Alex Band | 22 June 2017 | DE-CIX Technical Meeting
RPKI at the RIPE NCC
Presenter name | Event | Date 2
BGP Routing
• Routing is non-hierarchical, open and free
- You can announce any address block on your router, also one that is not yours
- Accidental errors happen frequently, malicious attacks are relatively easy
• Filtering based on Internet Routing Registry
- Great coverage in RIPE region; almost every announcement covered by a ‘route’ object
- Globally, coverage and quality is actually rather poor
RPKI: Ultra Quick Intro
• RIR becomes a Certificate Authority
- RIPE NCC puts IPs and ASNs on a digital certificate; issues them to resource holders
- They use the certificate to make statements about their IP address space
- Statement is called a Route Origin Authorization (ROA):
- “This AS may originate these prefixes of mine in BGP”
- “This is how much the AS may deaggregate the prefix”
• BGP Origin Validation
- Operators validate ROAs and compare them to real-world BGP
- Authorised announcements make them happy 😊
- Unauthorised announcements make them sad 😡
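As an added illustration of the origin validation step described on this slide (example code, not the RIPE NCC's own tooling), the following compares a BGP announcement against a set of ROAs and classifies it as Valid, Invalid or NotFound in the manner of RFC 6811; the ROAs use documentation prefixes and ASNs and are constructed here for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as a validator would cache it."""
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # most-specific prefix the AS may announce (deaggregation limit)
    origin_asn: int


def covers(roa: ROA, announced: ipaddress._BaseNetwork) -> bool:
    """True if the ROA's prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == announced.version and announced.subnet_of(net)


def validate_origin(roas, announced_prefix: str, origin_asn: int) -> str:
    """Classify one BGP announcement against the validated ROA cache.

    NotFound: no ROA covers the prefix (holder has not published anything yet)
    Valid:    at least one covering ROA names this origin AS and allows this length
    Invalid:  covering ROAs exist, but none authorises this AS at this length
    """
    announced = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed sample cache: documentation prefixes (RFC 5737 / RFC 3849) and ASN (RFC 5398).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),    # exact prefix only, no deaggregation allowed
    ROA("2001:db8::/32", 48, 64496),   # may be announced as anything from /32 down to /48
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64497),
                        ("192.0.2.0/25", 64496), ("198.51.100.0/24", 64496),
                        ("2001:db8:1::/48", 64496), ("2001:db8:1::/49", 64496)]:
        print(f"{prefix:20} AS{asn}: {validate_origin(SAMPLE_ROAS, prefix, asn)}")
```

An operator's policy then decides what to do with each state; the usual first step is to alert on Invalid announcements of one's own space rather than to drop them immediately.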
It’s like really reliable route objects, offered by every RIR in the world
The philosophy since 2011
• Conscious decision to keep it simple
- Offer a stable and robust service
- Gather user feedback
- Automate all crypto complexity
• Mantra: Simplicity will spur on adoption
- RPKI is a new technology
- Small to no gains for early adopters
- Avoid making users jump through burning hoops
Less Functionality, More Usability
• Automate signing and key rollovers
- One-click setup of resource certificate
- User has a valid certificate for as long as they are the holder of the resources
- Changes in resource holdership and transfers are handled automatically
• Hide all the crypto complexity from the UI
- Hashes, SIA and AIA pointers, etc.
• Just focus on creating and publishing ROAs
- Match your intended BGP configuration
Adoption
Validating and Using RPKI Data
• Each RIR has a public repository
- Holds certificates, ROAs, CRLs and manifests
- Refreshed at least every 24 hrs
- Accessed using a validation tool
• Finds the repository using a Trust Anchor Locator (TAL)
- Communication via rsync (and recently through HTTPS)
- Builds up a local validated cache
RIPE NCC RPKI Validator
• Currently 2.x code base
- Bulky tool with a lot of bells and whistles
• Development of 3.0 code base starting next month
- Lean and mean, packaged for Linux
- Run as a daemon, command line interface, API
Feature requests?
[email protected] @alexander_band