34 - idnog03 - fakrul alam (apnic) - securing global routing system and operators approach


Upload: indonesia-network-operators-group

Posted on 15 April 2017

TRANSCRIPT

Page 1: 34 - IDNOG03  - Fakrul Alam (APNIC) - Securing Global Routing System and Operators Approach

Securing the Global Routing System and the Approach of Operators

Fakrul Alam, Senior Training Officer, [email protected]

Issue Date: 20 July 2016

Revision: 2.0

IDNOG3, 28 July 2016, Jakarta, Indonesia

Page 2

Incidents

Page 3

Motivations!

Page 4

Current practice

Receive Request → LOA Check → Create associated Prefix / AS Filter

Page 5

Tools & techniques

• Manual LoA check
  – Whois search on the customer's IP address from the IRR database
  – Find the admin-c / tech-c contact email address from the database search and email them for verification
  – Check the corresponding "route objects"

• Automated LoA check
  – Fetch the routing policy from the IRR database
  – Generate the associated prefix/AS filter
  – Mostly done using RPSL

• RPKI
  – Check and validate the prefix origin cryptographically
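The automated LoA check described on this slide, as an added example that is not part of the original deck: it parses RPSL route/route6 objects as returned by an IRR whois query, checks whether a customer's prefix is registered under the origin AS they claim, and renders the registered prefixes as an exact-match prefix-list for the customer session. The IRR text, the AS numbers (AS64500, AS64501), the prefixes and the prefix-list naming are all constructed for this example.

```python
"""Automated LoA check from IRR route objects (added example, not from the slides).

Parses RPSL route/route6 objects (RFC 2622 / RFC 4012 style), collects the
prefixes each origin AS is registered to announce, answers a LoA query and
renders a Cisco-style prefix-list. All data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed whois output, as an "-i origin" query against an IRR might return it.
IRR_DUMP = """\
route:          192.0.2.0/24
descr:          Example customer block
origin:         AS64500
mnt-by:         MAINT-EXAMPLE
source:         APNIC

route6:         2001:db8:100::/48
origin:         AS64500
source:         APNIC

route:          198.51.100.0/24
origin:         AS64501
source:         RADB
"""


def parse_route_objects(text):
    """Return {origin_asn: set_of_networks} from a whois-style RPSL dump.

    Objects are separated by blank lines and attributes are 'key: value'.
    Only route/route6 and origin are used; other attributes are ignored.
    """
    by_origin = defaultdict(set)
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        origin = attrs.get("origin")
        if not prefix or not origin:
            continue  # not a route object (e.g. a person or maintainer object)
        asn = int(origin.upper().lstrip("AS"))
        # strict=True rejects prefixes with host bits set, a common typo in IRR data
        by_origin[asn].add(ipaddress.ip_network(prefix, strict=True))
    return by_origin


def loa_check(by_origin, prefix, asn):
    """LoA check: is this exact prefix registered with a route object for asn?

    Exact matching mirrors the common operator policy of only accepting what
    the customer has actually registered; a /25 carved from a registered /24
    is therefore rejected until its own route object exists.
    """
    net = ipaddress.ip_network(prefix)
    return net in by_origin.get(asn, set())


def build_prefix_list(by_origin, asn, name):
    """Render the registered prefixes as prefix-list lines (exact-match permits
    followed by an explicit deny-all), one list per address family."""
    lines = []
    for version, keyword, deny_all in ((4, "ip", "0.0.0.0/0 le 32"),
                                       (6, "ipv6", "::/0 le 128")):
        nets = sorted(n for n in by_origin.get(asn, set()) if n.version == version)
        seq = 5
        for net in nets:
            lines.append(f"{keyword} prefix-list {name}-v{version} seq {seq} permit {net}")
            seq += 5
        lines.append(f"{keyword} prefix-list {name}-v{version} seq {seq} deny {deny_all}")
    return lines


if __name__ == "__main__":
    registered = parse_route_objects(IRR_DUMP)
    for prefix, asn in (("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                        ("198.51.100.0/24", 64500)):
        print(f"{prefix:18} AS{asn}: {'registered' if loa_check(registered, prefix, asn) else 'NOT registered'}")
    print("\n".join(build_prefix_list(registered, 64500, "CUST")))
```

The deny-all entry at the end of each list is the part that matters operationally: a customer announcing a prefix without a route object is dropped at the session rather than leaking into the global table, which is the failure the slide's manual LoA step is meant to prevent.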

Page 6

LoA check

• The system is sometimes overly complicated, and lacks sufficient examples

• End users cannot figure it out, which means another layer of support structure must be added, or proxy registration must be implemented

Page 7

LoA check & RPSL

A publicly accessible description of every import and export policy to every transit, peer, and customer is difficult to maintain, and is not in the best business interests of many ISPs

Page 8

RPKI implementation

• Origin validation

• Hosted CA
  – Easy to deploy, but you have to trust a third party with your private key

• Delegated
  – Complexity in installing the CA, generating ROAs, publishing the URI and pointing the TA

• Upgrade at least the ASBRs to RPKI-capable code

Page 9

Technology & learning curve

• RPSL – RFC 2622

• RPSLng – RFC 4012

• RPKI – RFC 6810

Page 10

But how are operators adopting and implementing?

Page 11

Distribution of prefixes

Total prefixes: 650772 (6 July 2016)

Page 12

Prefixes with IRR data

Violations: 80794 (19.53%)

Consistent: 332981 (80.47%)

Page 13

IRR data violations example

Page 14

Prefixes with RPKI

Violations: 775 (3.82%)

Consistent: 19522 (96.18%)

Violations: 2398 (13.56%)

Consistent: 15289 (86.44%)

Page 15

RPKI data violation example

• Most of the cases involve an invalid prefix (prefix length mismatch)
  – A ROA is created for a /22 but a /24 is announced

• Invalid origin AS is also visible

Page 16

RPKI data violation example

Page 17

How about Indonesia?

Page 18

Indonesia

http://rpki.apnictraining.net/output/id.html

Total ASNs delegated by RIR: 166

Visible IPv4 routes: 7305

Visible IPv6 routes: 299

Page 19

IPv4 prefixes announcement

Source: http://www.ris.ripe.net/dumps/riswhoisdump.IPv4.gz, date: 21 June 2016

IPv4 prefixes distribution by subnet (bar chart; values as labelled on the slide):

Subnet   Prefixes
/11             1
/13             1
/14             5
/15            10
/16            75
/17            12
/18            36
/19            68
/20           340
/21           533
/22           981
/23          1243
/24          3995
/26             1
/27             1
/29            30

Page 20

IPv6 prefixes announcement

Source: http://www.ris.ripe.net/dumps/riswhoisdump.IPv6.gz, date: 21 June 2016

IPv6 prefixes distribution by subnet (bar chart; values as labelled on the slide):

Subnet   Prefixes
/31             1
/32            26
/33             5
/34             2
/36             5
/38            27
/40            13
/44             2
/47             3
/48           114
/60             5
/64            23
/125            4
/126           50
/127            3
/128           16

Page 21

Summary

• RPKI adoption is growing
  – In most cases, operators create ROAs for the minimum length and advertise the longest prefix
  – Some ROAs are invalid due to further allocation to customers

• BGP operations and security – draft-ietf-opsec-bgp-security-07

Page 22

Data collection

• OpenBMP
  – https://github.com/OpenBMP/openbmp

• RPKI Dashboard
  – https://github.com/remydb/RPKI-Dashboard

• RIPE NCC RPKI Statistics
  – https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html

• RIPE NCC RPKI Validator API
  – http://rpki-validator.apnictraining.net:8080/export

Page 23

Thank You

Page 24

Your views matter!

Closes 5 August 2016. Your views guide the future direction of APNIC.

https://survey.apnic.net