RPKI Tutorial and hands-on

Copyright © 2015 Japan Network Information Center

Upload: apnic

Post on 16-Jul-2015



Contents

• RPKI basics

• RPKI hands-on


RPKI basics

• What is RPKI?

• Why? and how much?

• How does it work?


What is RPKI?


RPKI


RPKI (Resource PKI) = Resource Public-Key Infrastructure

• Resource?

• Public-Key?

• PKI?

• Why infrastructure?


Resource Certificate


How is it different from SSL/TLS certificates?

Resources?


Resource certificate

Resource certificate = digital certificate which certifies allocation/assignment of number resources

(Diagram: the registry or resource allocator issues a resource certificate to the resource holder.)

Contents in resource certificates


Resource certificate as printed by openssl x509 -text (the access method 1.3.6.1.5.5.7.48.10 under Subject Information Access is id-ad-rpkiManifest, the pointer to the CA's manifest):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=D5BBADA3
        Validity
            Not Before: Apr 15 10:24:39 2014 GMT
            Not After : Apr 14 10:24:39 2019 GMT
        Subject: CN=D5BBADA3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                18:CE:ED:52:F0:99:02:8A:58:3C:F1:7B:53:71:0E:1F:5D:37:4F:8D
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Subject Information Access:
                CA Repository - URI:rsync://rpki01.nic.ad.jp/repository/
                1.3.6.1.5.5.7.48.10 - URI:rsync://rpki01.nic.ad.jp/repository/jpnic-ta-03.mft
            sbgp-autonomousSysNum: critical
                Autonomous System Numbers:
                  0-4294967295
            sbgp-ipAddrBlock: critical
                IPv4:
                  0.0.0.0/0
                IPv6:
                  ::/0


Registries and resource certificate

• In internet registries (RIR or NIR ..)

(Diagram: WHOIS database → allocation/assignment data (IP address and AS number) → digital certificate carrying the allocation/assignment data = resource certificate.)

Registry tree and resource certificate

(Diagram: the registry tree. ICANN/IANA allocates to the RIRs (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC); RIRs allocate to NIRs and LIRs/ISPs; ISPs assign IP addresses to user networks. Every allocation and assignment is recorded in the WHOIS database, and a resource certificate is issued alongside each one.)

RIR: Regional Internet Registry

NIR: National Internet Registry

LIR: Local Internet Registry

Tree structure


(Diagram: ICANN/IANA → RIRs (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC) → NIRs → ISP → User net, with one resource certificate issued at each step.)

• Issuer: APNIC, Subject: JPNIC, IP address: 192.0.0.0/8

• Issuer: JPNIC, Subject: ISP, IP address: 192.168.0.0/16

• Issuer: ISP, Subject: User net, IP address: 192.168.64.0/22

• ROA – Route Origination Authorization (digital signature by User net): authorizes the route announcement of 192.168.64.0/24 from AS65535

Why? and how much?


YouTube mis-origin route

YouTube Hijacking: A RIPE NCC RIS case study, 17 Mar 2008, RIPE NCC, http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study

BitCoin mining pool

BGP Hijacking for Cryptocurrency Profit, 7 August 2014, Pat Litke and Joe Stewart, Dell SecureWorks Counter Threat Unit, http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/

Motivation for the infrastructure

• To detect misused IP addresses in routers

• Internet registries, which hold the database of IP address allocations, can certify allocations/assignments.

• Internet reachability is becoming critical for Web services.


Fee

• No additional fee is charged for resource certification by the RIRs (and JPNIC).

• To use origin validation, routers that support it and an "RPKI cache server" are needed.

• Free to ‘watch’ what is happening in the world…


How does it work?


Unintended use of IP address

• Configuring an IP address that is allocated to another network

(Diagram: three ASes, AS1, AS2 and AS3. The prefixes 192.168.100.0/24 and 192.168.150.0/24 are announced by their holders, and 192.168.100.0/24 is announced a second time from another AS: an unintended use of that address block.)

Route Origin Authorization

• An authorization from the IP address holder to an AS to use (originate) the allocated IP address prefix.

• A ROA makes it possible to check whether a piece of BGP routing information is the intended one or misoriginated.

• A ROA carries an IP address prefix and an AS number, digitally signed with the address holder's key.

Origin Validation

(Diagram: the same three ASes, AS1, AS2 and AS3, now with a ROA – Route Origin Authorization for each of 192.168.100.0/24 and 192.168.150.0/24. Comparing each announcement against the ROAs tells the intended announcement of 192.168.100.0/24 from the misoriginated one.)
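The check the two AS1/AS2/AS3 diagrams describe, as an added worked example (not code from the slides or from JPNIC): the RFC 6811 procedure a router or RPKI cache applies when it compares a BGP announcement against the ROAs. The slides do not say which AS holds which prefix, so the example assumes AS1 holds 192.168.100.0/24 and AS2 holds 192.168.150.0/24; it also uses the ROA from the tree-structure slide (192.168.64.0/24 from AS65535) and the ROA maxLength field (RFC 6482), which the slides do not mention. The announcements are constructed.

```python
"""Route origin validation against ROAs (RFC 6811 procedure; added example, not slide code)."""
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix the origin AS may announce under this ROA
    asn: int            # authorized origin AS (AS 0 means nobody may originate the prefix)


def make_roa(prefix, asn, max_length=None):
    """Build a ROA; without an explicit maxLength only the exact prefix is authorized."""
    net = ipaddress.ip_network(prefix, strict=True)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def covering_roas(roas, route):
    """ROAs whose prefix equals or contains the announced route (same address family)."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate_origin(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return "not-found"          # no ROA says anything about this address space
    for roa in covering:
        if roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return "valid"          # one matching ROA is enough
    return "invalid"                # covered, but no ROA authorizes this AS at this length


# Constructed ROA set: AS1 -> 192.168.100.0/24 and AS2 -> 192.168.150.0/24 (assumed mapping),
# plus the User net ROA from the tree-structure slide (192.168.64.0/24 from AS65535).
ROAS = [
    make_roa("192.168.100.0/24", 1),
    make_roa("192.168.150.0/24", 2),
    make_roa("192.168.64.0/24", 65535),
]

# Constructed BGP announcements, each (prefix, origin AS).
ROUTES = [
    ("192.168.100.0/24", 1),
    ("192.168.150.0/24", 2),
    ("192.168.100.0/24", 3),        # AS3 using AS1's block: the mis-origin case on the slide
    ("192.168.64.0/24", 65535),
    ("192.168.64.0/25", 65535),     # right AS, but more specific than the ROA's maxLength allows
    ("10.0.0.0/8", 3),              # no ROA covers it at all
]


def validate_all(roas=ROAS, routes=ROUTES):
    """Validation state for every announcement, keyed by (prefix, origin AS)."""
    return {(p, a): validate_origin(roas, p, a) for p, a in routes}


if __name__ == "__main__":
    for (prefix, asn), state in validate_all().items():
        print(f"{prefix:20} AS{asn:<6} {state}")
```

Note that "not-found" is the normal state for any prefix whose holder has not yet issued a ROA, which is why origin validation deployments usually only drop "invalid" routes and accept "not-found" ones; dropping "not-found" would cut off most of the Internet.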

Trust anchor and validation

(Diagram: the RPKI (validation) cache server starts from the trust anchor locator (.tal file), which gives the URL of the trust anchor, and then follows the Subject Information Access (SIA) URI in each certificate to the next repository: steps (1), (2), (3) through Repository A, Repository B and Repository C, which hold the certificates for 192.0.0.0/8, 192.168.0.0/16 and 192.168.64.0/22 and the ROA for 192.168.64.0/24.)

• The trust anchor locator (TAL) is used to specify your trust anchor.

• The issuer's certificate has a wider range of resources than the certificate it issues.
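An added example (not code from the slides or from JPNIC) of the containment rule behind "the issuer's certificate has a wider range of resources": RFC 6487 requires every IP block and AS number in a certificate to lie inside its issuer's resources, and a validating cache rejects a certificate that over-claims. The block parses the sbgp-* sections in the openssl text layout of the "Contents in resource certificates" slide and walks the APNIC → JPNIC → ISP → User net chain from the "Tree structure" slide. The trust anchor's resources are taken from the slide's certificate dump; the AS number ranges on the lower certificates, the "Rogue net" certificate and the helper names are constructed for the demo.

```python
"""Resource containment check along an RPKI certificate chain (added example, not slide code)."""
import ipaddress
import re


def _merge_ranges(ranges):
    """Coalesce overlapping or adjacent (lo, hi) AS ranges so 1-5 + 6-10 covers 1-10."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


class Resources:
    """IP address blocks and AS number ranges of one resource certificate
    (the sbgp-ipAddrBlock and sbgp-autonomousSysNum extensions)."""

    def __init__(self, ip_blocks=(), asn_ranges=()):
        nets = [ipaddress.ip_network(b, strict=True) for b in ip_blocks]
        # collapse_addresses merges adjacent blocks, so 10.0.0.0/9 + 10.128.0.0/9 covers 10.0.0.0/8.
        self.ipv4 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
        self.ipv6 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 6]))
        self.asn_ranges = _merge_ranges([(int(lo), int(hi)) for lo, hi in asn_ranges])


def parse_resources(text):
    """Read the sbgp-* sections in the `openssl x509 -text` layout shown on the slide."""
    blocks, asns, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Autonomous System Numbers"):
            section = "asn"
        elif line in ("IPv4:", "IPv6:"):
            section = "ip"
        elif section == "asn" and re.fullmatch(r"\d+(-\d+)?", line):
            lo, _, hi = line.partition("-")          # "65535" or "64512-65535"
            asns.append((lo, hi or lo))
        elif section == "ip" and "-" in line:
            # openssl prints blocks that are not CIDR-aligned as "first-last" address ranges.
            lo, hi = (ipaddress.ip_address(x.strip()) for x in line.split("-", 1))
            blocks.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
        elif section == "ip" and "/" in line:
            blocks.append(line)
        else:
            section = None                            # any other line ends the current section
    return Resources(blocks, asns)


def _net_covered(child, parents):
    return any(child.subnet_of(p) for p in parents)


def _asn_covered(child, parents):
    lo, hi = child
    return any(plo <= lo and hi <= phi for plo, phi in parents)


def is_within(issuer, subject):
    """True when every resource of `subject` lies inside the issuer's resources."""
    return (all(_net_covered(n, issuer.ipv4) for n in subject.ipv4)
            and all(_net_covered(n, issuer.ipv6) for n in subject.ipv6)
            and all(_asn_covered(r, issuer.asn_ranges) for r in subject.asn_ranges))


def first_overclaim(chain):
    """Walk a [(name, Resources), ...] chain from the trust anchor down and return the name
    of the first certificate that claims more than its issuer holds, or None if all fit."""
    for (_, issuer), (name, subject) in zip(chain, chain[1:]):
        if not is_within(issuer, subject):
            return name
    return None


# Trust anchor resources, copied from the certificate dump on the slide.
TA_TEXT = """
    sbgp-autonomousSysNum: critical
        Autonomous System Numbers:
          0-4294967295
    sbgp-ipAddrBlock: critical
        IPv4:
          0.0.0.0/0
        IPv6:
          ::/0
"""

# Chain from the "Tree structure" slide; the AS ranges are constructed (private ASN space).
CHAIN = [
    ("Trust anchor", parse_resources(TA_TEXT)),
    ("JPNIC", Resources(["192.0.0.0/8"], [(64512, 65535)])),
    ("ISP", Resources(["192.168.0.0/16"], [(65535, 65535)])),
    ("User net", Resources(["192.168.64.0/22"], [(65535, 65535)])),
]

# Same chain, but the last certificate also claims a /16 its issuer never held.
ROGUE_CHAIN = CHAIN[:3] + [("Rogue net", Resources(["192.168.64.0/22", "10.1.0.0/16"]))]

if __name__ == "__main__":
    print("good chain over-claim:", first_overclaim(CHAIN))          # None
    print("rogue chain over-claim:", first_overclaim(ROGUE_CHAIN))   # Rogue net
```

The same `is_within` test is what ties a ROA back to the tree: the ROA for 192.168.64.0/24 is only accepted if its prefix lies inside the resources of the User net certificate that signed it, and that certificate is only accepted if it lies inside its issuer's, all the way up to the trust anchor named in the TAL.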

Some updates


World Wide


http://en.wikipedia.org/wiki/File:Regional_Internet_Registries_world_map.svg


Number of resource certificates

http://certification-stats.ripe.net/

RIPE region


Number of ROAs

http://certification-stats.ripe.net/

RIPE Region


What is going on in the world?

• The RIPE region has a much larger number of ROAs and resource certificates

– RIPE NCC launched an experimental Web site for RPKI, which brought good discussions at RIPE meetings

• The LACNIC region saw an increase in 2012

– LACNIC XVIII, Nov. 2012

– Email notification sent to all ISPs in the LACNIC region

– Over 90% of covering certificates are issued in Ecuador.

Visualizing tools

• RPKI Origin Validation Looking Glass, http://www.labs.lacnic.net/rpkitools/looking_glass/

Summary

• RPKI (Resource Public-Key Infrastructure)

– A resource certificate certifies the allocation/assignment of IP addresses and AS numbers

– BGPsec, a security mechanism for BGP routing, is being implemented

• World Wide

– Resource certificates and ROAs are issued by all 5 RIRs. The number of resource certificates is increasing continuously.

What’s up in Japan

• JANOG RPKI routing WG

– RPKI tutorials by Randy

– RPKI hackathon

• Technical seminar

– Inviting Oliver Borchert (NIST)

– With MULTIFEED (June 2014)

• Public RPKI cache server

– With MULTIFEED (Oct 2014)

RPKI Hackathon

(Diagram: attendees click in JPNIC's system to issue a resource certificate and ROA; the RPKI cache fetches and validates them and hands the validated prefix to the BGP router, "today's special".)

RPKI Hands-on


Hands-on agenda

1. Resource certificates and ROA management

• APNIC

• JPNIC

2. RPKI BGP Hands-on (basics)

3. (Use of MyAPNIC)
