RPKI: An Operator’s Implementation

SEACOM’s Experience Deploying RPKI

Transcript of RPKI: An Operator’s Implementation

COMMERCIAL–IN-CONFIDENCE

RPKI

• Resource Public Key Infrastructure.

• Certify IP resources.

• Validate route origination.

• Phase 2 is to validate path.

• Let’s talk about the steps (AFRINIC region).

Create BPKI

Authorized BPKI Profiles

Resource Certification

Create ROAs

View Created ROAs

Download & Install RPKI Project (… was our choice)

http://rpki.net/wiki/doc/RPKI/Installation

Router Setup – IOS & IOS XE

router bgp ASN
 bgp rpki server tcp 2001:DB8::1 port 43779 refresh 300
 bgp rpki server tcp 2001:DB8::2 port 43779 refresh 300
 bgp rpki server tcp 192.0.2.1 port 43779 refresh 300
 bgp rpki server tcp 192.0.2.2 port 43779 refresh 300

Router Setup – IOS XR

router bgp ASN
 rpki server 192.0.2.1
  transport tcp port 43779
  refresh-time 300
 !
 rpki server 192.0.2.2
  transport tcp port 43779
  refresh-time 300
 !
 rpki server 2001:db8::1
  transport tcp port 43779
  refresh-time 300
 !
 rpki server 2001:db8::2
  transport tcp port 43779
  refresh-time 300
 !

Router Setup – Junos

tinka@lab# show routing-options validation
group rpki-validation-caches {
    session 192.0.2.1 {
        refresh-time 300;
        port 43779;
        local-address 192.0.2.254;
    }
    session 192.0.2.2 {
        refresh-time 300;
        port 43779;
        local-address 192.0.2.254;
    }
}
group rpki-validation-caches6 {
    session 2001:db8::1 {
        refresh-time 300;
        port 43779;
        local-address 2001:db8::254;
    }
    session 2001:db8::2 {
        refresh-time 300;
        port 43779;
        local-address 2001:db8::254;
    }
}

{master}[edit]
tinka@lab#

Verifying (… IOS & IOS XE example)

lg-01-jnb.za>sh ip bgp 105.16.0.0
BGP routing table entry for 105.16.0.0/12, version 70256714
Paths: (2 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  37100
    105.22.32.1 from 105.22.32.1 (105.16.0.163)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 37100:1000
      path 0F87C714 RPKI State valid
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  37100
    105.22.40.1 from 105.22.40.1 (105.16.0.162)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 37100:1000
      path 1B430634 RPKI State valid
      rx pathid: 0, tx pathid: 0x0
lg-01-jnb.za>

Verifying (… IOS & IOS XE example)

lg-01-jnb.za>sh bgp ipv6 unicast 2c0f:feb0::/32
BGP routing table entry for 2C0F:FEB0::/32, version 19272326
Paths: (2 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  37100
    2C0F:FEB0:B:2::1 (FE80::86B5:9C00:15FC:2400) from 2C0F:FEB0:B:2::1 (105.16.0.163)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 37100:1000
      path 2BEDB1FC RPKI State valid
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  37100
    2C0F:FEB0:B:3::1 (FE80::86B5:9C00:15F5:7C00) from 2C0F:FEB0:B:3::1 (105.16.0.162)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 37100:1000
      path 2A2AC60C RPKI State valid
      rx pathid: 0, tx pathid: 0x0
lg-01-jnb.za>

Verifying (… IOS & IOS XE example)

lg-01-jnb.za#sh ip bgp rpki table
14946 BGP sovc network entries using 1315248 bytes of memory
15543 BGP sovc record entries using 310860 bytes of memory

Network              Maxlen  Origin-AS  Source  Neighbor
2.0.0.0/16           16      3215       0       105.16.160.2/43779
2.0.0.0/16           16      3215       0       2C0F:FEB0:B:1::2/43779
2.0.0.0/16           16      3215       0       2C0F:FEB0:2:1::2/43779
2.0.0.0/16           16      3215       0       105.16.112.2/43779
2.0.0.0/12           16      3215       0       105.16.160.2/43779
2.0.0.0/12           16      3215       0       2C0F:FEB0:B:1::2/43779
2.1.0.0/16           16      3215       0       105.16.160.2/43779
2.1.0.0/16           16      3215       0       2C0F:FEB0:B:1::2/43779
2.1.0.0/16           16      3215       0       2C0F:FEB0:2:1::2/43779
2.1.0.0/16           16      3215       0       105.16.112.2/43779
<snip>…
lg-01-jnb.za#

Verifying (… IOS & IOS XE example)

lg-01-jnb.za#sh bgp ipv6 unicast rpki table
2217 BGP sovc network entries using 248304 bytes of memory
2309 BGP sovc record entries using 46180 bytes of memory

Network              Maxlen  Origin-AS  Source  Neighbor
2001:500:4::/48      48      10745      0       105.16.160.2/43779
2001:500:4::/48      48      10745      0       2C0F:FEB0:B:1::2/43779
2001:500:4::/48      48      10745      0       2C0F:FEB0:2:1::2/43779
2001:500:4::/48      48      10745      0       105.16.112.2/43779
2001:500:13::/48     48      393225     0       105.16.160.2/43779
2001:500:13::/48     48      393225     0       2C0F:FEB0:B:1::2/43779
2001:500:13::/48     48      393225     0       2C0F:FEB0:2:1::2/43779
2001:500:13::/48     48      393225     0       105.16.112.2/43779
2001:500:30::/48     48      10745      0       105.16.160.2/43779
2001:500:30::/48     48      10745      0       2C0F:FEB0:B:1::2/43779
<snip>…
lg-01-jnb.za#

Verifying (… IOS & IOS XE example)

lg-01-jnb.za#sh ip bgp
BGP table version is 100925789, local router ID is 105.22.40.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
N*   1.0.0.0/24       105.22.32.1              0             0 37100 15169 i
N*>                   105.22.40.1              0             0 37100 15169 i
N*   1.0.4.0/24       105.22.32.1              0             0 37100 6939 4826 38803 56203 i
N*>                   105.22.40.1              0             0 37100 6939 4826 38803 56203 i
N*   1.0.5.0/24       105.22.32.1              0             0 37100 6939 4826 38803 56203 i
N*>                   105.22.40.1              0             0 37100 6939 4826 38803 56203 i
N*   1.0.6.0/24       105.22.32.1              0             0 37100 6939 4826 38803 56203 56203 56203 i
N*>                   105.22.40.1              0             0 37100 6939 4826 38803 56203 56203 56203 i
N*   1.0.64.0/18      105.22.32.1              0             0 37100 2497 7670 7670 18144 i
N*>                   105.22.40.1              0             0 37100 2497 7670 7670 18144 i
N*>  1.0.128.0/18     105.22.32.1              0             0 37100 2914 38040 9737 i
N*                    105.22.40.1              0             0 37100 2914 38040 9737 i
N*>  1.0.128.0/17     105.22.32.1              0             0 37100 2914 38040 9737 i
N*                    105.22.40.1              0             0 37100 2914 38040 9737 i
N*   1.0.129.0/24     105.22.32.1              0             0 37100 4651 9737 23969 i
N*>                   105.22.40.1              0             0 37100 4651 9737 23969 i
N*   1.0.130.0/24     105.22.32.1              0             0 37100 4651 9737 23969 i
<snip>…
lg-01-jnb.za#

Verifying (… IOS & IOS XE example)

lg-01-jnb.za#sh bgp ipv6 unicast
BGP table version is 22720683, local router ID is 105.22.40.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
N*   2001::/32        2C0F:FEB0:B:2::1
                                               0             0 37100 6939 i
N*>                   2C0F:FEB0:B:3::1
                                               0             0 37100 6939 i
N*>  2001:4:112::/48  2C0F:FEB0:B:3::1
                                               0             0 37100 112 i
N*                    2C0F:FEB0:B:2::1
                                               0             0 37100 112 i
N*>  2001:200::/32    2C0F:FEB0:B:3::1
                                               0             0 37100 2914 2500 i
N*                    2C0F:FEB0:B:2::1
                                               0             0 37100 2914 2500 i
N*   2001:200:900::/40
                      2C0F:FEB0:B:2::1
                                               0             0 37100 6939 2516 7660 i
N*>                   2C0F:FEB0:B:3::1
                                               0             0 37100 6939 2516 7660 i
<snip>…
lg-01-jnb.za#
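The RPKI states shown above (valid, and the N "Not found" codes on prefixes such as 1.0.0.0/24) are what RFC 6811 origin validation produces from the cache's VRP table. The following is an added example, not SEACOM's code or any vendor's implementation: it parses rows copied from the `sh ip bgp rpki table` output and replays the RFC 6811 decision for a few routes; the routes validated (e.g. 2.0.5.0/24) and the origin AS 65000 are constructed for illustration.

```python
"""RFC 6811 route origin validation replayed against a cache's VRP table.

Added example (not from the slides). VRP rows are copied from the
`sh ip bgp rpki table` output; the routes checked are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Rows copied from the IOS output (Network Maxlen Origin-AS Source Neighbor).
# The same VRP arrives from every configured cache, hence the duplicates.
SAMPLE_TABLE = """
2.0.0.0/16 16 3215 0 105.16.160.2/43779
2.0.0.0/16 16 3215 0 2C0F:FEB0:B:1::2/43779
2.0.0.0/12 16 3215 0 105.16.160.2/43779
2.1.0.0/16 16 3215 0 2C0F:FEB0:2:1::2/43779
2001:500:4::/48 48 10745 0 105.16.160.2/43779
2001:500:13::/48 48 393225 0 105.16.112.2/43779
"""


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length, origin AS."""
    prefix: object  # ipaddress.IPv4Network or IPv6Network
    maxlen: int
    origin_as: int


def parse_vrp_table(text):
    """Parse `sh ip bgp rpki table` rows into a deduplicated set of VRPs."""
    vrps = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        vrps.add(VRP(ipaddress.ip_network(f[0]), int(f[1]), int(f[2])))
    return vrps


def validate(prefix, origin_as, vrps):
    """RFC 6811 section 2: return 'valid', 'invalid' or 'not found'.

    A VRP covers the route if its prefix contains the route's prefix. The
    route is valid if some covering VRP also matches the origin AS and its
    maxlen permits the route's length; covered but never matched is invalid.
    An AS0 VRP covers but can never match, so it renders the route invalid.
    """
    route = ipaddress.ip_network(prefix)
    covered = [v for v in vrps
               if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covered:
        return "not found"
    if any(v.origin_as == origin_as and route.prefixlen <= v.maxlen for v in covered):
        return "valid"
    return "invalid"


VRPS = parse_vrp_table(SAMPLE_TABLE)
```

Run `validate("2.0.5.0/24", 3215, VRPS)` to see a more-specific announcement beyond maxlen come back invalid, and `validate("1.0.0.0/24", 15169, VRPS)` to reproduce the N state shown above.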

Verifying (… pretty GUIs, HE example)

Issues – Bad IOS XE Bug!

Issues – IOS & IOS XE RFC 6811 Violation!

MyNOG-6

• For MyNOG-6, will report on CA services for downstream customers.

Thank You

Q&A
