The RPKI & Origin Validation
NANOG / Denver 2011.06.12
Randy Bush <[email protected]> Rob Austein <[email protected]>
Steve Bellovin <[email protected]> Michael Elkins <[email protected]>
And a cast of thousands! Well, dozens :) 2011.06.12 RPKI Origin 1
Routing is Very Fragile
• How long can we survive on “The Web as Random Acts of Kindness” (TED Talk by Jonathan Zittrain)?
• 99% of mis-announcements are accidental originations of someone else’s prefix -- Google, UU, IIJ, ...
Why Origin Validation?
• Prevent YouTube accident
• Prevent 7007 accident, UU/Sprint 2 days!
• Prevents most accidental announcements
• Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack
• That requires “Path Validation” and locking the data plane to the control plane, the next steps, last talk today
The Goal
• Keep the Internet working!!!
• Seriously reduce routing damage from mis-configuration, mis-origination

Non-Goals
• Prevent Malicious Attacks
• Keep RIRs in business by selling X.509 Certificates
Resource Public Key Infrastructure (RPKI)
Public-Key Concept
• Private key: This key must be known only by its owner.
• Public key: This key is known to everyone (it is public).
• Relation between both keys: What one key encrypts, the other one decrypts, and vice versa. That means that if you encrypt something with my public key (which you would know, because it's public :-), I would need my private key to decrypt the message.
Key Generation (figure; “Stolen from” http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html)
En/DeCryption (figure)

Digital Signature (figure)

Certificate (figure)
X.509 RPKI Being Developed & Deployed by IANA, RIRs, and Operators
X.509 Certificate w/ 3779 Ext (figure): an X.509 Cert, signed by a CA, carrying the Owner’s Public Key, the RFC 3779 Extension that describes IP Resources (Addr & ASN), and the SIA – URI for where this publishes.
Certificate Hierarchy follows Allocation Hierarchy (figure): a tree of CA certs, each with its Public Key and an SIA, for Cert/ARIN, Cert/RGnet, Cert/ISC, Cert/PSGnet, Cert/Rob and Cert/Randy; prefixes shown: 98.128.0.0/16, 98.128.0.0/20, 98.128.16.0/20, 98.128.32.0/19, 98.128.16.0/24, 98.128.17.0/24.
That’s Who Owns It but Who May Route It?
Route Origin Authorization (ROA) (figure): the Owning Cert (CA, 98.128.0.0/16, Public Key) issues an End Entity Cert (Public Key; prefixes shown 98.128.0.0/16 and 147.28.0.0/16), which signs the ROA (98.128.0.0/16, AS 42). The End Entity Cert can not sign certs; it can sign other things, e.g. ROAs. The ROA is not a Cert; it is a signed blob.
Too Many EE Certs and ROAs, Yucchhy! (figure): IANA (0/0, CA) → ARIN (98.0.0.0/8, AS 0-4000, CA) → PSGnet (98.128.0.0/16, AS 3130, CA), each with its Public Key. PSGnet /16 Experimental Allocation from ARIN; PSGnet announces 256 /24s, so it needs an EE Cert and a ROA for each one: 98.128.0.0/24 AS 3130, 98.128.1.0/24 AS 3130, 98.128.2.0/24 AS 3130, 98.128.3.0/24 AS 3130, 98.128.4.0/24 AS 3130, ...
ROA Aggregation Using Max Length (figure): the same IANA (0/0) → ARIN (98.0.0.0/8) → PSGnet (98.128.0.0/16) CA chain, but now a single EE Cert for 98.128.0.0/16 signs one ROA, 98.128.0.0/16-24 AS 3130, in place of one ROA per /24.
Allocation in Reality (figure): an allocation split into My Infrastructure, Unused, Static (non BGP) Cust, BGP Cust.
ROA Use (figure): over the same split (My Infrastructure, Unused, Static (non BGP) Cust, BGP Cust): My Aggregate ROA; Customer ROAs; I Generate for ‘Lazy’ Customer.
Running Code and the Three RPKI Protocols
Parent and Child (figure): ARIN Back End <-> ARIN RPKI Engine (Internal Protocol); ISP IR Back End <-> ISP RPKI Engine (Internal Protocol). Between the engines, the Up / Down Protocol carries ARIN’s Resources / ISPs’ Resources down to the ISP, and the ISP’s Resources / Children’s Resources down to its children. The Registry Back Ends also speak Up / Down to IANA, and the ISP speaks Up / Down to Smart Customer.
Prototype of Basic Back End (figure): the LIR Back End holds Business Key/Cert Management (Private IR Biz Trust Anchor, Internal CA Data, Keys for Talking to IR BackEnd, Certs Issued to DownStreams, Up/Down EE Public Keys, Biz EE Signing Key), My Resources, My RightsToRoute, Delegations to Custs, and Repo Mgt. It talks over the Internal Protocol to the IR RPKI Engine, which keeps the Resource PKI data (IP Resource Certs, ASN Resource Certs, Route Origin Attestations, Internal CA Data, Issued ROAs, Public RPKI Keys, ID=Me, My Misc Config Options) behind an XML Object Transport & Handler, with the Private RPKI Keys in a [Hardware] Signing Module. The engine speaks the Up / Down Protocol to parent and children and the Publication Protocol to the repository.
Big, Centralized, & Scary: We Don’t Do This (figure): one RPKI DataBase holding IP Resource Certs, ASN Resource Certs, Route Origin Attestations.
Distributed RPKI DataBase (figure): A Player (CA) Publishes All Certificates Which They Generate in Their Own Unique Publication Point; IANA, ARIN, APNIC, UUNET, PSGnet, UUcust and IIJ each have their own, found via the SIA. Running Code: Repository.
RCynic Cache Gatherer (figure): starting from a Trust Anchor, the RCynic Gatherer (cynical rsync) follows the SIAs through IANA, ARIN, APNIC, UUNET, PSGnet, UUcust and IIJ and builds a Validated Cache.
Reliability Issue (figure): gathering across all of those publication points (IANA, ARIN, APNIC, UUNET, PSGnet, UUcust, IIJ) is Expensive To Fetch & Unreliable.
Reliability Via Hosted Publication (figure): a Repository with Multiple Publication Points serves several players at once (IANA, ARIN, APNIC, UUNET, PSGnet, UUcust, IIJ shown). Reducing the Number of Publication Points Makes RCynic More Efficient.
A Usage Scenario (figure): the RPKI Engine (Publication Point, Issued ROAs, My Misc Config Options, Public RPKI Keys, ID=Me, Internal CA Data, Keys for Talking to IR BackEnd, Certs Issued to DownStreams, Up/Down EE Public Keys) sits behind a Front End GUI & Management layer (“Contract Out To Google”) and the IR’s Database(s) (Resources [OrgID], My RightsToRoute, Delegations to Custs), joined by the Internal Protocol; the Publication Protocol feeds the Publication Point. The User Web GUI serves 98% of an RIR’s Users but only 10% of an RIR’s IP Space; the Up / Down Protocol serves 2% of an RIR’s Users holding 90% of an RIR’s IP Space.
Origin Validation
• Cisco IOS and IOS-XR test code have Origin Validation now
• Juniper has early test code now
• Work continues daily in test routers
• Compute load much less than ACLs from IRR data, 10µsec per update!
RPKI -> Router: The Third Protocol (origin validation only) (figure): Global RPKI → RCynic Gatherer (Object Security) → Cache / Server, Near/In PoP → RPKI to Rtr Protocol → BGP Decision Process.
Typical Exchange

```
   Cache                         Router
     ~                             ~
     | <----- Reset Query -------- | R requests data
     |                             |
     | ----- Cache Response -----> | C confirms request
     | ------- IPvX Prefix ------> | C sends zero or more
     | ------- IPvX Prefix ------> |   IPv4 and IPv6 Prefix
     | ------- IPvX Prefix ------> |   Payload PDUs
     | ------  End of Data  -----> | C sends End of Data
     |                             |   and sends new serial
     ~                             ~
     | --------  Notify  --------> | (optional)
     |                             |
     | <----- Serial Query ------- | R requests data
     |                             |
     | ----- Cache Response -----> | C confirms request
     | ------- IPvX Prefix ------> | C sends zero or more
     | ------- IPvX Prefix ------> |   IPv4 and IPv6 Prefix
     | ------- IPvX Prefix ------> |   Payload PDUs
     | ------  End of Data  -----> | C sends End of Data
     |                             |   and sends new serial
     ~                             ~
```
Reset Query

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |    reserved = zero  |
   |    0     |    2     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=8                  |
   |                                           |
   `-------------------------------------------'
```
Cache Response

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |     Cache Nonce     |
   |    0     |    3     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=8                  |
   |                                           |
   `-------------------------------------------'
```
IPv4 Prefix

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |    reserved = zero  |
   |    0     |    4     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=20                 |
   |                                           |
   +-------------------------------------------+
   |          |  Prefix  |   Max    |          |
   |  Flags   |  Length  |  Length  |   zero   |
   |          |   0..32  |   0..32  |          |
   +-------------------------------------------+
   |                                           |
   |                IPv4 prefix                |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |         Autonomous System Number          |
   |                                           |
   `-------------------------------------------'
```
IPv6 Prefix

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |    reserved = zero  |
   |    0     |    6     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=40                 |
   |                                           |
   +-------------------------------------------+
   |          |  Prefix  |   Max    |          |
   |  Flags   |  Length  |  Length  |   zero   |
   |          |  0..128  |  0..128  |          |
   +-------------------------------------------+
   |                                           |
   +---                                     ---+
   |                                           |
   +---            IPv6 prefix              ---+
   |                                           |
   +---                                     ---+
   |                                           |
   +-------------------------------------------+
   |                                           |
   |         Autonomous System Number          |
   |                                           |
   `-------------------------------------------'
```
End of Data

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |     Cache Nonce     |
   |    0     |    7     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=12                 |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |               Serial Number               |
   |                                           |
   `-------------------------------------------'
```
Notify (Think DNS)

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |     Cache Nonce     |
   |    0     |    0     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=12                 |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |               Serial Number               |
   |                                           |
   `-------------------------------------------'
```
Serial Query

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |     Cache Nonce     |
   |    0     |    1     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=12                 |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |               Serial Number               |
   |                                           |
   `-------------------------------------------'
```
Error Response

```
   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |    Error Number     |
   |    0     |    10    |                     |
   +-------------------------------------------+
   |                                           |
   |                  Length                   |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |        Length of Encapsulated PDU         |
   |                                           |
   +-------------------------------------------+
   |                                           |
   ~           Copy of Erroneous PDU           ~
   |                                           |
   +-------------------------------------------+
   |                                           |
   |           Length of Error Text            |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |              Arbitrary Text               |
   |                    of                     |
   ~         Error Diagnostic Message          ~
   |                                           |
   `-------------------------------------------'
```
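The PDU layouts and the Typical Exchange above, as an added Python encoder/decoder with a simulated cache and router (this is example code, not the slides' or rpki.net's; the error code 3 "Invalid Request" is RFC 6810's, the IPv6 Prefix PDU is encoded with the field widths drawn, which total 32 bytes, and the ROA list in any caller is constructed sample data):

```python
"""RPKI-to-Router PDUs (protocol version 0, type codes as on the slides) and a
simulated Reset Query exchange. Added example, not the slides' or rpki.net code."""
import ipaddress
import struct

SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, ERROR_REPORT = 4, 6, 7, 10
VERSION = 0
ERR_INVALID_REQUEST = 3  # RFC 6810 error code "Invalid Request"

def _pdu(pdu_type, field16, payload=b""):
    # Common 8-byte header: version(1) type(1) 16-bit field(2) length(4). The 16-bit
    # field is "reserved", "Cache Nonce" or "Error Number"; Length includes the header.
    return struct.pack("!BBHI", VERSION, pdu_type, field16, 8 + len(payload)) + payload

def reset_query():
    return _pdu(RESET_QUERY, 0)

def serial_query(nonce, serial):
    return _pdu(SERIAL_QUERY, nonce, struct.pack("!I", serial))

def cache_response(nonce):
    return _pdu(CACHE_RESPONSE, nonce)

def end_of_data(nonce, serial):
    return _pdu(END_OF_DATA, nonce, struct.pack("!I", serial))

def prefix_pdu(prefix, max_length, asn, announce=True):
    # Flags(1): 1 = announce, 0 = withdraw; Prefix Length(1); Max Length(1); zero(1);
    # then the 4- or 16-byte address and the 32-bit AS number (20 / 32 bytes total).
    net = ipaddress.ip_network(prefix)
    body = struct.pack("!BBBB", 1 if announce else 0, net.prefixlen, max_length, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    return _pdu(IPV4_PREFIX if net.version == 4 else IPV6_PREFIX, 0, body)

def error_report(code, bad_pdu, text):
    # Error Number in the header, then length-prefixed copy of the bad PDU and text.
    text = text.encode()
    body = struct.pack("!I", len(bad_pdu)) + bad_pdu + struct.pack("!I", len(text)) + text
    return _pdu(ERROR_REPORT, code, body)

def parse_pdus(data):
    """Split a byte stream into PDUs (list of dicts); refuse bad versions/lengths."""
    pdus = []
    while data:
        if len(data) < 8:
            raise ValueError("truncated PDU header")
        version, ptype, field16, length = struct.unpack("!BBHI", data[:8])
        if version != VERSION or length < 8 or length > len(data):
            raise ValueError("bad PDU: version %d, length %d" % (version, length))
        body, pdu = data[8:length], {"type": ptype}
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            flags, plen, maxlen, _ = struct.unpack("!BBBB", body[:4])
            n = 4 if ptype == IPV4_PREFIX else 16
            addr = ipaddress.ip_address(body[4:4 + n])
            pdu.update(announce=bool(flags & 1), prefix="%s/%d" % (addr, plen),
                       max_length=maxlen, asn=struct.unpack("!I", body[4 + n:8 + n])[0])
        elif ptype in (SERIAL_NOTIFY, SERIAL_QUERY, END_OF_DATA):
            pdu.update(nonce=field16, serial=struct.unpack("!I", body[:4])[0])
        elif ptype == CACHE_RESPONSE:
            pdu["nonce"] = field16
        elif ptype == ERROR_REPORT:
            n = struct.unpack("!I", body[:4])[0]
            m = struct.unpack("!I", body[4 + n:8 + n])[0]
            pdu.update(error=field16, bad_pdu=body[4:4 + n],
                       text=body[8 + n:8 + n + m].decode())
        pdus.append(pdu)
        data = data[length:]
    return pdus

def cache_serve(query, roas, nonce, serial):
    """Cache side of the Typical Exchange: answer a Reset Query with the full set."""
    q = parse_pdus(query)
    if len(q) != 1 or q[0]["type"] != RESET_QUERY:
        return error_report(ERR_INVALID_REQUEST, query, "expected a Reset Query")
    out = cache_response(nonce)
    for prefix, max_length, asn in roas:
        out += prefix_pdu(prefix, max_length, asn)
    return out + end_of_data(nonce, serial)

def router_load(stream):
    """Router side: return (nonce, serial, [(prefix, max_length, asn)]) or raise."""
    pdus = parse_pdus(stream)
    if not pdus or pdus[0]["type"] != CACHE_RESPONSE:
        raise ValueError("cache did not confirm the request")
    nonce, roas = pdus[0]["nonce"], []
    for p in pdus[1:]:
        if p["type"] in (IPV4_PREFIX, IPV6_PREFIX):
            if p["announce"]:
                roas.append((p["prefix"], p["max_length"], p["asn"]))
        elif p["type"] == END_OF_DATA:
            if p["nonce"] != nonce:  # End of Data must carry the Cache Response nonce
                raise ValueError("Cache Nonce mismatch on End of Data")
            return nonce, p["serial"], roas
        else:
            raise ValueError("unexpected PDU type %d" % p["type"])
    raise ValueError("stream ended without End of Data")
```

A truncated stream, a wrong nonce on End of Data, or a query that is not a Reset Query all surface as errors rather than as a silently short ROA set.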
Extremely Large ISP Deployment (figure): Global RPKI → regional caches (Asia Cache, NoAm Cache, Euro Cache) → in-PoP Caches → Cust Facing routers, with High Priority and Lower Priority feeds.
Configure

```
router bgp 3130
 …
 bgp rpki server tcp 198.180.150.1 port 42420 refresh 120
 bgp bestpath prefix-validate allow-invalid
```
Result of Check
• Valid – A matching/covering ROA was found with a matching AS number
• Invalid – A matching or covering ROA was found, but AS number did not match, and there was no valid one
• Not Found – No matching or covering ROA was found
Policy Override Knobs
• Disable Validity Check Completely
• Disable Validity Check for a Peer
• Disable Validity Check for Prefixes
When check is disabled, the result is “Not Found,” i.e. as if there was no ROA
Look at Table

```
r0.sea#show ip bgp rpki table
76 BGP sovc network entries using 6688 bytes of memory
422 BGP sovc record entries using 8440 bytes of memory

Network          Maxlen  Origin-AS  Source  Neighbor
67.21.36.0/24    24      3970       0       198.180.150.1/424
98.128.0.0/24    24      4128       0       198.180.150.1/424
98.128.0.0/16    16      3130       0       198.180.150.1/424
98.128.6.0/24    24      4128       0       198.180.150.1/424
98.128.9.0/24    24      3130       0       198.180.150.1/424
98.128.30.0/24   24      1234       0       198.180.150.1/424
129.6.128.0/17   17      49         0       198.180.150.1/424
147.28.0.0/16    16      3130       0       198.180.150.1/424
147.28.224.0/19  19      4128       0       198.180.150.1/424
```
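Origin validation over the ROA table above, as an added Python example (not the router vendors' code): it classifies an announcement as Valid, Invalid or Not Found exactly as the Result of Check slide defines them, and the local-preference helper applies the “Fairly Secure” route-map values. The ROA table is transcribed from the slide; the max-length aggregation and “only a covering ROA is left” cases exercised in the tests are constructed.

```python
"""Origin validation (Valid / Invalid / Not Found) over the slide's ROA table.
Added example; not code from the slides or from any router vendor."""
import ipaddress

# Transcribed from 'show ip bgp rpki table' above: (network, max length, origin AS)
ROA_TABLE = [
    ("67.21.36.0/24", 24, 3970),
    ("98.128.0.0/24", 24, 4128),
    ("98.128.0.0/16", 16, 3130),
    ("98.128.6.0/24", 24, 4128),
    ("98.128.9.0/24", 24, 3130),
    ("98.128.30.0/24", 24, 1234),
    ("129.6.128.0/17", 17, 49),
    ("147.28.0.0/16", 16, 3130),
    ("147.28.224.0/19", 19, 4128),
]


def validate_origin(announced, origin_as, roas=ROA_TABLE):
    """Return 'valid', 'invalid' or 'not found' for an announced prefix and origin AS.

    A ROA *covers* the announcement when the announced prefix lies inside the ROA
    prefix. It *matches* when, in addition, the announced length does not exceed
    the ROA's max length and the origin AS equals the ROA's AS. One match is
    enough for Valid; covering ROAs with no match give Invalid; none at all gives
    Not Found (which is also what a disabled check reports).
    """
    route = ipaddress.ip_network(announced)
    covered = False
    for network, max_length, asn in roas:
        roa = ipaddress.ip_network(network)
        if roa.version != route.version or not route.subnet_of(roa):
            continue  # this ROA says nothing about the route
        covered = True
        if route.prefixlen <= max_length and asn == origin_as:
            return "valid"
    return "invalid" if covered else "not found"


def fairly_secure_local_pref(state):
    """Local preference from the 'Fairly Secure' route-map; None means the route is dropped."""
    return {"valid": 100, "not found": 50}.get(state)
```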
Defaults
• Origin Validation is Enabled if you have configured a cache server peering
• Default Poll Interval is 30 Minutes
• No Effect on Policy unless you have configured it
Good Dog!

```
r0.sea#show bgp 192.158.248.0/24
BGP routing table entry for 192.158.248.0/24, version 3043542
Paths: (3 available, best #1, table default)
  6939 27318
    206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 319, localpref 100, valid, internal, best
      Community: 3130:391
      path 0F6D8B74 RPKI State valid
  2914 4459 27318
    199.238.113.9 from 199.238.113.9 (129.250.0.19)
      Origin IGP, metric 43, localpref 100, valid, external
      Community: 2914:410 2914:1005 2914:3000 3130:380
      path 09AF35CC RPKI State valid
```
Bad Dog!

```
r0.sea#show bgp 198.180.150.0
BGP routing table entry for 198.180.150.0/24, version 2546236
Paths: (3 available, best #2, table default)
  Advertised to update-groups:
     2          5          6          8
  Refresh Epoch 1
  1239 3927
    144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 759, localpref 100, valid, internal
      Community: 3130:370
      path 1312CA90 RPKI State invalid
```
Strange Dog!

```
r0.sea#show bgp 64.9.224.0
BGP routing table entry for 64.9.224.0/20, version 35201
Paths: (3 available, best #2, table default)
  Advertised to update-groups:
     2          5          6
  Refresh Epoch 1
  1239 3356 36492
    144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 4, localpref 100, valid, internal
      Community: 3130:370
      path 11861AA4 RPKI State not found
```
iBGP Hides Validity State (figure): in an iBGP Full Mesh the same prefix p arrives from several routers whose validity results are valid, invalid and unknown. Which do I choose? Why do I choose it?
The Solution is to Allow Operator to Test and then Set Local Policy
Fairly Secure

```
route-map validity-0
 match rpki valid
 set local-preference 100
route-map validity-1
 match rpki not-found
 set local-preference 50
! invalid is dropped
```
Paranoid

```
route-map validity-0
 match rpki valid
 set local-preference 110
! everything else dropped
```
After AS-Path

```
route-map validity-0
 match rpki not-found
 set metric 50
route-map validity-1
 match rpki invalid
 set metric 25
route-map validity-2
 set metric 100
```
The Open TestBed (figure): Running Code Repository. Participants shown: ARIN*, ISC, Google, RGnet, JPNIC, Mesh, IIJ, Cristel, APNIC*, BWC, Level(3), chocolate. Two Trust Anchors, until we get IANA to act as the parent. One participant runs own RPKI to keep private key private and control own fate, but publishes at IIJ; Level(3) runs own RPKI to keep private key private and control own fate, but publishes at ARIN.
* APNIC and ARIN are simulations constructed from public data
The Big Speedbump
But Who Do We Trust?
http://news.cnet.com/2100-1001-254586.html
Up-Chain Expiration (figure): IANA (0/0, CA) → ARIN (98.0.0.0/8, CA) → RGnet (98.128.0.0/16, CA) → PSGnet CA (98.128.0.0/17) → EE Cert (98.128.0.0/17) → ROA 98.128.0.0/17-24 AS 3130. Sloppy Admin, Cert Soon to Expire! These are not Identity Certs. So My ROA will become Invalid!
ROA Invalid but I Can Route
• The ROA will become Invalid
• My announcement will just become NotFound, not Invalid
• Unless my upstream has a ROA for the covering prefix, which is likely
So Who Do You Call?
Ghostbusters! (figure): the same chain (IANA 0/0 → ARIN 98.0.0.0/8 → RGnet 98.128.0.0/16 → PSGnet CA 98.128.0.0/17 → EE Cert 98.128.0.0/17 → ROA 98.128.0.0/17-24 AS 3130), now with a Ghostbusters Record (draft-ietf-sidr-ghostbusters) published in it:

```
BEGIN:vCard
VERSION:3.0
FN:Human's Name
N:Name;Human's;Ms.;Dr.;OCD;ADD
ORG:Organizational Entity
ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A.
TEL;TYPE=VOICE,MSG,WORK:+1-666-555-1212
TEL;TYPE=FAX,WORK:+1-666-555-1213
EMAIL;TYPE=INTERNET:[email protected]
END:vCard
```
But in the End, You Control Your Policy
“Announcements with Invalid origins MAY be used, but SHOULD be less preferred than those with Valid or NotFound.” -- draft-ietf-sidr-origin-ops
But if I do not reject Invalid, what is all this for?
Open Source (BSD License) Running Code: https://rpki.net/
Test Code in Routers: Talk to C & J
Work Supported By
• US Government: THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL). [0]
• ARIN
• Internet Initiative Japan & ISC
• Cisco, Juniper, Google, NTT, Equinix
[0] – they Take your Scissors Away and we turn them into plowshares