNIC AfriNIC-10 Cairo 20-21 May 2009. Content

Renewal theory and its applications - win.tue.nlresing/isp/ISP4.pdfRenewal theory and its applications Definition of a Renewal process Poisson process Definition The counting process

AfriNIC Activity Update

AfriNIC 6/24/2004

AFRINIC Stakeholder Satisfaction Survey 2012

Route Hijacking and the role of RPKI in Securing …...RPKI Trust Anchor 10 IANA AFRINIC RIPE NCC ARIN APNIC LACNIC NIR NIR ISP ISP ISP ISP ISP Resource Trust Anchor Certificate Allocation

AFRINIC Update

AFRINIC Update - RIPE Network Coordination Centre · Projects/Initiatives Page 8 • New WHOIS, based on RIPE java code. • AFRINIC IRR, Open to AFRINIC members Assistance to members

AFRINIC Update AFRINIC APRICOT, Fukuoka, Japan 4 March 2015

Spearheading Internet technology and policy development in the African Region AfriNIC corporate update Adiel A. Akplogan, CEO, AfriNIC AfriNIC-10 Cairo

AfriNIC corporate update

Deploying*IPv6*for*an*African*ISP* · How*did*this*all*started?* • AfriNIC*15*meeEng*held*in*Yaoundé,*Cameroon*in* November2011 • Presentaons*of*IPv6*deployments*in*Egypt,*South*

AfriNIC Activity Update Adiel A. Akplogan CEO, AfriNIC APNIC-30, Gold Coast, Australia August, 2010

AfriNIC Update Adiel A. Akplogan CEO, AfriNIC Kula Lumpur, APNIC-29