RPKI Deployment Status in Bangladesh
20 de Dec de 2022•0 gostou•37 visualizações
0 gostaram
Seja o primeiro a gostar disto
mostrar mais
visualizações
Vistos totais
0
No Slideshare
0
De incorporações
0
Número de incorporações
0
Baixar para ler offline
Denunciar
Internet
RPKI Deployment Status in Bangladesh
bdNOG
Recomendados
Resource Public Key Infrastructure (RPKI) Bangladesh Network Operators Group
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
Introduction to RPKI - MyNOGSiena Perry
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
RPKI Deployment Status in Bangladesh
- RPKI Deployment Status in Bangladesh Md Abdul Awal #bdnog15
- 2 v1.0 2 RPKI – South Asia 0 20 40 60 80 100 BT MV NP LK BD PK AF IN Valid Not-Found Invalid
- RPKI at a Glance
- 4 v1.0 4 What makes a prefix RPKI Invalid • Digitally signed object q Binds list of prefixes and the nominated ASN q can be verified cryptographically • ** Multiple ROAs can exist for the same prefix Prefix 203.176.32.0/19 Max-length /24 Origin ASN AS17821
- 5 v1.0 5 RPKI Components • Issuing Party – Internet Registries (*IRs) q Certificate Authority (CA) that issues resource certificates to end-holders q Publishes the objects (ROAs) signed by the resource certificate holders APNIC RPKI Engine publication MyAPNIC GUI rpki.apnic.net Repository
- 6 v1.0 6 RPKI Components • Relying Party (RP) q RPKI Validator that gathers data (ROA) from the distributed RPKI repositories q Validates each entry’s signature against the TA to build a “Validated cache” rpki.apnic.net IANA Repo APNIC Repo RIPE Repo LIR Repo LIR Repo RP (RPKI Validator) Validated Cache rsync/RRDP rsync/RRDP rsync/RRDP rsync/RRDP
- 7 v1.0 7 Route Origin Validation 17821 65550 2406:6400::/48 65551 2406:6400::/48 65551 65550 17821 i 65552 65553 2406:6400::/48 2406:6400::/48 65553 65552 i rsync/RRDP Validator Global (RPKI) Repository RPKI-to-Router (RTR) 2406:6400::/32-48 17821 ROA 2406:6400::/32-48 17821 Invalid Valid
- 8 v1.0 8 RPKI Validation States ASN Prefix Max Length 65420 10.0.0.0/16 18 ASN Prefix RPKI State VALID VALID INVALID INVALID NOT FOUND 65420 10.0.0.0/16 65420 10.0.128.0/17 65421 10.0.0.0/16 65420 10.0.10.0/24 65430 10.0.0.0/8 ROA BGP Routes
- RPKI Deployment Status
- 10 v1.0 10 Bangladesh – ROA Adoption https://stats.labs.apnic.net/roa/BD Last updated: 30 Nov 2022 Inconsistent Pattern
- 11 v1.0 11 Bangladesh – INVALIDs https://stats.labs.apnic.net/roa/BD Last updated: 30 Nov 2022 IPv4 IPv6 Max_Len?
- 12 v1.0 12 Bangladesh – INVALIDs https://stats.labs.apnic.net/roa/BD Last updated: 30 Nov 2022 15% 85% 0% IPV4 INV:ML INV:AS INV:ASML 99% 1% 0% IPV6 INV:ML INV:AS INV:ASML
- 13 v1.0 13 Bangladesh – RPKI ROV https://stats.labs.apnic.net/rpki/BD Last updated: 30 Nov 2022
- 14 v1.0 14 Bangladesh – RPKI ROV Big operators are not doing ROV https://stats.labs.apnic.net/rpki/BD https://bgp.he.net/country/BD Last updated: 30 Nov 2022
- 15 v1.0 15 Bangladesh – Routing Incidents https://observatory.manrs.org/ Last updated: 30 Nov 2022
- 16 v1.0 16 Example: RPKI VALIDs https://bgp.he.net/ Last updated: 30 Nov 2022
- 17 v1.0 17 Example: RPKI INVALIDs https://stats.labs.apnic.net/roa/BD https://bgp.he.net/ Last updated: 30 Nov 2022
- 18 v1.0 18 What Happens to Your INVALIDs • Many big providers blocking it already q Traffic may choose suboptimal path • You may not realize if your INVALIDs are dropped q Local providers might not drop it yet • Your aggregated prefix might be VALID q Hence no impact realized q But TE might not work as expected
- 19 v1.0 19 https://www.apnic.net/community/security/resource-certification/#routing
- 20 v1.0 20 Any questions?
- 21