rpki
play

RPKI A quick configuration intro Massimiliano Stucchi | 19th - PowerPoint PPT Presentation

Feb 19, 2024 •389 likes •562 views

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

  1. RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33

  2. RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2

  3. Simply put • 3 parts - Create certificates - Install/run validator - Validate certificates (router configuration) Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 3

  4. RPKI Overview 1 2 3 Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 4

  5. 1. Creating ROAs Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 5

  6. 2. Validator • Download from RIPE NCC - https://www.ripe.net/manage-ips-and-asns/resource- management/certification/tools-and-resources • Requires Java, rsync • Runs standalone • ./rpki-validator.sh start Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 6

  7. 3. Validate prefixes • Take routing decisions based on results of validation - Valid - Invalid - Unknown Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 7

  8. Support in Routers • Cisco : - XR 4.2.1 (CRS-x, ASR9000, c12K) / XR 5.1.1 (NCS6000, XRv) - XE 3.5 (C7200, c7600, ASR1K, CSR1Kv, ASR9k, ME3600…) - IOS15.2(1)S • Juniper has support since version 12.2 • Alcatel Lucent has support since SR-OS 12.0 R4 • Quagga has support through BGP-SRX • BIRD has support for ROA but does not do RPKI-RTR Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 8

  9. Cisco config - 1 route-map rpki-loc-pref permit 10 match rpki invalid set local-preference 90 ! route-map rpki-loc-pref permit 20 match rpki not-found set local-preference 100 ! route-map rpki-loc-pref permit 30 match rpki valid set local-preference 110 Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 9

  10. Cisco config - 2 router bgp 64500 bgp log-neighbor-changes bgp rpki server tcp 10.1.1.6 port 8282 refresh 5 network 192.0.2.0 neighbor 10.1.1.2 remote-as 64510 neighbor 10.1.1.2 route-map rpki-loc-pref in Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 10

  11. Juniper config - 1 policy-options { policy-statement validation { term valid { from { protocol bgp; validation-database valid; } then { validation-state valid; community add origin-validation-state-valid; next policy; } } } } Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 11

  12. Juniper config - 2 policy-options { policy-statement validation { term invalid { from { protocol bgp; validation-database invalid; } then { validation-state invalid; community add origin-validation-state-invalid; next policy; } } } } } Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 12

  13. Juniper config - 3 policy-options { policy-statement validation { term unknown { from protocol bgp; then { validation-state unknown; community add origin-validation-state- unknown; next policy; } } } } Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 13

  14. Juniper config - 4 protocols { bgp { group mypeers { import route-validation; peer-as 200; neighbor 10.1.1.2; } } } Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 14

  15. Routing Incidents • Misconfiguration - No malicious intentions - Software bugs • Malicious - Competition - Claiming “unused” space • Targeted Traffic Misdirection - Collect and/or tamper with data Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 15

  16. BGPsec • Still in draft state • Secures route propagation by using signatures in AS-Path Massimiliano Stucchi - RIPE NCC | 19 January 2016 | UKNOF 33 16

  17. Questions mstucchi@ripe.net @TrainingRIPENCC https://ripe.net/certification

Recommend

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein

663 views • 32 slides
Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston University Outline Background How does BGP work? How does RPKI work? What is the maxLength? How maxLength causes problems

741 views • 34 slides
Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston ) Key Rollover Document New doc: draC-huston-sidr-aao-profile-0-

494 views • 14 slides
Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman Route-Hijacking:

687 views • 36 slides
BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec

BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec

Advanced Network Security BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec Startng (almost) from scratch 2 Autonomous systems (AS) Internet is divided into Autonomous Systems (AS) Controlled by

815 views • 39 slides
The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1

The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1

The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1 Motivation Why is this research important? 2 Motivation BGP is old First RFC was published in 1989 (RFC 1105) BGP was developed in times

457 views • 28 slides
RPKI rsync Download Delay Modeling Steve Kent and Kotikalapudi Sriram Email: kent@bbn.com ;

RPKI rsync Download Delay Modeling Steve Kent and Kotikalapudi Sriram Email: kent@bbn.com ;

RPKI rsync Download Delay Modeling Steve Kent and Kotikalapudi Sriram Email: kent@bbn.com ; ksriram@nist.gov March 11, 2013 IETF-86 SIDR WG Meeting, Orlando, FL The authors wish to thank David Mandelberg, Andrew Chi, and Rob Austein for

549 views • 29 slides
An Evaluation of IPFS As A distribution Mechanism for RPKI Repository Dadepo Aderemi, Woudt van

An Evaluation of IPFS As A distribution Mechanism for RPKI Repository Dadepo Aderemi, Woudt van

An Evaluation of IPFS As A distribution Mechanism for RPKI Repository Dadepo Aderemi, Woudt van Steenbergen Supervisor: Luuk Hendriks | NLnet Labs July 2, 2020 Web DNS IPFS IPFS Primer What A peer-to-peer distributed file system that

853 views • 25 slides
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010 Addition of Normative Language Originally the CP was an I-D. It was changed to be a regular document and as part of this the RFC 2119 keywords were

344 views • 15 slides
rsync considered inefficient and harmful ggm@apnic.net bje@apnic.net

rsync considered inefficient and harmful ggm@apnic.net bje@apnic.net

rsync considered inefficient and harmful ggm@apnic.net bje@apnic.net 1 RPKI uses rsync RPKI uses rsync as its data publica>on protocol for wider

681 views • 47 slides
RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals Explain where it started

RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals Explain where it started

RPKI Tutorial MENOG 10, Dubai UAE Marco Hogewoning Trainer Goals Explain where it started Learn what resources certificates are Learn how to request a certificate Learn how to create a Route Origin Authorization Learn how to

977 views • 59 slides
Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

BFOC13. Boston University Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon Goldberg Leonid Reyzin Princeton University Boston University How Secure is Internet Routing Today? (1) I am

375 views • 14 slides
Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week

Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week

Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week Carlos Mar2nez Cagnazzo carlos @ lacnic.net A9acks on rou;ng: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC

788 views • 31 slides
conficker.[ccTLD] Eric Ziegast / ISC DNS-OARC/ICANN March 14th, 2011 We want the Internet to

conficker.[ccTLD] Eric Ziegast / ISC DNS-OARC/ICANN March 14th, 2011 We want the Internet to

conficker.[ccTLD] Eric Ziegast / ISC DNS-OARC/ICANN March 14th, 2011 We want the Internet to work better. RPZ SIE RPKI Changing how New method for S the security e c u r i n DNS-based policy f g r communities o B m G P r

261 views • 14 slides

More recommend