APNIC Training Delivery Manager Tashi Phuntsho supported the preparation of the presentation on reaching 100% ROA coverage at mnNOG 2020, held online on 28 October 2020.
mnNOG 2020: The Journey [100% ROA Coverage]
1. The Journey
[100% ROA coverage]
mnNOG-2 | 28 Oct 2020
Gonchig Altansukh (SkyTel), Tashi Phuntsho (APNIC)
2. What did we achieve?
https://nlnetlabs.nl/projects/rpki/rpki-analytics/
3. What does it mean?
• MN routes (route origin) are authorized by MN prefix holders!
- The Internet will see valid/authorized routes from MN
• Will prevent others from hijacking MN routes
- And hence, prevent rerouting of traffic intended for MN address holders
- Thus, protecting users from being directed along bogus/hijacked paths
10. Are we done?
• The next logical step (ISPs/Operators)
- route origin validation (ROV) & drop Invalids!
§ AS55805 (Mobicom) is already doing it
[Diagram: RPKI Repo -> (rsync/RRDP) -> Validator -> (RPKI-to-Router, RTR) -> router. ROA: 2406:6400::/32-48, origin AS17821. Route 2406:6400::/48 with AS path 65551 65550 17821 -> Valid; route 2406:6400::/48 with AS path 65553 65552 -> Invalid.]
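The two routes in the diagram, checked with the RFC 6811 origin-validation rules. This is an added Python example, not code from the slides: the ROA and the two BGP table lines are taken from the diagram, and the empty-VRP case illustrates the "defaults to NOT FOUND" point made on slide 13.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload as delivered over RTR: prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    asn: int


# ROA from the diagram: 2406:6400::/32, maxLength 48, origin AS17821.
DIAGRAM_VRPS = [VRP("2406:6400::/32", 48, 17821)]

# Constructed BGP table lines in the diagram's "prefix AS_PATH origin-code" form.
VALID_LINE = "2406:6400::/48 65551 65550 17821 i"
INVALID_LINE = "2406:6400::/48 65553 65552 i"


def validate(prefix: str, origin_as: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 origin validation: returns Valid, Invalid or NotFound.

    With no VRPs at all (every RTR session down) every route is NotFound,
    which is why slide 13 asks for at least two validators.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp in vrps:
        roa = ipaddress.ip_network(vrp.prefix, strict=False)
        # A VRP covers the route only if the route prefix lies inside the ROA prefix.
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True
        # A match needs both the maxLength bound and the exact origin AS.
        if route.prefixlen <= vrp.max_length and origin_as == vrp.asn:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def validate_route_line(line: str, vrps: Iterable[VRP]) -> str:
    """Take prefix and origin AS (last ASN before the origin code) from a table line."""
    fields = line.split()
    prefix, as_path = fields[0], [int(asn) for asn in fields[1:-1]]
    if not as_path:
        raise ValueError("locally originated route: origin AS is the local AS")
    return validate(prefix, as_path[-1], vrps)


if __name__ == "__main__":
    for line in (VALID_LINE, INVALID_LINE):
        print(line, "->", validate_route_line(line, DIAGRAM_VRPS))
```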
11. ROV – on your routers
• Only on your eBGP speakers
- Border/peering/transit/edge
• As simple as:
Cisco IOS / IOS-XE:
router bgp 131107
 bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
Juniper Junos:
routing-options {
    autonomous-system 131107;
    validation {
        group rpki-validator {
            session <validatorIP> {
                refresh-time <secs>;
                port <323/3323/8282>;
                local-address X.X.X.X;
            }
        }
    }
}
Cisco IOS-XR:
router bgp 131107
 rpki server <validatorIP>
  transport tcp port <323/3323/8282>
  refresh-time <secs>
12. ROV – Validators
• Run your own validator:
- RIPE validator https://github.com/RIPE-NCC/rpki-validator-3/releases/tag/3.1-2020.09.25.11.16 (deprecating in 2021!)
- Routinator https://github.com/NLnetLabs/routinator/releases/tag/v0.8.0
- Fort https://github.com/NICMx/FORT-validator/releases/tag/v1.4.1
- OctoRPKI https://github.com/cloudflare/cfrpki/releases/tag/v1.1.4
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
13. ROV - Validator Considerations
• Secure the RTR session
- Secure options: SSH, MD5 auth, IPsec, TLS, TCP-AO
- Plain text (TCP) – run it within your routing domain!
• Redundant RTR sessions
- If the RTR session goes down, route state defaults to NOT FOUND (incl. routes that were INVALID)
- Hence, at least 2x validators (RTR sessions)
15. ROV - Operational Considerations
• Default routes?
- Will match anything, Invalids included
• iBGP state propagation?
- Watch out for vendor interop issues, and
- Know your platform defaults
- Example: on IOS-XE, RPKI state trumps other BGP attributes
[Diagram: border routers BR1 and BR2 with eBGP to Upstream-I and Upstream-II and iBGP to core router CR; each border router has an RTR session to the Validator, one of them marked X.]
16. Are we done?
• Make sure all future BGP announcements have a covering ROA!
- e.g. when you leak more specifics for BGP TE reasons, or
- You get new/additional address space