SlideShare uma empresa Scribd logo

Route Origin Validation - A MANRS Approach

Bangladesh Network Operators Group
Bangladesh Network Operators Group

Route Origin Validation - A MANRS Approach

Internet
1 de 46
Baixar para ler offline
Route Origin Validation - A MANRS Approach Md. Zobair Khan MANRS Ambassador
Acknowledgement • This paper is made taking notes, diagram, configurations from MANRS, APNIC training materials & blog, NLnet Labs, Github & Dr. Philip Smith along with the operational experience of the author.
MANRS • Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.
MANRS • MANRS outlines four simple but concrete actions that network operators should take: • Filtering • Anti-spoofing • Coordination • Global Validation
Global Validation • Publish your data, so others can validate routing information on a global scale • Automated information validation needs arrangements • Securing global routing information is done by RPKI
Resource Public Key Infrastructure (RPKI) • RPKI allows holders of Internet number resources to make verifiable statements about how they intend to use their resources. • RPKI is a way to define data in an out-of-band system such that the information that are exchanged by BGP can be validated to be correct. • RPKI is used to make Internet routing more secure.
Importance of RPKI • Secured Routing Table • Dynamic LOA checking • Maintaining a Dynamic Chain of Trust • Digitally Signed Resources Certificate (X.509 Certificates-RFC5280) • Helps to Stop Route Hijack
Route Origin Authorizations (ROA) • Using the RPKI system, the legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which autonomous system is authorized to originate their prefix in BGP. • These statements are called Route Origin Authorizations (ROAs).
Route Origin Validation (ROV) • RPKI system tries to closely mimic what route objects in the IRR intend to do, but then in a more trustworthy manner. • This process is called route origin validation (ROV)
Validity • Valid - Resources found in database which is called Validated ROA Payload (VRP). • Invalid – Resources found but partial/whole information doesn’t match with database. • Not Found - The prefix in this announcement is not covered by a VRP.
RPKI - Chain Of Trust
Ecosystem
Working Steps • Creating ROA for owned resources for RPKI • Implementing Validator relying software for ROV • Enforcing policies for based on Validation
Creating ROA • Go to Resources > Route Management and select Create route https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
Creating ROA • Mention your prefix with ASN & desired subnet & Submit https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
Relying Party Software  NLnet Labs Routinator https://github.com/NLnetLabs/routinator  LACNIC/NIC Mexico validator (FORT) https://github.com/NICMx/FORT-validator  Cloudflare validator (OctoRPKI) https://github.com/cloudflare/cfrpki
Routinator • Routinator is free, open source RPKI Relying Party software written by NLnet Labs in the Rust programming language. • Routinator connects to the Trust Anchors of the five Regional Internet Registries (RIRs) — APNIC, AFRINIC, ARIN, LACNIC and RIPE NCC — downloads all of the certificates and ROAs in the various repositories, verifies the signatures and makes the result available for use in the BGP workflow. • The validated cache can be fed directly into RPKI-capable routers via the RPKI to Router Protocol (RPKI-RTR), described in RFC 8210. https://rpki.readthedocs.io/en/latest/routinator/index.html
Installation Add the line below that corresponds to your operating system to your /etc/apt/sources.list or /etc/apt/sources.list.d/ deb [arch=amd64] https://packages.nlnetlabs.nl/linux/debian/ stretch main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/debian/ buster main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/ubuntu/ xenial main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/ubuntu/ bionic main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/ubuntu/ focal main
Installation Then run the following commands to add the public key and update the repository list wget -qO- https://packages.nlnetlabs.nl/aptkey.asc | sudo apt-key add - sudo apt update
Installation You can then install Routinator by running this command sudo apt install routinator
Installation Initialise, enable and start Routinator by running these commands. sudo routinator-init sudo systemctl enable --now routinator
Installation By default, Routinator will start the RTR server on port 3323 and the HTTP server on port 8323 which can be changed in /etc/routinator/routinator.conf. You can check the status of Routinator with sudo systemctl status routinator and view the logs with sudo journalctl --unit=routinator
Installation routinator -v vrps routinator server --rtr SERVER-IP:3323 --http SERVER-IP:9556 --refresh=900 &
Installation
OctoRPKI • Developed and used by Cloudflare • This application periodically refreshes the data provided by the RIRs and the delegated organizations. • It keeps exploring the RPKI repositories until it reaches a stable state (no new endpoints added). • RTR session is handeled by GoRTR – a separate module.
Installation First, go to the Releases tab, download the latest version matching your platform.
Installation To install the Linux deb package and start it: $ sudo dpkg -i octorpki_1.1.4_amd64.deb $ sudo systemctl start octorpki
Installation mkdir tals cd tals wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/afrinic.tal wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/apnic.tal wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/lacnic.tal wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/ripe.tal wget https://www.arin.net/resources/manage/rpki/arin-rfc7730.tal -O arin.tal cd ..
Installation Look into the tals directory to check if you have got all the 5 tals or not. Run the validator by issuing the following command. nohup octorpki -output.sign=false > out 2> err &
Installation If the validator runs smoothly, you will see the ROAs in web format by querying a json file. The validated cache output uses default port 8081. GoRTR metrics uses default port 8080. You can build RTR session on your desired port.
Installation GoRTR is Cloudflare’s RPKI-RTR server component, which allows RPKI-enabled routers to connect to it and fetch the validated cache (ROA cache). wget https://github.com/cloudflare/gortr/releases/download/v0.14.7/gortr_0.14.7_amd64.deb dpkg -i gortr_0.14.7_amd64.deb
Installation nohup gortr -bind=SERVER-IP:8282 -metrics.addr=:8080 -verify=false -cache=http://SERVER-IP:8081/output.json > out 2> err &
FORT Validator • FORT validator is an MIT-licensed RPKI Relying Party, this is a tool offered as part of the FORT project. • FORT is a joint initiative by LACNIC, the Regional Internet Registry for Latin America and the Caribbean, and NIC.MX. • RTR Configuration is done with json file.
Installation It has some dependencies. So need to resolve those first. sudo apt install openssl rsync libjansson-dev -y Version 1.5.0 is the latest official release. To fetch or review it, visit the GitHub release sudo wget https://github.com/NICMx/FORT-validator/releases/download/v1.5.0/fort_1.5.0-1_amd64.deb sudo apt install ./fort_1.5.0-1_amd64.deb
Installation You will find an example config.json file inside /etc/fort/example. Rename the actual config.josn file to something else and copy the config file in the example in /etc/fort/ In this way it will be much more easier to configure without destroying the json format. Change the below parameters if required. Tal Local-repository Address Port Rest of the fields should be fine with default values.
Installation Get the tals including Arin. sudo fort --init-tals --tal=/etc/fort/tal
Installation Start fort as a service. Check the status. It will take some time to build the first validated cache.
Hardware OS Juniper - Junos version 12.2 and newer. Cisco - IOS release 15.2 and newer, as well as Cisco IOS/XR since release 4.3.2. Nokia - SR OS 12.0.R4 and newer, running on the 7210 SAS, 7250 IXR, 7750 SR, 7950 XRS and the VSR. Arista - EOS 4.24.0F and newer MikroTik - 7.0beta7 and newer Huawei - VRP 8.150 and newer.
Router Configuration router bgp [ASN] rpki server [SERVER IP] transport tcp port 3323 refresh-time 120 address-family ipv4 unicast bgp origin-as validation signal ibgp address-family ipv6 unicast bgp origin-as validation signal ibgp Configuration of IOS-XR
Router Configuration • routing-options { autonomous-system [ASN]; validation { group rpki-validator { Session [Server IP] { refresh-time 120; Port 3323; local-address X.X.X.253; } } } } Configuration of Junos
Decision • Since now the validation states are visible to you, you can decide what to do with invalids • You can – – Use them with low preference – Or drop them
Policy route-policy RPKI if validation-state is invalid then set local-preference 50 else if validation-state is valid then set local-preference 200 else pass endif endif end-policy route-policy RPKI if validation-state is invalid then drop else if validation-state is valid then set local-preference 200 else pass endif endif end-policy Configuration of IOS-XR
Closure • https://sg-pub.ripe.net/jasper/rpki-web-test/
One Last Thing • ARIN has announced a surprised maintenance of 30 min in July 2021. Announcement was made on 2nd June 2021. • They are doing it to make sure that their RPKI infrastructure is running with peak performance. • https://www.arin.net/announcements/20210602-rpki/ • Also Job Snijders has shared some valuable insights on this maintenance work. • https://lists.arin.net/pipermail/arin-tech-discuss/2021-June/000932.html • Our learning – – When you deploy RPKI, you need to keep an eye on your RPKI infrastructure performance. – You need to make sure that any maintenance work is informed to your clients way ahead. – Also you need to be aware of the events taking places in RIRs regarding their RPKI Infrastructure.
Reference • https://www.manrs.org/about/ • https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/ • http://www.bgp4all.com.au/pfs/training/apnic48/agenda • https://rpki.readthedocs.io/en/latest/ops/tools.html#doc-tools • https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources • https://github.com/cloudflare/cfrpki#octorpki
Query !! Thanks …

Recomendados

Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleBangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBangladesh Network Operators Group
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6Shixiong Shang
 
pps Matters
pps Matterspps Matters
pps MattersBangladesh Network Operators Group
 

Recomendados

Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleBangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBangladesh Network Operators Group
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6Shixiong Shang
 
pps Matters
pps Matterspps Matters
pps MattersBangladesh Network Operators Group
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaBangladesh Network Operators Group
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6Shixiong Shang
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsShannon McFarland
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationMyNOG
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
DPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun RajagopalDPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun RajagopalJim St. Leger
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
BGP persistence
BGP persistenceBGP persistence
BGP persistenceBertrand Duvivier
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 

Mais conteúdo relacionado

Mais procurados

OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6Shixiong Shang
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsShannon McFarland
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationMyNOG
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
DPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun RajagopalDPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun RajagopalJim St. Leger
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 

Mais procurados (20)

Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container Technology
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack Environments
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
DPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun RajagopalDPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun Rajagopal
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
 

Semelhante a Route Origin Validation - A MANRS Approach

Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Web Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC ProjectWeb Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC ProjectSaltlux Inc.
 
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsBoris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsShapeBlue
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
haproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdfhaproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdfPawanVerma628806
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 
Oracle Sandbox
Oracle SandboxOracle Sandbox
Oracle SandboxDatavail
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?APNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 

Semelhante a Route Origin Validation - A MANRS Approach (20)

Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI)
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
Astricon 10 (October 2013) - SIP over WebSocket on Kamailio
Astricon 10 (October 2013) - SIP over WebSocket on KamailioAstricon 10 (October 2013) - SIP over WebSocket on Kamailio
Astricon 10 (October 2013) - SIP over WebSocket on Kamailio
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
Web Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC ProjectWeb Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC Project
 
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsBoris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
 
Resource Certification
Resource CertificationResource Certification
Resource Certification
 
Certification
CertificationCertification
Certification
 
haproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdfhaproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdf
 
HAProxy
HAProxy HAProxy
HAProxy
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
 
Oracle Sandbox
Oracle SandboxOracle Sandbox
Oracle Sandbox
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 

Mais de Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

Mais de Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Último

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 

Último (9)

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 

Route Origin Validation - A MANRS Approach

  • 1. Route Origin Validation - A MANRS Approach Md. Zobair Khan MANRS Ambassador
  • 2. Acknowledgement • This paper is made taking notes, diagram, configurations from MANRS, APNIC training materials & blog, NLnet Labs, Github & Dr. Philip Smith along with the operational experience of the author.
  • 3. MANRS • Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.
  • 4. MANRS • MANRS outlines four simple but concrete actions that network operators should take: • Filtering • Anti-spoofing • Coordination • Global Validation
  • 5. Global Validation • Publish your data, so others can validate routing information on a global scale • Automated information validation needs arrangements • Securing global routing information is done by RPKI
  • 6. Resource Public Key Infrastructure (RPKI) • RPKI allows holders of Internet number resources to make verifiable statements about how they intend to use their resources. • RPKI is a way to define data in an out-of-band system such that the information that are exchanged by BGP can be validated to be correct. • RPKI is used to make Internet routing more secure.
  • 7. Importance of RPKI • Secured Routing Table • Dynamic LOA checking • Maintaining a Dynamic Chain of Trust • Digitally Signed Resources Certificate (X.509 Certificates-RFC5280) • Helps to Stop Route Hijack
  • 8. Route Origin Authorizations (ROA) • Using the RPKI system, the legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which autonomous system is authorized to originate their prefix in BGP. • These statements are called Route Origin Authorizations (ROAs).
  • 9. Route Origin Validation (ROV) • RPKI system tries to closely mimic what route objects in the IRR intend to do, but then in a more trustworthy manner. • This process is called route origin validation (ROV)
  • 10. Validity • Valid - Resources found in database which is called Validated ROA Payload (VRP). • Invalid – Resources found but partial/whole information doesn’t match with database. • Not Found - The prefix in this announcement is not covered by a VRP.
  • 11. RPKI - Chain Of Trust
  • 13. Working Steps • Creating ROA for owned resources for RPKI • Implementing Validator relying software for ROV • Enforcing policies for based on Validation
  • 14. Creating ROA • Go to Resources > Route Management and select Create route https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
  • 15. Creating ROA • Mention your prefix with ASN & desired subnet & Submit https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
  • 16. Relying Party Software  NLnet Labs Routinator https://github.com/NLnetLabs/routinator  LACNIC/NIC Mexico validator (FORT) https://github.com/NICMx/FORT-validator  Cloudflare validator (OctoRPKI) https://github.com/cloudflare/cfrpki
  • 17. Routinator • Routinator is free, open source RPKI Relying Party software written by NLnet Labs in the Rust programming language. • Routinator connects to the Trust Anchors of the five Regional Internet Registries (RIRs) — APNIC, AFRINIC, ARIN, LACNIC and RIPE NCC — downloads all of the certificates and ROAs in the various repositories, verifies the signatures and makes the result available for use in the BGP workflow. • The validated cache can be fed directly into RPKI-capable routers via the RPKI to Router Protocol (RPKI-RTR), described in RFC 8210. https://rpki.readthedocs.io/en/latest/routinator/index.html
  • 18. Installation Add the line below that corresponds to your operating system to your /etc/apt/sources.list or /etc/apt/sources.list.d/ deb [arch=amd64] https://packages.nlnetlabs.nl/linux/debian/ stretch main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/debian/ buster main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/ubuntu/ xenial main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/ubuntu/ bionic main deb [arch=amd64] https://packages.nlnetlabs.nl/linux/ubuntu/ focal main
  • 19. Installation Then run the following commands to add the public key and update the repository list wget -qO- https://packages.nlnetlabs.nl/aptkey.asc | sudo apt-key add - sudo apt update
  • 20. Installation You can then install Routinator by running this command sudo apt install routinator
  • 21. Installation Initialise, enable and start Routinator by running these commands. sudo routinator-init sudo systemctl enable --now routinator
  • 22. Installation By default, Routinator will start the RTR server on port 3323 and the HTTP server on port 8323 which can be changed in /etc/routinator/routinator.conf. You can check the status of Routinator with sudo systemctl status routinator and view the logs with sudo journalctl --unit=routinator
  • 23. Installation routinator -v vrps routinator server --rtr SERVER-IP:3323 --http SERVER-IP:9556 --refresh=900 &
  • 25. OctoRPKI • Developed and used by Cloudflare • This application periodically refreshes the data provided by the RIRs and the delegated organizations. • It keeps exploring the RPKI repositories until it reaches a stable state (no new endpoints added). • RTR session is handeled by GoRTR – a separate module.
  • 26. Installation First, go to the Releases tab, download the latest version matching your platform.
  • 27. Installation To install the Linux deb package and start it: $ sudo dpkg -i octorpki_1.1.4_amd64.deb $ sudo systemctl start octorpki
  • 28. Installation mkdir tals cd tals wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/afrinic.tal wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/apnic.tal wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/lacnic.tal wget https://raw.githubusercontent.com/cloudflare/cfrpki/master/cmd/octorpki/tals/ripe.tal wget https://www.arin.net/resources/manage/rpki/arin-rfc7730.tal -O arin.tal cd ..
  • 29. Installation Look into the tals directory to check if you have got all the 5 tals or not. Run the validator by issuing the following command. nohup octorpki -output.sign=false > out 2> err &
  • 30. Installation If the validator runs smoothly, you will see the ROAs in web format by querying a json file. The validated cache output uses default port 8081. GoRTR metrics uses default port 8080. You can build RTR session on your desired port.
  • 31. Installation GoRTR is Cloudflare’s RPKI-RTR server component, which allows RPKI-enabled routers to connect to it and fetch the validated cache (ROA cache). wget https://github.com/cloudflare/gortr/releases/download/v0.14.7/gortr_0.14.7_amd64.deb dpkg -i gortr_0.14.7_amd64.deb
  • 32. Installation nohup gortr -bind=SERVER-IP:8282 -metrics.addr=:8080 -verify=false -cache=http://SERVER-IP:8081/output.json > out 2> err &
  • 33. FORT Validator • FORT validator is an MIT-licensed RPKI Relying Party, this is a tool offered as part of the FORT project. • FORT is a joint initiative by LACNIC, the Regional Internet Registry for Latin America and the Caribbean, and NIC.MX. • RTR Configuration is done with json file.
  • 34. Installation It has some dependencies. So need to resolve those first. sudo apt install openssl rsync libjansson-dev -y Version 1.5.0 is the latest official release. To fetch or review it, visit the GitHub release sudo wget https://github.com/NICMx/FORT-validator/releases/download/v1.5.0/fort_1.5.0-1_amd64.deb sudo apt install ./fort_1.5.0-1_amd64.deb
  • 35. Installation You will find an example config.json file inside /etc/fort/example. Rename the actual config.josn file to something else and copy the config file in the example in /etc/fort/ In this way it will be much more easier to configure without destroying the json format. Change the below parameters if required. Tal Local-repository Address Port Rest of the fields should be fine with default values.
  • 36. Installation Get the tals including Arin. sudo fort --init-tals --tal=/etc/fort/tal
  • 37. Installation Start fort as a service. Check the status. It will take some time to build the first validated cache.
  • 38. Hardware OS Juniper - Junos version 12.2 and newer. Cisco - IOS release 15.2 and newer, as well as Cisco IOS/XR since release 4.3.2. Nokia - SR OS 12.0.R4 and newer, running on the 7210 SAS, 7250 IXR, 7750 SR, 7950 XRS and the VSR. Arista - EOS 4.24.0F and newer MikroTik - 7.0beta7 and newer Huawei - VRP 8.150 and newer.
  • 39. Router Configuration router bgp [ASN] rpki server [SERVER IP] transport tcp port 3323 refresh-time 120 address-family ipv4 unicast bgp origin-as validation signal ibgp address-family ipv6 unicast bgp origin-as validation signal ibgp Configuration of IOS-XR
  • 40. Router Configuration • routing-options { autonomous-system [ASN]; validation { group rpki-validator { Session [Server IP] { refresh-time 120; Port 3323; local-address X.X.X.253; } } } } Configuration of Junos
  • 41. Decision • Since now the validation states are visible to you, you can decide what to do with invalids • You can – – Use them with low preference – Or drop them
  • 42. Policy route-policy RPKI if validation-state is invalid then set local-preference 50 else if validation-state is valid then set local-preference 200 else pass endif endif end-policy route-policy RPKI if validation-state is invalid then drop else if validation-state is valid then set local-preference 200 else pass endif endif end-policy Configuration of IOS-XR
  • 44. One Last Thing • ARIN has announced a surprised maintenance of 30 min in July 2021. Announcement was made on 2nd June 2021. • They are doing it to make sure that their RPKI infrastructure is running with peak performance. • https://www.arin.net/announcements/20210602-rpki/ • Also Job Snijders has shared some valuable insights on this maintenance work. • https://lists.arin.net/pipermail/arin-tech-discuss/2021-June/000932.html • Our learning – – When you deploy RPKI, you need to keep an eye on your RPKI infrastructure performance. – You need to make sure that any maintenance work is informed to your clients way ahead. – Also you need to be aware of the events taking places in RIRs regarding their RPKI Infrastructure.
  • 45. Reference • https://www.manrs.org/about/ • https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/ • http://www.bgp4all.com.au/pfs/training/apnic48/agenda • https://rpki.readthedocs.io/en/latest/ops/tools.html#doc-tools • https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources • https://github.com/cloudflare/cfrpki#octorpki