SlideShare uma empresa Scribd logo

Routing Security

RIPE NCC
RIPE NCC

Presentation given by Nathalie Trenaman online at the Lebanese University on 21 April 2021

Tecnologia
1 de 58
Baixar para ler offline
Nathalie Trenaman| 13 April 2021 | Lebanese University, Faculty of Sciences Routing Security
Introduction to BGP routing
3 Internet building blocks ASN (Autonomous System Number)
4 ASN (Autonomous System Number) Internet building blocks ASN Addresses Interconnect Autonomous System
5 Routing on the Internet “BGP protocol” Can I trust AS2? Routing table 
 194.x.x.x = AS2 Routing table 
 193.x.x.x = AS1 Is AS1 correct? AS1 
 193.x.x.x AS2 
 194.x.x.x AS2: “I have 194.x.x.x” AS1: “I have 193.x.x.x”
6 Route Propagation AS15 AS756 R1 AS33 AS164 66.2.9.0/24 M ED=700 MED=500 LP=100 LP=50 AS25 AS5 R2 LP=40 tra ffi c route
7 Accidents Happen • Fat Fingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
8 Incidents Are Common • 2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
9 How Bad Is It?
10 Routing on the Internet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” RIPE Database “Internet Routing Registry”
11 Problem Statement • Some IRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
• Problem Statement
13 Internet Routing Registry • Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE Region resources only - RADB allows paying customers to create any object - Lots of the other IRRs do not formally verify holdership
Introduction to RPKI
15 Resource Public Key Infrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
16 RPKI Certificate Structure Member Member Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
17 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
18 RPKI Chain of Trust RIPE NCC Root Certificate Self-signed ALL Resources Root’s private key signature public key
19 RPKI Chain of Trust LIR Certificate Signed by the Root private key LIR’s Resources Root’s private key signature public key
20 RPKI Adoption
21 Two elements of RPKI Signing Create your ROAs Validating Verifying others
ROAs
23 ROA (Route Origin Authorisation) • A ROA is… • LIRs can create a ROA for each one of their resources (IP address ranges) • Multiple ROAs can be created for an IP range • ROAs can overlap
24 What is in a ROA ? Prefix The network for which you are creating the ROA The ASN that’s supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA
25 RPKI Chain of Trust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
26 Route Origin Authorisation Prefix is authorised to be announced by AS Number LIR’s private key ROA signature
27 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
28 Hosted or Delegated RPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
29 Hosted RPKI • Automatic signing and key roll overs - One click setup of resource certificate - User has a valid and published certificate for as long as they are the holder of the resources - All the complexity is handled by the hosted system • Lets you focus on creating and publishing ROAs - Match your intended BGP configuration
30 Delegated RPKI • Run your own Certification Authority software - Dragon research Labs, RPKI toolkit - NLNetLabs, Krill • Setup connection with RIPE NCC CA • Generate a certificate and get it signed by the parent CA • Run your own repository
31 First login to the dashboard
32 Creating ROAs
33 Reviewing changes
34 Checking the effects
/23 35 193.0.24.0/21 AS2121 Max Length: /21 ROA 193.0.24.0/21 193.0.24.0/22 193.0.28.0/22 193.0.24.0/23 AS2121 Max Length: /24 ROA 193.0.30.0/23 AS2121 Max Length: /23 ROA ✖ ✖ ✔︎ /23 /23 /23 /23 /23 /24 /24 /24 /24 /24 /24 /24 /24 /24 /24 ✖ ✔︎✔︎✔︎✔︎ ✖ ✖ ✖ ✖ ✖ ✖ ✖
36 RPKI Adoption
37 ROA Adoption
38 ROA Accuracy
Validation Tools
40 Two elements of RPKI Signing Create your ROAs Validating Verifying others
41 Routing on the Internet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
42 Trust Anchor Locator (TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
43 RPKI Validators • Software that creates a local “validated cache” with all the valid ROAs - Downloads the RPKI repository from the RIRs - Validates the chain of trust of all the ROAs and associated CAs - Talks to your routers using the RPKI-RTR Protocol
44 Relying Party RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
45 RPKI-RTR ROAs ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES
46 Relying Party ROA AS111 10.0.7.30/22 AS222 10.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
47 RIPE NCC Validator • https://github.com/RIPE-NCC/rpki-validator • Version 3.1 • Java-based, web interface, white-list functionality • Can speak RPKI-RTR
48 Alternatives • All are open source: - Routinator - https://github.com/NLnetLabs/ routinator/ - FORT - https://github.com/NICMx/FORT-validator/ - OctoRPKI - https://github.com/cloudflare/cfrpki - RPKI-client - https://rpki-client.org/ - Prover - https://github.com/lolepezy/rpki-prover - Rpstir2 - https://github.com/bgpsecurity/rpstir2
ROA Validation
50 Two elements of RPKI Signing Create your ROAs Validating Verifying others
51 ROA Validation • Routers receive data from the validated cache via RPKI-RTR • Based on this and on BGP announcements, you have to make decisions - Accept or discard the BGP Announcement - As temporary measure, you could influence other attributes, such as Local Preference
52 ROAs ROAs ROA Validation BGP Validation VALID INVALID VALID INVALID UNKNOWN NOT FOUND
53 Invalid ROA • Invalid ROA - The ROA in the repository cannot be validated by the client (ISP) so it is not included in the validated cache • Invalid BGP announcement - There is a ROA in validated cache for that prefix but for a different AS. - Or the max length doesn’t match. • If no ROA in the cache then announcement is “unknown”
54 Whitelisting • If there is an invalid ROA for a network that’s important for you or your customers, you can whitelist it • This is done on your local validator software - It creates a “fake” ROA for the resources you want • It allows you to contact the operator to fix their ROA - Think of e-mail, contact forms, etc…
55 Take the Poll!
Status of RPKI ROV Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
57 Where do we go from here ? • RPKI is only one of the steps towards full BGP Validation - Paths are not validated • We need more building blocks - BGPSec (RFC) - ASPA (draft) - AS-Cones (draft)
Questions nathalie@ripe.net rpki@ripe.net

Recomendados

RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net ToolsBangladesh Network Operators Group
 
RPKI invalids aren't gone yet
RPKI invalids aren't gone yetRPKI invalids aren't gone yet
RPKI invalids aren't gone yetBangladesh Network Operators Group
 
Routing diff
Routing diffRouting diff
Routing diffBangladesh Network Operators Group
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...akg1330
 
BGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesBGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesAPNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusAPNIC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 

Recomendados

RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net ToolsBangladesh Network Operators Group
 
RPKI invalids aren't gone yet
RPKI invalids aren't gone yetRPKI invalids aren't gone yet
RPKI invalids aren't gone yetBangladesh Network Operators Group
 
Routing diff
Routing diffRouting diff
Routing diffBangladesh Network Operators Group
 
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro...akg1330
 
BGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesBGP Flexibility and Its Consequences
BGP Flexibility and Its ConsequencesAPNIC
 
A week with analysing RPKI status
A week with analysing RPKI statusA week with analysing RPKI status
A week with analysing RPKI statusAPNIC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
RPKI
RPKIRPKI
RPKIRIPE NCC
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6Ahmed AbdelSalam
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingAPNIC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust AnchorAPNIC
 
I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4Hussein Elmenshawy
 
Is IPv6 Really Faster?
Is IPv6 Really Faster?Is IPv6 Really Faster?
Is IPv6 Really Faster?APNIC
 
C Cpres
C CpresC Cpres
C Cpresramya5a
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Cisco Canada
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfRIPE NCC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. Qrator Labs
 

Mais conteúdo relacionado

Mais procurados

Certification
CertificationCertification
CertificationRIPE NCC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6Ahmed AbdelSalam
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingAPNIC
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust AnchorAPNIC
 
Is IPv6 Really Faster?
Is IPv6 Really Faster?Is IPv6 Really Faster?
Is IPv6 Really Faster?APNIC
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Cisco Canada
 

Mais procurados (16)

Certification
CertificationCertification
Certification
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Now
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
RPKI
RPKIRPKI
RPKI
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet Routing
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust Anchor
 
I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4
 
Is IPv6 Really Faster?
Is IPv6 Really Faster?Is IPv6 Really Faster?
Is IPv6 Really Faster?
 
C Cpres
C CpresC Cpres
C Cpres
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering Automation
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
 

Semelhante a Routing Security

ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfRIPE NCC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. Qrator Labs
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingAPNIC
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs APNIC
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIAPNIC
 
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG APNIC
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)NaveenLakshman
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingAPNIC
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)Fakrul Alam
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingAPNIC
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
INNOG 6: Cleaning up your RPKI invalides
INNOG 6: Cleaning up your RPKI invalidesINNOG 6: Cleaning up your RPKI invalides
INNOG 6: Cleaning up your RPKI invalidesAPNIC
 

Semelhante a Routing Security (20)

ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences. BGP Flexibility and its Consequences.
BGP Flexibility and its Consequences.
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet Routing
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKI
 
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG
State of RPKI in Cambodia and SEA, presentation by Shane Hermoso for KHNOG
 
Rpki -manrs_(7_september)
Rpki -manrs_(7_september)Rpki -manrs_(7_september)
Rpki -manrs_(7_september)
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet Routing
 
RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
INNOG 6: Cleaning up your RPKI invalides
INNOG 6: Cleaning up your RPKI invalidesINNOG 6: Cleaning up your RPKI invalides
INNOG 6: Cleaning up your RPKI invalides
 

Mais de RIPE NCC

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in TechRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfRIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsRIPE NCC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing SecurityRIPE NCC
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfRIPE NCC
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasRIPE NCC
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasRIPE NCC
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet InfrastructureRIPE NCC
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenRIPE NCC
 

Mais de RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 

Último

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Último (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Routing Security

  • 1. Nathalie Trenaman| 13 April 2021 | Lebanese University, Faculty of Sciences Routing Security
  • 3. 3 Internet building blocks ASN (Autonomous System Number)
  • 4. 4 ASN (Autonomous System Number) Internet building blocks ASN Addresses Interconnect Autonomous System
  • 5. 5 Routing on the Internet “BGP protocol” Can I trust AS2? Routing table 
 194.x.x.x = AS2 Routing table 
 193.x.x.x = AS1 Is AS1 correct? AS1 
 193.x.x.x AS2 
 194.x.x.x AS2: “I have 194.x.x.x” AS1: “I have 193.x.x.x”
  • 7. 7 Accidents Happen • Fat Fingers - 2 and 3 are really close on our keyboards…. • Policy Violations (leaks) - Oops, we did not want this to go on the public Internet - Infamous incident with Pakistan Telecom and YouTube
  • 8. 8 Incidents Are Common • 2019 Routing Security Review - 12,600 incidents - 4,4% of all ASNs affected - 3,000 ASNs are victims of at least one incident - 1,300 ASNs caused at least one incident Source: https://bgpstream.com
  • 10. 10 Routing on the Internet Can I trust B? Routing table 
 194.x.x.x = B Routing table 
 193.x.x.x = A Is A correct? A 
 193.x.x.x B 
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” RIPE Database “Internet Routing Registry”
  • 11. 11 Problem Statement • Some IRR data can not be fully trusted - Accuracy - Incomplete data - Lack of maintenance • Not every RIR has an IRR - Third party databases need to be used - No verification of who holds IPs/ASNs
  • 13. 13 Internet Routing Registry • Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE Region resources only - RADB allows paying customers to create any object - Lots of the other IRRs do not formally verify holdership
  • 15. 15 Resource Public Key Infrastructure • Ties IP addresses and ASNs to public keys • Follows the hierarchy of the registries • Authorised statements from resource holders - “ASN X is authorised to announce my Prefix Y” - Signed, holder of Y
  • 16. 16 RPKI Certificate Structure Member Member Member ROA ROA ROA Certificate hierarchy follows allocation hierarchy ARIN APNIC RIPE LACNIC AFRINIC
  • 17. 17 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
  • 18. 18 RPKI Chain of Trust RIPE NCC Root Certificate Self-signed ALL Resources Root’s private key signature public key
  • 19. 19 RPKI Chain of Trust LIR Certificate Signed by the Root private key LIR’s Resources Root’s private key signature public key
  • 21. 21 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 22. ROAs
  • 23. 23 ROA (Route Origin Authorisation) • A ROA is… • LIRs can create a ROA for each one of their resources (IP address ranges) • Multiple ROAs can be created for an IP range • ROAs can overlap
  • 24. 24 What is in a ROA ? Prefix The network for which you are creating the ROA The ASN that’s supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA
  • 25. 25 RPKI Chain of Trust ALL Resources LIR’s Resources Root’s private key signature signature public key public key
  • 26. 26 Route Origin Authorisation Prefix is authorised to be announced by AS Number LIR’s private key ROA signature
  • 27. 27 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
  • 28. 28 Hosted or Delegated RPKI RIPE ROA ROA ROA ROA ROA Member Member Member ROA Member-X CA Member-Y CA RIPE NCC Hosted System
  • 29. 29 Hosted RPKI • Automatic signing and key roll overs - One click setup of resource certificate - User has a valid and published certificate for as long as they are the holder of the resources - All the complexity is handled by the hosted system • Lets you focus on creating and publishing ROAs - Match your intended BGP configuration
  • 30. 30 Delegated RPKI • Run your own Certification Authority software - Dragon research Labs, RPKI toolkit - NLNetLabs, Krill • Setup connection with RIPE NCC CA • Generate a certificate and get it signed by the parent CA • Run your own repository
  • 31. 31 First login to the dashboard
  • 35. /23 35 193.0.24.0/21 AS2121 Max Length: /21 ROA 193.0.24.0/21 193.0.24.0/22 193.0.28.0/22 193.0.24.0/23 AS2121 Max Length: /24 ROA 193.0.30.0/23 AS2121 Max Length: /23 ROA ✖ ✖ ✔︎ /23 /23 /23 /23 /23 /24 /24 /24 /24 /24 /24 /24 /24 /24 /24 ✖ ✔︎✔︎✔︎✔︎ ✖ ✖ ✖ ✖ ✖ ✖ ✖
  • 40. 40 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 41. 41 Routing on the Internet Is A correct? A 
 192.0.2.0/24 B 
 193.0.24.0/21 A: “I have 192.0.2.0/24” 1. Create route authorisation record (ROA) 2. Validate route RPKI Repository A is authorised to announce 192.0.2.0/24 BGP
  • 42. 42 Trust Anchor Locator (TAL) RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository • Location of RIR repositories • Root’s public key TAL TAL TAL TAL List of ROAs Cerfificates
  • 43. 43 RPKI Validators • Software that creates a local “validated cache” with all the valid ROAs - Downloads the RPKI repository from the RIRs - Validates the chain of trust of all the ROAs and associated CAs - Talks to your routers using the RPKI-RTR Protocol
  • 44. 44 Relying Party RIPE NCC ARIN APNIC AFRINIC LACNIC Validator Repository Repository Repository Repository Repository List of ROAs Cerfificates
  • 46. 46 Relying Party ROA AS111 10.0.7.30/22 AS222 10.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
  • 47. 47 RIPE NCC Validator • https://github.com/RIPE-NCC/rpki-validator • Version 3.1 • Java-based, web interface, white-list functionality • Can speak RPKI-RTR
  • 48. 48 Alternatives • All are open source: - Routinator - https://github.com/NLnetLabs/ routinator/ - FORT - https://github.com/NICMx/FORT-validator/ - OctoRPKI - https://github.com/cloudflare/cfrpki - RPKI-client - https://rpki-client.org/ - Prover - https://github.com/lolepezy/rpki-prover - Rpstir2 - https://github.com/bgpsecurity/rpstir2
  • 50. 50 Two elements of RPKI Signing Create your ROAs Validating Verifying others
  • 51. 51 ROA Validation • Routers receive data from the validated cache via RPKI-RTR • Based on this and on BGP announcements, you have to make decisions - Accept or discard the BGP Announcement - As temporary measure, you could influence other attributes, such as Local Preference
  • 52. 52 ROAs ROAs ROA Validation BGP Validation VALID INVALID VALID INVALID UNKNOWN NOT FOUND
  • 53. 53 Invalid ROA • Invalid ROA - The ROA in the repository cannot be validated by the client (ISP) so it is not included in the validated cache • Invalid BGP announcement - There is a ROA in validated cache for that prefix but for a different AS. - Or the max length doesn’t match. • If no ROA in the cache then announcement is “unknown”
  • 54. 54 Whitelisting • If there is an invalid ROA for a network that’s important for you or your customers, you can whitelist it • This is done on your local validator software - It creates a “fake” ROA for the resources you want • It allows you to contact the operator to fix their ROA - Think of e-mail, contact forms, etc…
  • 56. Status of RPKI ROV Name Type Details Status Telia Transit Signed & Filtering Safe Cogent Transit Signed & Filtering Safe GTT Transit Signed & Filtering Safe NTT Transit Signed & Filtering Safe Hurricane Electric Transit Signed & Filtering Safe Tata Transit Signed & Filtering Safe PCCW Transit Signed & Filtering Safe RETN Transit Partially Signed & Filtering Safe Cloud fl are Cloud Signed & Filtering Safe Amazon Cloud Signed & Filtering Safe Net fl ix Cloud Signed & Filtering Safe Wikimedia Foundation Cloud Signed & Filtering Safe Scaleway Cloud Signed & Filtering Safe • Source: isbgpsafeyet.com
  • 57. 57 Where do we go from here ? • RPKI is only one of the steps towards full BGP Validation - Paths are not validated • We need more building blocks - BGPSec (RFC) - ASPA (draft) - AS-Cones (draft)