Validation, Routers,
& Caches
AfNOG / Lusaka
2013.06.14
Amazon Sakura
AS GoJ AS
AS 234
16509 Customers buy ‘Transit’ 9370
147.28.0.0/16
Amazon Sakura
AS GoJ AS
AS 234
16509 Customers buy ‘Transit’ 9370
Origin AS
16509 1239 2497 234
The AS-Path
Pakistan
Telekom
Oops!
Pakistan
Telekom
a Prefix is Originated
by an AS Which Does
Not Own It
2013.06.14 AfNOG RPKI 11
I Do Not Call it
Hijacking
X.509 Cert
Private
Key SIA – URI for where this Publishes
Hierarchy 98.128.0.0/16
Allocation
SIA
CA CA CA
Hierarchy
Cert/ISC Cert/RGnet Cert/PSGnet
CA CA
Cert/Randy Cert/Rob
98.128.16.0/24 98.128.17.0/24
Public Key
Public Key
98.128.0.0/16
AS 42
Public Key
CA
ARIN
98.0.0.0/8
Public Key
CA
PSGnet
98.128.0.0/16
ROA Aggregation
Public Key
Public Key
ROA
98.128.0.0/16-24
AS 3130
98.128.0.0/16
EE Cert 147.28.0.0/16 EE Cert
ROA ROA
98.128.0.0/16
I Plan to
98.128.0.0/16
Switch
AS 42
Providers
AS 3130
GUI
ASN Resource Certs
Up / Down
to Child
Publication
IANA Protocol
Resource
PKI
GUI
Publication
APNIC Protocol
Resource
PKI
GUI
Publication
JPNIC Protocol
Resource
PKI
GUI
IR’s ID=Me
Database(s) Internal
Public
RPKI Internal
My RightsToRoute Keys
Protocol
CA Data
My Misc
Publication Publication
Up/Down EE
Delegations Public Keys
Config
Protocol Point
Registry
Options
to Custs
Contract
Certs
Issued
Local Data
Issued to
ROAs
DownStreams
Management Out?
Up / Down
Delegated Protocol
a la DNS 2% of an RIR’s Users
90% of an RIR’s IP Space
2013.06.14 AfNOG RPKI 36
Issuing Parties
Trust
Anchor
Publication
IANA Protocol
Resource
PKI
GUI
Up
SIA
Down
Pointers
Publication
GUI
APNIC Protocol
Resource
PKI
Up
Down SIA
Pointers
Publication
GUI JPNIC Protocol
Resource
PKI
Gatherer
descr: 147.28.0.0/16-16!
Protocol PKI origin: AS3130!
GUI notify: irr-hack@rpki.net!
mnt-by: MAINT-RPKI!
changed: irr-hack@rpki.net 20110606!
source: RPKI!
Up
SIA
Down
Pointers
Validated
Cache NOC Tools
Publication
GUI
APNIC Protocol
Resource
PKI
Up
Down SIA BGP
Pointers
Decision
Publication
Process
GUI JPNIC Protocol
Resource
PKI
High Priority
Lower Priority
2013.06.14 AfNOG RPKI 40
How Do ROAs
Affect BGP
Updates?
In PoP
Anchor
IANA
Publication Resource
Protocol PKI
GUI
Up
SIA
RCynic
Down
Pointers Gatherer
Validated
Cache
Up
Down SIA Crypto Stripped
Pointers
Publication Resource
RPKI BGP
JPNIC
GUI Protocol PKI to Rtr Decision
Protocol
Process
In NOC
2013.06.14 AfNOG RPKI 42
ROAs Become Router VRPs
Want to Run on
Current Hardware
RPKI-Rtr
Protocol RPKI
RPKI
Cache VRPs
Crypto is
Stripped
Matching Rules?
BGP 98.128.0.0/16 AS 42
VRP1 98.128.0.0/16-20 AS 42
route-map validity-0
match rpki valid
set local-preference 110
! everything else dropped
route-map validity-0
match rpki invalid
set local-preference 110
! everything else dropped
BGP Data
BGP
Updates
Valid SNMP
N
mark Invalid O
RPKI-Rtr NotFound syslog C
Protocol RPKI
VRPs
• AlcaLu – in development
2013.06.14 AfNOG RPKI 67
RPKI Implementations
• RIPE/NCC – CA (partial closed) & RP
(partial open)
Gatherer
descr: 147.28.0.0/16-16!
Protocol PKI origin: AS3130!
GUI notify: irr-hack@rpki.net!
mnt-by: MAINT-RPKI!
changed: irr-hack@rpki.net 20110606!
source: RPKI!
Up
SIA
Down
Pointers
Validated
Cache NOC Tools
Publication
GUI
JPNIC Protocol
Resource
PKI
Up
Our
BGP
Focus
Down SIA
Pointers
Decision
GUI IIJ
Publication
Protocol
Resource
PKI
Today Process
So You Can
Copy and Paste
2013.06.14 AfNOG RPKI 74
Lab Overview
GUI
RCynic RPKI BGP
django
Gatherer Cache to Rtr Decision
Protocol
Process
RPKI
Engine
Publication
Protocol
Repository Mgt RPKI
Repo
ubu04
ubu05
RP - cache0.vmini
GUI
ubu16
CA - ca0.vmini
Ubuntu/KVM
Server in Mac Mini running
Ashburn Ubuntu KVM
Global
RPKI Internet
Cache
98.128.0.0/16! 98.128.0.0/16!
98.128.0.0/24! AS3130 AS4128 98.128.0.0/24!
98.128.1.0/24! 98.128.1.0/24!
…! …!
98.128.31.0/24! 98.128.31.0/24!
Seattle Dallas
2013.06.14 AfNOG RPKI 77
IP Address Allocation
98.128.0.0/16 ARIN Experimental Allocation
UserID Password
labuser01 fnord
labuser02 fnord
labuser03 fnord
…
labuser16 fnord
2013.06.14 AfNOG RPKI 79
https://ca0.vmini.rpki.net/
labuserNN
fnord
AS65000 AS65001
AS 3130
Global
Internet
AS3130 AS4128
98.128.0.0/16! 98.128.0.0/16!
Seattle Dallas
2013.06.14 AfNOG RPKI 90
ROA Controls Validity
show ip bgp 98.128.0.0/16
ROA
98.128.0.0/16
AS65000 AS65001
AS 4128
Global
Internet
AS3130 AS4128
98.128.0.0/16! 98.128.0.0/16!
Seattle Dallas
2013.06.14 AfNOG RPKI 91
Try Your Own /24
ROA show ip bgp 98.128.0.0/16
98.128.0.0/16
show ip bgp 98.128.X.0/24
AS 4128
98.128.X.0/24
Global
AS 3130 Internet
AS3130 AS4128
98.128.X.0/24! 98.128.X.0/24!
Advertised to update-groups:
1
Refresh Epoch 1
65000 3130
65001 4128
10.0.1.1 from 10.0.1.1 (65.38.193.13)
Origin IGP, localpref 100, valid, external, best
path 6802D7C8 RPKI State valid
2013.06.14 AfNOG RPKI 93
Issuing Parties Relying Parties
Trust
Anchor
Gatherer
descr: 147.28.0.0/16-16!
Protocol PKI origin: AS3130!
GUI notify: irr-hack@rpki.net!
mnt-by: MAINT-RPKI!
changed: irr-hack@rpki.net 20110606!
source: RPKI!
Up
SIA
Down
Pointers
Validated
Cache NOC Tools
Publication
JPNIC Resource
Our
GUI Protocol PKI
Up
Down SIA
Focus BGP
Pointers
Today Decision
Process
IIJ
Publication Resource
GUI Protocol PKI
Publication
altCA Protocol
Resource
PKI
GUI
Up
SIA
Down
Pointers
Publication Resource
workshop Protocol
GUI PKI
Up
Down SIA
Pointers
Publication Resource
not used Protocol
GUI PKI
Also At
https://wiki.rg.net/wiki/RPKI
2013.06.14 AfNOG RPKI 97
Routers
• Use Your Own! (in production
images from C&J)
• 16 DynaMIPS 7200s
or
$ ssh demo@r1.iad.rg.net
Password: demo
Sorry, no enable J
2013.06.14 AfNOG RPKI 100
BGP Configuration
router bgp 651nn
That’s All!!
2013.06.14 AfNOG RPKI 101
Take a Look!
r0.sea#show ip bgp 198.180.150.0
1239 3927
144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
Origin incomplete, metric 750, localpref 110, valid,
internal, best
path 14CB1C54 RPKI State valid
2914 3927
199.238.113.9 from 199.238.113.9 (129.250.0.167)
Origin IGP, metric 90, localpref 100, valid, external
Community: 2914:410 2914:1001 2914:2000 2914:3000 3130:380
path 196F0E70 RPKI State valid
On Your Laptop
(FreeBSD, Ubuntu, …)
or
Remote (Virtual) Ubuntu Server
• ssh labuserNN@ubuNN.rpki.net
• Password is Vattood1
2013.06.14 AfNOG RPKI 107
Select Trust Anchors
• We are going to use emulated routers on
DynaMIPS, and it is memory limited
• Edit /etc/rcynic.conf
trust-anchor-directory = \
/etc/rpki/trust-anchor/altca.tal