SlideShare uma empresa Scribd logo

Introduction to RPKI - MyNOG

S
Siena Perry

Presentation at MyNOG-4 on Introduction to RPKI by Shane Hermoso

Tecnologia
1 de 28
Baixar para ler offline
Issue Date: Revision: Resource Public Key Infrastructure (RPKI) MyNOG 4 Conference 2014 2014/08 2
Overview •  Routing “incidents” •  RPKI Technical Details •  RPKI and BGPsec •  Components and Implementation •  Deployment Status in the RIRs •  APNIC Resource Certification 2
Misdirection / Hijacking Incidents •  YouTube Incident –  Occurred 24 Feb 2008 (for about 2 hours) –  Pakistan Telecom announced YT block •  Google (AS15169) services downed –  Occurred 5 Nov 2012 (for 30 minutes) –  Moratel Indonesia (AS23947) 3 How frequent do these hijacking incidents happen?
How we address this… •  A network should only originate his own prefix –  How do we verify? –  How do we avoid false advertisement? •  A provider should filter prefixes they propagate from customers –  Check the legitimacy of address (LoA) –  Transitive trust; BGP is a trust-based system 4
WHOIS DB – Legitimacy of Address 5
What is RPKI? •  Resource Public Key Infrastructure (RPKI) •  A robust security framework for verifying the association between resource holder and their Internet resources •  Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols” •  Helps to secure Internet routing by validating routes –  Proof that prefix announcements are coming from the legitimate holder of the resource RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012) 6
Benefits of RPKI - Routing •  Prevents route hijacking –  A prefix originated by an AS without authorization –  Reason: malicious intent •  Prevents mis-origination –  A prefix that is mistakenly originated by an AS which does not own it –  Also route leakage –  Reason: configuration mistake / fat finger 7
BGP Security (BGPsec) •  Extension to BGP that provides improved security for BGP routing •  Currently an IETF Internet draft •  Implemented via a new optional non-transitive BGP path attribute that contains a digital signature •  Two things: –  BGP Prefix Origin Validation (using RPKI) –  BGP Path Validation •  Similar efforts in the early days – IDR working group, S- BGP 8
“Right” to Resources •  ISP gets their resources from the RIR •  ISP notifies its upstream of the prefixes to be announced •  Upstream must check the WHOIS database if resource has been delegated to customer ISP We need to be able to authoritatively prove who owns an IP Prefix and what AS(s) may announce it. 9
RPKI Infrastructure •  A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents •  Main Components: –  Certificate Authority (CA) –  Relying Party (RP) –  Routers with RPKI support 10
Issuing Party •  Internet Registries (RIR, NIR, Large LIRs) •  Acts as a Certificate Authority and issues certificates for customers •  Provides a web interface to issue ROAs for customer prefixes •  Publishes the ROA records APNIC RPKI Engine publication MyAPNIC GUI rpki.apnic.net Repository 11
Route Origin Authorization (ROA) •  A digital object that contains a list of address prefixes and one AS number •  It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements •  Publish an ROA using MyAPNIC 12
X.509 Certificate with 3779 Extension •  Resource certificates are based on the X.509 v3 certificate format (RFC 5280) •  Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate •  SIA – Subject Information Access; contains a URI that references the directory X.509 Certificate RFC 3779 Extension SIA Owner's Public Key 13
Relying Party (RP) IANA Repo APNIC Repo RIPE Repo LIR Repo LIR Repo RP Cache (gather) Validated Cache RPKI-Rtr Protocol rpki.ripe.net Software which gathers data from CAs Also called RP cache or validator 14
RPKI Components 15 Trust Anchor RP CACHE Trust Anchor RPKI-Rtr Protocol APNIC RPKI Engine Trust Anchor publicationMyAPNIC GUI rpki.apnic.net ca0.rpki.net rpki.ripe.net
Router Origin Validation •  Router must support RPKI •  Checks an RP cache / validator •  Validation returns 3 states: –  Valid = when authorization is found for prefix X –  Invalid = when authorization is found for prefix X but not from ASN Y –  Unknown = when no authorization data is found •  Vendor support: –  Cisco IOS – solid in 15.2 –  Cisco IOS/XR – shipped in 4.3.2 –  Juniper – shipped in 12.2 –  Alcatel Lucent – in development 16
RIR Statistics 17 Ref: http://rpki.surfnet.nl/perrir.html Based on RIS Database dumps from RIPE-NCC
RPKI Monitor 18 Ref: NIST RPKI Monitor
APNIC RPKI Service •  Enhancement to the RIRs –  Offers verifiable proof of resource holdings •  Resource certification is an opt-in service –  Resource holders choose to request a certificate and profice their public key to be certified •  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use 19
What you need to know •  You are encouraged to experiment, test, play and develop •  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile •  It’s ready for testing and prototyping, but is probably not ready for production use just yet •  Please tell us what you find but don’t rely on it in your network yet 20
What You Can Do Now? •  Create ROA records in MyAPNIC •  Build an RP cache •  Configure your router to use the cache (or a public one) •  Create BGP policies Best to do it in a test environment for now! J 21
Build an RP Cache •  Download and install from rpki.net –  Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/ UbuntuPackages 22 The RP cache has a web interface
Configure Router to Use Cache router bgp 651nn … bgp rpki server tcp 10.0.0.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 23 RPKI Lab – Randy Bush
BGP Table r0.sea#sh ip bgp Network Next Hop Metric LocPrf Weight Path * i I198.180.150.0 144.232.9.61 100 0 1239 3927 i *> I 199.238.113.9 0 2914 3927 i * I 129.250.11.41 0 2914 3927 i *> V198.180.152.0 199.238.113.9 0 2914 4128 i * V 129.250.11.41 0 2914 4128 i *> N198.180.155.0 199.238.113.9 0 2914 22773 i * N 129.250.11.41 0 2914 22773 i *> N198.180.160.0 199.238.113.9 0 2914 23308 13408 5752 i * N 129.250.11.41 0 2914 23308 13408 5752 i RPKI Lab – Randy Bush 24
More References •  Securing BGP –  The Internet Protocol Journal, Volume 14, No. 2 •  An Infrastructure to Support Secure Internet Routing –  RFC6480 •  A Reappraisal of Validation in the RPKI –  Labs.apnic.net/blabs •  An Introduction to Routing Security (and RPKI Tools) •  MyAPNIC Resource Certification Guide 25
Questions 26
You’re Invited! •  APNIC 38: Brisbane, Australia, 9-19 Sep 2014 •  APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015 27
THANK YOU www.facebook.com/APNIC www.twitter.com/apnic www.youtube.com/apnicmultimedia www.flickr.com/apnic www.weibo.com/APNICrir 28

Recomendados

IDNOG 2: AS interconnection in indonesia
IDNOG 2: AS interconnection in indonesiaIDNOG 2: AS interconnection in indonesia
IDNOG 2: AS interconnection in indonesiaAPNIC
 
APNIC Update: btNOG 3
APNIC Update: btNOG 3APNIC Update: btNOG 3
APNIC Update: btNOG 3APNIC
 
Route Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIAPNIC
 
APNIC's Resource Certification Service
APNIC's Resource Certification ServiceAPNIC's Resource Certification Service
APNIC's Resource Certification ServiceAPNIC
 
IANA: Who, What, Why?
IANA: Who, What, Why?IANA: Who, What, Why?
IANA: Who, What, Why?APNIC
 
Whois - Addressing the Asia Pacifc
Whois - Addressing the Asia PacifcWhois - Addressing the Asia Pacifc
Whois - Addressing the Asia PacifcAPNIC
 
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...Indonesia Network Operators Group
 
APNIC Member Services
APNIC Member ServicesAPNIC Member Services
APNIC Member ServicesAPNIC
 

Recomendados

IDNOG 2: AS interconnection in indonesia
IDNOG 2: AS interconnection in indonesiaIDNOG 2: AS interconnection in indonesia
IDNOG 2: AS interconnection in indonesiaAPNIC
 
APNIC Update: btNOG 3
APNIC Update: btNOG 3APNIC Update: btNOG 3
APNIC Update: btNOG 3APNIC
 
Route Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIAPNIC
 
APNIC's Resource Certification Service
APNIC's Resource Certification ServiceAPNIC's Resource Certification Service
APNIC's Resource Certification ServiceAPNIC
 
IANA: Who, What, Why?
IANA: Who, What, Why?IANA: Who, What, Why?
IANA: Who, What, Why?APNIC
 
Whois - Addressing the Asia Pacifc
Whois - Addressing the Asia PacifcWhois - Addressing the Asia Pacifc
Whois - Addressing the Asia PacifcAPNIC
 
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...Indonesia Network Operators Group
 
APNIC Member Services
APNIC Member ServicesAPNIC Member Services
APNIC Member ServicesAPNIC
 
Apnic IPv6 Deployment
Apnic IPv6 DeploymentApnic IPv6 Deployment
Apnic IPv6 DeploymentAPNIC
 
Internet Resource Transfer Policy: what can you learn from them?
Internet Resource Transfer Policy: what can you learn from them?Internet Resource Transfer Policy: what can you learn from them?
Internet Resource Transfer Policy: what can you learn from them?APNIC
 
BdNOG 3: A closer look at IPv4 transfers
BdNOG 3: A closer look at IPv4 transfersBdNOG 3: A closer look at IPv4 transfers
BdNOG 3: A closer look at IPv4 transfersAPNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Government
Government Government
Government APNIC
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4APNIC
 
The IANA Stewardship Transition Overview & Background
The IANA Stewardship Transition Overview & Background The IANA Stewardship Transition Overview & Background
The IANA Stewardship Transition Overview & Background APNIC
 
IDNOG 2: IPv4 Transfers
IDNOG 2: IPv4 TransfersIDNOG 2: IPv4 Transfers
IDNOG 2: IPv4 TransfersAPNIC
 
Myanmar Member Gathering
Myanmar Member GatheringMyanmar Member Gathering
Myanmar Member GatheringAPNIC
 
APNIC Update for ARIN 35
APNIC Update for ARIN 35APNIC Update for ARIN 35
APNIC Update for ARIN 35APNIC
 
HKNOG1.1 presentation
HKNOG1.1 presentationHKNOG1.1 presentation
HKNOG1.1 presentationAPNIC
 
How the Internet works...and why
How the Internet works...and whyHow the Internet works...and why
How the Internet works...and whyAPNIC
 
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi KawamuraIndonesia Network Operators Group
 
IPv6 at 6connect, PTC17
IPv6 at 6connect, PTC17IPv6 at 6connect, PTC17
IPv6 at 6connect, PTC17APNIC
 
IPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesIPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesAPNIC
 
How APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionHow APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionAPNIC
 
APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC
 
npNOG 2: APNIC activity report
npNOG 2: APNIC activity reportnpNOG 2: APNIC activity report
npNOG 2: APNIC activity reportAPNIC
 
Internet infrastructure in South Asia
Internet infrastructure in South AsiaInternet infrastructure in South Asia
Internet infrastructure in South AsiaAPNIC
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approachAPNIC
 
An introduction to APNIC
An introduction to APNICAn introduction to APNIC
An introduction to APNICAPNIC
 
Measuring latency from the browser
Measuring latency from the browserMeasuring latency from the browser
Measuring latency from the browserAPNIC
 

Mais conteúdo relacionado

Mais procurados

Apnic IPv6 Deployment
Apnic IPv6 DeploymentApnic IPv6 Deployment
Apnic IPv6 DeploymentAPNIC
 
Internet Resource Transfer Policy: what can you learn from them?
Internet Resource Transfer Policy: what can you learn from them?Internet Resource Transfer Policy: what can you learn from them?
Internet Resource Transfer Policy: what can you learn from them?APNIC
 
BdNOG 3: A closer look at IPv4 transfers
BdNOG 3: A closer look at IPv4 transfersBdNOG 3: A closer look at IPv4 transfers
BdNOG 3: A closer look at IPv4 transfersAPNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Government
Government Government
Government APNIC
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4APNIC
 
The IANA Stewardship Transition Overview & Background
The IANA Stewardship Transition Overview & Background The IANA Stewardship Transition Overview & Background
The IANA Stewardship Transition Overview & Background APNIC
 
IDNOG 2: IPv4 Transfers
IDNOG 2: IPv4 TransfersIDNOG 2: IPv4 Transfers
IDNOG 2: IPv4 TransfersAPNIC
 
Myanmar Member Gathering
Myanmar Member GatheringMyanmar Member Gathering
Myanmar Member GatheringAPNIC
 
APNIC Update for ARIN 35
APNIC Update for ARIN 35APNIC Update for ARIN 35
APNIC Update for ARIN 35APNIC
 
HKNOG1.1 presentation
HKNOG1.1 presentationHKNOG1.1 presentation
HKNOG1.1 presentationAPNIC
 
How the Internet works...and why
How the Internet works...and whyHow the Internet works...and why
How the Internet works...and whyAPNIC
 
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi KawamuraIndonesia Network Operators Group
 
IPv6 at 6connect, PTC17
IPv6 at 6connect, PTC17IPv6 at 6connect, PTC17
IPv6 at 6connect, PTC17APNIC
 
IPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesIPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesAPNIC
 
How APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionHow APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionAPNIC
 
APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC
 
npNOG 2: APNIC activity report
npNOG 2: APNIC activity reportnpNOG 2: APNIC activity report
npNOG 2: APNIC activity reportAPNIC
 
Internet infrastructure in South Asia
Internet infrastructure in South AsiaInternet infrastructure in South Asia
Internet infrastructure in South AsiaAPNIC
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approachAPNIC
 

Mais procurados (20)

Apnic IPv6 Deployment
Apnic IPv6 DeploymentApnic IPv6 Deployment
Apnic IPv6 Deployment
 
Internet Resource Transfer Policy: what can you learn from them?
Internet Resource Transfer Policy: what can you learn from them?Internet Resource Transfer Policy: what can you learn from them?
Internet Resource Transfer Policy: what can you learn from them?
 
BdNOG 3: A closer look at IPv4 transfers
BdNOG 3: A closer look at IPv4 transfersBdNOG 3: A closer look at IPv4 transfers
BdNOG 3: A closer look at IPv4 transfers
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
Government
Government Government
Government
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
 
The IANA Stewardship Transition Overview & Background
The IANA Stewardship Transition Overview & Background The IANA Stewardship Transition Overview & Background
The IANA Stewardship Transition Overview & Background
 
IDNOG 2: IPv4 Transfers
IDNOG 2: IPv4 TransfersIDNOG 2: IPv4 Transfers
IDNOG 2: IPv4 Transfers
 
Myanmar Member Gathering
Myanmar Member GatheringMyanmar Member Gathering
Myanmar Member Gathering
 
APNIC Update for ARIN 35
APNIC Update for ARIN 35APNIC Update for ARIN 35
APNIC Update for ARIN 35
 
HKNOG1.1 presentation
HKNOG1.1 presentationHKNOG1.1 presentation
HKNOG1.1 presentation
 
How the Internet works...and why
How the Internet works...and whyHow the Internet works...and why
How the Internet works...and why
 
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura
05 (IDNOG01) Evolution of IXes and peering in Japan by Seiichi Kawamura
 
IPv6 at 6connect, PTC17
IPv6 at 6connect, PTC17IPv6 at 6connect, PTC17
IPv6 at 6connect, PTC17
 
IPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesIPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government Agencies
 
How APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionHow APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaion
 
APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5
 
npNOG 2: APNIC activity report
npNOG 2: APNIC activity reportnpNOG 2: APNIC activity report
npNOG 2: APNIC activity report
 
Internet infrastructure in South Asia
Internet infrastructure in South AsiaInternet infrastructure in South Asia
Internet infrastructure in South Asia
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approach
 

Destaque

An introduction to APNIC
An introduction to APNICAn introduction to APNIC
An introduction to APNICAPNIC
 
Measuring latency from the browser
Measuring latency from the browserMeasuring latency from the browser
Measuring latency from the browserAPNIC
 
China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...
China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...
China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...APNIC
 
Who needs IPv6...in the Pacific?
Who needs IPv6...in the Pacific?Who needs IPv6...in the Pacific?
Who needs IPv6...in the Pacific?APNIC
 
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...APNIC
 
Internet Measurement Networks - SANOG 24
Internet Measurement Networks - SANOG 24Internet Measurement Networks - SANOG 24
Internet Measurement Networks - SANOG 24APNIC
 
CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]
CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]
CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]APNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusAPNIC
 
RightsCon 2015: IPv6 for n00bs
RightsCon 2015: IPv6 for n00bsRightsCon 2015: IPv6 for n00bs
RightsCon 2015: IPv6 for n00bsAPNIC
 
IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27APNIC
 
APNIC Update: PITA 19
APNIC Update: PITA 19APNIC Update: PITA 19
APNIC Update: PITA 19APNIC
 
IPv6 performance
IPv6 performanceIPv6 performance
IPv6 performanceAPNIC
 
APNIC Update for NZNOG 2015
APNIC Update for NZNOG 2015APNIC Update for NZNOG 2015
APNIC Update for NZNOG 2015APNIC
 
The $1000 Internet Exchange
The $1000 Internet ExchangeThe $1000 Internet Exchange
The $1000 Internet ExchangeAPNIC
 
Weighing the world one click at a time
Weighing the world one click at a timeWeighing the world one click at a time
Weighing the world one click at a timeAPNIC
 
AFRINIC 24 - APNIC Update
AFRINIC 24 - APNIC UpdateAFRINIC 24 - APNIC Update
AFRINIC 24 - APNIC UpdateRobbie Mitchell
 
APNIC Update @ ARM, Mongolia
APNIC Update @ ARM, MongoliaAPNIC Update @ ARM, Mongolia
APNIC Update @ ARM, MongoliaAPNIC
 
APNIC Update @ SANOG 27
APNIC Update @ SANOG 27APNIC Update @ SANOG 27
APNIC Update @ SANOG 27APNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...APNIC
 

Destaque (20)

An introduction to APNIC
An introduction to APNICAn introduction to APNIC
An introduction to APNIC
 
Measuring latency from the browser
Measuring latency from the browserMeasuring latency from the browser
Measuring latency from the browser
 
China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...
China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...
China's Cyber Threat Landscape from the Perspective of CNCERT/CC by Zhu Yunqi...
 
Who needs IPv6...in the Pacific?
Who needs IPv6...in the Pacific?Who needs IPv6...in the Pacific?
Who needs IPv6...in the Pacific?
 
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 / Technical Key...
 
Internet Measurement Networks - SANOG 24
Internet Measurement Networks - SANOG 24Internet Measurement Networks - SANOG 24
Internet Measurement Networks - SANOG 24
 
CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]
CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]
CNNIC Update, by Jessica Shen [APNIC 38 / NIR SIG]
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI status
 
RightsCon 2015: IPv6 for n00bs
RightsCon 2015: IPv6 for n00bsRightsCon 2015: IPv6 for n00bs
RightsCon 2015: IPv6 for n00bs
 
IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27
 
APNIC Update: PITA 19
APNIC Update: PITA 19APNIC Update: PITA 19
APNIC Update: PITA 19
 
IPv6 performance
IPv6 performanceIPv6 performance
IPv6 performance
 
APNIC Update for NZNOG 2015
APNIC Update for NZNOG 2015APNIC Update for NZNOG 2015
APNIC Update for NZNOG 2015
 
The $1000 Internet Exchange
The $1000 Internet ExchangeThe $1000 Internet Exchange
The $1000 Internet Exchange
 
Weighing the world one click at a time
Weighing the world one click at a timeWeighing the world one click at a time
Weighing the world one click at a time
 
AFRINIC 24 - APNIC Update
AFRINIC 24 - APNIC UpdateAFRINIC 24 - APNIC Update
AFRINIC 24 - APNIC Update
 
APNIC Update @ ARM, Mongolia
APNIC Update @ ARM, MongoliaAPNIC Update @ ARM, Mongolia
APNIC Update @ ARM, Mongolia
 
APNIC Update @ SANOG 27
APNIC Update @ SANOG 27APNIC Update @ SANOG 27
APNIC Update @ SANOG 27
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...
 

Semelhante a Introduction to RPKI - MyNOG

RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
Certification
CertificationCertification
CertificationRIPE NCC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?APNIC
 

Semelhante a Introduction to RPKI - MyNOG (20)

Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
Certification
CertificationCertification
Certification
 
Resource Certification
Resource CertificationResource Certification
Resource Certification
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
 

Mais de Siena Perry

APNIC Hackathon Poke Prefix
APNIC Hackathon Poke PrefixAPNIC Hackathon Poke Prefix
APNIC Hackathon Poke PrefixSiena Perry
 
APNIC Hackathon Tunnel Vision
APNIC Hackathon Tunnel VisionAPNIC Hackathon Tunnel Vision
APNIC Hackathon Tunnel VisionSiena Perry
 
APNIC Hackathon The Lord of IPv6
APNIC Hackathon The Lord of IPv6APNIC Hackathon The Lord of IPv6
APNIC Hackathon The Lord of IPv6Siena Perry
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking Siena Perry
 
APNIC APIX Industry Benchmarking
APNIC APIX Industry Benchmarking APNIC APIX Industry Benchmarking
APNIC APIX Industry Benchmarking Siena Perry
 
DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71Siena Perry
 
Y4 it 2016- Hermoso
Y4 it 2016- HermosoY4 it 2016- Hermoso
Y4 it 2016- HermosoSiena Perry
 
APNIC Policy Webinar
APNIC Policy Webinar APNIC Policy Webinar
APNIC Policy Webinar Siena Perry
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Siena Perry
 

Mais de Siena Perry (11)

APNIC Hackathon Poke Prefix
APNIC Hackathon Poke PrefixAPNIC Hackathon Poke Prefix
APNIC Hackathon Poke Prefix
 
APNIC Hackathon Tunnel Vision
APNIC Hackathon Tunnel VisionAPNIC Hackathon Tunnel Vision
APNIC Hackathon Tunnel Vision
 
APNIC Hackathon The Lord of IPv6
APNIC Hackathon The Lord of IPv6APNIC Hackathon The Lord of IPv6
APNIC Hackathon The Lord of IPv6
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking
 
APNIC APIX Industry Benchmarking
APNIC APIX Industry Benchmarking APNIC APIX Industry Benchmarking
APNIC APIX Industry Benchmarking
 
DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71
 
Y4 it 2016- Hermoso
Y4 it 2016- HermosoY4 it 2016- Hermoso
Y4 it 2016- Hermoso
 
IPv6 Update
IPv6 UpdateIPv6 Update
IPv6 Update
 
APNIC Policy Webinar
APNIC Policy Webinar APNIC Policy Webinar
APNIC Policy Webinar
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
 

Último

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Último (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Introduction to RPKI - MyNOG

  • 1. Issue Date: Revision: Resource Public Key Infrastructure (RPKI) MyNOG 4 Conference 2014 2014/08 2
  • 2. Overview •  Routing “incidents” •  RPKI Technical Details •  RPKI and BGPsec •  Components and Implementation •  Deployment Status in the RIRs •  APNIC Resource Certification 2
  • 3. Misdirection / Hijacking Incidents •  YouTube Incident –  Occurred 24 Feb 2008 (for about 2 hours) –  Pakistan Telecom announced YT block •  Google (AS15169) services downed –  Occurred 5 Nov 2012 (for 30 minutes) –  Moratel Indonesia (AS23947) 3 How frequent do these hijacking incidents happen?
  • 4. How we address this… •  A network should only originate his own prefix –  How do we verify? –  How do we avoid false advertisement? •  A provider should filter prefixes they propagate from customers –  Check the legitimacy of address (LoA) –  Transitive trust; BGP is a trust-based system 4
  • 5. WHOIS DB – Legitimacy of Address 5
  • 6. What is RPKI? •  Resource Public Key Infrastructure (RPKI) •  A robust security framework for verifying the association between resource holder and their Internet resources •  Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols” •  Helps to secure Internet routing by validating routes –  Proof that prefix announcements are coming from the legitimate holder of the resource RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012) 6
  • 7. Benefits of RPKI - Routing •  Prevents route hijacking –  A prefix originated by an AS without authorization –  Reason: malicious intent •  Prevents mis-origination –  A prefix that is mistakenly originated by an AS which does not own it –  Also route leakage –  Reason: configuration mistake / fat finger 7
  • 8. BGP Security (BGPsec) •  Extension to BGP that provides improved security for BGP routing •  Currently an IETF Internet draft •  Implemented via a new optional non-transitive BGP path attribute that contains a digital signature •  Two things: –  BGP Prefix Origin Validation (using RPKI) –  BGP Path Validation •  Similar efforts in the early days – IDR working group, S- BGP 8
  • 9. “Right” to Resources •  ISP gets their resources from the RIR •  ISP notifies its upstream of the prefixes to be announced •  Upstream must check the WHOIS database if resource has been delegated to customer ISP We need to be able to authoritatively prove who owns an IP Prefix and what AS(s) may announce it. 9
  • 10. RPKI Infrastructure •  A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents •  Main Components: –  Certificate Authority (CA) –  Relying Party (RP) –  Routers with RPKI support 10
  • 11. Issuing Party •  Internet Registries (RIR, NIR, Large LIRs) •  Acts as a Certificate Authority and issues certificates for customers •  Provides a web interface to issue ROAs for customer prefixes •  Publishes the ROA records APNIC RPKI Engine publication MyAPNIC GUI rpki.apnic.net Repository 11
  • 12. Route Origin Authorization (ROA) •  A digital object that contains a list of address prefixes and one AS number •  It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements •  Publish an ROA using MyAPNIC 12
  • 13. X.509 Certificate with 3779 Extension •  Resource certificates are based on the X.509 v3 certificate format (RFC 5280) •  Extended by RFC 3779 – binds a list of resources (IP, ASN) to the subject of the certificate •  SIA – Subject Information Access; contains a URI that references the directory X.509 Certificate RFC 3779 Extension SIA Owner's Public Key 13
  • 14. Relying Party (RP) IANA Repo APNIC Repo RIPE Repo LIR Repo LIR Repo RP Cache (gather) Validated Cache RPKI-Rtr Protocol rpki.ripe.net Software which gathers data from CAs Also called RP cache or validator 14
  • 16. Router Origin Validation •  Router must support RPKI •  Checks an RP cache / validator •  Validation returns 3 states: –  Valid = when authorization is found for prefix X –  Invalid = when authorization is found for prefix X but not from ASN Y –  Unknown = when no authorization data is found •  Vendor support: –  Cisco IOS – solid in 15.2 –  Cisco IOS/XR – shipped in 4.3.2 –  Juniper – shipped in 12.2 –  Alcatel Lucent – in development 16
  • 19. APNIC RPKI Service •  Enhancement to the RIRs –  Offers verifiable proof of resource holdings •  Resource certification is an opt-in service –  Resource holders choose to request a certificate and profice their public key to be certified •  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use 19
  • 20. What you need to know •  You are encouraged to experiment, test, play and develop •  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile •  It’s ready for testing and prototyping, but is probably not ready for production use just yet •  Please tell us what you find but don’t rely on it in your network yet 20
  • 21. What You Can Do Now? •  Create ROA records in MyAPNIC •  Build an RP cache •  Configure your router to use the cache (or a public one) •  Create BGP policies Best to do it in a test environment for now! J 21
  • 22. Build an RP Cache •  Download and install from rpki.net –  Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/ UbuntuPackages 22 The RP cache has a web interface
  • 23. Configure Router to Use Cache router bgp 651nn … bgp rpki server tcp 10.0.0.3 port 43779 refresh 60 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60 … 23 RPKI Lab – Randy Bush
  • 24. BGP Table r0.sea#sh ip bgp Network Next Hop Metric LocPrf Weight Path * i I198.180.150.0 144.232.9.61 100 0 1239 3927 i *> I 199.238.113.9 0 2914 3927 i * I 129.250.11.41 0 2914 3927 i *> V198.180.152.0 199.238.113.9 0 2914 4128 i * V 129.250.11.41 0 2914 4128 i *> N198.180.155.0 199.238.113.9 0 2914 22773 i * N 129.250.11.41 0 2914 22773 i *> N198.180.160.0 199.238.113.9 0 2914 23308 13408 5752 i * N 129.250.11.41 0 2914 23308 13408 5752 i RPKI Lab – Randy Bush 24
  • 25. More References •  Securing BGP –  The Internet Protocol Journal, Volume 14, No. 2 •  An Infrastructure to Support Secure Internet Routing –  RFC6480 •  A Reappraisal of Validation in the RPKI –  Labs.apnic.net/blabs •  An Introduction to Routing Security (and RPKI Tools) •  MyAPNIC Resource Certification Guide 25
  • 27. You’re Invited! •  APNIC 38: Brisbane, Australia, 9-19 Sep 2014 •  APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015 27