APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

Upload: caroline-richardson

Post on 25-Dec-2015


Page 1: APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

APNIC eLearning: Intro to RPKI

10 December 2014, 12:30 PM AEST Brisbane (UTC+10)

Page 2

Introduction

• Presenter/s

• Reminder: Please take time to fill out the survey

Nurul Islam Roman, Technical Training, [email protected]

Specialties: Routing & Switching, IPv6, DNS/DNSSEC, Internet Resource Management, Network Security

Page 3

Overview

• What is RPKI?

• Background of RPKI

• Right to Resources

• X.509 Certificates

• Route Origin Authorizations (ROA)

• Resource Certification

• Creating ROA records

Page 4

SIDR Working Group

• Secure Inter-Domain Routing (SIDR)

• Its purpose is to “reduce vulnerabilities to the inter-domain routing system”

• Addresses two vulnerabilities:
– Is an Autonomous System authorized to originate an IP prefix?
– Is the AS-Path represented in the route the same as the path through which the NLRI traveled?

• Projects: PKI, RPKI, BGPsec

Source: SIDR WG https://datatracker.ietf.org/wg/sidr/charter/

Page 5

BGP Security (BGPsec)

• Extension to BGP that provides improved security for BGP routing

• Currently an IETF Internet draft

• Implemented via a new optional non-transitive BGP path attribute that contains a digital signature

• Two things:
– BGP Prefix Origin Validation (using RPKI)
– BGP Path Validation

Page 6

Three Pieces

• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (deployed at all RIRs)

• Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (in deployment)

• AS-Path Validation / BGPsec – Prevent Path Attacks on BGP (future work)

Page 7

What is RPKI?

• Resource Public Key Infrastructure (RPKI)

• A robust security framework for verifying the association between resource holder and their Internet resources

• Created to address the issues in RFC 4593

• Uses X.509 v3 certificates
– With RFC 3779 extensions

Page 8

What is RPKI?

• “represents the allocation hierarchy of IP address space and Autonomous Systems (AS) numbers”

• A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents

• Helps to secure Internet routing by validating routes
– Proof that prefix announcements are coming from the legitimate holder of the resource

RPKI is in the process of standardization through the Secure Inter-Domain Routing (SIDR) working group

Page 9

RFCs on RPKI

• RFC 6810 – The Resource Public Key Infrastructure (RPKI) to Router Protocol (January 2013) - Standard

• RFC 6480 – An Infrastructure to Support Secure Internet Routing (February 2012) - Informational

• RFC 6481 – A Profile for Resource Certificate Repository Structure (February 2012) - Standard

• RFC 6491 – RPKI Objects Issued by IANA

• RFC 6493 – The RPKI Ghostbusters Record

• RFC 6487 – A Profile for X.509 PKIX Resource Certificate

Page 10

A bit of History

• 1986 – Bellovin & Perlman identify the vulnerability in DNS and Routing

• 1999 - National Academies study called it out

• 2000 – S-BGP – X.509 PKI to support Secure BGP - Kent, Lynn, et al.

• 2003 – NANOG S-BGP Workshop

• 2006 – RPKI.NET (for ARIN) & APNIC start work on RPKI. RIPE starts in 2008.

• 2009 – RPKI.NET Open Testbed and running code in test routers

Page 11

Benefits of RPKI - Routing

• Prevents “Route Hijacking”
– when an entity participating in Internet routing announces a prefix without authorization
– Reason: malicious attack

• Prevents mis-origination
– A prefix that is originated by an AS which does not own it
– Reason: configuration mistake

Page 12

Internet Routing

[Diagram: a network announces 202.12.29.0/24 to the Internet. Before the announcement the Global Routing Table holds 4.128/9, 60.100/16, 60.100.0/20, 135.22/16, …; afterwards it also holds 202.12.29.0/24, and traffic for 202.12.29.0/24 flows back to the announcing network.]

Page 13

“Right” to Resources

• ISP gets their resources from the RIR

• ISP notifies its upstream of the prefixes to be announced

• Upstream _MUST_ check the Whois database to confirm that the resource has been delegated to the customer ISP.

We need to be able to authoritatively prove who owns an IP Prefix and what AS(s) may announce it.

Page 14

X.509 Certificate

• Resource certificates are based on the X.509 certificate format - RFC 5280

• Extended by RFC 3779 – this extension binds a list of resources (IP, ASN) to the subject of the certificate

Page 15

X.509 Certificate with 3779 Extension

• SIA – Subject Information Access; contains a URI that references the directory

Page 16

Two Components

• Certificate Authority (CA)
– Internet Registries (RIR, NIR, Large LIR)
– Issue certificates for customers
– Allow customers to use the CA’s GUI to issue ROAs for their prefixes

• Relying Party (RP)
– Software which gathers data from CAs

Page 17

Route Origin Authorization (ROA)

• Certificate holder uses its private key to sign an ROA

• Verifies that an AS has been given permission by an address block holder to advertise routes to one or more prefixes within that block

Page 18

Resource Certification

• RIRs have been developing a new service for their members

• APNIC has now launched Resource Certification for the AP region

• The goal is to improve the security of inter-domain routing and to augment the information published in the APNIC Whois Database

Page 19

Resource Certification Benefits

• Routing information corresponds to properly delegated address resources

• Resource Certification gives resource holders proof that they hold certain resources

• Resource holders can attest to those resources when distributing them

• Resource Certification is a highly robust means of preventing the injection of false information into the Internet's routing system.

Page 20

APNIC Resource Certification

• A robust security framework for verifying the association between resource holders and their Internet resources.

• Initiative from APNIC aimed at
– improving the security of inter-domain routing, and
– augmenting the information published in the Whois database

• Verifies a holder’s current “right-of-use” over an Internet resource

Page 21

How it Works

Page 22

Resource Certification (APNIC)

• Verify signed data using the signer’s public key

• Verify the public key through a chain of interlocking certificates that connect a Trust Anchor to the signer’s public key certificate
– This is what we refer to as RPKI

• Why it’s important:
– Routing advertisements are now verifiable
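The chain walk described on this slide has an RPKI-specific rule beyond ordinary X.509 path validation: under RFC 3779 (the extension introduced on Pages 14 and 15) every certificate's IP prefixes and AS numbers must be encompassed by its issuer's, all the way up to the Trust Anchor, so a certificate that claims resources its issuer never held is rejected no matter who signed it. The following is an added example, not code from the APNIC slides or from any RPKI software; it models only that resource-containment check (signature verification, validity periods and CRLs are left out), and the trust anchor, ISP and customer certificates, their documentation-range prefixes and private AS numbers are all constructed for illustration.

```python
"""Added example (not from the APNIC slides): the RFC 3779
resource-containment rule applied along a simplified RPKI chain.

Each certificate's prefixes and AS numbers must lie within its
issuer's, up to the trust anchor.  Signature checks, validity
periods and CRLs are out of scope; only containment is modelled.
All certificates below are constructed (documentation prefixes,
private AS numbers)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResourceCert:
    """Minimal stand-in for an RFC 6487 resource certificate."""
    name: str
    prefixes: list                            # ipaddress.ip_network objects
    asns: set = field(default_factory=set)    # AS numbers held (ints)
    issuer: Optional["ResourceCert"] = None   # None only for the trust anchor


def prefix_encompassed(net, issuer_prefixes):
    """True if net lies inside an issuer prefix of the same address family."""
    return any(net.version == p.version and net.subnet_of(p)
               for p in issuer_prefixes)


def resources_encompassed(cert, issuer):
    """RFC 3779 rule: every child resource must be within the issuer's."""
    for net in cert.prefixes:
        if not prefix_encompassed(net, issuer.prefixes):
            return False, f"{cert.name}: {net} not within issuer {issuer.name}"
    extra_asns = cert.asns - issuer.asns
    if extra_asns:
        return False, (f"{cert.name}: AS{min(extra_asns)} not within "
                       f"issuer {issuer.name}")
    return True, "ok"


def validate_chain(cert, trust_anchor):
    """Walk from cert up to the trust anchor; every link must be encompassed.

    Returns (True, chain description) or (False, reason for rejection)."""
    path = []
    cur = cert
    while cur is not trust_anchor:
        if cur.issuer is None:
            return False, f"{cur.name}: chain does not reach the trust anchor"
        ok, why = resources_encompassed(cur, cur.issuer)
        if not ok:
            return False, why
        path.append(cur.name)
        cur = cur.issuer
    return True, " <- ".join(path + [trust_anchor.name])


def net(s):
    return ipaddress.ip_network(s)


# Constructed chain: trust anchor -> ISP -> customer.
TA = ResourceCert("TA (constructed)",
                  [net("203.0.113.0/24"), net("198.51.100.0/24"), net("2001:db8::/32")],
                  set(range(64496, 64512)))
ISP = ResourceCert("ISP", [net("203.0.113.0/25"), net("2001:db8::/40")],
                   {64496}, issuer=TA)
CUSTOMER = ResourceCert("Customer", [net("203.0.113.0/26")], {64496}, issuer=ISP)

# Certificates issued under ISP that claim more than ISP holds: both must be
# rejected, regardless of how they were signed.
OVERCLAIM = ResourceCert("Overclaim", [net("203.0.113.128/25")], set(), issuer=ISP)
WRONG_ASN = ResourceCert("WrongASN", [net("203.0.113.0/26")], {64500}, issuer=ISP)


if __name__ == "__main__":
    for c in (CUSTOMER, OVERCLAIM, WRONG_ASN):
        print(c.name, validate_chain(c, TA))
```

A real relying-party validator performs this containment test after verifying each signature, and a failure anywhere in the chain invalidates every ROA beneath it; that is what makes the "right to resources" on Page 13 checkable by software rather than by reading Whois.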

Page 23

Creating ROA Records

• Login to MyAPNIC, then Resources -> Certification

Page 24

Adding ROA Records

Page 25

Deleting ROA Records

Page 26

RPKI Validation

• RPKI-capable routers can fetch the validated ROA dataset from a trust anchor

• BGP states:
– VALID if a matching VRP (Validated ROA Payload) was found
– INVALID if a covering VRP was found, but the ASN did not match
– UNKNOWN if no matching or covering VRP was found
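The three states on this slide are the RFC 6811 origin-validation outcome for one announced route checked against the VRP set a router receives. Two details worth seeing in code: an announcement more specific than the ROA's maxLength is INVALID even when the origin AS is right (the common way a misconfigured or leaked more-specific is caught), and a VRP whose ASN is 0 can never match, so it marks a prefix as not-to-be-announced. The following is an added example, not code from the APNIC slides or from any router or validator; the VRP list and the announcements are constructed from documentation prefixes and private AS numbers, and the state name UNKNOWN follows the slide (RFC 6811 calls it NotFound).

```python
"""Added example (not from the APNIC slides): BGP prefix origin
validation as specified in RFC 6811, applied to a constructed VRP set.

A VRP is the (prefix, maxLength, ASN) triple taken from a validated ROA.
VALID: a covering VRP exists whose ASN matches and whose maxLength the
route does not exceed.  INVALID: covering VRPs exist but none match.
UNKNOWN (RFC 6811 "NotFound"): nothing covers the prefix at all."""
import ipaddress
from collections import namedtuple

VRP = namedtuple("VRP", "prefix max_length asn")

# Constructed VRP set, as a router would receive it over RPKI-to-Router.
VRPS = [
    VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),   # exact /24 only
    VRP(ipaddress.ip_network("198.51.100.0/24"), 26, 64497),  # up to /26 allowed
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64496),    # IPv6, up to /48
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 0),         # AS0: never announce
]


def validate_origin(prefix_str, origin_as, vrps=VRPS):
    """Return "VALID", "INVALID" or "UNKNOWN" for one announced route."""
    prefix = ipaddress.ip_network(prefix_str)
    covered = False
    for vrp in vrps:
        if vrp.prefix.version != prefix.version or not prefix.subnet_of(vrp.prefix):
            continue                      # this VRP does not cover the route
        covered = True
        if (prefix.prefixlen <= vrp.max_length
                and vrp.asn == origin_as and vrp.asn != 0):
            return "VALID"
    # Covering VRPs exist but none matched: wrong origin AS, announcement
    # more specific than maxLength, or an AS0 VRP that forbids any origin.
    return "INVALID" if covered else "UNKNOWN"


def validate_announcements(announcements, vrps=VRPS):
    """Validate a list of (prefix, origin_as) pairs and group them by state."""
    result = {"VALID": [], "INVALID": [], "UNKNOWN": []}
    for prefix, asn in announcements:
        result[validate_origin(prefix, asn, vrps)].append((prefix, asn))
    return result


if __name__ == "__main__":
    # Constructed announcements: the legitimate origin, a more-specific
    # leak, an origin mismatch, an AS0-protected prefix, and a prefix with
    # no ROA at all.
    sample = [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64496),
              ("203.0.113.0/24", 64511), ("198.51.100.64/26", 64497),
              ("192.0.2.0/24", 64496), ("10.0.0.0/8", 64496)]
    for state, routes in validate_announcements(sample).items():
        print(state, routes)
```

What a router does with each state is local policy (RFC 6811 only defines the states): a common conservative deployment prefers VALID over UNKNOWN and rejects or deprefers INVALID, and keeping UNKNOWN routable is what lets operators turn validation on before every prefix has a ROA.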

Page 27

Questions

• Please remember to fill out the feedback form
– http://surveymonkey.com/s/apnic-20141210-eL1

• Slide handouts will be available after completing the survey

Page 28

APNIC Helpdesk Chat

Page 29

Thank You!

End of Session