- Route Hijacking and the role of RPKI in Securing Internet Routing Infrastructure
Содержание
- 2. 2 BGP 101 2001:db8::/32 Network Next Hop AS_PATH Age Attrs 65530 65533 64512 65535 2001:db8:ab::1 65532
- 3. Current Practice Filtering limited to the edges facing the customer Filters on peering and transit sessions
- 4. Filter Where? Secure BGP Templates http://www.cymru.com/gillsr/doc uments/junos-bgp-template.htm https://www.team- cymru.org/ReadingRoom/Templ ates/secure-bgp-template.html
- 5. IP Address & AS Number Digital Certificate RPKI Resource Public Key Infrastructure
- 6. 6 BGP 101 + RPKI 2001:db8::/32 Network Next Hop AS_PATH Age 05:30:49 05:30:49 Attrs [{Origin: i}]
- 7. PKI In Other Application HTTPS Web Address as RESOURCE Hierarchical Trust Model CA as the root
- 8. What About RPKI?
- 9. The Eco System
- 10. RPKI Trust Anchor IANA AFRINIC RIPE NCC ARIN APNIC LACNIC NIR NIR ISP ISP ISP ISP
- 11. RPKI Implementation As an Announcer/LIR You choose if you want certification You choose if you want
- 12. Activate RPKI engine
- 13. Create ROA 1. Write your ASN 2. Your IP Block Create ROA for smaller block. 3.
- 14. How Do We Verify?
- 15. RPKI in Action {bgp4} Routers validate updates from other BGP peers {rtr} Caches feeds routers using
- 16. RPKI Implementation Issues
- 17. RPKI Data Violation : Invalid ASN Invalid origin AS is visible From private ASN!
- 18. RPKI Data Violation : Fixed Length Mismatch Most of the cases involve an invalid prefix (fixed
- 19. Fiji Total ASNs delegated by RIR: 8, Visible IPv4 routes: 50, Visible IPv6 routes: 5 http://rpki.apnictraining.net/output/fj.html
- 20. Moving Forward RPKI adoption is growing You are encouraged to create ROA. Experiment, test, play and
- 21. Data Collection GoBGP https://github.com/osrg/gobgp RPKI Dashboard https://github.com/remydb/RPKI-Dashboard RIPE RPKI Statistics https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html RIPE Cache Validator API http://rpki-validator.apnictraining.net:8080/export
- 23. Скачать презентацию
2
BGP 101
2001:db8::/32
Network
Next Hop
AS_PATH
Age
Attrs
65530
65533
64512
65535
2001:db8:ab::1
65532
2406:6400::/32
65531
65420
65534
2
BGP 101
2001:db8::/32
Network
Next Hop
AS_PATH
Age
Attrs
65530
65533
64512
65535
2001:db8:ab::1
65532
2406:6400::/32
65531
65420
65534
Current Practice
Filtering limited to the edges facing the customer
Filters on peering and transit
Current Practice
Filtering limited to the edges facing the customer
Filters on peering and transit
Filter Where?
Secure BGP Templates
http://www.cymru.com/gillsr/doc uments/junos-bgp-template.htm
https://www.team- cymru.org/ReadingRoom/Templ ates/secure-bgp-template.html
Filter Where?
Secure BGP Templates
http://www.cymru.com/gillsr/doc uments/junos-bgp-template.htm
https://www.team- cymru.org/ReadingRoom/Templ ates/secure-bgp-template.html
IP Address & AS Number
Digital Certificate
RPKI
Resource Public Key Infrastructure
IP Address & AS Number
Digital Certificate
RPKI
Resource Public Key Infrastructure
6
BGP 101 + RPKI
2001:db8::/32
Network
Next Hop
AS_PATH
Age
05:30:49
05:30:49
Attrs
[{Origin: i}]
[{Origin: i}]
V*> 2406:6400::/32
I > 2406:6400::/32
2001:df2:ee00::1
2001:df2:ee11::1
65531 65533 65535
65530 65420
65530
65533
64512
65535
2001:db8:ab::1
65532
2406:6400::/32
65531
65420
65534
6
BGP 101 + RPKI
2001:db8::/32
Network
Next Hop
AS_PATH
Age
05:30:49
05:30:49
Attrs
[{Origin: i}]
[{Origin: i}]
V*> 2406:6400::/32
I > 2406:6400::/32
2001:df2:ee00::1
2001:df2:ee11::1
65531 65533 65535
65530 65420
65530
65533
64512
65535
2001:db8:ab::1
65532
2406:6400::/32
65531
65420
65534
PKI In Other Application
HTTPS
Web Address as RESOURCE
Hierarchical Trust Model
CA as the root of
PKI In Other Application
HTTPS
Web Address as RESOURCE
Hierarchical Trust Model
CA as the root of
What About RPKI?
What About RPKI?
The Eco System
The Eco System
RPKI Trust Anchor
IANA
AFRINIC
RIPE NCC
ARIN
APNIC
LACNIC
NIR
NIR
ISP
ISP
ISP
ISP
ISP
Trust Anchor Certificate
Resource Allocation Hierarchy
Issued Certificates match
allocation actions
RPKI Trust Anchor
IANA
AFRINIC
RIPE NCC
ARIN
APNIC
LACNIC
NIR
NIR
ISP
ISP
ISP
ISP
ISP
Trust Anchor Certificate
Resource Allocation Hierarchy
Issued Certificates match
allocation actions
RPKI Implementation
As an Announcer/LIR
You choose if you want certification
You choose if you want
RPKI Implementation
As an Announcer/LIR
You choose if you want certification
You choose if you want
Activate RPKI engine
Activate RPKI engine
Create ROA
1. Write your ASN 2. Your IP Block
Create ROA for smaller block.
3. Subnet
4.
Create ROA
1. Write your ASN 2. Your IP Block
Create ROA for smaller block.
3. Subnet
4.
How Do We Verify?
How Do We Verify?
RPKI in Action
{bgp4} Routers validate updates from other BGP peers
{rtr} Caches feeds routers
RPKI in Action
{bgp4} Routers validate updates from other BGP peers
{rtr} Caches feeds routers
RPKI Implementation Issues
RPKI Implementation Issues
RPKI Data Violation : Invalid ASN
Invalid origin AS is visible
From private ASN!
RPKI Data Violation : Invalid ASN
Invalid origin AS is visible
From private ASN!
RPKI Data Violation : Fixed Length Mismatch
Most of the cases involve an invalid
RPKI Data Violation : Fixed Length Mismatch
Most of the cases involve an invalid
Fiji
Total ASNs delegated by RIR: 8, Visible IPv4 routes: 50, Visible IPv6 routes:
Fiji
Total ASNs delegated by RIR: 8, Visible IPv4 routes: 50, Visible IPv6 routes:
Moving Forward
RPKI adoption is growing
You are encouraged to create ROA. Experiment, test, play
Moving Forward
RPKI adoption is growing
You are encouraged to create ROA. Experiment, test, play
Data Collection
GoBGP
https://github.com/osrg/gobgp
RPKI Dashboard
https://github.com/remydb/RPKI-Dashboard
RIPE RPKI Statistics
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
RIPE Cache Validator API
http://rpki-validator.apnictraining.net:8080/export
Data Collection
GoBGP
https://github.com/osrg/gobgp
RPKI Dashboard
https://github.com/remydb/RPKI-Dashboard
RIPE RPKI Statistics
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
RIPE Cache Validator API
http://rpki-validator.apnictraining.net:8080/export
International mobility of students and academic staff
Артқы фон мен ойын кейіпкерлері
Информационные ресурсы
Сетикет. Правила поведения в сети интернета
Задачи по теме Алфавитный подход к определению количества информации
Примеры программ на ЯП Паскаль
Основы программирования. Лекция № 5
Операционная система Android
Электротехникалық құралдар мен тізбектерді Simulink/Matlab – та моделдеу
Ввод-вывод. Сериализация объектов
Экономическая кибернетика: Введение в программирование на R
Общее представление о технологии Blockchain. Ведение распределённого реестра в условиях низкого уровня доверия
SketchUp
Radio and Television today
Биллинговые системы
Компьютерные технологии. Лекция №7. Web-программирование: Django. Часть 2
Алгебра логики. Высказывания
Как составить презентацию к защите проекта (общие рекомендации для учеников)
Системный анализ: Кибернетические модели. Экономико-математические модели. Нормативные операционные модели
Тип данных
Что такое 3D моделирование
Компьютерные игры: симуляторы автомобилей и мотоциклов, самолётов, космических кораблей
Cхема. Карта
Педагогический проект Использование ИКТ на уроках русского языка и литературы
Idena. The first human-centric blockchain
Використання файлової системи і функцій символьного введення/виведення у сучасних операційних середовищах (Лекція № 3)
Триггеры в презентации. Применение. Создание слайдов с триггерами
MySql. Система управления реляционными базами данных