getting ipv6 & securing your routing
DESCRIPTION
Presentation given by Ferenc Csorba at: IPv6 Kongress, Frankfurt, Germany, on 10-11 May 2012TRANSCRIPT
![Page 1: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/1.jpg)
Getting IPv6 & Securing your Routing
IPv6 KongressMay 2012, Frankfurt
Sandra Brás & Ferenc Csorba, RIPE NCC
![Page 2: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/2.jpg)
Schedule
• IPv4 exhaustion
• IPv6 address space
• European IPv6 deployment statistics
• BGP multihoming
• Routing Registry and the RIPE Database
• Resource Certification
2
![Page 3: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/3.jpg)
RIPE / RIPE NCC
3
RIPEOpen communityDevelops addressing policiesWorking group mailing lists
RIPE NCCLocated in AmsterdamNot for profit membership organisationOne of five RIRs
![Page 4: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/4.jpg)
The five RIRs
4
![Page 5: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/5.jpg)
Internet Number Resources
• IP addresses- IPv4 eg. 193.0.0.203- IPv6 eg. 2001:610:240:11::c100:1319
• Autonomous System Numbers (ASN)
• Other public services- Training Services- RIPE Database - K-root name server - Measurement tools- E-learning
- RIPE Labs- RIPE Stat- RIPE Atlas
5
![Page 6: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/6.jpg)
Registration
6
![Page 7: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/7.jpg)
Conservation
7
![Page 8: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/8.jpg)
Aggregation
8
![Page 9: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/9.jpg)
Who makes policies?
9
AfriNIC RIPE NCC ARIN APNIC LACNIC
ARINcommunity
proposalproposal proposal proposal proposal
RIPEcommunity
AfriNICcommunity
APNICcommunity
LACNICcommunity
ICANN / IANA
ASO
Reach consensus across communities
Global Policy Proposal
![Page 10: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/10.jpg)
Why would you want to participate?
• Policy determines how you run your business
• Over 8000 LIRs
• Only a fraction are active participants in the PDP
10
![Page 11: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/11.jpg)
How can you participate?
• Working Group mailing lists- RIPE website → RIPE → Mailing Lists
• Come to the RIPE Meetings- Two free tickets for new LIRs- Remote participation is also possible
11
![Page 12: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/12.jpg)
IPv4 Address Pool Exhaustion
![Page 13: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/13.jpg)
IANA IPv4 pool
13
0%
10%
20%
30%
40%
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
![Page 14: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/14.jpg)
IPv4 address distribution
14
Allocation PA Assignment PI Assignment
IANA
End User
LIR
RIR
/0
/21
/8
/25/23 /25
![Page 15: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/15.jpg)
0
64
128
192
256
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
IANA and RIRs IPv4 poolIANA Pool RIR Allocations Advertised RIR Pool
Data
Today
15
![Page 16: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/16.jpg)
Our slice of the IPv4 pie
APNIC
ARIN
LACNIC
AfriNIC
Legacy
Other IANA
16
RIPE NCC
![Page 17: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/17.jpg)
IPv4 exhaustion phases
17
time
IANA pool exhausted
IPv4 still available. RIPE NCC continues
distributing it
Each of the 5 RIRs given a /8
RIPE NCC reaches final /8
RIPE NCC’s allocation policy from last /8
applies
RIPE NCC pool
exhausted
RIPE NCC can only distribute IPv6
now
?
![Page 18: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/18.jpg)
Run Out Fairly (of IPv4)
• Gradually reduced allocation / assignment periods
• Needs for “Entire Period” of up to... - 12 months (January 2010)- 9 months (July 2010)- 6 months (January 2011)- 3 months (July 2011)
• 50% has to be used up by half-period
18
![Page 19: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/19.jpg)
RIPE NCC’s last /8
• We do things differently!
• Ensures IPv4 access for all members- 16000+ /22s in a /8- members can get one /22 (=1024 addresses)- must already hold IPv6 - must qualify for allocation
• /16 set aside for unforeseen situations- if unused, will be distributed
• No PI
19
![Page 20: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/20.jpg)
Transfer of IPv4 Allocations
• Policy 2007-08: Allocation Transfer Policy- Don’t buy your IPv4 on eBay!
- Transfer unused allocations to another LIR
- Minimum allocation size /21
- Evaluated by RIPE NCC
- Update in RIPE Database
20
http://www.ripe.net/lir-services/resource-management/listing
![Page 21: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/21.jpg)
IPv4 Depletion in the RIPE NCC’s Region
21
- https://www.ripe.net/internet-coordination/ipv4-exhaustion
![Page 22: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/22.jpg)
IPv4 Allocation Rate
22
0
75
150
225
300
2000
-01
2000
-07
2001
-01
2001
-07
2002
-01
2002
-07
2003
-01
2003
-07
2004
-01
2004
-07
2005
-01
2005
-07
2006
-01
2006
-07
2007
-01
2007
-07
2008
-01
2008
-07
2009
-01
2009
-07
2010
-01
2010
-07
2011
-01
2011
-07
2012
-01
![Page 23: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/23.jpg)
IPv4 Depletion Worldwide
23
0
1
2
3
4
5
6
AfriNIC RIPE NCC LACNIC ARIN APNIC
IPv4 Pool in /8’s
![Page 24: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/24.jpg)
IPv6 Address Space
![Page 25: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/25.jpg)
Where do all the addresses come from?
25
IANA
IETF
AfriNIC LACNICRIPE NCC
8000 LIRs
APNICARIN
End Users
![Page 26: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/26.jpg)
IPv6 address distribution
26
PA Allocation Provider Aggregatable
Assignment
PI Assignment
IANA
End User
LIR
RIR
/3
/32
/12
/56/48 /48
![Page 27: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/27.jpg)
IPv6 basics
• IPv6 address: 128 bits- 32 bits in IPv4
• Every subnet should be a /64
• Customer assignments (sites) between:- /64 (1 subnet)- /48 (65536 subnets)
• Minimum allocation size /32- 65536 /48’s- 16777216 /56’s
27
![Page 28: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/28.jpg)
28
IPv4 vs IPv6 (rounded off)
4x109 2x1019
2x106 4x109
2048 4x109
in each allocation: in each allocation:
IPv4 IPv6
addresses
addresses
allocationsto members
subnets
subnets
![Page 29: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/29.jpg)
Prefix
/24/25/26/27/28/29/30/31/32/33/34/35/36/37/38/39/40/41/42/43/44/45/46/47/48/49/50/51/52/53/54/55/56/57/58/59/60/61/62/63/64
Bits
104103102101100999897969594939291908988878685848382818079787776757473727170696867666564
/56s
4G2G1G
512M256M128M64M32M16M8M4M2M1M
512K256K128K64K32K16K8K4K2K1K
5122561286432168421
/64s
1T512G256G128G64G32G16G8G4G2G1G
512M256M128M64M32M16M8M4M1M1M
512K256K128K64K32K16K8K4K2K1K
5122561286432168421
/48s
16M8M4M2M1M
512K256K128K64K32K16K8K4K2K1K
5122561286432168421
RIP
E N
CC
IPv6
Cha
rt
IP Addresses
1248
163264
1282565121 K2 K4 K8 K
16 K32 K64 K
128 K256 K512 K
1 M2 M4 M8 M
16 M32 M64 M
128 M256 M512 M
1024 M2048 M4096 M
Bits
01234567891011121314151617181920212223242526272829303132
Prefix
/32/31/30/29/28/27/26/25/24/23/22/21/20/19/18/17/16/15/14/13/12/11/10/9/8/7/6/5/4/3/2/1/0
Subnet Mask
255.255.255.255255.255.255.254255.255.255.252255.255.255.248255.255.255.240255.255.255.224255.255.255.192255.255.255.128255.255.255.0255.255.254.0255.255.252.0255.255.248.0255.255.240.0255.255.224.0255.255.192.0255.255.128.0255.255.0.0255.254.0.0255.252.0.0255.248.0.0255.240.0.0255.224.0.0255.192.0.0255.128.0.0255.0.0.0254.0.0.0252.0.0.0248.0.0.0240.0.0.0224.0.0.0192.0.0.0128.0.0.00.0.0.0
IPv4 CIDR Chart RIPE NCC
www.ripe.netContact Registration Services:
Classless Inter-Domain Routing (CIDR)
29
![Page 30: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/30.jpg)
Address Notation
2001:0db8:003e:ef11:0000:0000:c100:004d
30
2001: db8: 3e:ef11: 0: c100:0 00 000 000 004d0:
2001:db8:3e:ef11:0:0:c100:4d
0 0 0 11 1 1 11 1 1 0 0 0 0 1
![Page 31: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/31.jpg)
Getting an IPv6 allocation
• To qualify, an organisation must:- Be an LIR - Have a plan for making assignments within two years
• Minimum allocation size /32
• Announcement as a single prefix recommended
31
![Page 32: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/32.jpg)
RIPE Policy Proposal 2011-04
• Extension of the Minimum Size for IPv6 Initial Allocation
- Proposes initial allocation up to a /29- For example, for small LIRs to deploy IPv6 via 6RD
(RFC 5969)
• Proposal currently in Review Phase- The RIPE NCC is working on impact analysis
32
UNDER DISCUSSION
![Page 33: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/33.jpg)
What does the first IPv6 allocation cost?
33
- for all- pending General Meeting decision
- for approximately 97% of the LIRs- more points, but not higher category!
or:
![Page 34: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/34.jpg)
Why Create an IPv6 Addressing Plan?
• Mental health during implementation(!)
• Easier implementation of security policies
• Efficient addressing plans are scalable
• More efficient route aggregation
34
![Page 35: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/35.jpg)
IPv6 Subnetting
35
![Page 36: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/36.jpg)
Make an addressing plan (I)
• Number of hosts is irrelevant
• Multiple /48s per pop can be used- separate blocks for infrastructure and customers- document address needs for allocation criteria
• /64 for all subnets- autoconfiguration works- renumbering easier- less typo errors because of simplicity
36
![Page 37: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/37.jpg)
Make an addressing plan (II)
• Use one /64 block (per site) for loopbacks- One /128 per device- One /64 contains enough /128s for 18.446.744.073.709.551.616 devices
37
![Page 38: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/38.jpg)
More On Addressing Plans for ISPs
• For private networks, look at ULA
• For servers you want manual configuration
• Use port numbers for addresses- pop server 2001:db8:1::110- dns server 2001:db8:1::53- etc...
38
![Page 39: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/39.jpg)
Point-to-Point Connections
• How much space for point-to-point connections?- RFC4291: Interface IDs are required to be /64- RFC3627: Use of /127 between routers considered
harmful - RFC6547: RFC3627 to Historic Status- RFC6164: Using /127 on Inter-Router links
• Be safe: reserve a /64, assign a /127 per point-to-point connection
39
![Page 40: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/40.jpg)
Customer assignments
• Give your customers enough addresses- Up to a /48
• For more addresses, send in request form- Alternatively, make a sub-allocation
• Every assignment must now be registered in the RIPE database
40
![Page 41: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/41.jpg)
Using AGGREGATED-BY-LIR
41
ALLOCATED-BY-RIR
ALLOCATED-BY-LIR
/48 /48/48/48/48
AGGREGATED-BY-LIRassignment-size: 48 /40
hint :)
ASSIGNED AGGREGATED-BY-LIRassignment-size: 56
/34/44/36
![Page 42: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/42.jpg)
Group assignments in the RIPE DB
inet6num: 2001:db8:1000::/36netname: Bluelightdescr: We want more Bluelight B.V.descr: Colocation servicescountry: NLadmin-c: BN649-RIPEtech-c: BN649-RIPEstatus: AGGREGATED-BY-LIRassignment-size: 48mnt-by: BLUELIGHT-MNTnotify: [email protected]: [email protected] 20110218source: RIPE
42
![Page 43: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/43.jpg)
Customers And Their /48
• Customers have no idea how to handle 65536 subnets!
• Provide them with information– https://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf
43
![Page 44: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/44.jpg)
IPv6 Address Management
• Your Excel sheet might not scale– There are 65.536 /48s in a /32
– There are 65.536 /64s in a /48
– There are 16.777.216 /56s in a /32
• Find a suitable IPAM solution
44
![Page 45: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/45.jpg)
Getting IPv6 PI address space
• To qualify, an organisation must: - Meet the contractual requirements for provider independent resources
• Minimum assignment size /48
45
![Page 46: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/46.jpg)
3e:ef11:
Reverse DNS
46
2001:db8: :c100:4d
![Page 47: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/47.jpg)
.ip6.arpa
0 00 0000:0000 003e:ef11:
Reverse DNS
47
2001: db8: :c100: 4d8bd01002
. . . . . . .
d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR yourname.domain.tld
d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR yourname.domain.tld
![Page 48: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/48.jpg)
IPv6 Deployment Statistics
![Page 49: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/49.jpg)
2
IPv6 Allocation Rate
![Page 50: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/50.jpg)
IPv6 PI Assignments
3
![Page 51: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/51.jpg)
Members with IPv6 and IPv4
51
3918
89
3846
IPv4 only IPv6 only IPv6 and IPv4
7853 members with IP resources
![Page 52: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/52.jpg)
IPv6 Ripeness
52
• Rating system:- One star if the LIR has an IPv6 allocation
- Additional stars if:
- IPv6 Prefix is announced on router
- A route6 object is in the RIPE Database
- Reverse DNS is set up
- A list of all 4 star LIRs: http://ripeness.ripe.net/
![Page 53: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/53.jpg)
IPv6 RIPEness: 8097 LIRs (5 May 2012)
No IPv651%
4 stars18%
3 stars11%
2 stars6%
1 star14%
1 star 2 stars 3 stars 4 stars No IPv6
![Page 54: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/54.jpg)
IPv6 RIPEness – countries (5 May 2012)
54
0
225
450
675
900
Slov
enia
(47
LIR
s)
Net
herl
ands
(41
8 LI
Rs)
Cze
ch R
epub
lic (
221
LIR
s)
Ger
man
y (8
21 L
IRs)
Switz
erla
nd (
260
LIR
s)
Pola
nd (
214
LIR
s)
Aus
tria
(15
5 LI
Rs)
Port
ugal
(37
LIR
s)
Nor
way
(16
3 LI
Rs)
Den
mar
k (1
23 L
IRs)
1star 2star 3star 4star 0star
![Page 55: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/55.jpg)
IPv6 RIPEness – relative (5 May 2012)
55
0%
25%
50%
75%
100%
Slov
enia
(47
LIR
s)
Net
herl
ands
(41
8 LI
Rs)
Cze
ch R
epub
lic (
221
LIR
s)
Ger
man
y (8
21 L
IRs)
Switz
erla
nd (
260
LIR
s)
Pola
nd (
214
LIR
s)
Aus
tria
(15
5 LI
Rs)
Port
ugal
(37
LIR
s)
Nor
way
(16
3 LI
Rs)
Den
mar
k (1
23 L
IRs)
1star 2star 3star 4star 0star
![Page 56: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/56.jpg)
IPv6 enabled ASes in global routing
56
0%
8%
17%
25%
33%
42%
50%
2004 2005 2006 2007 2008 2009 2010 2011 2012
All Germany Belgium France Netherlands
http://v6ASNs.ripe.net
![Page 57: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/57.jpg)
World IPv6 Launch
• http://www.worldipv6launch.org/
57
![Page 58: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/58.jpg)
Useful information
Websites
• http://www.getipv6.info/
• http://www.ipv6actnow.org
• http://datatracker.ietf.org/wg/v6ops/
• http://www.ripe.net/ripe/docs/ripe-501.html
Mailing lists
• http://lists.cluenet.de/mailman/listinfo/ipv6-ops
• http://www.ripe.net/mailman/listinfo/ipv6-wg
58
![Page 59: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/59.jpg)
Multihomed BGP Routing Setup
![Page 60: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/60.jpg)
Scenario 1: LIR = PA allocation + ASN
60
ISP 2
x
ISP 1
AS3
AS4
AS6
AS5
AS7
• Can make assignments to End Users
![Page 61: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/61.jpg)
Scenario 2: End User = PI + ASN
• Can NOT sub-assign further!!! - (in IPv4 can still use PI for xDSL, broadband...)
61
ISP 2
x
ISP 1
![Page 62: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/62.jpg)
Scenario 3: LIR = PI + ASN
• Can NOT sub-assign further!!! - (in IPv4 can still use PI for xDSL, broadband...)
62
ISP 2
x
ISP 1
![Page 63: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/63.jpg)
Scenario 4: PI End User, not multihomed
• Part of LIR’s AS number- does not want to / can not run BGP- still wants “portable” addresses
63
ISP 2
x
ISP 1
![Page 64: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/64.jpg)
How to get an AS Number
• Assignment requirements- Address space- Multihoming- One AS Number per network
• For LIR itself
• For End User- Sponsoring LIR requests it for End User- Direct Assignment User requests it for themselves
64
![Page 65: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/65.jpg)
32-bit AS Numbers and you
• New format: “AS4192351863”
• Act now!
• Prepare for 32-bit ASNs in your organisation:- Check if hardware is compatible; if not, contact hardware vendor
- Check if upstream uses compatible hardware; if not, they should upgrade!
65
![Page 66: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/66.jpg)
RIPE Database
![Page 67: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/67.jpg)
RIPE Database
• Public Internet resource and routing registry database
67
![Page 68: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/68.jpg)
RIPE Database objects
• Resources– inetnum, inet6num, aut-num, domain
• Routing
– route, route6, aut-num
• Security– mntner
• Contact– organisation, person, role
68
![Page 69: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/69.jpg)
Protection
69
mntner: LIR-MNTadmin-c: JS123-RIPEtech-c: JS123-RIPEmnt-by: LIR-MNTnotify: [email protected]: [email protected]: [email protected]: MD5-PW $1$xT9SJ
person: John Smithnic-hdl: JS123-RIPEaddress: sesamestreet 1phone: +1 555 0101e-mail: [email protected]: LIR-MNT
![Page 70: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/70.jpg)
Protection
70
mntner: LIR-MNTadmin-c: LA789-RIPEtech-c: LA789-RIPEmnt-by: LIR-MNTnotify: [email protected]: [email protected]: [email protected]: MD5-PW $1$xT9SJ
person: John Smith
nic-hdl: JS123-RIPEmnt-by: LIR-MNTaddress: sesamestreet 1phone: +1 555 0101e-mail: [email protected]
aut-num: 64551descr: My AS Numbermnt-by: RIPE-NCC-END-MNTmnt-by: LIR-MNTorg: ORG-BB2-RIPEadmin-c: LA789-RIPEtech-c: LA789-RIPE
inetnum: 85.11.186.0/25descr: My Assignmentstatus: ASSIGNED PAmnt-by: LIR-MNTadmin-c: LA789-RIPEtech-c: LA789-RIPE
![Page 71: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/71.jpg)
Routing Registry
![Page 72: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/72.jpg)
What is “Internet Routing Registry”
• Distributed databases with public routing policy information, mirroring each other: irr.net
- APNIC, RADB, Level3, SAVVIS...
• RIPE NCC operates “RIPE Routing Registry”
• Big operators make use of it- AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918
(Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)...
72
![Page 73: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/73.jpg)
Publishing routing policy in IRR
• Required by some Transit Providers & IXPs- they use it for prefix-based filtering
• Allows for automated generation of prefix filters - and router configuration commands, based on RR
• Contributes to routing security- prefix filtering based on IRR registered routes
prevents accidental leaks and route hijacking
• Good housekeeping
73
![Page 74: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/74.jpg)
RIPE RR is part of the RIPE Database
• route[6] object creation is responsibility of LIR- every time you receive a new allocation, do create a
route or route6 object
• route and route6 objects represent routed prefix- address space being announced by an AS number
74
![Page 75: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/75.jpg)
Route and route6 object
75
inet6num: 2001:db8::/32
tech-c: LA789-RIPEadmin-c: JD1-RIPEmnt-by: RIPE-NCC-HM-MNT
route6: 2001:db8::/32
origin: AS2tech-c: LA789-RIPEadmin-c: JD1-RIPEmnt-by: RIPE-NCC-HM-MNT
organisation: ORG-BB2-RIPE
aut-num: AS2
tech-c: LA789-RIPEadmin-c: JD1-RIPEmnt-by: RIPE-NCC-HM-MNT
![Page 76: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/76.jpg)
Route6 object:
Aut-num object:
IPv6 in the Routing Registry
76
aut-num: AS65550mp-import: afi ipv6.unicast from AS64496 accept ANYmp-export: afi ipv6.unicast to AS64496 announce AS65550
route6: 2001:DB8::/32origin: AS65550
![Page 77: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/77.jpg)
Automation of router configuration
• Describing routing policy in aut-num enables generation of route-maps for policy routing
• Tools can read your policy towards peers- translation from RPSL to router configuration
commands
• Tools collect the data your peers have in RR- if their data changes, you only have to periodically run
your scripts to collect updates
77
![Page 78: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/78.jpg)
Resource Certification
![Page 79: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/79.jpg)
Limitations of the Routing Registry
• Many registries exist, operated by different parties:
– Not all of them mirror each other
– Do you trust the information they provide?
• The IRR system is far from complete
• Resulting filters are hard to maintain and can take a lot of router memory
79
![Page 80: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/80.jpg)
The RIPE NCC involvement in RPKI
• The authority who is the holder of an Internet Number Resource in our region
– IPv4 and IPv6 address ranges
– Autonomous System Numbers
• Information is kept in the registry
• Accuracy and completeness are key
80
![Page 81: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/81.jpg)
Digital resource certificates
• Issue digital certificates along with the registration of Internet Resources
• Two main purposes:– Make the registry more robust
– Making Internet Routing more secure
• Validation is the added value
81
![Page 82: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/82.jpg)
Using certificates
• Certification is a free, opt-in service– Your choice to request a certificate
– Linked to your membership
– Renewed every 12 months
• Certificate does not list any identity information
• Digital proof you are the holder of a resource
82
![Page 83: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/83.jpg)
The PKI system
• The RIRs hold a self-signed root certificate for all the resources that they have in the registry
– They are the trust anchor for the system
• That root certificate is used to sign a certificate that lists your resources
• You can issue child certificates for those resources to your customers
– When making assignments or sub allocations
83
![Page 84: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/84.jpg)
Certificate Authority (CA) Structure
84
Root CA (RIPE NCC)
Member CA (LIR)
Customer CA
![Page 85: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/85.jpg)
Which resources are certified?
• Provider Aggregatable (PA) IP addresses
• Provider Independent (PI) addresses marked as “Infrastructure”
• Other resources will be added over time:– PI addresses for which we have a contract
– ERX resources
85
![Page 86: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/86.jpg)
Route Origination Authorisation (ROA)
• Next to the prefix and the ASN which is allowed to announce it, the ROA contains:
– A minimum prefix length
– A maximum prefix length
– An expiry date
• Multiple ROAs can exist for the same prefix
• ROAs can overlap
86
![Page 87: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/87.jpg)
Publication and validation
• ROAs are published in the same repositories as the certificates and their keys
• You can download them and use software to verify all the cryptographic signatures are valid
– Was this really the owner of the prefix?
• You will end up with a list of prefixes and the ASN that is expected to originate them
– And you can be sure the information comes from the holder of the resources
87
![Page 88: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/88.jpg)
Validator
![Page 89: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/89.jpg)
ROA Validation
• You can download all the certificates, public keys and ROAs which form the RPKI
• Software running on your own machine can retrieve and then verify the information
– Cryptographic tools can check all the signatures
• The result is a list of all valid combinations of ASN and prefix, the “validated cache”
89
![Page 90: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/90.jpg)
Reasons for a ROA to be invalid
• The start date is in the future– Actually this is flagged as an error
• The end date is in the past– It is expired and the ROA will be ignored
• The signing certificate or key pair has expired or has been revoked
• It does not validate back to a configured trust anchor
90
![Page 91: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/91.jpg)
The Decision Process
• When you receive a BGP announcement from one of your neighbors you can compare this to the validated cache
• There are three possible outcomes:– Unknown: there is no covering ROA for this prefix
– Valid: a ROA matching the prefix and ASN is found
– Invalid: There is a ROA but it does not match theASN or the prefix length
91
![Page 92: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/92.jpg)
Modifying the Validated Cache
• The RIPE NCC Validator allows you to manually override the validation process
• Adding an ignore filter will ignore all ROAs for a given prefix
– The end result is the validation state will be “unknown”
• Creating a whitelist entry for a prefix and ASN will locally create a valid ROA
– The end result is the validation state becomes “valid”
92
![Page 93: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/93.jpg)
The Decision is Yours
• The Validator is a tool which can help you making informed decisions about routing
• Using it properly can enhance the security and stability of the Internet
• It is your network and you make the final decision
93
![Page 94: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/94.jpg)
Public Testbeds
• A few people allow access to routers that run RPKI and allow you to have a look at it
• RIPE NCC has a Cisco:– Telnet to rpki-rtr.ripe.net
– User: ripe, no password
• Eurotransit has a Juniper:– Telnet to 193.34.50.25 or 193.34.50.26
– Username: rpki, password: testbed
94
(http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources)
![Page 95: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/95.jpg)
Roadmap
• Support for non-hosted is still under development by the RIPE NCC
– Expected release will be third quarter 2012
• We can give you access to beta test– Mail [email protected] if you are interested
• More information will be published on the certification website– http://www.ripe.net/certification
95
![Page 96: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/96.jpg)
Follow us!
96
@TrainingRIPENCC
![Page 98: Getting IPv6 & Securing your Routing](https://reader033.vdocument.in/reader033/viewer/2022042813/546464cbaf795969338b491a/html5/thumbnails/98.jpg)
Fin
Ende
KpajKonec
Son
Fine
Pabaiga
Einde
Fim
Finis
Koniec
Lõpp
Kрай
SfârşitКонeц
KrajVége
Kiнець
Slutt
Loppu
Τέλος
Y Diwedd
Amaia Tmiem
Соңы
Endir
Slut
Liðugt
An Críoch
Fund
הסוף
Fí
ËnnFinvezh
The End!
Beigas