Internet Resource Certification (RPKI): Building a More Secure Internet

TATT Workshops, Port of Spain

Carlos Martínez Cagnazzo
carlos @ lacnic.net

Attacks on routing: IP hijacks

How Internet number resources are managed

[Diagram: the allocation hierarchy. IANA at the top; below it the five RIRs (ARIN, LACNIC, APNIC, RIPE NCC, AfriNIC); below the RIRs the NIRs and LIRs/ISPs (NIC.br, NIC.MX, ISP #1, ISP mx, LIRs/ISPs); end users at the bottom.]

How Internet number resources are managed (ii)

• What do we mean by resources
  – IPv4 Addresses
  – IPv6 Addresses
  – Autonomous System Numbers
    • Both 16 and 32 bits
• Foundational document: RFC 2050
  – "IP Registry Allocation Guidelines"
• Each RIR is the authoritative source on the relationship between users/holders and resources
  – Each RIR operates a registry database

Routing in the Internet

[Diagram: ASN 20 announces 10.1.0.0/16. The 10.1.0.0/16 prefix propagates across ASs (ASN1, ASN 2, ASN 3) via BGP sessions; ASN 10 receives the prefix 10.1.0.0/16 with attributes: 10.1.0.0/16 AS_PATH ASN1 ASN3 ASN20.]

Routing in the Internet (ii)

• BGP chooses routes using a decision algorithm and the values of the available attributes
• AS_PATH is a list of the autonomous systems a given UPDATE has traversed
  – The first entry is the AS originating the route ("origin-as")

[Diagram: the same topology (ASN1, ASN 2, ASN 3, ASN 10, ASN 20). In this case ASN 20 is the "origin-as" for 10.1/16.]

Who has the "right" to use resources?

• When an ISP obtains resources from its RIR (IPv6/IPv4/ASN):
  – The ISP has to notify its upstream ASNs which prefixes are going to be announced via BGP
  – This is usually done via e-mail, web forms or by updating an IRR (Internet Routing Registry)
• Upstreams verify (or at least they should) the right of use for the announced resources
  – RIR WHOIS: text-based and not really suitable for automatic usage
  – IRR WHOIS: non-signed information; few additional tools are provided for verification of usage rights except for names, phone numbers and email POCs
• This verification process is sometimes not as thorough as it should be

Checking usage rights for a resource

• Network administrators
  – Local checks in routing infrastructure
    • Require the previous step (registering the route object with an IRR)
  – Router protection
  – Routing protocol integrity
    • Peer authentication
• Filtering known-invalid routes
  – RFC 1918 prefix filtering
  – Bogon filtering
• In the end the integrity of the routing system depends on ad-hoc trust relationships between peers

Route Hijacking

• When an entity participating in Internet routing announces a prefix without authorization we face a route hijack
• It can be either malicious or due to operational mistakes
• Some well-known cases:
  – Pakistan Telecom vs. YouTube (2008)
  – China Telecom (2010)
  – Google in Eastern Europe (various ASs, 2010)
  – Some occurrences in our region (January/February 2011)

Route Hijacking (ii)

[Diagram: AS 6057 announces 200.40/16 while AS 15358 announces 200.40/24. AS 8158 gets both 200.40.0.0/16 and 200.40.235.0/24: 200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057; 200.40.235.0/24 AS_PATH ASN1 ASN3 ASN6057.]

Route Hijacking (iii)

• RIPE NCC Video
  – http://www.youtube.com/watch?v=IzLPKuAOe50

Resource PKI

• Resource Public Key Infrastructure
  – Goal: create a system that allows the certification of usage rights for Internet numbering resources
  – High-level overview
    • Use of X.509 v3 certificates
    • Apply RFC 3779 extensions to these certificates. These extensions allow Internet resources (IPv4/IPv6/ASNs) to be carried as fields within certificates
    • A way to automatically validate the origin-as of a BGP UPDATE
  – Standardization Activities
    • IETF SIDR working group
  – Implementation Activities
    • RIRs

Resource PKI (ii)

• Automated origin validation for route announcements
• The entity with usage rights for a resource signs the origin-as field of a PKI object
• The following procedures are applied to validate RPKI certificates and routing information objects:
  – The cryptographic validity of the RPKI certificate chain (just like any other PKI)
  – The CIDR inclusion properties of IP addresses
• In this way it becomes more difficult for a third party to inject invalid data into the routing system

Resource PKI (iii)

[Diagram: the components of the system: RPKI Management System, Repository and Cache.]

Resource PKI (iv)

• All RPKI signed objects are listed in public repositories
• After verification, these objects can be used to configure filtering in routers
• Validation Process
  – Signed objects have references to the certificate used to sign them
  – Each certificate has a pointer to an upper level certificate
  – The resources listed in a certificate MUST be valid subsets of the resources listed in its parent's certificate
  – In this way a trust chain can be traced to a "trust anchor", both cryptographically as well as in CIDR terms

X.509 v3 certificates with RFC 3779 extensions

• X.509 Digital Certificates
  – Subject, validity period, public key and other fields
• With extensions:
  – RFC 3779 defines extensions that allow the representation of Internet resources as certificate fields
• List of IPv4, IPv6 and ASNs assigned to an organization
• Implemented in OpenSSL 1.0c onwards
  – It has to be specifically enabled when running "./configure"

[Diagram: certificate layout: Version, Serial Number, Signature Algorithm, Issuer, Subject, Subject Public Key, Extensions (Subject Information Authority (SIA), Authority Information Access (AIA), Addr: 10.10.10.0, Asid: 65535).]

Certificates with RFC 3779 extensions

• "IP Delegation" Section
  – Special value: "INHERITED"
• "AS Delegation" Section
  – Special value: "INHERITED"
• Validation Process
  – It involves the validation of the resources

[Diagram: the same certificate layout: Version, Serial Number, Signature Algorithm, Issuer, Subject, Subject Public Key, Extensions (Subject Information Authority (SIA), Authority Information Access (AIA), Addr: 10.10.10.0, Asid: 65535).]

RPKI Structure

[Diagram: the certificate hierarchy. The RTA is the self-signed certificate in the hierarchy: "LACNIC RTA" (LACNIC resources) signs the "LACNIC Production" certificate (resources marked <<INHERITED>>); the signature chain continues down to ISP #1 (ISP #1 Resources) and ISP #2 (ISP #2 Resources), and below ISP #1 an End User CA #1 (EU #1 Resources). Each of these issues ROAs, each ROA carrying its own End Entity cert.]

RPKI Structure (ii)

• CAs
  – Certificate-signing entity (CA bit = 1)
    • ISPs can use this certificate to sign their clients' certificates
• Certificate Repository
  – The repository contains certificates, CRLs, ROAs and manifests
  – Accessible via "rsync"
• Management Interface
  – Web interface for those who prefer "hosted" mode

RPKI Management for Users

• "Hosted" mode
  – LACNIC emits the resource certificate for an organization and guards both private and public keys
    • Certificates are emitted when requested by LACNIC member organizations
  – Users can manage their RPKI objects using a user-friendly web interface provided by LACNIC
• "Delegated" mode
  – An organization creates its own resource certificate
  – This certificate is submitted to LACNIC for signing. LACNIC returns the signed certificate.
    • "Up-down" protocol

Services provided by the RPKI CA

• Emitting child resource certificates when changes to the registry database occur or when solicited by a resource holder
• Child certificate revocation when solicited by a resource holder
• CRL periodic update
• Publishing child certificates, trust anchor and auxiliary objects in a public repository (rsync)

Resource Certificate

ROAs

• ROAs: Routing Origin Authorization
  – ROAs contain data on the allowed origin-as for a set of prefixes
  – ROAs are signed using the certificates generated by the RPKI
  – Signed ROAs are copied to the repository

ROAs (ii)

• A simplified ROA contains the following information:
• This ROA states that:
  – "The prefix 200.40.0.0/17 will be originated by ASN 6057 and could be de-aggregated up to /20"
  – "This statement is valid starting on Jan 2, 2011 until Jan 1, 2012"
• Other ROA content
  – ROAs contain cryptographic material that allows validation of the ROA's content

ROAs (iii)

• Contents of a ROA
  – An end-entity certificate with resources
  – A list of "route origin attestations"

[Diagram: a ROA made of an End Entity Certificate holding 200/8 and 172.17/16, plus the attestations 200.40.0.0/20-24 -> AS 100 and 172.17.0.0/16-19 -> AS 100.]

ROAs (iii) - Validation

• In order to validate a ROA three steps have to be performed
  – Crypto validation of the public keys and signatures included in the EE certificates inside each ROA
  – CIDR inclusion checking of resources listed in the EE certificate
  – CIDR inclusion checking of resources in the route origin attestations. These resources have to be included in the resources listed in the EE certificate
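The two CIDR inclusion steps above, together with the rule from the "Resource PKI (iv)" slide that a certificate's resources MUST be a subset of its parent's, as an added example that is not part of the presentation or of any RIR's validator. The certificate hierarchy (RTA, an INHERITED production CA, an ISP, an EE certificate) and the ROA contents are constructed to mirror the slides; the signature check (step 1) is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
INHERITED = "INHERITED"  # RFC 3779 marker: the resource set is taken from the issuing certificate

@dataclass
class ResourceCert:
    """A resource certificate reduced to what the CIDR checks need; signatures are not modelled."""
    name: str
    prefixes: Union[List[str], str]           # CIDR strings, or INHERITED
    asns: Union[List[Tuple[int, int]], str]   # inclusive (min, max) AS ranges, or INHERITED
    parent: Optional["ResourceCert"] = None   # None marks the trust anchor

@dataclass
class Attestation:
    """One route origin attestation inside a ROA: prefix, max length, authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int

def _resolve(cert: ResourceCert, attr: str):
    """Follow INHERITED up the chain until an ancestor lists that resource type explicitly."""
    c = cert
    while getattr(c, attr) == INHERITED:
        if c.parent is None:
            raise ValueError(f"{c.name}: a trust anchor cannot inherit {attr}")
        c = c.parent
    return getattr(c, attr)

def effective_prefixes(cert: ResourceCert) -> List[Network]:
    return [ipaddress.ip_network(p) for p in _resolve(cert, "prefixes")]

def effective_asns(cert: ResourceCert) -> List[Tuple[int, int]]:
    return list(_resolve(cert, "asns"))

def prefixes_within(child: List[Network], parent: List[Network]) -> bool:
    """Every child network must lie inside some parent network of the same address family."""
    return all(any(c.version == p.version and c.subnet_of(p) for p in parent) for c in child)

def asns_within(child: List[Tuple[int, int]], parent: List[Tuple[int, int]]) -> bool:
    """Every child AS range must lie inside some parent AS range."""
    return all(any(p_lo <= c_lo and c_hi <= p_hi for p_lo, p_hi in parent) for c_lo, c_hi in child)

def check_chain(cert: ResourceCert) -> List[str]:
    """Walk from cert to the trust anchor; each hop's resources must be a subset of its parent's."""
    problems = []
    c = cert
    while c.parent is not None:
        if not prefixes_within(effective_prefixes(c), effective_prefixes(c.parent)):
            problems.append(f"{c.name}: IP resources exceed those of {c.parent.name}")
        if not asns_within(effective_asns(c), effective_asns(c.parent)):
            problems.append(f"{c.name}: AS resources exceed those of {c.parent.name}")
        c = c.parent
    return problems

def check_roa(ee_cert: ResourceCert, attestations: List[Attestation]) -> List[str]:
    """CIDR part of ROA validation: the chain, then every attestation inside the EE certificate."""
    problems = check_chain(ee_cert)
    ee_nets = effective_prefixes(ee_cert)
    for a in attestations:
        net = ipaddress.ip_network(a.prefix)
        if not net.prefixlen <= a.max_length <= net.max_prefixlen:
            problems.append(f"{a.prefix}: max length {a.max_length} outside [{net.prefixlen}, {net.max_prefixlen}]")
        if not prefixes_within([net], ee_nets):
            problems.append(f"{a.prefix}: not covered by the EE certificate's resources")
    return problems

# Constructed hierarchy modelled on the slides: RTA -> Production CA (INHERITED) -> ISP #1 -> EE cert.
RTA = ResourceCert("LACNIC RTA", ["200.0.0.0/8", "172.17.0.0/16", "2001:1200::/23"], [(27000, 28999)])
PRODUCTION = ResourceCert("LACNIC Production", INHERITED, INHERITED, parent=RTA)
ISP1 = ResourceCert("ISP #1", ["200.0.0.0/8", "172.17.0.0/16"], [(28000, 28000)], parent=PRODUCTION)
EE = ResourceCert("ROA EE cert", ["200.0.0.0/8", "172.17.0.0/16"], [], parent=ISP1)

GOOD_ROA = [Attestation("200.40.0.0/20", 24, 100), Attestation("172.17.0.0/16", 19, 100)]
# Two defects: a max length shorter than the prefix, and a prefix the EE certificate does not hold.
BAD_ROA = [Attestation("200.40.0.0/20", 19, 100), Attestation("10.1.0.0/16", 16, 100)]
# A child claiming space its parent never held fails the chain check, whatever its own contents.
SMALL_CA = ResourceCert("Small CA", ["172.17.0.0/16"], [], parent=RTA)
ROGUE_CHILD = ResourceCert("Rogue child", ["200.40.0.0/16"], [], parent=SMALL_CA)

if __name__ == "__main__":
    print("good ROA:", check_roa(EE, GOOD_ROA) or "no CIDR problems")
    for p in check_roa(EE, BAD_ROA) + check_chain(ROGUE_CHILD):
        print("problem:", p)
```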
  
RPKI in Action

[Diagram: an UPDATE arrives at a router. Routers assign a "validity status" to the route included in an UPDATE; the Cache periodically updates the router with a list of validated prefixes.]

RPKI in Action (ii)

• The validation process is split in two parts
  – Crypto and CIDR validation of ROAs and certificates
    • Performed by the validating cache
  – Validation of routes in BGP UPDATEs
    • Performed by the BGP speakers in the network
• A special protocol called RTR is being worked on by the IETF for Router - Cache communication

RPKI in Action (iii)

• Cache
  – Repository content is downloaded via RSYNC
  – Certificates and ROAs are validated
    • Cryptographically (signature chain)
    • Correct CIDR resource inclusion
• In the routers
  – A database of prefix <-> origin-as relationships is built

BGP interaction

• Routers build a database with the information they receive from the caches
• This table contains
  – Prefix
  – Min length
  – Max length
  – Origin-AS
• By applying a set of rules a validity status is assigned to each UPDATE prefix

BGP interaction (ii)

  IP prefix/[min_len – max_len]    Origin AS
  172.16.0.0/[16-20]               10
  200.0.0.0/[8-21]                 20

  UPDATE 200.0.0.0/9, ORIGIN-AS 20  ->  VALID

• If the "UPDATE pfx" is not covered by any entry in the DB -> "not found"
• If the "UPDATE pfx" is covered by at least one entry in the DB, and the origin-AS matches the ASNs in the DB -> "valid"
• If the origin-AS does NOT match -> "invalid"

Tools

• Validators
  – RIPE
    • http://labs.ripe.net/Members/agowland/ripe-ncc-validator-for-resource-certification/view
  – rcynic
    • http://subvert-rpki.hactrn.net/rcynic/
• Visualization and statistics
  – Built on top of the validators' output

Validation – RIPE Labs

Validation (ii)

• Example:
  – Top-down validation of the LACNIC repository, exporting the validated prefixes to a CSV
• Step 1: download the LACNIC RTA
  – wget --output-document=./trust-anchors/ta-lacnic.cer https://rpki.lacnic.net/rpki/rootcert
• Step 2: run the validation
  – ./ripencc-rpki-validator/bin/certification-validator --top-down -o validator/ -t ./trust-anchors/ta-lacnic.cer -r lacnic-roas.csv

Validation (iii)

• Validated ROAs and prefixes (lacnic-roas.csv)

URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/UTt-N3nQ91lGZh0jvWpPN-KirQ4.roa",AS28000,200.7.84.0/23,24,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/UTt-N3nQ91lGZh0jvWpPN-KirQ4.roa",AS28000,2001:13c7:7001::/48,48,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/nfNV84A_GA8ZPeCMR4jX1qe557o.roa",AS28001,200.3.12.0/22,24,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/nfNV84A_GA8ZPeCMR4jX1qe557o.roa",AS28001,2001:13c7:7002::/48,48,2011-01-07 02:00:00,2012-08-05 03:00:00
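The validity rules from the "BGP interaction (ii)" slide, applied to a prefix/origin-AS table loaded from validator output in the CSV layout shown above, as an added example that is not code from the presentation, from LACNIC or from either validator. The CSV rows are constructed (made-up URIs; the prefix/AS pairs mirror the slide's table plus the 200.40.0.0/17 -> AS 6057 ROA from the ROAs (ii) slide), and the too-specific case is handled the way RFC 6811 does: a route covered by a ROA but longer than its max length is "invalid", not "not found", which is what the "up to /20" wording implies.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the validator's CSV layout (URI,ASN,IP Prefix,Max Length,Not Before,Not After).
# URIs and file names are made up; the rows mirror the "BGP interaction (ii)" table plus the
# 200.40.0.0/17 -> AS 6057 (max /20, valid Jan 2 2011 to Jan 1 2012) ROA from the "ROAs (ii)" slide.
SAMPLE_CSV = """URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://repository.example.net/rpki/hosted/EXAMPLE-1.roa",AS10,172.16.0.0/16,20,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.example.net/rpki/hosted/EXAMPLE-2.roa",AS20,200.0.0.0/8,21,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.example.net/rpki/hosted/EXAMPLE-3.roa",AS6057,200.40.0.0/17,20,2011-01-02 00:00:00,2012-01-01 00:00:00
"""

@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: the router-side table row plus the ROA's validity window."""
    prefix: Network
    max_length: int
    origin_as: int
    not_before: datetime
    not_after: datetime

def parse_asn(text: str) -> int:
    """Accept both 'AS28000' (validator output) and a bare number."""
    text = text.strip()
    return int(text[2:]) if text.upper().startswith("AS") else int(text)

def load_vrps(csv_text: str) -> List[VRP]:
    """Parse validator CSV output into VRPs, rejecting rows whose max length is impossible."""
    vrps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["IP Prefix"].strip())
        max_len = int(row["Max Length"])
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"{row['URI']}: max length {max_len} impossible for {net}")
        vrps.append(VRP(
            prefix=net,
            max_length=max_len,
            origin_as=parse_asn(row["ASN"]),
            not_before=datetime.strptime(row["Not Before"].strip(), "%Y-%m-%d %H:%M:%S"),
            not_after=datetime.strptime(row["Not After"].strip(), "%Y-%m-%d %H:%M:%S"),
        ))
    return vrps

def covers(vrp: VRP, route: Network) -> bool:
    """A VRP covers a route when the route prefix lies inside the VRP prefix (same address family)."""
    return route.version == vrp.prefix.version and route.subnet_of(vrp.prefix)

def validity_status(vrps: List[VRP], prefix: str, origin_as: int, as_of: datetime) -> str:
    """Classify an UPDATE's prefix/origin-AS pair as 'not found', 'valid' or 'invalid'.

    A covered route that is too specific (longer than max length) or comes from the wrong AS
    is 'invalid', not 'not found': that is what protects a /17 ROA against a /24 announcement.
    Only ROAs whose validity window contains as_of take part.
    """
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if v.not_before <= as_of <= v.not_after and covers(v, route)]
    if not covering:
        return "not found"
    if any(route.prefixlen <= v.max_length and v.origin_as == origin_as for v in covering):
        return "valid"
    return "invalid"

VRPS = load_vrps(SAMPLE_CSV)
AS_OF = datetime(2011, 6, 1)        # inside every sample ROA's validity window
TOO_EARLY = datetime(2011, 1, 5)    # only the AS 6057 ROA is in force yet

if __name__ == "__main__":
    for pfx, asn in [("200.0.0.0/9", 20), ("172.16.0.0/21", 10), ("10.1.0.0/16", 20),
                     ("200.40.0.0/18", 6057), ("200.40.235.0/24", 6057)]:
        print(f"{pfx:18} origin AS {asn:<6} -> {validity_status(VRPS, pfx, asn, AS_OF)}")
```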
Visualizing RPKI

• Source:
  – http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/
  – Hilbert maps colored according to the address space covered by ROAs:

The LACNIC RPKI System

• RPKI in hosted mode is in production state since 1/1/2011
• To use it you only need:
  – Have your Administrative Contact details (username and password) at hand to create certificates
  – Have your Technical Contact details (username and password) at hand to create ROAs
• Where is it? http://rpki.lacnic.net/

Final remarks

• Possible uses of RPKI while not all routers are able to validate
  – Bridges between IRRd and RPKI
  – Bridges between WHOIS and RPKI
  – Offline processing of BGP tables from routers
• A variety of freely available tools exists for RPKI
• The repositories of the 5 RIRs can be downloaded freely via rsync
  – rsync -avz rsync://repository.lacnic.net/rpki/ ./rpki

Links / References

• The LACNIC RPKI System
  – http://rpki.lacnic.net/
• LACNIC's RSYNC Repository
  – rsync://repository.lacnic.net/rpki/
• Listing the repository
  – rsync --list-only rsync://repository.lacnic.net/rpki/lacnic/
• Some RPKI Statistics
  – http://www.labs.lacnic.net/~rpki

Thank You!
Questions?
carlos @ lacnic.net
Twitter @carlosm3011

Como brindar servicio de Internet (casi) sin IPv4Como brindar servicio de Internet (casi) sin IPv4
Como brindar servicio de Internet (casi) sin IPv4
 
Evolución del stack de protocolos de Internet - IPv6 y QUIC
Evolución del stack de protocolos de Internet - IPv6 y QUICEvolución del stack de protocolos de Internet - IPv6 y QUIC
Evolución del stack de protocolos de Internet - IPv6 y QUIC
 
RPKI en America Latina y el Caribe
RPKI en America Latina y el CaribeRPKI en America Latina y el Caribe
RPKI en America Latina y el Caribe
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident Responders
 
Evolución de Protocolos de Internet 2017
Evolución de Protocolos de Internet 2017Evolución de Protocolos de Internet 2017
Evolución de Protocolos de Internet 2017
 
Actualización sobre DNS en el IETF para LACNIC 28
Actualización sobre DNS en el IETF para LACNIC 28Actualización sobre DNS en el IETF para LACNIC 28
Actualización sobre DNS en el IETF para LACNIC 28
 
IPv6 Routing Table Prefix Size Analysis
IPv6 Routing Table Prefix Size AnalysisIPv6 Routing Table Prefix Size Analysis
IPv6 Routing Table Prefix Size Analysis
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
Internet of Things en el Dia de Internet
Internet of Things en el Dia de InternetInternet of Things en el Dia de Internet
Internet of Things en el Dia de Internet
 
Monitoreo de Red para Peering
Monitoreo de Red para PeeringMonitoreo de Red para Peering
Monitoreo de Red para Peering
 
An IPv6 Primer
An IPv6 PrimerAn IPv6 Primer
An IPv6 Primer
 
Introduccion a RPKI - Certificacion de Recursos de Internet
Introduccion a RPKI - Certificacion de Recursos de InternetIntroduccion a RPKI - Certificacion de Recursos de Internet
Introduccion a RPKI - Certificacion de Recursos de Internet
 
Enabling IPv6 Services Transparently
Enabling IPv6 Services TransparentlyEnabling IPv6 Services Transparently
Enabling IPv6 Services Transparently
 
LACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 WorldLACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 World
 
Seguridad de la Información para Traductores
Seguridad de la Información para TraductoresSeguridad de la Información para Traductores
Seguridad de la Información para Traductores
 
Mitigación de denegaciones de servicio en DNS con RRL
Mitigación de denegaciones de servicio en DNS con RRLMitigación de denegaciones de servicio en DNS con RRL
Mitigación de denegaciones de servicio en DNS con RRL
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
IPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsIPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPs
 
Una introduccion a IPv6
Una introduccion a IPv6Una introduccion a IPv6
Una introduccion a IPv6
 
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estadoNAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

An Overview of RPKI

  • 1. Internet Resource Certification (RPKI): Building a More Secure Internet
    TATT Workshops, Port of Spain
    Carlos Martínez Cagnazzo, carlos @ lacnic.net
  • 2. Attacks on routing: IP hijacks
  • 3. How Internet number resources are managed
    [Diagram: allocation hierarchy. IANA → the five RIRs (ARIN, LACNIC, APNIC, RIPE NCC, AfriNIC) → ISPs, NIRs (NIC.br, NIC.MX) and LIRs → end users (ISP #1, ISP mx)]
  • 4. How Internet number resources are managed (ii)
    • What do we mean by resources
      – IPv4 Addresses
      – IPv6 Addresses
      – Autonomous System Numbers
        • Both 16 and 32 bits
    • Foundational document: RFC 2050
      – "IP Registry Allocation Guidelines"
    • Each RIR is the authoritative source on the relationship between users/holders and resources
      – Each RIR operates a registry database
  • 5. Routing in the Internet
    [Diagram: ASN 20 announces 10.1.0.0/16. The 10.1.0.0/16 prefix propagates across ASs (ASN 1, ASN 2, ASN 3) via BGP sessions. ASN 10 receives the prefix 10.1.0.0/16 with attributes: 10.1.0.0/16 AS_PATH ASN1 ASN3 ASN20]
  • 6. Routing in the Internet (ii)
    • BGP chooses routes using a decision algorithm and the values of the available attributes
    • AS_PATH is a list of the autonomous systems a given UPDATE has traversed
      – The first entry is the AS originating the route ("origin-as")
    [Diagram: same topology as slide 5; in this case ASN 20 is the "origin-as" for 10.1/16]
  • 7. Who has the "right" to use resources?
    • When an ISP obtains resources from its RIR (IPv6/IPv4/ASN):
      – The ISP has to notify its upstream ASNs which prefixes are going to be announced via BGP
      – This is usually done via e-mail, web forms or by updating an IRR (Internet Routing Registry)
    • Upstreams verify (or at least they should) the right of use for the announced resources
      – RIR WHOIS: text-based and not really suitable for automatic usage
      – IRR WHOIS: non-signed information, little additional tooling provided for verification of usage rights except for names, phone numbers and email POCs
    • This verification process is sometimes not as thorough as it should be
  • 8. Checking usage rights for a resource
    • Network administrators
      – Local checks in routing infrastructure
        • Require the previous step (registering the route object with an IRR)
      – Router protection
      – Routing protocol integrity
        • Peer authentication
        • Filtering known-invalid routes
          – RFC 1918 prefix filtering
          – Bogon filtering
    • In the end the integrity of the routing system depends on ad-hoc trust relationships between peers
  • 9. Route Hijacking
    • When an entity participating in Internet routing announces a prefix without authorization we face a route hijack
    • It can be either malicious or due to operational mistakes
    • Some well-known cases:
      – Pakistan Telecom vs. YouTube (2008)
      – China Telecom (2010)
      – Google in Eastern Europe (various ASs, 2010)
      – Some occurrences in our region (January/February 2011)
  • 10. Route Hijacking (ii)
    [Diagram: AS 6057 announces 200.40.0.0/16; AS 15358 announces the more specific 200.40.235.0/24; AS 8158 receives both 200.40.0.0/16 and 200.40.235.0/24. Attributes as shown on the slide: 200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057; 200.40.235.0/24 AS_PATH ASN1 ASN3 ASN6057]
  • 11. Route Hijacking (iii)
    • RIPE NCC Video
      – http://www.youtube.com/watch?v=IzLPKuAOe50
  • 12. Resource PKI
    • Resource Public Key Infrastructure
      – Goal: create a system that allows the certification of usage rights for Internet numbering resources
      – High-level overview
        • Use of X.509 v3 certificates
        • Apply RFC 3779 extensions to these certificates. These extensions allow Internet resource (IPv4/IPv6/ASN) fields within certificates
        • A way to automatically validate the origin-as of a BGP UPDATE
      – Standardization activities
        • IETF SIDR working group
      – Implementation activities
        • RIRs
  • 13. Resource PKI (ii)
    • Automated origin validation for route announcements
    • The entity with usage rights for a resource signs the origin-as field of a PKI object
    • The following procedures are applied to validate RPKI certificates and routing information objects:
      – The cryptographic validity of the RPKI certificate chain (just like any other PKI)
      – The CIDR inclusion properties of IP addresses
    • In this way it becomes more difficult for a third party to inject invalid data into the routing system
  • 14. Resource PKI (iii)
    [Diagram: the three components: RPKI Management System, Repository, Cache]
  • 15. Resource PKI (iv)
    • All RPKI signed objects are listed in public repositories
    • After verification, these objects can be used to configure filtering in routers
    • Validation process
      – Signed objects have references to the certificate used to sign them
      – Each certificate has a pointer to an upper-level certificate
      – The resources listed in a certificate MUST be valid subsets of the resources listed in its parent's certificate
      – In this way a trust chain can be traced to a "trust anchor", both cryptographically and in CIDR terms
  • 16. X.509 v3 certificates with RFC 3779 extensions
    • X.509 Digital Certificates
      – Subject, validity period, public key and other fields
    • With extensions:
      – RFC 3779 defines extensions that allow the representation of Internet resources as certificate fields
        • List of IPv4, IPv6 and ASNs assigned to an organization
    • Implemented in OpenSSL 1.0c onwards
      – It has to be specifically enabled when running "./configure"
    [Diagram: certificate layout: Version, Serial Number, Signature Algorithm, Issuer, Subject, Subject Public Key, Extensions: Subject Information Authority (SIA), Authority Information Access (AIA), Addr: 10.10.10.0, Asid: 65535]
  • 17. Certificates with RFC 3779 extensions
    • "IP Delegation" section
      – Special value: "INHERITED"
    • "AS Delegation" section
      – Special value: "INHERITED"
    • Validation process
      – It involves the validation of the resources
    [Diagram: same certificate layout as slide 16]
  • 18. RPKI Structure
    [Diagram: signature chain. LACNIC RTA (LACNIC resources) → LACNIC Production (<<INHERITED>>) → ISP #1 (ISP #1 resources) and ISP #2 (ISP #2 resources) → End User CA #1 (EU #1 resources). Each CA issues ROAs, each with its own end-entity certificate. The RTA is the self-signed certificate at the top of the hierarchy]
  • 19. RPKI Structure (ii)
    • CAs
      – Certificate-signing entity (CA bit = 1)
        • ISPs can use this certificate to sign their clients' certificates
    • Certificate Repository
      – The repository contains certificates, CRLs, ROAs and manifests
      – Accessible via "rsync"
    • Management Interface
      – Web interface for those who prefer "hosted" mode
  • 20. RPKI Management for Users
    • "Hosted" mode
      – LACNIC issues the resource certificate for an organization and guards both private and public keys
        • Certificates are issued when requested by LACNIC member organizations
      – Users can manage their RPKI objects using a user-friendly web interface provided by LACNIC
    • "Delegated" mode
      – An organization creates its own resource certificate
      – This certificate is submitted to LACNIC for signing. LACNIC returns the signed certificate.
        • "Up-down" protocol
  • 21. Services provided by the RPKI CA
    • Issuing child resource certificates when changes to the registry database occur or when solicited by a resource holder
    • Child certificate revocation when solicited by a resource holder
    • CRL periodic update
    • Publishing child certificates, trust anchor and auxiliary objects in a public repository (rsync)
  • 23. ROAs
    • ROAs: Routing Origin Authorization
      – ROAs contain data on the allowed origin-as for a set of prefixes
      – ROAs are signed using the certificates generated by the RPKI
      – Signed ROAs are copied to the repository
  • 24. ROAs (ii)
    • A simplified ROA contains the following information:
    [Table: simplified ROA fields]
    • This ROA states that:
      – "The prefix 200.40.0.0/17 will be originated by ASN 6057 and could be de-aggregated up to /20" "This statement is valid starting on Jan 2, 2011 until Jan 1, 2012"
    • Other ROA content
      – ROAs contain cryptographic material that allows validation of the ROA's content
  • 25. ROAs (iii)
    • Contents of a ROA
      – An end-entity certificate with resources
      – A list of "route origin attestations"
    [Diagram: ROA = End Entity Certificate (resources 200/8, 172.17/16) + route origin attestations: 200.40.0.0/20-24 -> AS 100; 172.17.0.0/16-19 -> AS 100]
  • 26. ROAs (iii) - Validation
    • In order to validate a ROA three steps have to be performed
      – Crypto validation of the public keys and signatures included in the EE certificates inside each ROA
      – CIDR inclusion checking of resources listed in the EE certificate
      – CIDR inclusion checking of resources in the route origin attestations. These resources have to be included in the resources listed in the EE certificate
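The non-cryptographic half of the validation on slides 15-17 and 26 (resource inclusion down the chain, the INHERITED value, and a ROA's attestations against its EE certificate), as an added Python example that is not code from the slides, LACNIC or any validator. Signature checking is assumed to have been done by a real validator; the certificate chain modelled on slide 18 and all resource sets are constructed sample data.

```python
"""RFC 3779 resource-inclusion check down an RPKI certificate chain.

Added example; not code from the slides, LACNIC or any validator.
Signature checking is assumed to have passed already. Here every
certificate's resources must be a subset of its issuer's ("INHERITED"
takes the issuer's set), and a ROA's attestations must fit inside its
end-entity certificate.  Names and resource sets are constructed data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import List, Tuple, Union

INHERITED = "INHERITED"          # special value from slide 17
Net = Union[IPv4Network, IPv6Network]
AsRange = Tuple[int, int]        # inclusive (first, last) ASN range


@dataclass
class Cert:
    name: str
    ip_resources: Union[str, List[str]]        # prefixes, or INHERITED
    as_resources: Union[str, List[AsRange]]    # ASN ranges, or INHERITED


def prefix_covered(child: Net, parents: List[Net]) -> bool:
    """True if some parent prefix of the same address family contains child."""
    return any(child.version == p.version and child.subnet_of(p) for p in parents)


def asn_covered(child: AsRange, parents: List[AsRange]) -> bool:
    lo, hi = child
    return any(plo <= lo and hi <= phi for plo, phi in parents)


def validate_chain(chain: List[Cert]) -> Tuple[List[Net], List[AsRange]]:
    """chain[0] is the trust anchor; chain[i] is issued by chain[i-1].

    Returns the effective (IP, AS) resources of the last certificate, or
    raises ValueError naming the first certificate whose resources are not
    a subset of its issuer's (slide 15: child MUST be a subset of parent).
    """
    ta = chain[0]
    if INHERITED in (ta.ip_resources, ta.as_resources):
        raise ValueError(f"{ta.name}: a trust anchor cannot inherit resources")
    cur_ip = [ip_network(p) for p in ta.ip_resources]
    cur_as = list(ta.as_resources)
    for cert in chain[1:]:
        if cert.ip_resources != INHERITED:       # INHERITED keeps cur_ip as-is
            claimed = [ip_network(p) for p in cert.ip_resources]
            for net in claimed:
                if not prefix_covered(net, cur_ip):
                    raise ValueError(f"{cert.name}: {net} is not within its issuer's resources")
            cur_ip = claimed
        if cert.as_resources != INHERITED:
            for rng in cert.as_resources:
                if not asn_covered(rng, cur_as):
                    raise ValueError(f"{cert.name}: AS{rng[0]}-AS{rng[1]} is not within its issuer's resources")
            cur_as = list(cert.as_resources)
    return cur_ip, cur_as


def roa_status(chain: List[Cert], attestations: List[Tuple[str, int, int]]) -> str:
    """Steps 2 and 3 of slide 26 for one ROA.

    chain ends with the ROA's end-entity certificate; attestations are
    (prefix, max_length, origin_as).  Only IP resources are checked against
    the EE certificate: the origin AS in a ROA is the authorised announcer,
    not a resource the signer must hold.
    """
    try:
        ee_ip, _ = validate_chain(chain)
    except ValueError as err:
        return f"invalid: {err}"
    for prefix, max_len, origin_as in attestations:
        net = ip_network(prefix)
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            return f"invalid: maxLength {max_len} out of range for {prefix}"
        if not prefix_covered(net, ee_ip):
            return f"invalid: {prefix} (AS{origin_as}) is outside the EE certificate's resources"
    return "valid"


# Constructed chain modelled on slide 18: RTA -> production CA -> ISP -> EE.
RTA = Cert("LACNIC RTA", ["200.0.0.0/8", "2001:1200::/23"], [(6000, 6999), (27648, 28671)])
PRODUCTION = Cert("LACNIC Production", INHERITED, INHERITED)
ISP1 = Cert("ISP #1", ["200.40.0.0/16"], [(6057, 6057)])
EE_OK = Cert("ISP #1 ROA EE", ["200.40.0.0/17"], INHERITED)
EE_BAD = Cert("ISP #1 ROA EE (overclaim)", ["200.41.0.0/24"], INHERITED)

if __name__ == "__main__":
    # The ROA of slide 24: 200.40.0.0/17, origin AS 6057, de-aggregation up to /20.
    print(roa_status([RTA, PRODUCTION, ISP1, EE_OK], [("200.40.0.0/17", 20, 6057)]))
    print(roa_status([RTA, PRODUCTION, ISP1, EE_BAD], [("200.41.0.0/24", 24, 6057)]))
```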
  • 27. RPKI in Action
    [Diagram: a BGP UPDATE reaches the router. Routers assign a "validity status" to the route included in an UPDATE; the cache periodically updates the router with a list of validated prefixes]
  • 28. RPKI in Action (ii)
    • The validation process is split in two parts
      – Crypto and CIDR validation of ROAs and certificates
        • Performed by the validating cache
      – Validation of routes in BGP UPDATEs
        • Performed by the BGP speakers in the network
    • A special protocol called RTR is being worked on by the IETF for Router - Cache communication
  • 29. RPKI in Action (iii)
    • Cache
      – Repository content is downloaded via RSYNC
      – Certificates and ROAs are validated
        • Cryptographically (signature chain)
        • Correct CIDR resource inclusion
    • In the routers
      – A database of prefix <-> origin-as relationships is built
  • 30. BGP interaction
    • Routers build a database with the information they receive from the caches
    • This table contains
      – Prefix
      – Min length
      – Max length
      – Origin-AS
    • By applying a set of rules a validity status is assigned to each UPDATE prefix
  • 31. BGP interaction (ii)
    [Table: validated prefixes in the router]
      IP prefix/[min_len - max_len]   Origin AS
      172.16.0.0/[16-20]              10
      200.0.0.0/[8-21]                20
    Example: UPDATE 200.0.0.0/9, ORIGIN-AS 20 -> VALID
    • If the "UPDATE pfx" is not covered by any entry in the DB -> "not found"
    • If the "UPDATE pfx" is covered by at least one entry in the DB, and the origin-AS matches the ASNs in the DB -> "valid"
    • If the origin-AS does NOT match -> "invalid"
  • 32. Tools
    • Validators
      – RIPE
        • http://labs.ripe.net/Members/agowland/ripe-ncc-validator-for-resource-certification/view
      – rcynic
        • http://subvert-rpki.hactrn.net/rcynic/
    • Visualization and statistics
      – Built on the output of the validators
  • 34. Validation (ii)
    • Example:
      – Top-down validation of the LACNIC repository, exporting validated prefixes to a CSV
    • Step 1: download the LACNIC RTA
      – wget --output-document=./trust-anchors/ta-lacnic.cer https://rpki.lacnic.net/rpki/rootcert
    • Step 2: run the validation
      – ./ripencc-rpki-validator/bin/certification-validator --top-down -o validator/ -t ./trust-anchors/ta-lacnic.cer -r lacnic-roas.csv
  • 35. Validation (iii)
    • Validated ROAs and prefixes (lacnic-roas.csv)
      URI,ASN,IP Prefix,Max Length,Not Before,Not After
      "rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/UTt-N3nQ91lGZh0jvWpPN-KirQ4.roa",AS28000,200.7.84.0/23,24,2011-01-07 02:00:00,2012-08-05 03:00:00
      "rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/UTt-N3nQ91lGZh0jvWpPN-KirQ4.roa",AS28000,2001:13c7:7001::/48,48,2011-01-07 02:00:00,2012-08-05 03:00:00
      "rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/nfNV84A_GA8ZPeCMR4jX1qe557o.roa",AS28001,200.3.12.0/22,24,2011-01-07 02:00:00,2012-08-05 03:00:00
      "rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/nfNV84A_GA8ZPeCMR4jX1qe557o.roa",AS28001,2001:13c7:7002::/48,48,2011-01-07 02:00:00,2012-08-05 03:00:00
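The router-side part of the pipeline, as an added Python example that is not code from the slides, LACNIC or the RIPE NCC validator: it reads the CSV rows shown above into a prefix/max-length/origin-AS table and applies the three validity rules of slide 31 to sample UPDATE prefixes. It goes one step beyond the slide, as RFC 6811 does, by also enforcing Max Length; the UPDATE prefixes and the non-LACNIC origin AS are constructed, and validity dates are assumed to have been enforced by the validator that wrote the CSV.

```python
"""Route Origin Validation (ROV) against a validator's CSV export.

Added example; not code from the slides, the RIPE NCC validator or LACNIC.
Parses the CSV layout of slide 35 (URI,ASN,IP Prefix,Max Length,Not Before,
Not After) into a prefix/origin-AS table and applies the rules of slide 31,
generalised as in RFC 6811: a route covered by a matching-origin entry is
still "invalid" when its prefix length exceeds that entry's Max Length.
Not Before/Not After are assumed already enforced by the validator.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import List, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: prefix (its length is the min length), max length, origin AS."""
    prefix: Net
    max_len: int
    origin_as: int


def parse_validator_csv(text: str) -> List[VRP]:
    """Turn the validator's CSV (header + one row per ROA prefix) into VRPs."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        asn_field = row["ASN"].strip().upper()
        asn = int(asn_field[2:] if asn_field.startswith("AS") else asn_field)
        prefix = ip_network(row["IP Prefix"].strip())
        max_len = int(row["Max Length"])
        if not prefix.prefixlen <= max_len <= prefix.max_prefixlen:
            raise ValueError(f"bad Max Length {max_len} for {prefix} in {row['URI']}")
        vrps.append(VRP(prefix, max_len, asn))
    return vrps


def validity_status(vrps: List[VRP], route_prefix: str, origin_as: int) -> str:
    """Slide 31's rules: 'not found', 'valid' or 'invalid' for one UPDATE prefix."""
    route = ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        # A VRP covers the route when it is the same address family and contains it.
        if vrp.prefix.version != route.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # Match: covered, not more specific than Max Length, same origin AS.
        if route.prefixlen <= vrp.max_len and vrp.origin_as == origin_as:
            return "valid"
    return "invalid" if covered else "not found"


# The lacnic-roas.csv rows shown on slide 35, used here as the sample input.
SAMPLE_CSV = '''URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/UTt-N3nQ91lGZh0jvWpPN-KirQ4.roa",AS28000,200.7.84.0/23,24,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/UTt-N3nQ91lGZh0jvWpPN-KirQ4.roa",AS28000,2001:13c7:7001::/48,48,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/nfNV84A_GA8ZPeCMR4jX1qe557o.roa",AS28001,200.3.12.0/22,24,2011-01-07 02:00:00,2012-08-05 03:00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af9400104596/nfNV84A_GA8ZPeCMR4jX1qe557o.roa",AS28001,2001:13c7:7002::/48,48,2011-01-07 02:00:00,2012-08-05 03:00:00
'''

# The router table from slide 31, for the slide's own worked example.
SLIDE31_VRPS = [VRP(ip_network("172.16.0.0/16"), 20, 10), VRP(ip_network("200.0.0.0/8"), 21, 20)]

if __name__ == "__main__":
    table = parse_validator_csv(SAMPLE_CSV)
    # Constructed UPDATEs: exact match, too specific, wrong origin (AS65000), unknown prefix.
    for pfx, asn in [("200.7.84.0/24", 28000), ("200.7.84.0/25", 28000),
                     ("200.7.84.0/23", 65000), ("10.1.0.0/16", 20)]:
        print(f"{pfx:22} origin AS{asn:<6} -> {validity_status(table, pfx, asn)}")
    print(validity_status(SLIDE31_VRPS, "200.0.0.0/9", 20))   # slide 31: VALID
```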
  • 36. Visualizing RPKI
    • Source:
      – http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/
      – Hilbert maps colored according to the address space covered by ROAs
  • 37. The LACNIC RPKI System
    • RPKI in hosted mode has been in production since 1/1/2011
    • To use it you only need:
      – Have your Administrative Contact details (username and password) at hand to create certificates
      – Have your Technical Contact details (username and password) at hand to create ROAs
    • Where is it? http://rpki.lacnic.net/
  • 38. Final remarks
    • Possible uses of RPKI while not all routers are capable of validating
      – Bridges between IRRd and RPKI
      – Bridges between WHOIS and RPKI
      – Offline processing of BGP tables taken from routers
    • A variety of freely available tools exist for RPKI
    • The repositories of the 5 RIRs can be freely downloaded via rsync
      – rsync -avz rsync://repository.lacnic.net/rpki/ ./rpki
  • 39. Links / References
    • The LACNIC RPKI System
      – http://rpki.lacnic.net/
    • LACNIC's RSYNC Repository
      – rsync://repository.lacnic.net/rpki/
    • Listing the repository
      – rsync --list-only rsync://repository.lacnic.net/rpki/lacnic/
    • Some RPKI Statistics
      – http://www.labs.lacnic.net/~rpki
  • 40. Thank You! Questions? carlos @ lacnic.net, Twitter @carlosm3011