• Home

  • Documents

  • RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries...
20
RPKI Workshop Routing Lab 1 NANOG / Denver 2011.06.12 Randy Bush <randy@psg.com> Michael Elkins <me@sigpipe.org> Rob Austein <sra@isc.org> Philip Smith <pfs@cisco.com> http://archive.psg.com/110603.afnog-lab.pdf 2011.06.12 RPKI Router Lab 1

RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

  • Upload
    others

  • View
    8

  • Download
    0

Embed Size (px)

Citation preview

Page 1: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

RPKI Workshop Routing Lab

1

NANOG / Denver 2011.06.12

Randy Bush <[email protected]> Michael Elkins <[email protected]>

Rob Austein <[email protected]> Philip Smith <[email protected]>

http://archive.psg.com/110603.afnog-lab.pdf

2011.06.12 RPKI Router Lab 1

Page 2: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Lab Overview

2011.06.12 RPKI Router Lab 2

RPKI Engine

Repository Mgt

Publication Protocol

RPKI Repo

RCynic Gatherer

RPKI to Rtr Protocol

BGP Decision Process

Cache django

Page 3: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

BGP Feeds into Lab

2011.06.12 RPKI Router Lab 3

Global Internet

98.128.0.0/16!98.128.0.0/24!98.128.1.0/24!…!98.128.31.0/24!

98.128.0.0/16!98.128.0.0/24!98.128.1.0/24!…!98.128.31.0/24!

AS3130 AS4128

AS65000 AS65001

Seattle Dallas

Page 4: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

DynaMIPS on MacBook Pro 17”

Global Internet

2011.06.12 RPKI Router Lab Seattle Dallas

98.128.0.0/16!98.128.0.0/24!98.128.1.0/24!…!98.128.31.0/24!

98.128.0.0/16!98.128.0.0/24!98.128.1.0/24!…!98.128.31.0/24!

AS3130 AS4128

AS65000

RPKI Cache

RPKI-Rtr Protocol

AS65001

10.0.0.0/8

196.200.222.128/192

4

Page 5: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

IP Address Allocation

98.128.0.0/16 ARIN Experimental Allocation 98.128.0.0/24 Instructors Play 98.128.1.0/24 labuser01 98.128.2.0/24 labuser02 … 98.128.16.0/24 labuser16

2011.06.12 RPKI Router Lab 5

Page 6: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

GUI Accounts https://demo.rpki.net/rpki UserID Password labuser01 fnord labuser02 fnord labuser03 fnord … labuser16 fnord

2011.06.12 RPKI Router Lab 6

Page 7: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

2011.06.12 RPKI Router Lab 7

Page 8: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

2011.06.12 RPKI Router Lab 8

One Prefix

Page 9: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

2011.06.12 RPKI Router Lab 9

Issue a ROA

Page 10: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

2011.06.12 RPKI Router Lab 10

Looks Good

Page 11: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Router Accounts telnet rmac.psg.com 20xx (your UserID) % telnet rmac.psg.com 2001 user: cisco password: cisco enable: cisco

2011.06.12 RPKI Router Lab 11

Page 12: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Configure RPKI Server router bgp <AS> bgp rpki server tcp <ip address> port <port>

refresh <time in sec> router bgp 651xx bgp rpki server tcp 198.180.150.1 port \

42420 refresh 120

2011.06.12 RPKI Router Lab 12

Page 13: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Check Server r0.sea#show ip bgp rpki servers

BGP SOVC neighbor is 198.180.150.1/42420 connected to port 42420

Flags 0, Refresh time is 600, Serial number is 1304239609

InQ has 0 messages, OutQ has 0 messages, formatted msg 345

Session IO flags 3, Session flags 4008

Neighbor Statistics:

Nets Processed 624

Connection state is ESTAB, I/O status: 1, unread input bytes: 0

Connection is ECN Disabled

Mininum incoming TTL 0, Outgoing TTL 255

Local host: 199.238.113.10, Local port: 57932

Foreign host: 198.180.150.1, Foreign port: 42420

Connection tableid (VRF): 0

2011.06.12 RPKI Router Lab 13

Page 14: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Look at Table router1#show ip bgp rpki table

76 BGP sovc network entries using 6688 bytes of memory

78 BGP sovc record entries using 1560 bytes of memory

Network Maxlen Origin-AS Source Neighbor

98.128.0.0/24 24 3130 0 198.180.150.1/424

98.128.0.0/16 16 3130 0 198.180.150.1/424

98.128.6.0/24 24 4128 0 198.180.150.1/424

98.128.9.0/24 24 3130 0 198.180.150.1/424

98.128.30.0/24 24 1234 0 198.180.150.1/424

128.224.1.0/24 24 3130 0 198.180.150.1/424

129.6.0.0/17 17 49 0 198.180.150.1/424

129.6.112.0/24 24 10866 0 198.180.150.1/424

129.6.128.0/17 17 49 0 198.180.150.1/424

147.28.0.0/16 16 3130 0 198.180.150.1/424

2011.06.12 RPKI Router Lab 14

Page 15: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Look at BGP Table * i I198.180.150.0 144.232.9.61 100 0 1239 3927 i

*> I 199.238.113.9 0 2914 3927 i

* I 129.250.11.41 0 2914 3927 i

*> V198.180.152.0 199.238.113.9 0 2914 4128 i

* V 129.250.11.41 0 2914 4128 i

*> N198.180.155.0 199.238.113.9 0 2914 22773 i

* N 129.250.11.41 0 2914 22773 i

*> N198.180.160.0 199.238.113.9 0 2914 23308 13408 5752 i

* N 129.250.11.41 0 2914 23308 13408 5752 i

2011.06.12 RPKI Router Lab 15

Page 16: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Look at a Prefix R3#show ip bgp 98.128.0.0/24

BGP routing table entry for 98.128.0.0/24, version 360

Paths: (2 available, best #1, table default)

65000 3130

10.0.0.1 from 10.0.0.1 (193.0.24.64)

Origin IGP, localpref 100, valid, external, best

path 680D859C RPKI State valid

65001 4128

10.0.1.1 from 10.0.1.1 (193.0.24.65)

Origin IGP, localpref 100, valid, external

path 680D914C RPKI State invalid

2011.06.12 RPKI Router Lab 16

Page 17: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Fat-Finger Detected

2011.06.12 RPKI Router Lab 17

Global Internet

98.128.0.0/16!

AS3130 AS4128

AS65000 AS65001

Seattle Dallas

98.128.0.0/16!

98.128.0.0/16

AS 3130

ROA

show ip bgp 98.128.0.0/16

Page 18: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

ROA Controls Validity

2011.06.12 RPKI Router Lab 18

Global Internet

98.128.0.0/16!

AS3130 AS4128

AS65000 AS65001

Seattle Dallas

98.128.0.0/16!

98.128.0.0/16

AS 4128

ROA

show ip bgp 98.128.0.0/16

Page 19: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Try Your Own /24

2011.06.12 RPKI Router Lab 19

Global Internet

98.128.X.0/24!

AS3130 AS4128

AS65000 AS65001

98.128.X.0/24!

98.128.X.0/24

AS 3130

ROA

show ip bgp 98.128.X.0/24 98.128.0.0/16

AS 4128

ROA show ip bgp 98.128.0.0/16

Page 20: RPKI Workshop Routing Lab...Look at Table router1#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 78 BGP sovc record entries using 1560 bytes of memory

Mis-Origination Caught R3#sh ip bg 98.128.0.0/24

BGP routing table entry for 98.128.0.0/24, version 94

Paths: (2 available, best #2, table default)

Advertised to update-groups:

1

Refresh Epoch 1

65000 3130

10.0.0.1 from 10.0.0.1 (65.38.193.12)

Origin IGP, localpref 100, valid, external

path 6802D4DC RPKI State invalid

Refresh Epoch 1

65001 4128

10.0.1.1 from 10.0.1.1 (65.38.193.13)

Origin IGP, localpref 100, valid, external, best

path 6802D7C8 RPKI State valid

2011.06.12 RPKI Router Lab 20


BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year) • Origin Validation

BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year) • Origin Validation

Documents
RPKI Tutorial(PDF)

RPKI Tutorial(PDF)

Documents
RPKI with rpki.net ToolS · 2 RPKI: Introduction Tutorial Target audience Knowledge of Internet Routing(specially BGP) Familiar with any IRR Database No need to know Cryptography

RPKI with rpki.net ToolS · 2 RPKI: Introduction Tutorial Target audience Knowledge of Internet Routing(specially BGP) Familiar with any IRR Database No need to know Cryptography

Documents
Introduction to RPKI

Introduction to RPKI

Internet
RPKI & Route Origin Validation · •Route53 hijack (contd…) q Resolvers querying any Route53 managed names, would ask the authoritative servers controlled through the BGP hijack

RPKI & Route Origin Validation · •Route53 hijack (contd…) q Resolvers querying any Route53 managed names, would ask the authoritative servers controlled through the BGP hijack

Documents
eROU04 BGP Attributes - APNIC...2017/10/25  · tashi@apnic.net Specialties: BGP, IS-IS/OSPF, IPv6, Securing Internet Routing (RPKI), DWDM, Network Security 2 BGP Path Attributes •Attributes

eROU04 BGP Attributes - APNIC...2017/10/25  · [email protected] Specialties: BGP, IS-IS/OSPF, IPv6, Securing Internet Routing (RPKI), DWDM, Network Security 2 BGP Path Attributes •Attributes

Documents
Gems Sovc Report

Gems Sovc Report

Documents
RPKI Validation - Internet2 · 2017. 10. 27. · bgp rpki server tcp 163.253.39.165 port 8282 refresh 600 bgp bestpath prefix-validate allow-invalid neighbor 163.253.39.165 remote-as

RPKI Validation - Internet2 · 2017. 10. 27. · bgp rpki server tcp 163.253.39.165 port 8282 refresh 600 bgp bestpath prefix-validate allow-invalid neighbor 163.253.39.165 remote-as

Documents
What’s Next: DNSSEC & RPKI

What’s Next: DNSSEC & RPKI

Documents
Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Documents
The Transition to BGP Security Is the Juice Worth the Squeeze?netseminar.stanford.edu/seminars/10_31_13.pdf · Prefix 34109 RPKI AS 29997 204.16.254.0/24 SCNet: (29997, Prefix) NTT:

The Transition to BGP Security Is the Juice Worth the Squeeze?netseminar.stanford.edu/seminars/10_31_13.pdf · Prefix 34109 RPKI AS 29997 204.16.254.0/24 SCNet: (29997, Prefix) NTT:

Documents
Trust in Anarchy? · RPKI Trust Anchor(s) RPKI Security and Governance DNS? Trust vs. Assurance Structures Host Names BGP. Author: Ashwin Mathew Created Date: 11/2/2011 10:30:43 AM

Trust in Anarchy? · RPKI Trust Anchor(s) RPKI Security and Governance DNS? Trust vs. Assurance Structures Host Names BGP. Author: Ashwin Mathew Created Date: 11/2/2011 10:30:43 AM

Documents
Internet Infrastructure Security · Message to Take Away • Security requires an integral approach: • not BGP filtering, RPKI or DNS security, but all of them • Security requires

Internet Infrastructure Security · Message to Take Away • Security requires an integral approach: • not BGP filtering, RPKI or DNS security, but all of them • Security requires

Documents
BGP Resource Public Key Infrastructure (RPKI) … Resource Public Key Infrastructure (RPKI) Origin Validation . ... Overview of RPKI ... Figure 5 shows the high-level network diagram

BGP Resource Public Key Infrastructure (RPKI) … Resource Public Key Infrastructure (RPKI) Origin Validation . ... Overview of RPKI ... Figure 5 shows the high-level network diagram

Documents
LACNIC Update Report - ripe71.ripe.net Update Report ... • BGP & RPKI & IPv6 training ... • A sample of 10 countries was selected: Argentina, Chile, Bolivia, Peru,

LACNIC Update Report - ripe71.ripe.net Update Report ... • BGP & RPKI & IPv6 training ... • A sample of 10 countries was selected: Argentina, Chile, Bolivia, Peru,

Documents
Monitoring and Inspection of RPKI repositories · Monitoring and Inspection of RPKI repositories AndreasReuter Matr. 4569130 Supervisor: Prof. Dr.-Ing. JochenSchiller ... The BGP

Monitoring and Inspection of RPKI repositories · Monitoring and Inspection of RPKI repositories AndreasReuter Matr. 4569130 Supervisor: Prof. Dr.-Ing. JochenSchiller ... The BGP

Documents
The RPKI & Origin Validation - American Registry for ... · The RPKI & Origin Validation ARIN / San Juan ... to Smart Customer ... router bgp 4128 bgp router-id 198.180.152.251

The RPKI & Origin Validation - American Registry for ... · The RPKI & Origin Validation ARIN / San Juan ... to Smart Customer ... router bgp 4128 bgp router-id 198.180.152.251

Documents
BGP Origin Validation (RPKI) - Universiteit van Amsterdam

BGP Origin Validation (RPKI) - Universiteit van Amsterdam

Documents
Securing your resources with RPKI and IRT Securing your...RPKI: ROA •Resource Public Key Infrastructure (RPKI) is the infrastructure framework designed to secure the BGP table •ROA

Securing your resources with RPKI and IRT Securing your...RPKI: ROA •Resource Public Key Infrastructure (RPKI) is the infrastructure framework designed to secure the BGP table •ROA

Documents
CertProto RPKI Project

CertProto RPKI Project

Documents
Introduction to RPKI - MyNOG

Introduction to RPKI - MyNOG

Technology
RPKI Tutorial and hands-on - APNIC · 2018. 1. 23. · –BGPSEC –security mechanism for BGP routing is being implemented ... What’s up in Japan •JANOG RPKI routing WG –RPKI

RPKI Tutorial and hands-on - APNIC · 2018. 1. 23. · –BGPSEC –security mechanism for BGP routing is being implemented ... What’s up in Japan •JANOG RPKI routing WG –RPKI

Documents
GEMS SOVC REPORT - Putnam County, Florida · Title: GEMS SOVC REPORT Author: Administrator Created Date: 8/20/2012 9:29:16 AM

GEMS SOVC REPORT - Putnam County, Florida · Title: GEMS SOVC REPORT Author: Administrator Created Date: 8/20/2012 9:29:16 AM

Documents
Let’s adopt RPKI

Let’s adopt RPKI

Documents
RPKI vs ROVER Comparing the Risks of BGP Security Solutions · RPKI vs ROVER Comparing the Risks of BGP Security Solutions Full version from June 18, 2014.? Aanchal Malhotra and Sharon

RPKI vs ROVER Comparing the Risks of BGP Security Solutions · RPKI vs ROVER Comparing the Risks of BGP Security Solutions Full version from June 18, 2014.? Aanchal Malhotra and Sharon

Documents
RPKI Deployment - APNIC · • Route53 hijack (contd…) q Resolvers querying any Route53 managed names, would ask the authoritative servers controlled through the BGP hijack § Possibly,

RPKI Deployment - APNIC · • Route53 hijack (contd…) q Resolvers querying any Route53 managed names, would ask the authoritative servers controlled through the BGP hijack § Possibly,

Documents
RESOURCE PUBLIC KEY INFRASTRUCTURE EXTENSION · Resource Public Key Infrastructure (RPKI). Objects in the RPKI are intended to improve the security of the BGP system by providing

RESOURCE PUBLIC KEY INFRASTRUCTURE EXTENSION · Resource Public Key Infrastructure (RPKI). Objects in the RPKI are intended to improve the security of the BGP system by providing

Documents
Resource(PublicKeyInfrastructure((RPKI) · set routing-options validation group RPKI session 202.4.96.221 hold-time 180 set routing-options validation group RPKI session 202.4.96.221

Resource(PublicKeyInfrastructure((RPKI) · set routing-options validation group RPKI session 202.4.96.221 hold-time 180 set routing-options validation group RPKI session 202.4.96.221

Documents
The RPKI Documentation

The RPKI Documentation

Documents
Internet Number Registry Services the Next Generation · 5/8/2019  · RPKI •RPKIis a public key infrastructure (PKI) framework, designed to secure BGP routing ⎯Based on X.509

Internet Number Registry Services the Next Generation · 5/8/2019  · RPKI •RPKIis a public key infrastructure (PKI) framework, designed to secure BGP routing ⎯Based on X.509

Documents