mnNOG 2020: The Journey [100% ROA Coverage]

•

0 gostou•471 visualizações

APNIC Training Delivery Manager Tashi Phuntsho supported the preparation of the presentation on reaching 100% ROA coverage at mnNOG 2020, held online on 28 October 2020.

Internet

The Journey
[100% ROA coverage]
mnNOG-2 | 28 Oct 2020
Gonchig Altansukh (SkyTel), Tashi Phuntsho (APNIC)

What did we achieve?
https://nlnetlabs.nl/projects/rpki/rpki-analytics/

What does it mean?
• MN routes (route origin) are authorized by MN
prefix holders!
- The Internet will see valid/authorized routes from MN
• Will prevent others from hijacking MN routes
- And hence, prevent rerouting of traffic intended for MN
address holders
- Thus, protecting users from being directed along
bogus/hijacked paths

How did we get here?
• mnNOG-1 happened!

How did we get here?
• ROA signing BOF @ mnNOG-1

How did we get here?
• ROA signing BOF @ mnNOG-1
https://stat.ripe.net/MN#tabId=routing

How did we get here?
• And we continued the work in 2020
4th June 2020

How did we get here?
- Ulsbold
Damjinkhuu -
- Gonchig
Tugsuu -
- Ariunbold -

Are we done?
• The next logical step (ISPs/Operators)
- route origin validation (ROV) & drop Invalids!
§ AS55805 (Mobicom) is already doing it
1782165550
2406:6400::/48
65551
2406:6400::/48 65551 65550 17821 i
6555265553
2406:6400::/48
2406:6400::/48 65553 65552 i
rsync/RRDP
RPKI
Repo
RPKI-to-Router
(RTR)
2406:6400::/32-48
17821
ROA
2406:6400::/32-48
17821
Invalid
Valid
Validator

ROV – on your routers
• Only on your eBGP speakers
- Border/peering/transit/edge
• As simple as:
router bgp 131107
bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
routing-options {
autonomous-system 131107;
validation {
group rpki-validator {
session <validatorIP> {
refresh-time <secs>;
port <323/3323/8282>;
local-address X.X.X.X;
}
}
}
}
router bgp 131107
rpki server <validatorIP>
transport tcp port <323/3323/8282>
refresh-time <secs>

ROV – Validators
• Run your own validator:
- ** RIPE validator https://github.com/RIPE-NCC/rpki-validator-
3/releases/tag/3.1-2020.09.25.11.16 (deprecating in 2021!)
- Routinator https://github.com/NLnetLabs/routinator/releases/tag/v0.8.0
- Fort https://github.com/NICMx/FORT-validator/releases/tag/v1.4.1
- OctoRPKI https://github.com/cloudflare/cfrpki/releases/tag/v1.1.4
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/

ROV - Validator Considerations
• Secure the RTR session
- Secure options: SSH, MD5 auth, IPsec, TLS, TCP-AO
- Plain text (TCP) – run it within your routing domain!
• Redundant RTR sessions
- defaults to NOT FOUND (incl INVALIDs)
- Hence, at least 2xValidators (RTR sessions)

ROV - Validator Considerations
• Redundant RTR sessions – diverse code base?

ROV - Operational Considerations
• Default routes?
- Will match anything ~
Invalids
• iBGP state propagation?
- Watch out for vendor
interop issues, and
- Know your platform defaults
- Example:
- IOS-XE, RPKI state trumps
other BGP attributes
CR
BR1
BR2
Upstream-I Upstream-II
iBGP
eBGP
RTR RTR
X
Validator

Are we done?
• Make sure all future BGP announcements have a
covering ROA!
- Leak more specifics for BGP TE reasons, or
- You get new/additional address space

Mais conteúdo relacionado

Mais procurados

btNOG 6: Securing Internet Routing

APNIC

VNIX-NOG 2021: IPv6 Deployment Update

APNIC

TCP and BBR

APNIC

mnNOG 1: Securing internet Routing

APNIC

IPv6 Deployment Case on a Korean Governmental Website

APNIC

Traffic engineering, policy routing, or service function chaining are used in many networks today. Unfortunately there is still one hard question left that management or security departments tend to ask: "Can you please prove to me that all traffic that was meant to traverse a specific service chain really followed that path?" Proof-of-transit is here to help: By adding some meta-data to our traffic, we can now provide a packet by packet proof of the actual path followed. This presentation outlines the technology (based on Shamir's Secret Sharing Scheme) as well as the implementation on IOS and FD.io/VPP.

Proof of Transit: Securely Verifying a Path or Service Chain

Frank Brockners

QOS (Quality of Services) - Computer Networks

IIIT Manipur

RPKI Overview, Case Studies, Deployment and Operations

APNIC

Integrated services - IntServ

Pradnya Saval

Quality of service

arya krazydude

4th SDN Interest Group Seminar-Session 2-3(130313)

NAIM Networks, Inc.

NZNOG 2020: Buffers, Buffer Bloat and BBR

APNIC

Route Hijaking and the role of RPKI

APNIC

A week with analysing RPKI status

APNIC

Rolling the Root Zone DNSSEC Key Signing Key

APNIC

Andrzej Wolski - RIPE Language: English Securing BGP has been on the todo list of the the community at large for many years. Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems, it allows to verify whether an Autonomous System (AS) is authorized to announce a specific IP address range. We will look at closely at the state of the RPKI deployment. Successes and failures globally, define areas for improvement and quickly zoom in into our region. Register to the next PLNOG edition: krakow.plnog.pl

PLNOG14: Quo Vadis RPKI - Andrzej Wolski

PROIDEA

28th TWNIC OPM and TWNOG 2017: Security best practices for network operators

APNIC

Linx88 IPv6 Neighbor Discovery Russell Heilling

Russell Heilling

32nd TWNIC IP OPM: ROA+ROV deployment & industry development

APNIC

The Next Generation Internet Number Registry Services

MyNOG

Mais procurados (20)

btNOG 6: Securing Internet Routing

VNIX-NOG 2021: IPv6 Deployment Update

TCP and BBR

mnNOG 1: Securing internet Routing

IPv6 Deployment Case on a Korean Governmental Website

Proof of Transit: Securely Verifying a Path or Service Chain

QOS (Quality of Services) - Computer Networks

RPKI Overview, Case Studies, Deployment and Operations

Integrated services - IntServ

Quality of service

4th SDN Interest Group Seminar-Session 2-3(130313)

NZNOG 2020: Buffers, Buffer Bloat and BBR

Route Hijaking and the role of RPKI

A week with analysing RPKI status

Rolling the Root Zone DNSSEC Key Signing Key

PLNOG14: Quo Vadis RPKI - Andrzej Wolski

28th TWNIC OPM and TWNOG 2017: Security best practices for network operators

Linx88 IPv6 Neighbor Discovery Russell Heilling

32nd TWNIC IP OPM: ROA+ROV deployment & industry development

The Next Generation Internet Number Registry Services

Semelhante a mnNOG 2020: The Journey [100% ROA Coverage]

Finding the path, by Yoshinobu Matsuzaki [APNIC 38 / APOPS 1]

APNIC

PhNOG 2020: ROA and RPKI in the Philippines

APNIC

IAA Life in Lockdown series: Securing Internet Routing

APNIC

FIWARE Tech Summit - Stream Processing with Kurento Media Server

FIWARE

WebRTC gives us a way to do real-time, peer-to-peer communication on the web. In this talk, we'll go over the current state of WebRTC (both the awesome parts and the parts which need to be improved) as well as what could come in the future. Mostly though, we'll take a look at how to combine WebRTC with other web technologies to create great experiences on the front-end for real-time, p2p web apps.

WebRTC: A front-end perspective

shwetank

Webinar topic: OSPF On Router OS7 Presenter: Achmad Mardiansyah & M. Taufik Nurhuda In this webinar series, How OSPF On Router OS7 Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback Check our schedule for future events: https://www.glcnetworks.com/en/schedule/ Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram also discord Recording available on Youtube https://youtu.be/nuByFdZHvAg

OSPF On Router OS7

GLC Networks

Mikrotik User Meeting Manila: bgp vs ospf

Achmad Mardiansyah

a 86 slides presentation, derived from years of practical experience, covering following topics: - understanding HTTP, the web protocol (and other related standards, e.g., XML) - assessment of web performance (bytes and turns, Apdex) - recommendations in web performance (web fat index, caching strategy, compression strategy) - troubleshooting the web (user experience, access topologies, service variations, toolbox) - golden rules for web robustness

web performance explained to network and infrastructure experts

Bernard Paques

FIWARE Global Summit - Real-time Media Stream Processing Using Kurento

FIWARE

SDARPiBot - VLES'16

Arun Joseph

Webinar topic: MPLS on Router OS V7 - Part 1 Presenter: Achmad Mardiansyah & M. Taufik Nurhuda In this webinar series, How MPLS on Router OS V7 works Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback Check our schedule for future events: https://www.glcnetworks.com/en/schedule/ Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram also discord Recording available on Youtube https://youtu.be/SvZrYNA0-rQ

MPLS on Router OS V7 - Part 1

GLC Networks

Smart net

Amirhosein Ataei

Webinar topic: BGP security tuning: pull-up route Presenter: Achmad Mardiansyah In this webinar, we discussed about BGP security tuning: pull-up route. pullup route is a very simple trick that is very useful to avoid routing loop with your upstream provider Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback Check our schedule for future events: https://www.glcnetworks.com/en/schedule/ Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram also discord Recording is available on youtube: https://youtu.be/8g0qymHVrY8

BGP security tuning: pull-up route

GLC Networks

HKNOG 7.0: RPKI - it's time to start deploying it

APNIC

npNOG 5: Securing Internet Routing

APNIC

LkNOG 3: Securing Internet Routing

APNIC

GÉANT TURN pilot

Mihály Mészáros

FIWARE Global Summit - Real-time Media Stream Processing Using Kurento

FIWARE

Sctp tutorial

Susant Sahani

Webinar topic: BGP troubleshooting: route origin Presenter: Achmad Mardiansyah In this webinar, we discussed about troubleshooting BGP issue related to attribute: route origin. Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback Check our schedule for future events: https://www.glcnetworks.com/en/schedule/ Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram also discord Recording is available on youtube: https://youtu.be/mrN6FUjXAmE

BGP troubleshooting: route origin

GLC Networks

Semelhante a mnNOG 2020: The Journey [100% ROA Coverage] (20)

Finding the path, by Yoshinobu Matsuzaki [APNIC 38 / APOPS 1]

PhNOG 2020: ROA and RPKI in the Philippines

IAA Life in Lockdown series: Securing Internet Routing

FIWARE Tech Summit - Stream Processing with Kurento Media Server

WebRTC: A front-end perspective

OSPF On Router OS7

Mikrotik User Meeting Manila: bgp vs ospf

web performance explained to network and infrastructure experts

FIWARE Global Summit - Real-time Media Stream Processing Using Kurento

SDARPiBot - VLES'16

MPLS on Router OS V7 - Part 1

Smart net

BGP security tuning: pull-up route

HKNOG 7.0: RPKI - it's time to start deploying it

npNOG 5: Securing Internet Routing

LkNOG 3: Securing Internet Routing

GÉANT TURN pilot

FIWARE Global Summit - Real-time Media Stream Processing Using Kurento

Sctp tutorial

BGP troubleshooting: route origin

Mais de APNIC

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...

APNIC

APNIC Updates presented by Paul Wilson at ARIN 53

APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024

APNIC

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...

APNIC

On Starlink, presented by Geoff Huston at NZNOG 2024

APNIC

Networking in the Penumbra presented by Geoff Huston at NZNOG

APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119

APNIC

draft-harrison-sidrops-manifest-number-01, presented at IETF 119

APNIC

Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119

APNIC

IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119

APNIC

Is DNS ready for IPv6, presented by Geoff Huston at IETF 119

APNIC

Benefits of doing Internet peering and running an Internet Exchange (IX) pres...

APNIC

APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85

APNIC

NANOG 90: 'BGP in 2023' presented by Geoff Huston

APNIC

DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston

APNIC

APAN 57: APNIC Report at APAN 57, Bangkok, Thailand

APNIC

Lao Digital Week 2024: It's time to deploy IPv6

APNIC

AINTEC 2023: Networking in the Penumbra!

APNIC

CNIRC 2023: Global and Regional IPv6 Deployment 2023

APNIC

AFSIG 2023: APNIC Foundation and support for Internet development

APNIC

Mais de APNIC (20)