Route Origin Authorization (ROA) using RPKI, PhNOG, Philippines

Moar roas! George Michaelson [email protected]

Transcript of Route Origin Authorization (ROA) using RPKI, PhNOG, Philippines

Moar roas!

RPKI

•  10+ year exercise to secure Internet Number Resource (INR) holdings, routing
   –  The long term goal is secure BGP
   –  We're a long way off widespread secure BGP
•  Resource Public Key Infrastructure
   –  We issue certificates over your resources
   –  You can use these to sign things
   –  The certificates carry a list of INR so clearly associate the INR with whatever you sign
   –  If you protect your keys, only you can sign

Eg Provisioning

•  Dude.. Route my prefix
   –  ok: show me a Letter of Authority
•  Bad Guy: (forges company letterhead)
   –  Ok: I'll route that prefix
•  Good Guy: Wait.. WAT? You just routed it on a piece of paper with company letterhead?
•  Low barrier to entry. A LOA is not "proof"
•  Let's try that again…

Eg Provisioning

•  Dude.. Route my prefix
   –  ok: show me a ROA with my AS origin.
•  Good Guy: (goes off and creates ROA)
   –  Ok: I'll route that prefix
   –  Bad Guy: Curses! Foiled!!!!!
•  Low cost but effective barrier to cheats.
   –  A ROA IS "proof"
•  Hard to fake
   –  Even if you route your own INR, a ROA means nobody else can originate your prefixes
   –  Hijacks become much harder

Really?

Routing permissions are about as weak. Somebody out there is going to believe an LOA. In the end routing is all about money.

Extra Benefits.. And costs

•  BGPmon services will now check seen routes in BGP against your ROA and warn you if they see divergent behaviour
   –  Instant warning of hijacks
•  APNIC is looking into possible future services in this space
•  You have to keep your ROA in sync with BGP changes. If you alter prefix announces you may have to update the ROA. This isn't hard.

Goal: protect your own net

•  Does RPKI fix everything?
   –  No.
   –  In fact, it doesn't do much right now because of low worldwide coverage
•  But it's still worth doing.
   –  Why? Because you should clearly show what you operate and manage, to prevent people hijacking your assets
•  Do you want to wind up routed by somebody without knowing about it?
   –  2000 prefixes hijacked (NANOG discussion & others)

How do I do it?

•  Easy!
•  Go into MyAPNIC
   –  Go to the Resource Certification pane
   –  Turn it on
   –  We show your BGP, if it's right one click does it
   –  You need to keep your BGP/ROA in sync
•  Having problems?
   –  Speak to a hostmaster/helpdesk or any APNIC staff at training and other events

Creating ROA Records

Adding ROA Records

Deleting ROA Records

Step-by-Step Guide

•  Visit http://www.apnic.net/roa

APNIC Helpdesk Chat

Can I see how it's going?

•  Prototype tool to 'browse' the AP region map and see what percentage of IP ranges in an economy are protected by ROA
•  Work in Progress but we're hoping this and other models of new service will be coming out soon. We want to develop more (moar) tools.
•  Tell us what you think! What do you want from APNIC network information?

ROA by ASN, per economy

Economy  Count    Economy  Count    Economy  Count
(null)   5        ID       2        NC       2
AF       1        IN       7        NL       2
AU       38       IT       1        NP       5
BD       57       JP       22       NZ       27
CH       1        LA       1        PH       28
CN       1        LK       10       PK       5
FI       1        MM       5        SG       16
GB       3        MN       3        TH       9
GU       1        MV       2        US       15
HK       3        MY       7        WS       3


WAT????

WAIT.. WAIT…

No, it's ok

•  Null is AS0 which some people use to stop long prefixes being announced
•  The others are the economies in the ROA, made in the APNIC 'ROA Factory'.
   –  The Economies of the ASN routing, the origin-AS inside the ROA
   –  Some people use outside agencies to route their prefixes managed in APNIC region
   –  Some people outside the APNIC region have resources inside the APNIC region
•  So.. If the Origin-AS counts are that cool what about the prefixes?

ROA by prefix, by economy

Economy  Count    Economy  Count    Economy  Count
AF       1        KH       9        NZ       26
AU       53       LA       1        PF       2
BD       57       LK       10       PH       29
BT       2        MM       5        PK       5
GU       1        MN       3        SG       20
HK       12       MV       2        TH       8
ID       3        MY       7        US       2
IN       10       NC       2        WS       3
JP       25       NP       8

This is still confusing

•  Yea but how much of the asset in the economy is this? How many 'references' isn't the same as 'how much resource' is it?
•  Ok. Let's try another way
   –  Let's see what the RELATIVE amount of prefix in a given economy is covered by a ROA
   –  But let's do it visually
   –  In a web tool we can walk around in.

http://labs.apnic.net/widgets/roas-proto/


Two finger swipe (right click) zooms in. Left mouse drags map.

We need moar

•  Bottom line: the number of participants is driven by how many of you we can lock in a room and prevent you from leaving until you have made a ROA
   –  Or, who do it for tee shirts
   –  (we still have tee shirts)
•  We need more. A lot more.
   –  We need the percentages to rise, so we can start to get traction behind processes using strong checks on who controls the assets.

Turn it on!

•  If you don't have it already, get into MyAPNIC and turn on RPKI
•  Make a ROA for your announcements
•  Start monitoring who out there might be mis-using your resources.

MOAR! MIAW!!!