PLNOG14: Quo Vadis RPKI - Andrzej Wolski
PLNOG14, Warsaw, Poland
Quo Vadis RPKI?
Andrzej Wolski, Training Services, RIPE NCC
Andrzej Wolski – PLNOG 14 – Warsaw, Poland
Internet Registry System
• IANA
• AFRINIC - Africa
• APNIC - Asia Pacific
• ARIN - North America
• LACNIC - Latin America
• RIPE NCC - Eurasia and Middle East
Who we are
• RIPE NCC
- Located in Amsterdam
- Not-for-profit membership organisation
- One of five RIRs
• RIPE Community
- Open community
- Develops policies
- Organised in Working Groups
What we do
• Distribute IP addresses and AS numbers
• Support the RIPE community
• RIPE Database
• Resource Certification (RPKI)
• Reverse DNS and K-root server
• Training
• Research and Statistics
• Tools and measurements (RIPE Atlas, RIPEstat)
The State of Global Routing
• Largely a trust-based system
• Maximum prefix lists
• Static prefix lists
• IRR sourced
• Often unfiltered
• Auditing is almost impossible
Types of Routing Incidents
• Misconfiguration
- No malicious intentions
- Software bugs
• Malicious
- Competition
- Claiming “unused” space
- Targeted traffic misdirection
- Collect and/or tamper with data
BGP Hijacking Events in 2014
• Turkey censorship - affected open DNS resolvers: Google / OpenDNS / Level3
• Syrian Telecom - 1480 prefixes, 206 ASNs
• The Bitcoin hijack - 51 prefixes, 19 ASNs
Fly-By Spammers
The Case for BGP Origin Validation
“Would you like a reliable way of telling whether a BGP route announcement is authorised by the legitimate holder of the address space?”
That Should Be Easy, Right?!
• The current legitimate holder should be able to make a statement protecting its resources that:
- specifies which AS may originate the prefix, and
- what the maximum length of that prefix is…
[Route Origin Authorization form: AS Number, Prefix, Maximum Length, Submit]
RPKI: Ultra Quick Intro
• RIR becomes a Certificate Authority
- Puts IPs and ASNs on a digital certificate; issues it to LIRs
- LIRs use the certificate to make statements about their IPs
- The statement is called a Route Origin Authorization (ROA)
• BGP Origin Validation
- Out-of-band solution (whitelisting)
- Operators validate ROAs and compare them to real-world BGP
• Authorised announcements make them happy 😊
• Unauthorised announcements make them sad 😡
See also PLNOG 10: "BGP Origin Validation with RPKI", Alex Band
Slow Start
• RIPE NCC worked on a prototype since 2006
• Launched an open beta in mid-2010
- Get operational experience and feedback before launch
• A limited production service on 1 January 2011
- Only LIRs’ address space (no PI, no legacy)
- Only the hosted system available, with a web interface
- No production-grade support for delegated RPKI
- First version of the RIPE NCC Validator
• Other types of address space added over time
Keeping It Simple
• Conscious decision to keep it simple
- Offer a stable and robust service
- Gain operational experience
- Gather user feedback
- Automate all crypto complexity
• Mantra: simplicity will spur adoption
- RPKI is a new technology
- Small to no gains for early adopters
- Avoid making users jump through burning hoops
Certification v1
Certification v2
Certification v3
Less Functionality, More Usability
• Automate signing and key rollovers
- One-click setup of a resource certificate
- The user has a valid and published certificate for as long as they are the holder of the resources
- Changes in resource holdership are handled automatically
• Hide all the crypto complexity from the UI
- Hashes, SIA and AIA pointers, etc.
• Just focus on creating and publishing ROAs
- Match your intended BGP configuration
The current global reality…
People Requesting a Certificate
Source: http://certification-stats.ripe.net
People Actually Creating ROAs
Source: http://certification-stats.ripe.net
Results
Source: http://certification-stats.ripe.net
Results
Source: http://www.potaroo.net/ispcol/2015-01/bgp2014.html
Results
Source: http://rpki.surfnet.pl/
A Success Story
• Ecuador Internet Exchange (NAP.EC)
- Two Cisco ASR-1001 route servers in different locations
- Two redundant servers installed, each one with two different validators: RIPE NCC and rpki.net
• Origin validation was implemented in the route servers
• No action was taken regarding RPKI validity status
What Operators Tell Us…
• Give me new data faster!
• Running the delegated model is not interesting
- They prefer an API into the hosted system for now
• Used to have stale route objects, now stale ROAs
• The various relying party tools are not that mature
• There are different flavours of invalid announcement, but I can’t filter on them in my router
- “Unauthorized AS” and “Too specific prefix”
Our Future Plans
• Merge IRR ‘route’ object management into the RPKI UI
• Replace rsync as the protocol for fetching data
- Something faster and more scalable (HTTP)
• Support inter-RIR transfers
• Align efforts between RIRs
• Production support for the delegated model
- Yes, really… 😉
• End goal: path validation (BGPSEC)
• Major change to BGP messages (on-line crypto)
Why Should You Care?
• Your inbound and outbound traffic can be passively intercepted
• Your data can be:
- stored
- dropped
- filtered
- modified
• It’s unlikely to be noticed, unless you’re looking for it
What Should You Do?
• Go to LIR Portal > Resource Certification
• Create your CA
• Create Route Origin Authorisations (ROAs) for your announcements
• Feedback button and live chat in the management UI
• Monthly webinars dedicated to RPKI
• Integral part of the RIPE NCC Routing Security course
You Decide
• As an announcer/LIR
- You choose if you want certification
- You choose if you want to create ROAs
- You choose the AS and max length
• As a Relying Party
- You can choose if you use the validator
- You can override the list of valid ROAs in the cache, adding or removing valid ROAs locally
- You can choose to make any routing decisions based on the results of BGP verification (valid/invalid/unknown)
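The three ideas the slides keep returning to, a ROA as a (prefix, maximum length, origin AS) statement, origin validation yielding valid/invalid/unknown with the two flavours of invalid ("Unauthorized AS" and "Too specific prefix"), and the relying party's freedom to add or remove ROAs locally before acting on the result, fit in one small program. The following is an added example written for this transcript, not code from the talk, the RIPE NCC Validator or any router; the ROA dataclass, the constructed sample ROAs (documentation prefixes and private ASNs) and the reason labels attached to "invalid" are my own assumptions, and cryptographic validation of the ROA objects and the RPKI-RTR transport are assumed to have happened already.

```python
import ipaddress
from dataclasses import dataclass


# A ROA as the slides describe it: "AS x may originate this prefix,
# down to max_length". Assumed structure for this example, not a real schema.
@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (RFC 5737/3849 documentation prefixes, private ASNs).
SAMPLE_ROAS = frozenset({
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
})


def covering_roas(roas, prefix):
    """Return the ROAs whose prefix equals or contains the announced prefix."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed address families, so check the version first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def validate(roas, prefix, origin_asn):
    """Route Origin Validation in the style of RFC 6811.

    Returns (state, reason) with state in {"valid", "invalid", "unknown"}.
    The reason strings for "invalid" are this example's own labels for the
    two flavours mentioned in the talk; RFC 6811 itself only says "invalid".
    """
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "unknown", "no ROA covers this prefix"
    # A single matching ROA is enough to make the announcement valid
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid", f"matches ROA {roa.prefix}-{roa.max_length} AS{roa.asn}"
    # Covered, but no ROA matches: say why
    if any(roa.asn == origin_asn for roa in covering):
        return "invalid", "too specific prefix"
    return "invalid", "unauthorized AS"


def apply_local_overrides(roas, add=(), remove=()):
    """Relying-party override: remove or add ROAs before validating, which is
    the effect of editing the validator's cache locally as the slide describes."""
    return (frozenset(roas) - frozenset(remove)) | frozenset(add)


def classify_table(roas, announcements):
    """Validate a list of (prefix, origin_asn) announcements."""
    return {(p, a): validate(roas, p, a) for p, a in announcements}


if __name__ == "__main__":
    # Constructed announcements exercising every outcome
    announcements = [
        ("192.0.2.0/24", 64496),      # valid
        ("192.0.2.0/24", 64511),      # invalid: unauthorized AS
        ("198.51.100.0/25", 64497),   # invalid: too specific prefix
        ("203.0.113.0/24", 64496),    # unknown: no ROA
        ("2001:db8:1::/48", 64496),   # valid (IPv6)
    ]
    for (p, a), (state, reason) in classify_table(SAMPLE_ROAS, announcements).items():
        print(f"{p:20} AS{a:<6} {state:8} {reason}")
```

The "too specific prefix" case is the one operators most often trip over: the ROA for 198.51.100.0/22 with max length 24 authorises the /22, /23 and /24 announcements of AS64497, but a /25 from the same AS is invalid even though the origin is right. Because `apply_local_overrides` returns a new set, a relying party can keep the fetched ROA set untouched and validate against a locally adjusted copy.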
RPKI Support in Routers
• RPKI and the RPKI-RTR protocol are IETF standards
• All router vendors can implement it
• Cisco support:
- XR 4.2.1 (CRS-x, ASR9000, c12K) / XR 5.1.1 (NCS6000, XRv)
- XE 3.5 (C7200, c7600, ASR1K, CSR1Kv, ASR90x, ME3600…)
- IOS 15.2(1)S
• Juniper has support since version 12.2
• Quagga has support through BGP-SRX
• BIRD has support for ROA but does not do RPKI-RTR
Community Activity
• Open source RPKI tools - rpki.net
• SURFnet RPKI Dashboard - rpki.surfnet.nl
• BGPMon Route Monitoring - bgpmon.net/services/route-monitoring/
• RIPE NCC GitHub - github.com/RIPE-NCC
Questions?
ripe.net/certification #RPKI