Resource Public Key Infrastructure presentation, Mynog5

Page 1: Resource Public Key Infrastructure presentation, Mynog5

Resource Public Key Infrastructure (RPKI)

Anna Mulingbayan

MYNOG 5

20 August 2015

Revision: 31/12/2014

Page 2: Resource Public Key Infrastructure presentation, Mynog5

Why use RPKI?

• Prevent route hijacking
  – Only the rightful custodian can originate the prefix announcement
  – ISPs filter prefixes they propagate

• Minimize common routing errors
  – Limits human errors
  – Prioritize routes with certificates

Page 3: Resource Public Key Infrastructure presentation, Mynog5

Real life routing incidents

• June 2015 - Telecom Malaysia causes large-scale routing issues due to a route leak

• April 2014 - Indosat leaked 32,000 routes

• April 2010 - China Telecom advertisement causes 15% of Internet traffic to pass through Chinese servers

• February 2008 - Pakistan Telecom announces 208.65.153.0/24 (YouTube prefix)

Page 4: Resource Public Key Infrastructure presentation, Mynog5

What is RPKI?

Resource Public Key Infrastructure (RPKI)

• A robust security framework for verifying the association between resource holders and their Internet resources

• Uses X.509 certificates with RFC 3779 extensions

• Collaborative effort by all RIRs to help secure Internet routing by validating routes

Page 5: Resource Public Key Infrastructure presentation, Mynog5

How to use RPKI?

• Create Route Origin Authorization (ROA) objects

• What’s contained in a ROA
  – The AS number you have authorized
  – The prefix that is being originated from it
  – The most specific prefix (maximum length) that the AS may announce

For example: “AS64496 originates a route for the prefix 2001:DB8::/32 with a maximum prefix length of /40”

Page 6: Resource Public Key Infrastructure presentation, Mynog5

Creating ROA in MyAPNIC

• What you need to have before creating a ROA
  – Must be an APNIC Member
  – Have access to MyAPNIC with 2-factor authentication

• Takes only 5 minutes to create, and 10 minutes to be visible to the public

Page 7: Resource Public Key Infrastructure presentation, Mynog5


Activate RPKI Engine

Page 8: Resource Public Key Infrastructure presentation, Mynog5


Creating your ROA (Using suggestions)

Page 9: Resource Public Key Infrastructure presentation, Mynog5


Creating your ROA (Manual)

Page 10: Resource Public Key Infrastructure presentation, Mynog5

Created your ROA, what’s next?

• Maintain your ROAs
  – Changed BGP announcement
  – New delegation
  – Transferred resources

• RPKI validator - https://trac.rpki.net/wiki/doc/RPKI
  – Valid
  – Invalid
  – Unknown
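The following is an added example, not part of the MYNOG 5 deck or of any APNIC tool: it shows how a validator turns the ROA fields from slide 5 (AS number, prefix, maximum length) into the Valid / Invalid / Unknown outcomes listed above, following the Route Origin Validation procedure of RFC 6811 (which calls the "Unknown" state "NotFound"). The IPv6 ROA is the one quoted on slide 5; the IPv4 ROA and every announcement are constructed sample data.

```python
"""Route Origin Validation (RFC 6811) against a small set of ROAs.

Added example, not part of the MYNOG 5 deck. The ROA for AS64496 /
2001:DB8::/32 / maxLength 40 is the one quoted on slide 5; the IPv4 ROA
and all announcements below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    """One ROA: which AS may originate which prefix, and how specific it may be."""
    asn: int
    prefix: IPNetwork
    max_length: int


def make_roa(asn: int, prefix: str, max_length: Optional[int] = None) -> Roa:
    """Build a ROA; maxLength defaults to the prefix length (the tightest choice)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return Roa(asn, net, max_length)


def validate_route(prefix: str, origin_asn: int, roas: List[Roa]) -> str:
    """Return the RFC 6811 state for one (prefix, origin AS) pair.

    NotFound (the slide's "Unknown"): no ROA covers the announced prefix.
    Valid:   a covering ROA names this origin AS and the announced prefix
             is no more specific than that ROA's maxLength.
    Invalid: ROAs cover the prefix but none matches, i.e. the origin AS is
             wrong or the announcement is more specific than allowed.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [
        r for r in roas
        if r.prefix.version == route.version and route.subnet_of(r.prefix)
    ]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


# Constructed ROA set: the slide's example ROA plus one documentation IPv4 prefix.
ROAS = [
    make_roa(64496, "2001:db8::/32", 40),
    make_roa(64496, "203.0.113.0/24"),          # maxLength defaults to /24
]

# Constructed announcements: (prefix, origin AS) as they would appear in a BGP table.
ANNOUNCEMENTS = [
    ("2001:db8::/32", 64496),        # exact match             -> Valid
    ("2001:db8:ab00::/40", 64496),   # within maxLength        -> Valid
    ("2001:db8:ab00::/48", 64496),   # more specific than /40  -> Invalid
    ("2001:db8::/32", 64511),        # wrong origin AS         -> Invalid
    ("2001:db9::/32", 64496),        # no ROA covers it        -> NotFound
    ("203.0.113.0/24", 64496),       # IPv4 exact match        -> Valid
    ("203.0.113.0/25", 64496),       # more specific than ROA  -> Invalid
]


def validate_table(announcements, roas) -> dict:
    """Validate every announcement; returns {(prefix, asn): state}."""
    return {(p, a): validate_route(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in validate_table(ANNOUNCEMENTS, ROAS).items():
        print(f"{prefix:22} AS{asn:<6} {state}")
```

Two points the table of results makes concrete: a ROA only helps if the routes you actually announce are covered by it, so the "Maintain your ROAs" items above (changed announcement, new delegation, transfer) are what keep your own prefixes out of the Invalid state; and a maxLength wider than what you announce leaves room for a more-specific announcement with a spoofed origin to validate, so defaulting maxLength to the prefix length, as `make_roa` does, is the safer setting.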

Page 11: Resource Public Key Infrastructure presentation, Mynog5

Success Story

• May 2015: APNIC Outreach in Bangladesh
  – 13 organizations visited
  – Onsite support to create ROA objects

561 valid prefixes (24%)

http://rpki.surfnet.nl/bd.html

Page 12: Resource Public Key Infrastructure presentation, Mynog5


World Leaderboard (economy)

http://rpki.surfnet.nl/country.html

As of June 10, 2015

Page 13: Resource Public Key Infrastructure presentation, Mynog5

ROA in South East Asia

Economy | ROA count | IPv4 total | IPv4 ROA | IPv4 %      | IPv6 total  | IPv6 ROA | IPv6 %
ID      | 1         | 17666560   | 65536    | 0.37096073  | 3204484864  | 0        | 0
MY      | 2         | 6490880    | 35840    | 0.552159337 | 1476404224  | 0        | 0
PH      | 18        | 5352704    | 185088   | 3.457841121 | 872419840   | 256      | 0.000029344
SG      | 14        | 5165568    | 78080    | 1.51154723  | 2315278848  | 67109376 | 2.898543994

(IPv4 % and IPv6 % are the ROA-covered share of the economy's total address space.)

*As at 5 Aug 2015

Page 14: Resource Public Key Infrastructure presentation, Mynog5

IPv4 Transfers

Page 15: Resource Public Key Infrastructure presentation, Mynog5

Who can do the transfer?

• Transfer of IPv4 between you and
  – Other APNIC Members
  – Members from other RIRs, e.g. ARIN

• Transfer between APNIC Members
  – So far MY has a total of 11 transfers
  – Transfer logs: http://ftp.apnic.net/transfers/apnic/

• Transfer between APNIC and another RIR
  – Transfer from RIR Member to APNIC Member, or vice versa
  – Source account initiates the transfer request
  – Registry of the recipient account evaluates the transfer request
  – More information at: www.apnic.net/transfer

Page 16: Resource Public Key Infrastructure presentation, Mynog5

How many transfers are we doing?

[Chart: number of transfers per year, 2010 to 2015; vertical axis 0 to 180]

Page 17: Resource Public Key Infrastructure presentation, Mynog5


How to do the transfer in MyAPNIC? (source account)

Page 18: Resource Public Key Infrastructure presentation, Mynog5


MyAPNIC (source account)

Page 19: Resource Public Key Infrastructure presentation, Mynog5

MyAPNIC (recipient account)

Page 20: Resource Public Key Infrastructure presentation, Mynog5

Tips

• Pre-approval
  – allows you to demonstrate your need for the IPv4 block in advance
  – process is faster as the evaluation is done beforehand
  – complete the “Transfer pre-approval” form via MyAPNIC
  – more information at http://www.apnic.net/pre-approval

• IPv4 Transfer listing service
  – lists Members who have received pre-approval on the APNIC website, to allow others with excess IPv4 to contact you
  – more information at http://www.apnic.net/pre-approval-listing

• APNIC Transfers Mailing List
  – facilitates discussion on topics related to IPv4 transfer
  – to subscribe, please go to www.apnic.net/mailing-lists

Page 21: Resource Public Key Infrastructure presentation, Mynog5

You’re Invited!

• APNIC 40: Jakarta, Indonesia, 3 - 10 Sept 2015

Page 22: Resource Public Key Infrastructure presentation, Mynog5


THANK YOU