aaron murrihy aaron murrihy reannz co nz
play

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb - PowerPoint PPT Presentation

Mar 07, 2024 •120 likes •662 views

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

  1. SECURING THE INTERNET – VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI – Feb 20

  2. ABOUT US 2 Apricot 2020 RPKI – Feb 20

  3. ABOUT REANNZ New Zealand’s NREN • Engineering team of 7 • AS38022 • Peering points in 3 countries • – NZ, Australia, US 100G backbone • 3 Apricot 2020 RPKI – Feb 20

  4. THE PROBLEM 4 Apricot 2020 RPKI – Feb 20

  5. PROBLEM ROUTE HIJACKING 192.168.0.0/20 BGP has no mechanism for ensuring trust! 192.168.0.0/21 192.168.8.0/21 5 Apricot 2020 RPKI – Feb 20

  6. PROBLEM ROUTE HIJACKING 192.168.0.0/20 192.168.0.0/20 6 Apricot 2020 RPKI – Feb 20

  7. PROBLEM ROUTE HIJACKING 192.168.0.0/20 g n i r e e P Can be malicious or accidental 7 Apricot 2020 RPKI – Feb 20

  8. PROBLEM MITIGATIONS Route filters based on IRR information • – Which registry? – What about transit providers? – Still no mechanism for ensuring trust Or… • 8 Apricot 2020 RPKI – Feb 20

  9. RPKI 9 Apricot 2020 RPKI – Feb 20

  10. RPKI ABOUT RPKI R esource P ublic K ey I nfrastructure RFC6480 (and many others) • Binds route prefix to origin ASN • – Signed cryptographically – Ensures trust (sort of) Recommended for MANRS compliance • – https://www.manrs.org Signed prefixes stored (and distributed) by the 5 RIRs • https://blog.cloudflare.com/rpki/ 10 Apricot 2020 RPKI – Feb 20

  11. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Super Fun Time Party 11 Apricot 2020 RPKI – Feb 20

  12. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Super Fun Time Can I join Party the party? 12 Apricot 2020 RPKI – Feb 20

  13. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Super What’s your Fun Time name? Party 13 Apricot 2020 RPKI – Feb 20

  14. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Super Fun Time Party Jamie 14 Apricot 2020 RPKI – Feb 20

  15. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Super From Fun Time Wellington? Party 15 Apricot 2020 RPKI – Feb 20

  16. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Super Fun Time Na, from Party Sydney 16 Apricot 2020 RPKI – Feb 20

  17. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Super Sorry, buddy. You’re not on Fun Time my list Party 17 Apricot 2020 RPKI – Feb 20

  18. RPKI WHAT DOES RPKI PROTECT AGAINST (#1) Another ASN advertising your routes Super Fun Time Party 18 Apricot 2020 RPKI – Feb 20

  19. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super Fun Time Party 19 Apricot 2020 RPKI – Feb 20

  20. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super Fun Time Can I join Party the party? 20 Apricot 2020 RPKI – Feb 20

  21. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super What’s your Fun Time name? Party 21 Apricot 2020 RPKI – Feb 20

  22. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super Fun Time Party Jamie 22 Apricot 2020 RPKI – Feb 20

  23. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super From Fun Time Wellington? Party 23 Apricot 2020 RPKI – Feb 20

  24. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super Fun Time Party Yep 24 Apricot 2020 RPKI – Feb 20

  25. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super Fun Time Jamie Senior? Party 25 Apricot 2020 RPKI – Feb 20

  26. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super Fun Time Party No, Jamie Junior 26 Apricot 2020 RPKI – Feb 20

  27. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) Super Sorry, buddy. I’ve been specifically asked by your Fun Time Dad to only let him in. Party 27 Apricot 2020 RPKI – Feb 20

  28. RPKI WHAT DOES RPKI PROTECT AGAINST (#2) The same or a different ASN advertising a more specific route Super Fun Time Party 28 Apricot 2020 RPKI – Feb 20

  29. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Super Fun Time Party 29 Apricot 2020 RPKI – Feb 20

  30. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Super Fun Time Can I join Party the party? 30 Apricot 2020 RPKI – Feb 20

  31. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Super What’s your Fun Time name? Party 31 Apricot 2020 RPKI – Feb 20

  32. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Super Fun Time Party Jamie 32 Apricot 2020 RPKI – Feb 20

  33. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Super From Fun Time Wellington? Party 33 Apricot 2020 RPKI – Feb 20

  34. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Super Fun Time Party Umm… OK, Sure 34 Apricot 2020 RPKI – Feb 20

  35. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Super That’s good enough Fun Time for me. Come on in! Party 35 Apricot 2020 RPKI – Feb 20

  36. RPKI WHAT DOESN’T RPKI PROTECT AGAINST Malicious party forging your ASN as the origin Super Fun Time Party 36 Apricot 2020 RPKI – Feb 20

  37. RPKI TLDR Protects against • – accidental advertisement of incorrect routes – route hijacking with more specific prefixes Doesn’t protect against • – malicious advertisement of routes with impersonated origin ASN – accidental transit of peer routes Validating the AS path is a whole other kettle of cryptographic fish 37 Apricot 2020 RPKI – Feb 20

  38. RPKI IMPLEMENTATION 38 Apricot 2020 RPKI – Feb 20

  39. RPKI IMPLEMENTATION RPKI ARCHITECTURE RSYNC RPKI-RTR ROA Validator BGP Routers 39 Apricot 2020 RPKI – Feb 20

  40. RPKI IMPLEMENTATION ROA https://myapnic.net -> Resources -> (Route Management) Routes 40 Apricot 2020 RPKI – Feb 20

  41. RPKI IMPLEMENTATION ROA Just tick the ROA option - trivial 41 Apricot 2020 RPKI – Feb 20

  42. RPKI IMPLEMENTATION VALIDATOR (RELYING PARTY) RIPE RPKI Validator – Infrastructure Java • 2 x containers • Ansible-managed • Memory-hungry (~6GB) • – Capability Downloads ROAs with RSYNC • Validates ROAs cryptographically • ROA overrides (Ignore, Whitelist) • Performs the RTR transfer to your BGP routers • Validated data can be exposed via JSON API • https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/ 42 Apricot 2020 RPKI – Feb 20

  43. RPKI IMPLEMENTATION VALIDATOR (RELYING PARTY) 43 Apricot 2020 RPKI – Feb 20

  44. RPKI IMPLEMENTATION ADVERTISE VALIDATED DATA TO NETWORK RPKI to Router (RTR) protocol – RFC6810 – Unencrypted filter protect-re { term rpki-rtr { routing-options { from { validation { notification-rib [ some-inet.0 some-inet6.0 ]; source-prefix-list { rpki-rtr-validators; group rpki-wlg { session 203.0.113.14 { } protocol tcp; port 8282; source-port 8282; local-address 192.0.2.1 } } then accept; } } } } } 44 Apricot 2020 RPKI – Feb 20

  45. RPKI IMPLEMENTATION ENABLING RPKI POLICY Just add an import filter to your peering policy term valid { term invalid { term unknown { from { from { from { protocol bgp; protocol bgp; protocol bgp; validation-database valid; validation-database invalid; validation-database unknown; } } } then { then { then { validation-state valid; validation-state invalid; validation-state unknown; next policy; reject; next policy; } } } } } } 45 Apricot 2020 RPKI – Feb 20

  46. RPKI IMPLEMENTATION REANNZ RPKI BEST PRACTICE Apply on external BGP feeds • – Peerings, Transit Providers, R&E Not applying to customers • – Exact route filters already in place (built from IPAM) Begin by logging invalid routes • Then act on RPKI validation • – Valid == Accept – Invalid == Reject – Unknown == Accept 46 Apricot 2020 RPKI – Feb 20

  47. RPKI IMPLEMENTATION REANNZ RPKI BEST PRACTICE Use exact prefix lengths for ROAs • Automate regular checks of your configured ROAs • aaron@nms-wlg:~$ check_reannz_roas Missing ROAs: 140.200.0.0/24 AS38022 140.200.1.0/24 AS38299 Extra ROA's: 140.200.1.0/24 AS38022 47 Apricot 2020 RPKI – Feb 20

  48. RPKI IMPLEMENTATION SHOULD I ENABLE RPKI VALIDATION? Pro • – Gain benefit without full (internet-wide) implementation – Security improves as adoption increases – BGP performance/reliability unaffected – Cleanly handles failure – Operationally, pretty simple to implement/run Con • – Requires ensuring ROAs are kept up-to-date – Some extra training for the NOC 48 Apricot 2020 RPKI – Feb 20

  49. RPKI IMPLEMENTATION SHOULD I ENABLE RPKI VALIDATION? Pro • N o – Gain benefit without full (internet-wide) implementation t i f y o – Security improves as adoption increases u r e c – BGP performance/reliability unaffected e i v e – Cleanly handles failure t h e d – Operationally, pretty simple to implement/run e f a u l t r o u t e Con • ! – Requires ensuring ROAs are kept up-to-date – Some extra training for the NOC 49 Apricot 2020 RPKI – Feb 20

  50. RPKI IMPLEMENTATION Number of reported faults: 0 http://sg-pub.ripe.net/jasper/rpki-web-test 50 Apricot 2020 RPKI – Feb 20

  51. RPKI IMPLEMENTATION Number of reported faults: 2 http://sg-pub.ripe.net/jasper/rpki-web-test 51 Apricot 2020 RPKI – Feb 20

  52. RPKI IMPLEMENTATION LESSONS LEARNED Keep your WHOIS contact details up-to-date • Automate checks of validity of your ROAs • – https://github.com/taiji-k/roamon-verify Implement a check of what IP space disappears when rejecting invalid • routes – Ignore where there is a valid covering route – https://nusenu.github.io/RPKI-Observatory/unreachable-networks.html 52 Apricot 2020 RPKI – Feb 20

Recommend

UNLEASHING THE HIVEMIND BUILDING SCALABLE NETWORKS AARON MURRIHY SENIOR NETWORK ENGINEER

UNLEASHING THE HIVEMIND BUILDING SCALABLE NETWORKS AARON MURRIHY SENIOR NETWORK ENGINEER

REANNZ LUNCHTIME SESSION 17 JULY 2019 UNLEASHING THE HIVEMIND BUILDING SCALABLE NETWORKS AARON MURRIHY SENIOR NETWORK ENGINEER aaron.murrihy@reannz.co.nz 1 REANNZ Lunch 19 Scalable Networks 4 STAGES OF NETWORK PROGRESSION 2 REANNZ

198 views • 19 slides
IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start

IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start

IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start security research since 15 th Community Experience CHROOT/HITCON (security group) - member III,CSIST (government organizations) - training course

1.36k views • 110 slides
AARON INDUSTRIES LIMITED H2FY19 EARNINGS PRESENTATION JUNE 2019 NSE: AARON | BLOOMBERG:

AARON INDUSTRIES LIMITED H2FY19 EARNINGS PRESENTATION JUNE 2019 NSE: AARON | BLOOMBERG:

AARON INDUSTRIES LIMITED H2FY19 EARNINGS PRESENTATION JUNE 2019 NSE: AARON | BLOOMBERG: AARON:IN | CIN: L31908GJ2013PLC077306 COMPANY OVERVIEW FOUNDATION 1 Aaron Industries Limited was founded by Mr. Amar Doshi in 2013, involved in the

426 views • 13 slides
Aaron Booker, Albertville, AL Aaron will be demonstrating his skills and approach to finishing

Aaron Booker, Albertville, AL Aaron will be demonstrating his skills and approach to finishing

Aaron Booker, Albertville, AL Aaron will be demonstrating his skills and approach to finishing sculptures using painting techniques. Aaron Booker, 38, from Albertville Alabama, began carving in 2001. He has always been very artistic since a

180 views • 17 slides
Aaron Pulkka 2 Evolving International Partnerships from Outsourcing to Exporting Aaron

Aaron Pulkka 2 Evolving International Partnerships from Outsourcing to Exporting Aaron

Aaron Pulkka 2 Evolving International Partnerships from Outsourcing to Exporting Aaron Pulkka | Director of Production | Activision 3 Overview Aaron Pulkka Key Ideas My Background Development Outsourcing Game Exporting

549 views • 52 slides
Physician Drug Selection in Oncology Aaron Mitchell, MD Aaron Winn, MPP Stacie Dusetzina, PhD 1

Physician Drug Selection in Oncology Aaron Mitchell, MD Aaron Winn, MPP Stacie Dusetzina, PhD 1

Pharmaceutical Industry Payments and Physician Drug Selection in Oncology Aaron Mitchell, MD Aaron Winn, MPP Stacie Dusetzina, PhD 1 Background: conflicts of interest Common in US Potential unintended consequences DeJong et al, JAMA

472 views • 28 slides
Olsr.Org // FunkFeuer // Freifunk Aaron Kaplan <aaron@lo-res.org> Henning Rogge

Olsr.Org // FunkFeuer // Freifunk Aaron Kaplan <aaron@lo-res.org> Henning Rogge

Olsr.Org // FunkFeuer // Freifunk Aaron Kaplan <aaron@lo-res.org> Henning Rogge <hrogge@fgan.de> Oct 2008 Presentation at OLSR Interop 08, Ottawa, CA Disclaimer can only speak about Freifunk out of experience and I know the

1.17k views • 87 slides
Design Patterns for Large Scale Data Movement Aaron Lee aaron.lee@solacesystems.com Data

Design Patterns for Large Scale Data Movement Aaron Lee aaron.lee@solacesystems.com Data

Design Patterns for Large Scale Data Movement Aaron Lee aaron.lee@solacesystems.com Data Movement Patterns o The right solution depends on the problem youre solving Real-time or intermittent? Update rates? Any weird networks?

518 views • 25 slides
J2EE Development with Apache Geronimo Aaron Mulder Chariot Solutions Speaker Aaron Mulder

J2EE Development with Apache Geronimo Aaron Mulder Chariot Solutions Speaker Aaron Mulder

J2EE Development with Apache Geronimo Aaron Mulder Chariot Solutions Speaker Aaron Mulder Geronimo Developer Works on deployment, management, console, kernel, ... Online Geronimo book at http:// chariotsolutions.com/geronimo/

638 views • 62 slides
INTERNATIONAL NETWORK DAN TWOHILL daniel.twohill@reannz.co.nz 2 REANNZ Lunch 19

INTERNATIONAL NETWORK DAN TWOHILL daniel.twohill@reannz.co.nz 2 REANNZ Lunch 19

REANNZ LUNCH 19 14TH AUG INTERNATIONAL NETWORK DAN TWOHILL daniel.twohill@reannz.co.nz 2 REANNZ Lunch 19 International Network TRAFFIC TYPES 1. International R&E 2. Domestic 3. Caches 4. Commodity Internet 5 REANNZ

444 views • 22 slides
Next Level DSLs Configure your app the Kotlin way! Aaron Sarazan CTO - Stencil Ltd.

Next Level DSLs Configure your app the Kotlin way! Aaron Sarazan CTO - Stencil Ltd.

Next Level DSLs Configure your app the Kotlin way! Aaron Sarazan CTO - Stencil Ltd. https://gitlab.com/asarazan/kotlinconf18 aaron@stencil.ltd Isolated Feature Development A Plugin Its like an app, just smaller Android Manifest Plugin

856 views • 62 slides
Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and Zohar Manna Stanford University (Aaron is visiting EPFL and will be at CU Boulder) Benchmark: intel_005 #latch vars: 170 #coi vars: 69 Solved:

207 views • 17 slides
The Calculus of Computation Decision Procedures with Applications to Verification Aaron R.

The Calculus of Computation Decision Procedures with Applications to Verification Aaron R.

The Calculus of Computation Decision Procedures with Applications to Verification Aaron R. Bradley and Zohar Manna Stanford University (Aaron is visiting EPFL and will soon be at CU Boulder) The Calculus of Computation 1/17 The Calculus of

587 views • 17 slides
Building an Elastic Main-Memory Database: E-Store AARON J. ELMORE AELMORE@CS.UCHICAGO.EDU

Building an Elastic Main-Memory Database: E-Store AARON J. ELMORE AELMORE@CS.UCHICAGO.EDU

Building an Elastic Main-Memory Database: E-Store AARON J. ELMORE AELMORE@CS.UCHICAGO.EDU Collaboration Between Many Rebecca Taft, Vaibhav Arora, Essam Mansour, Marco Serafini, Jennie Duggan, Aaron J. Elmore, Ashraf Aboulnaga, Andy Pavlo, Amr

1.26k views • 79 slides
Aaron T Wolf, PhD Program in Water Conflict Management Oregon State University, USA

Aaron T Wolf, PhD Program in Water Conflict Management Oregon State University, USA

Aaron T Wolf, PhD Program in Water Conflict Management Oregon State University, USA International Symposium on Water Diplomacy Stockholm, Sweden 16-17 November 2016 EMAIL: WOLFA@GEO.ORST.EDU WWW.TRANSBOUNDARYWATERS.ORST.EDU Aaron T Wolf, PhD

839 views • 48 slides
Aaron Rizzuto GSPS Dec-2014 A Bit About Me

Aaron Rizzuto GSPS Dec-2014 A Bit About Me

Aaron Rizzuto GSPS Dec-2014 A Bit About Me Undergrad at University of Sydney Physics + Maths Famous USyd Jacaranda PhD at

924 views • 27 slides
Hi. I'm Aaron. I'm glad that I'm following Thomas' talk because they fit together very well.

Hi. I'm Aaron. I'm glad that I'm following Thomas' talk because they fit together very well.

Hi. I'm Aaron. I'm glad that I'm following Thomas' talk because they fit together very well. He mentioned a little bit about scanning living objects and how that's very challenging. I'm focusing very much on that today, and also bringing a

308 views • 18 slides
Meeting 9-4-2015 Aaron J. Cole WDNR Senior Fisheries Biologist Barron & Polk counties

Meeting 9-4-2015 Aaron J. Cole WDNR Senior Fisheries Biologist Barron & Polk counties

Pipe Lake Meeting 9-4-2015 Aaron J. Cole WDNR Senior Fisheries Biologist Barron & Polk counties Aaron.Cole@Wisconsin.gov 715-637-6864 FISHERIES MANAGEMENT . we make fishing better Sampling Fyke Netting (Apr. 4 to Apr.

695 views • 21 slides
Pollards Rho Algorithm for Elliptic Curves Aaron Blumenfeld November 30, 2015 Aaron

Pollards Rho Algorithm for Elliptic Curves Aaron Blumenfeld November 30, 2015 Aaron

Pollards Rho Algorithm Partitions Future Work References Pollards Rho Algorithm for Elliptic Curves Aaron Blumenfeld November 30, 2015 Aaron Blumenfeld Pollards Rho Algorithm for Elliptic Curves Pollards Rho Algorithm

496 views • 15 slides
Transport Energy Taskforce Working Group 2 18 December, London 2014 Aaron Berry Head of

Transport Energy Taskforce Working Group 2 18 December, London 2014 Aaron Berry Head of

Transport Energy Taskforce Working Group 2 18 December, London 2014 Aaron Berry Head of Biofuels Strategy Department for Transport Aaron.berry@dft.gsi.gov.uk www.gov.uk/dft Agenda Introductions Actions from previous meeting

597 views • 22 slides
Insert title Accountability Aaron Oxley, Developed Country Civil Society

Insert title Accountability Aaron Oxley, Developed Country Civil Society

Keeping the Promises: Insert title Accountability Aaron Oxley, Developed Country Civil Society aaron.oxley@results.org.uk Accountability: A HLM Success Dont let anyone tell you differently: accountability was one of the success stories

522 views • 18 slides
QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah

QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah

Overview Symmetric and quasisymmetric polynomials The Bergeron-Reutenauer basis QSym over Sym has a stable basis Aaron Lauve and Sarah Mason 3 August 2010 Aaron Lauve and Sarah Mason QSym/Sym Overview Symmetric and quasisymmetric

736 views • 62 slides
GAME OUTSOURCING SUMMIT AARON PULKKA GAME OUTSOURCING SUMMIT Putting it All Together - Building

GAME OUTSOURCING SUMMIT AARON PULKKA GAME OUTSOURCING SUMMIT Putting it All Together - Building

GAME OUTSOURCING SUMMIT AARON PULKKA GAME OUTSOURCING SUMMIT Putting it All Together - Building the Right Outsourcing Team Aaron Pulkka | Director of Production | Activision GAME OUTSOURCING SUMMIT AARON PULKKA Outsourcing Team Internal

854 views • 43 slides
Pingin' II : Now we're Analyzin' Aaron Schulman Youndo Lee Ramakrishna

Pingin' II : Now we're Analyzin' Aaron Schulman Youndo Lee Ramakrishna

Pingin' II : Now we're Analyzin' Aaron Schulman Youndo Lee Ramakrishna Padmanabhan Neil Spring University of Maryland Problem How do we reduce pings from (to) many vantage points to a responsiveness state? UP DOWN

568 views • 11 slides

More recommend