Alex Band | 22 June 2017 | DE-CIX Technical Meeting | RPKI at the RIPE NCC


Page 1:

Alex Band | 22 June 2017 | DE-CIX Technical Meeting

RPKI at the RIPE NCC

Page 2:

Presenter name | Event | Date 2

BGP Routing

• Routing is non-hierarchical, open and free
  - You can announce any address block on your router, also one that is not yours
  - Accidental errors happen frequently, malicious attacks are relatively easy
• Filtering based on the Internet Routing Registry
  - Great coverage in the RIPE region; almost every announcement is covered by a ‘route’ object
  - Globally, coverage and quality are actually rather poor

Page 3:

RPKI: Ultra Quick Intro

• RIR becomes a Certificate Authority
  - RIPE NCC puts IPs and ASNs on a digital certificate; issues them to resource holders
  - They use the certificate to make statements about their IP address space
  - Statement is called a Route Origin Authorization (ROA):
    - “This AS may originate these prefixes of mine in BGP”
    - “This is how much the AS may deaggregate the prefix”
• BGP Origin Validation
  - Operators validate and compare ROAs to real-world BGP
  - Authorised announcements make them happy 😊
  - Unauthorised announcements make them sad 😡
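The comparison of ROAs against real-world BGP that this slide describes is the Route Origin Validation procedure of RFC 6811. The following is an added worked example, not code from the slides or from the RIPE NCC tooling: each validated ROA is reduced to a (prefix, maxLength, origin AS) triple, and an announcement is Valid when some covering triple names its origin AS and its maxLength allows the announced prefix length, Invalid when it is covered but nothing matches (wrong origin or too much deaggregation), and NotFound when no ROA says anything about that space. The VRPs and announcements are constructed from documentation prefixes and private ASNs.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed set of VRPs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin AS) triple taken from a validated ROA."""
    prefix: object      # ipaddress.IPv4Network or ipaddress.IPv6Network
    max_length: int     # longest prefix length the origin AS may announce inside `prefix`
    asn: int            # origin AS; 0 means "nobody may originate this prefix"


def make_vrp(prefix: str, max_length: int, asn: int) -> VRP:
    net = ipaddress.ip_network(prefix)
    # maxLength may be neither shorter than the prefix itself nor longer than the address family allows
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return VRP(net, max_length, asn)


def covers(v: VRP, route) -> bool:
    """A VRP covers a route when the route equals, or is more specific than, the VRP prefix."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def matches(v: VRP, route, origin_asn: int) -> bool:
    """A covering VRP with the same origin AS whose maxLength permits this prefix length."""
    return covers(v, route) and v.asn == origin_asn and route.prefixlen <= v.max_length


def validate(route: str, origin_asn: int, vrps) -> str:
    """Return the RFC 6811 validation state for one (prefix, origin AS) announcement."""
    net = ipaddress.ip_network(route)
    covering = [v for v in vrps if covers(v, net)]
    if not covering:
        return "NotFound"       # no ROA covers this prefix at all
    if any(matches(v, net, origin_asn) for v in covering):
        return "Valid"
    return "Invalid"            # covered, but wrong origin AS or announced too specifically


# Constructed sample VRPs (documentation prefixes, private ASNs); not real ROA data
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),
    make_vrp("192.0.2.0/23", 24, 64500),     # a second, less specific ROA for another AS
    make_vrp("2001:db8::/32", 48, 64496),    # deaggregation allowed down to /48
    make_vrp("203.0.113.0/24", 24, 0),       # AS 0 ROA: every announcement of it is Invalid
]

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),     # exact match
        ("192.0.2.0/25", 64496),     # more specific than maxLength allows
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("198.51.100.0/24", 64496),  # no covering ROA
        ("2001:db8:1::/48", 64496),  # within the permitted deaggregation
        ("203.0.113.0/24", 64496),   # AS 0 ROA
    ]
    for prefix, asn in announcements:
        print(f"{prefix:20} AS{asn:<6} {validate(prefix, asn, SAMPLE_VRPS)}")
```

Note that a route covered by several VRPs needs only one of them to match: 192.0.2.0/24 is Valid from either AS 64496 (its own /24 ROA) or AS 64500 (the covering /23 ROA), while 192.0.3.0/24 is Valid only from AS 64500.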

Page 4:

It’s like really reliable route objects, offered by every RIR in the world

Page 5:

The philosophy since 2011

• Conscious decision to keep it simple
  - Offer a stable and robust service
  - Gather user feedback
  - Automate all crypto complexity
• Mantra: Simplicity will spur on adoption
  - RPKI is a new technology
  - Small to no gains for early adopters
  - Avoid making users jump through burning hoops

Page 6:

Less Functionality, More Usability

• Automate signing and key rollovers
  - One-click setup of the resource certificate
  - User has a valid certificate for as long as they are the holder of the resources
  - Changes in resource holdership and transfers are handled automatically
• Hide all the crypto complexity from the UI
  - Hashes, SIA and AIA pointers, etc.
• Just focus on creating and publishing ROAs
  - Match your intended BGP configuration

Page 10:

Adoption

Page 11:

Validating and Using RPKI Data

• Each RIR has a public repository
  - Holds certificates, ROAs, CRLs and manifests
  - Refreshed at least every 24 hrs
  - Accessed using a validation tool
• The validation tool finds the repository using a Trust Anchor Locator (TAL)
  - Communication via rsync (and recently through HTTPS)
  - Builds up a local validated cache
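A Trust Anchor Locator is a small text file: the repository URIs where the trust anchor certificate can be fetched (rsync, and more recently HTTPS), followed by the base64-encoded DER SubjectPublicKeyInfo of that certificate's key. A validator uses the URIs to start the fetch and the key to pin which certificate it will accept as the trust anchor. The following is an added example, not the RIPE NCC Validator's own code and not a real TAL: it parses a constructed TAL, performs a minimal DER sanity check on the key, prefers the HTTPS URI when one is listed, and shows the byte-exact key comparison a validator must make before trusting a fetched TA certificate. The sample URIs, the placeholder key bytes and the helper names are all assumptions.

```python
"""Parse a Trust Anchor Locator and pin the trust anchor key (added example, constructed data)."""
import base64
import hashlib
import hmac
import textwrap
from dataclasses import dataclass


@dataclass
class TrustAnchorLocator:
    uris: list          # repository URIs in the order the TAL lists them
    spki_der: bytes     # DER-encoded SubjectPublicKeyInfo of the trust anchor

    @property
    def fingerprint(self) -> str:
        """SHA-256 over the SPKI bytes, handy for logging which TA a validator trusts."""
        return hashlib.sha256(self.spki_der).hexdigest()

    def preferred_uri(self) -> str:
        """Prefer HTTPS when the TAL offers it, otherwise fall back to the first (rsync) URI."""
        for uri in self.uris:
            if uri.startswith("https://"):
                return uri
        return self.uris[0]


def _der_sequence_ok(der: bytes) -> bool:
    """Minimal DER check: outer tag is SEQUENCE and the encoded length covers the buffer exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def parse_tal(text: str) -> TrustAnchorLocator:
    """Split a TAL into its URI section and its base64 key section; reject malformed files."""
    uris, b64 = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line separates URIs from the key
            continue
        if line.startswith(("rsync://", "https://")):
            if b64:
                raise ValueError("URI appears after key material")
            uris.append(line)
        else:
            b64.append(line)
    if not uris:
        raise ValueError("TAL lists no repository URI")
    if not b64:
        raise ValueError("TAL carries no trust anchor key")
    spki = base64.b64decode("".join(b64), validate=True)
    if not _der_sequence_ok(spki):
        raise ValueError("trust anchor key is not a DER SEQUENCE")
    return TrustAnchorLocator(uris, spki)


def tal_is_well_formed(text: str) -> bool:
    try:
        parse_tal(text)
        return True
    except ValueError:
        return False


def ta_key_matches(tal: TrustAnchorLocator, candidate_spki_der: bytes) -> bool:
    """Only the TA certificate whose SPKI is byte-identical to the TAL key may be trusted."""
    return hmac.compare_digest(tal.spki_der, candidate_spki_der)


def _der_len(n: int) -> bytes:
    """DER length encoding for the constructed sample below (short and long form)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + n.to_bytes(2, "big")


# Constructed placeholder: a well-formed DER SEQUENCE, NOT a real public key
SAMPLE_SPKI = b"\x30" + _der_len(200) + bytes(range(200))
SAMPLE_TAL = "\n".join([
    "https://tal.example.net/ta/ta.cer",   # assumed URIs, not a real repository
    "rsync://tal.example.net/ta/ta.cer",
    "",
    *textwrap.wrap(base64.b64encode(SAMPLE_SPKI).decode(), 64),
])

if __name__ == "__main__":
    tal = parse_tal(SAMPLE_TAL)
    print("fetch from:", tal.preferred_uri())
    print("TA key fingerprint:", tal.fingerprint)
    print("fetched cert key accepted:", ta_key_matches(tal, SAMPLE_SPKI))
```

In a real validator the candidate SPKI passed to `ta_key_matches` is extracted from the certificate retrieved over the chosen URI; a certificate whose key differs from the TAL must be rejected, whatever the rest of the repository looks like.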

Page 13:

RIPE NCC RPKI Validator

• Currently 2.x code base
  - Bulky tool with a lot of bells and whistles
• Development of 3.0 code base starting next month
  - Lean and mean, packaged for Linux
  - Run as a daemon, command line interface, API

Feature requests?

Page 14:

@alexander_band