3. Long ago, people were living in peace
• Network engineers were innocent and trustworthy
• Global routing table only had valid prefixes
• But the perfect world can’t exist:
– Someone made a mistake in BGP announcements
– Someone hijacked others’ prefixes
– The global routing table becomes vulnerable to incorrect routes
• Internet operations get affected
• The core of the Internet can’t be left vulnerable like that
#bdNOG13 3
4. A route is not bad unless proved guilty
• How to prove it? – By validating
• How can we validate? – Cross-match with VRPs
• What makes the VRPs? – ROAs
• How to collect all the ROAs? – Resource PKI (RPKI)
• Who does what?
– Resource holders create ROAs
– Network operators do ROV
5. RPKI is about 2 things: ROA and ROV
Step 1: Signing prefixes, a.k.a. creating ROAs
Figure: the member logs in to the RIR portal and authenticates; the RIR CA, backed by the RIR Resource DB, signs a ROA for 2001:db8::/32 and 192.0.2.0/24 with origin AS 65000.
6. RPKI is about 2 things: ROA and ROV
Step 2: Validating ROAs, a.k.a. doing ROV
Figure: the RPKI Validator fetches the RPKI Repository over rsync/RRDP and feeds the resulting VRPs to the BGP Router over the RTR protocol.
7. What Makes a Route RPKI Invalid?
ROA (VRP):
• Prefix: 192.168.0.0/22
• ASN: 65500
• Max Length: /23
Prefixes covered by the ROA: 192.168.0.0/22, 192.168.0.0/23, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/23, 192.168.2.0/24, 192.168.3.0/24
Routes received at R1 and their validation state:
• 192.168.0.0/24 ...65500: Invalid (Max Length)
• 192.168.0.0/24 ...65520: Invalid (Max Length+Origin)
• 192.168.0.0/23 ...65520: Invalid (Origin)
• 192.168.2.0/23 ...65500: Valid
• 100.100.0.0/24 ...65500: Not Found
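The validation logic behind the figure above, as an added example that is not from the bdNOG13 slides: a small Python validator following RFC 6811, run over a constructed VRP list holding the slide's single ROA (192.168.0.0/22, AS 65500, max length /23). The reason labels and the `policy_action` mapping are assumptions chosen to mirror the slides' wording.

```python
# Added example (not from the bdNOG13 slides): RFC 6811 Route Origin Validation
# over a constructed VRP list, reproducing the slide's example routes.
from ipaddress import ip_network
from typing import Iterable, NamedTuple, Tuple


class VRP(NamedTuple):
    prefix: str      # e.g. "192.168.0.0/22"
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS


def validate(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> Tuple[str, str]:
    """Return (state, reason); state is 'Valid', 'Invalid' or 'NotFound'.
    The reason labels ('Max Length', 'Origin', 'Max Length+Origin') are an
    assumption that mirrors the slide; RFC 6811 only defines the three states."""
    route = ip_network(route_prefix, strict=False)
    covered = origin_ok_seen = length_ok_seen = False
    for vrp in vrps:
        net = ip_network(vrp.prefix, strict=False)
        # A VRP covers the route when it is the same address family and the
        # route lies inside the VRP prefix, regardless of max length.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        origin_ok = vrp.asn == origin_asn
        length_ok = route.prefixlen <= vrp.max_length
        if origin_ok and length_ok:      # one matching VRP is enough
            return "Valid", ""
        origin_ok_seen |= origin_ok
        length_ok_seen |= length_ok
    if not covered:                      # no VRP covers the route at all
        return "NotFound", ""
    if origin_ok_seen:                   # right origin, prefix too specific
        return "Invalid", "Max Length"
    if length_ok_seen:                   # acceptable length, wrong origin
        return "Invalid", "Origin"
    return "Invalid", "Max Length+Origin"


def policy_action(state: str) -> str:
    """Slide 24 policy (assumed mapping): Valid ALLOW, Invalid DROP,
    NotFound ALLOW with lower preference."""
    return {"Valid": "ALLOW", "Invalid": "DROP"}.get(state, "ALLOW (lower preference)")


# Constructed VRP list: the single ROA from the slide.
VRPS = [VRP("192.168.0.0/22", 23, 65500)]

if __name__ == "__main__":
    for prefix, asn in [("192.168.0.0/24", 65500), ("192.168.0.0/24", 65520),
                        ("192.168.0.0/23", 65520), ("192.168.2.0/23", 65500),
                        ("100.100.0.0/24", 65500)]:
        state, reason = validate(prefix, asn, VRPS)
        print(f"{prefix} AS{asn}: {state} {reason} -> {policy_action(state)}")
```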
17. Invalid Routes are Getting Rejected
• More and more operators are deploying RPKI and ROV
– BCC/NDC
– Telia
– NTT
– Cogent
– HE
– Cloudflare
– Netflix
– AMS-IX
– DE-CIX and many more
19. Creating ROA
It is not a good idea to create ROAs with a max length up to /24 (v4) or /48 (v6). It is better to create ROAs for the specific prefixes that are actually announced in BGP.
20. Creating ROA
You may sign the same prefix with multiple ASNs, but only do so if you really, really have to.
23. General Recommendations
• Only create ROAs for prefixes that are announced in BGP
– Signing unannounced prefixes can lead to “validated hijack”
– Add to standard operating procedure: if it is originated, sign it!
• Check your ROAs and announcements from external sources
• Deploy at least two reliable Validator Caches
– Two different implementations, for software independence
• Avoid a default route on the border routers
24. General Recommendations
• While validating:
– If Valid: ALLOW
– If Invalid: DROP
– If Not Found: ALLOW with lower preference
• For fully supported Route Origin Validation across the network
– EBGP-speaking routers need to talk to a validator
– IBGP-speaking routers do not need to talk to a validator
• Train the engineers with toolsets and debugging techniques
25. ROA for Small ISPs and Enterprises
• Have your own Internet resources?
– Creating a ROA is straightforward using the RIR’s resource management portal
• Got an assignment from an LIR?
– Have a public ASN?
• Ask the LIR to create a ROA with your ASN and verify it
– Don’t have a public ASN?
• Ask the LIR to create a ROA for the assigned prefix and verify it
26. ROV for Small ISPs and Enterprises
• Have BGP with transits and peers?
– Receive full routes from neighbors?
• Implementing ROV using a validator cache is straightforward
– Receive partial routes plus a default from neighbors?
• Ask your transits to do ROV for you
• Implement ROV using a validator cache to validate peer and IX routes
– Receive only the default route?
• ROV wouldn’t fit; however, you may ask your transits to do ROV on their network
• Have static routing with transits?
– ROV wouldn’t fit; however, you may ask your transits to do ROV on their network