APNIC Updates

Issue Date:

Revision:

Resource Public Key Infrastructure (RPKI)

Anna Mulingbayan

MYNOG 5

21 August 2015

31/12/2014

1

Why use RPKI?

2

• Prevent route hijacking

– Only the rightful custodian can originate the prefix announcement – ISPs filter prefixes they propagate

• Minimize common routing errors

– Limits human errors– Prioritize routes with certificates

Real life routing incidents

3

• June 2015 - Telecom Malaysia causes large-scale routing issues due to route leak

• April 2014 - Indosat leaked 32,000 routes

• April 2010 - China Telecom advertisement causes 15% of Internet traffic to passed through Chinese servers

• February 2008 - Pakistan Telecom announces 208.65.153.0/24 (YouTube prefix)

What is RPKI?

Resource Public Key Infrastructure(RPKI)

• A robust security framework for verifying the association between resource holders and their Internet resources

• Uses x.509 certificates with RFC3779 extensions

• Collaborative effort by all RIRs to help secure Internet routing by validating routes

4

How to use RPKI?

5

• Create Route Origin Authorization (ROA) objects• What’s contained in a ROA– The AS number you have authorized– The prefix that is being originated from it– The most specific prefix (maximum length) that the AS may announce

For example: “AS64496 originates a route for the prefix 2001:DB8::/32 with a maximum prefix length of /40)”

Creating ROA in MyAPNIC

6

• What you need to have before creating a ROA

– Must be an APNIC Member– Have access to MyAPNIC with 2 factor authentication

• Takes only 5 minutes to create, and 10 minutes to be visible to the public

Activate RPKI Engine

7

Creating your ROA (Using suggestions)

8

Creating your ROA (Manual)

9

Created your ROA, what’s next?

10

• Maintain your ROAs - Changed BGP announcement- New delegation- Transferred resources

• RPKI validator- https://trac.rpki.net/wiki/doc/RPKI- Valid- Invalid - Unknown

Success Story

• May 2015: APNIC Outreach in Bangladesh– 13 organizations visited– Onsite support to create ROA objects

11

561 valid prefixes (24%)

http://rpki.surfnet.nl/bd.html

World Leaderboard (economy)

12

http://rpki.surfnet.nl/country.html

As of June 10, 2015

ROA in South East Asia

13

Economy

Roa

IPv4 total IPv4 Roa IPv4 % IPv6 total IPv6 roa IPv6 pctcount

ID 1 17666560 65536 0.37096073 3204484864 0 0

MY 2 6490880 358400.552159337 1476404224 0 0

PH 18 5352704 1850883.457841121 872419840 256 0.000029344

SG 14 5165568 78080 1.51154723 2315278848 67109376 2.898543994

*As at 5 Aug 2015

Issue Date:

Revision:

IPv4 Transfers

Who can do the transfer?

15

• Transfer of IPv4 between you and– Other APNIC Members– Members from other RIR’s eg. ARIN

• Transfer between APNIC Members- So far MY has a total of 11 transfers- Transfer logs http://ftp.apnic.net/transfers/apnic/

• Transfer between APNIC and RIR– Transfer from RIR Member to APNIC Member, or vice versa– Source account to initiate transfer request– Registry of the recipient account to evaluate transfer request– More information on: www.apnic.net/transfer

How many transfers are we doing?

16

0

20

40

60

80

100

120

140

160

180

2010 2011 2012 2013 2014 2015APNIC total 2 35 83 98 165 88MY 4 7 0 0 0

How to do the transfer in MyAPNIC? (source account)

17

MyAPNIC (source account)

18

MyAPNIC(recipient account)

19

Tips

20

• Pre-approval– allows you to demonstrate your need for the IPv4 block in advance– process is faster as the evaluation is done beforehand– complete the “Transfer pre-approval” form via MyAPNIC– more information at http://www.apnic.net/pre-approval

• IPv4 Transfer listing service– list Members who have received pre-approval on APNIC website to allow others with excess IPv4 to contact you

– More information at http://www.apnic.net/pre-approval-listing

• APNIC Transfers Mailing List– facilitate discussion on topics related to IPv4 transfer– to subscribe please go to www.apnic.net/mailing-lists

You’re Invited!• APNIC 40: Jakarta, Indonesia from 3 - 10 Sept 2015

21

THANK YOU

22

APNIC Updates

Internet

Transcript of APNIC Updates