RPKI: Resource Public Key Infrastructure
Purpose of RPKI
• RPKI replaces IRR or lives side by side?
  • Side by side: different advantages
  • Security, almost real time, simple interface: RPKI
• Purpose of RPKI
  • Is that ASN authorized to originate that address range?
AS Path
[Figure: AS 65551 announces "I have 2001:DB8::/32" and the route 2001:DB8::/32 is received with AS path 65551 65550 65549 i. AS 65536 also announces "I have 2001:DB8::/32" and the route 2001:DB8::/32 is received with AS path 65552 65536 i. A host sends a packet to 2001:DB8::1. The figure labels the two announcements VALID and INVALID respectively.]
RPKI Deployment
• Phase 1: Origin Validation
• Phase 2: Path Validation
[Figure: the same topology (AS 65549, 65550, 65551, 65552), with AS 65551 announcing "I have 2001:DB8::/32" and a host sending a packet to 2001:DB8::1.]
Internet Registry (IR) / RIR
• Maintains Internet resources such as IP addresses and ASNs, and publishes the registration information
  • Allocations for Local Internet Registries
  • Assignments for end-users
• APNIC is the Regional Internet Registry (RIR) in the Asia Pacific region
• National Internet Registries (NIR) exist in several economies
The Eco-System
[Figure]
Goals of RPKI
• Able to authoritatively prove who owns an IP prefix and what AS(s) may announce it
• Reducing routing leaks
• Attaching digital certificates to network resources (AS number & IP address)
• Prefix ownership follows the allocation hierarchy: IANA, RIRs, ISPs, …
Advantages of RPKI
• Usable toolset
  • No installation required
  • Easy to configure manual overrides
• Tight integration with routers
  • Supported routers have awareness of RPKI validity states
• Stepping stone for AS-Path Validation
• Prevents attacks on BGP
RPKI Implementation
• Two RPKI implementation types
  • Delegated: Each participating node becomes a CA and runs their own RPKI repository, delegated by the parent CA.
  • Hosted: The RIR runs the CA functionality for interested participants.
Two Components
• Certificate Authority (CA)
  • Internet Registries (RIR, NIR, Large LIR)
  • Issue certificates for customers
  • Allow customers to use the CA's GUI to issue ROAs for their prefixes
• Relying Party (RP)
  • Software which gathers data from CAs
Issuing Party
• Internet Registries (RIR, NIR, Large LIRs)
• Acts as a Certificate Authority and issues certificates for customers
• Provides a web interface to issue ROAs for customer prefixes
• Publishes the ROA records
[Figure: the APNIC RPKI Engine, driven from the MyAPNIC GUI, publishes to the repository at rpki.apnic.net.]
Relying Party (RP)
• Software which gathers data from CAs; also called RP cache or validator
[Figure: the RP cache gathers from the IANA repo, the APNIC repo (rpki.apnic.net), the RIPE repo (rpki.ripe.net) and LIR repos, producing a validated cache that feeds routers over the RPKI-Rtr protocol.]
RPKI Building Blocks
1. Trust Anchors (RIRs)
2. Route Origination Authorizations (ROA)
3. Validators
1. PKI & Trust Anchors
Public Key Concept
• Private key: This key must be known only by its owner.
• Public key: This key is known to everyone (it is public).
• Relation between both keys: What one key encrypts, the other one decrypts, and vice versa. That means that if you encrypt something with my public key (which you would know, because it's public :-), I would need my private key to decrypt the message.
• The same principle as HTTP with SSL, aka HTTPS
RPKI Profile
Certificates are X.509 certificates that conform to the PKIX profile [PKIX]. They also contain an extension field that lists a collection of IP resources (IPv4 addresses, IPv6 addresses and AS numbers) [RFC 3779].
[Figure: an X.509 certificate carrying the RFC 3779 extension, which describes the IP resources (addresses & ASN); the SIA (URI for where this CA publishes); the owner's public key; the whole certificate is signed by the parent's private key. Caption: X.509 Certificates, 3779 EXT]
Trust Anchor
[Figure: resource allocation hierarchy IANA → AFRINIC, RIPE NCC, ARIN, APNIC, LACNIC → NIRs → ISPs. The trust anchor certificate sits at the top of the hierarchy; issued certificates match allocation actions.]
Source: http://isoc.org/wp/ietfjournal/?p=2438
RPKI Chain of Trust
• The RIRs hold a self-signed root certificate for all the resources that they have in the registry
  • They are the trust anchor for the system
• That root certificate is used to sign a certificate that lists your resources
• You can issue child certificates for those resources to your customers
  • When making assignments or sub-allocations
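The chain just described (trust anchor → RIR member → customer) is only as strong as the rule that a child certificate may list no resources its parent does not hold; that is what the RFC 3779 extension adds on top of ordinary PKIX path validation. The following is an added example, not code from the slides or from any RPKI implementation: it walks such a chain with plain Python objects and checks issuer/subject linkage, the validity window and resource containment. The cryptographic signature check that a real X.509 chain performs with the parent's public key is deliberately left out; the certificate names, prefixes (documentation ranges) and ASNs (private range) are constructed sample data.

```python
"""Added example: RFC 3779 resource-containment check along an RPKI certificate chain.
Signature verification is out of scope here; only linkage, validity and resources are checked."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network


@dataclass
class Cert:
    subject: str
    issuer: str        # subject of the parent; equals subject for a self-signed trust anchor
    prefixes: list     # IP resources, e.g. "203.0.113.0/24" (constructed sample values)
    asns: list         # AS resources as inclusive (low, high) ranges
    not_before: date
    not_after: date


def asn_covered(child_range, parent_asns):
    """True if the child's AS range lies entirely inside one of the parent's ranges."""
    lo, hi = child_range
    return any(plo <= lo and hi <= phi for plo, phi in parent_asns)


def prefix_covered(child_prefix, parent_prefixes):
    """True if the child's prefix is equal to or more specific than a parent prefix of the same family."""
    child = ip_network(child_prefix)
    parents = (ip_network(p) for p in parent_prefixes)
    return any(child.subnet_of(p) for p in parents if p.version == child.version)


def check_cert(cert, parent, today):
    """Problems found for one issuer -> subject step; an empty list means the step is fine."""
    problems = []
    if cert.issuer != parent.subject:
        problems.append(f"{cert.subject}: issuer {cert.issuer!r} is not {parent.subject!r}")
    if not (cert.not_before <= today <= cert.not_after):
        problems.append(f"{cert.subject}: outside its validity period on {today}")
    for p in cert.prefixes:
        if not prefix_covered(p, parent.prefixes):
            problems.append(f"{cert.subject}: prefix {p} is not held by parent {parent.subject}")
    for r in cert.asns:
        if not asn_covered(r, parent.asns):
            problems.append(f"{cert.subject}: AS range {r} is not held by parent {parent.subject}")
    return problems


def validate_chain(chain, trust_anchor, today):
    """chain is ordered from the certificate directly under the trust anchor down to the leaf.
    Returns (ok, problems); every certificate is checked against the one above it."""
    problems = []
    if trust_anchor.issuer != trust_anchor.subject:
        problems.append("trust anchor must be self-signed")
    parent = trust_anchor
    for cert in chain:
        problems.extend(check_cert(cert, parent, today))
        parent = cert
    return (not problems, problems)


# Constructed sample hierarchy: RIR trust anchor -> LIR -> customer.
TODAY = date(2017, 1, 3)
RIR_TA = Cert("RIR", "RIR", ["203.0.113.0/24", "2001:db8::/32"], [(64496, 64511)],
              date(2016, 1, 1), date(2026, 1, 1))
LIR = Cert("LIR", "RIR", ["203.0.113.0/25", "2001:db8::/48"], [(64496, 64500)],
           date(2016, 6, 1), date(2018, 6, 1))
CUSTOMER = Cert("Customer", "LIR", ["203.0.113.0/26"], [(64497, 64497)],
                date(2016, 9, 1), date(2017, 9, 1))
# A customer certificate claiming a /25 the LIR was never given (wrong half of the /24).
OVERCLAIM = Cert("Customer", "LIR", ["203.0.113.128/25"], [(64497, 64497)],
                 date(2016, 9, 1), date(2017, 9, 1))

if __name__ == "__main__":
    for name, chain in [("good", [LIR, CUSTOMER]), ("overclaim", [LIR, OVERCLAIM])]:
        ok, problems = validate_chain(chain, RIR_TA, TODAY)
        print(name, "OK" if ok else problems)
```

The overclaim case is the one that matters for an RP: a certificate whose signature is perfectly good but whose resources exceed its parent's must be rejected, otherwise any CA in the tree could vouch for address space it does not hold.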
2. ROA: Route Origin Authorizations
Route Origination Authorizations (ROA)
• A ROA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block.
• With a ROA, the resource holder is attesting that the origin AS number is authorized to announce the prefix(es). The attestation can be verified cryptographically using RPKI.
Route Origination Authorizations (ROA)
• Next to the prefix and the ASN which is allowed to announce it, the ROA contains:
  • A minimum prefix length
  • A maximum prefix length
  • An expiry date
  • Origin ASN
• Multiple ROAs can exist for the same prefix
• ROAs can overlap
3. Validators
Origin Validation
• Router gets ROA information from the RPKI Cache
• RPKI verification is done by the RPKI Cache
• The BGP process will check each announcement against the ROA information and label the prefix
[Figure: the validated RPKI cache feeds the router over the RPKI-to-RTR protocol.]
Result of Check
• Valid – Indicates that the prefix and AS pair are found in the database.
• Invalid – Indicates that the prefix is found, but either the corresponding AS received from the EBGP peer is not the AS that appears in the database, or the prefix length in the BGP update message is longer than the maximum length permitted in the database.
• Not Found / Unknown – Indicates that the prefix is not among the prefixes or prefix ranges in the database.
Valid > Unknown > Invalid
ROA Example
Prefix: 10.0.0.0/16, ASN: 65420

ROA: Origin AS 65420, Prefix 10.0.0.0/16, Max Length /18

Result    Origin AS   Prefix
VALID     AS65420     10.0.0.0/16
VALID     AS65420     10.0.128.0/17
INVALID   AS65421     10.0.0.0/16
INVALID   AS65420     10.0.10.0/24
UNKNOWN   AS65430     10.0.0.0/8
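The three outcomes of the previous slide and the table above follow from one rule, the route origin validation procedure of RFC 6811: find the ROAs that cover the announced prefix; none means Not Found (Unknown), one with a matching origin AS and a prefix length within the max length means Valid, and anything else means Invalid. The code below is an added example, not from the slides or from any validator or router vendor; it reproduces the table with the slide's own ROA (AS65420, 10.0.0.0/16, max length /18) and goes slightly beyond it by showing what happens with an empty ROA set (the state a router falls back to when it has no cache data) and with a second, overlapping ROA for the same prefix. The ROA tuple layout is an assumption made for this example.

```python
"""Added example: RFC 6811 route origin validation over a set of ROAs."""
from ipaddress import ip_network

# A ROA as the cache hands it to the router over RTR, modelled here as (prefix, max_length, origin_asn).
ROAS = [(ip_network("10.0.0.0/16"), 18, 65420)]

# The slide's sample announcements as (origin_asn, prefix).
SLIDE_ROUTES = [
    (65420, "10.0.0.0/16"),
    (65420, "10.0.128.0/17"),
    (65421, "10.0.0.0/16"),
    (65420, "10.0.10.0/24"),
    (65430, "10.0.0.0/8"),
]


def origin_validation(prefix, origin_asn, roas):
    """Return "VALID", "INVALID" or "UNKNOWN" (RFC 6811 NotFound) for one announcement."""
    route = ip_network(prefix)
    # A ROA covers the route when the announced prefix is equal to or more specific than the ROA prefix.
    covering = [r for r in roas if r[0].version == route.version and route.subnet_of(r[0])]
    if not covering:
        return "UNKNOWN"      # no ROA says anything about this prefix
    for roa_prefix, max_len, roa_asn in covering:
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "VALID"    # at least one covering ROA matches origin AS and length
    return "INVALID"          # covered, but wrong origin AS or too specific


def explain(prefix, origin_asn, roas):
    """Human-readable reason for the result, useful when debugging a router's RPKI state."""
    state = origin_validation(prefix, origin_asn, roas)
    if state != "INVALID":
        return state
    route = ip_network(prefix)
    reasons = []
    for roa_prefix, max_len, roa_asn in roas:
        if roa_prefix.version == route.version and route.subnet_of(roa_prefix):
            if roa_asn != origin_asn:
                reasons.append(f"ROA for {roa_prefix} authorises AS{roa_asn}, not AS{origin_asn}")
            elif route.prefixlen > max_len:
                reasons.append(f"/{route.prefixlen} exceeds max length /{max_len} of ROA for {roa_prefix}")
    return "INVALID: " + "; ".join(reasons)


def validate_table(routes, roas):
    """Validate a list of (origin_asn, prefix) announcements; returns a list of result strings."""
    return [origin_validation(prefix, asn, roas) for asn, prefix in routes]


if __name__ == "__main__":
    for (asn, prefix), state in zip(SLIDE_ROUTES, validate_table(SLIDE_ROUTES, ROAS)):
        print(f"{state:8} AS{asn} {prefix}   ({explain(prefix, asn, ROAS)})")
    # Empty cache: everything degrades to UNKNOWN, which is why the Caveats slide wants redundant RTR sessions.
    print("no ROAs:", validate_table(SLIDE_ROUTES, []))
    # A second, overlapping ROA for the same prefix makes AS65421 a valid origin too.
    both = ROAS + [(ip_network("10.0.0.0/16"), 16, 65421)]
    print("with second ROA:", validate_table(SLIDE_ROUTES, both))
```

Note that 10.0.0.0/8 is Unknown rather than Invalid: a less specific announcement is not covered by a ROA for a more specific prefix, so the ROA says nothing about it. Also note that max length alone decides the 10.0.10.0/24 case; the origin AS is right, but the ROA only authorises announcements up to /18.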
Local Policy
• You can define your policy based on the outcomes
  • Do nothing
  • Just logging
  • Label BGP communities
  • Modify preference values
  • Rejecting the announcement
In summary
• As an announcer / LIR
  • You choose if you want certification
  • You choose if you want to create ROAs
  • You choose AS, max length
• As a Relying Party
  • You can choose if you use the validator
  • You can override the lists of valid ROAs in the cache, adding or removing valid ROAs locally
  • You can choose to make any routing decisions based on the results of the BGP verification (valid/invalid/unknown)
RPKI Caveats
• When the RTR session goes down, the RPKI status will become Not Found for all BGP routes after a while
  • Invalid => Not Found
  • We need several RTR sessions, or care in the filtering policy
• In case of a router reload, which one is faster: receiving ROAs or receiving BGP routes?
  • If receiving BGP is much faster than receiving ROAs, the router propagates the invalid route to others
  • We need to put our cache validator within our IGP scope
RPKI Further Reading
• RFC 5280: X.509 PKI Certificates
• RFC 3779: Extensions for IP Addresses and ASNs
• RFC 6481-6493: Resource Public Key Infrastructure
RPKI Configuration
RPKI Configuration
• Resources:
  • AS: 131107 [APNICTRAINING-DC]
  • IPv4: 202.125.96.0/24
  • IPv6: 2001:df2:ee00::/48
• Process
  • Create ROA
  • Set up cache validation server
  • Validate the ROA
Implementation Scenario
[Figure: the ASBR has {bgp4} sessions to the upstream and an {rtr} session to the RPKI Cache Validator, which fetches from the repository over {rsync}; DNS and trust anchors are configured on each component.]
• {bgp4} Routers validate updates from other BGP peers
• {rtr} Caches feed routers with ROA information using the RTR protocol
• {rsync} Caches retrieve and cryptographically validate certificates & ROAs from repositories
Phase I - Publishing ROA
• Log in to your MyAPNIC portal
  • Requires a valid certificate
• Go to Resources > Certification tab
Phase I - Publishing ROA
[Screenshot]
• Shows the available prefixes for which you can create a ROA
[Screenshot]
Phase I - Check your ROA
# whois -h whois.bgpmon.net 2001:df2:ee00::/48
Prefix: 2001:df2:ee00::/48
Prefix description: APNICTRAINING-DC
Country code: AU
Origin AS: 131107
Origin AS Name: ASN for APNICTRAINING LAB DC
RPKI status: ROA validation successful
First seen: 2016-06-30
Last seen: 2017-01-03
Seen by #peers: 160
Phase I - Check your ROA
# whois -h whois.bgpmon.net " --roa 131107 2001:df2:ee00::/48"
0 – Valid
------------------------
ROA Details
------------------------
Origin ASN: AS131107
Not valid Before: 2016-09-07 02:10:04
Not valid After: 2020-07-30 00:00:00 Expires in 3y208d1h39m28.7999999821186s
Trust Anchor: rpki.apnic.net
Prefixes: 2001:df2:ee00::/48 (max length /48)
          202.125.96.0/24 (max length /24)
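Checking a ROA once after publishing is not enough: a ROA has an expiry date, and a ROA that lapses turns your own announcement into Not Found (or Invalid, if another ROA still covers the prefix), so the check above is worth repeating on a schedule. The following is an added example, not from the slides or from BGPmon: it parses the ROA details output shown above (embedded as a constructed copy of that output), compares the published origin AS and prefixes with what was intended, flags a max length looser than the prefix itself, and reports the days left before expiry. The field names and layout it expects are taken from the output above; anything else about the whois service is not assumed.

```python
"""Added example: parse the "--roa" whois output shown on the slide and run routine checks on it."""
import re
from datetime import datetime

# Constructed copy of the slide's output, used as offline sample input.
SAMPLE = """0 – Valid
------------------------
ROA Details
------------------------
Origin ASN: AS131107
Not valid Before: 2016-09-07 02:10:04
Not valid After: 2020-07-30 00:00:00 Expires in 3y208d1h39m28.7999999821186s
Trust Anchor: rpki.apnic.net
Prefixes: 2001:df2:ee00::/48 (max length /48)
          202.125.96.0/24 (max length /24)
"""

TIMESTAMP = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"


def parse_roa_details(text):
    """Extract origin ASN, validity window, trust anchor and (prefix, max_length) pairs."""
    asn = re.search(r"Origin ASN:\s*AS(\d+)", text)
    not_before = re.search(r"Not valid Before:\s*" + TIMESTAMP, text)
    not_after = re.search(r"Not valid After:\s*" + TIMESTAMP, text)
    anchor = re.search(r"Trust Anchor:\s*(\S+)", text)
    if not (asn and not_before and not_after and anchor):
        raise ValueError("unrecognised ROA details output")
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "origin_asn": int(asn.group(1)),
        "not_before": datetime.strptime(not_before.group(1), fmt),
        "not_after": datetime.strptime(not_after.group(1), fmt),
        "trust_anchor": anchor.group(1),
        # Continuation lines of "Prefixes:" carry no key, so match the pairs anywhere in the text.
        "prefixes": [(p, int(m)) for p, m in re.findall(r"(\S+/\d+) \(max length /(\d+)\)", text)],
    }


def days_until_expiry(details, now):
    """Whole days between now and Not valid After; negative once the ROA has expired."""
    return (details["not_after"] - now).days


def roa_checks(details, expected_asn, expected_prefixes, now, warn_days=30):
    """Compare the published ROA with what we meant to publish; returns a list of findings."""
    findings = []
    if details["origin_asn"] != expected_asn:
        findings.append(f"origin AS is AS{details['origin_asn']}, expected AS{expected_asn}")
    published = {p for p, _ in details["prefixes"]}
    for p in expected_prefixes:
        if p not in published:
            findings.append(f"{p} is missing from the ROA")
    for p, max_len in details["prefixes"]:
        if max_len > int(p.rsplit("/", 1)[1]):
            findings.append(f"{p}: max length /{max_len} also authorises more-specific announcements")
    remaining = days_until_expiry(details, now)
    if remaining < 0:
        findings.append("ROA has expired")
    elif remaining < warn_days:
        findings.append(f"ROA expires in {remaining} days")
    return findings


if __name__ == "__main__":
    details = parse_roa_details(SAMPLE)
    expected = ["2001:df2:ee00::/48", "202.125.96.0/24"]
    for when in (datetime(2017, 1, 3), datetime(2020, 7, 15), datetime(2020, 8, 1)):
        print(when.date(), roa_checks(details, 131107, expected, when) or "OK")
```

Run against the slide's ROA with a "now" of 2017-01-03 (the last-seen date on the previous slide) the checks come back clean; two weeks before the Not valid After date the expiry warning fires, and after it the ROA is reported as expired.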
Phase II - RPKI Validator
• Two options:
  A. RIPE NCC RPKI Validator
     https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources
  B. Dragon Research Labs RPKI Toolkit
     https://github.com/dragonresearch/rpki.net
Phase II - RPKI Validator
A. RIPE NCC RPKI Validator
• Download RPKI Validator
  http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources
• Installation
# tar -zxvf rpki-validator-app-2.21-dist.tar.gz
# cd rpki-validator-app-2.21
# ./rpki-validator.sh start
Phase II - RPKI Validator
A. RIPE NCC RPKI Validator
http://rpki-validator.apnictraining.net:8080/
[Screenshot]
Phase II - RPKI Validator
B. Dragon Research Labs RPKI Toolkit
• Installation process in Ubuntu Xenial 16.04
  https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-rp.md
• Installation
# wget -q -O /etc/apt/sources.list.d/rpki.list https://download.rpki.net/APTng/rpki.xenial.list
# wget -q -O /etc/apt/trusted.gpg.d/rpki.asc https://download.rpki.net/APTng/apt-gpg-key.asc
# apt update
# apt install rpki-rp
Phase II - RPKI Validator
B. Dragon Research Labs RPKI Toolkit
http://rpki-dragonresearch.apnictraining.net/rcynic/
[Screenshot]
Phase III - Router Configuration (JunOS)
http://pastebin.com/50bmnv9F
Phase III - Router Configuration (IOS)
http://pastebin.com/p30nWu0R
Phase III - Router Configuration (GoBGP)
http://pastebin.com/DwQbdq7A
Check your prefix
• Junos
rpki-junos> show route protocol bgp 202.125.96.46/24
202.125.96.0/24    *[BGP/170] 3w5d 16:57:33, MED 0, localpref 110
                      AS path: 3333 4608 131107 I, validation-state: verified
                    > to 193.0.19.254 via xe-1/3/0.0
Check your prefix
• IOS
rpki-ios> show ip bgp 202.125.96.0/24
BGP routing table entry for 202.125.96.0/24, version 70470025
Paths: (2 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  3333 1273 4637 1221 4608 131107
    193.0.19.254 from 193.0.3.5 (193.0.0.56)
      Origin IGP, localpref 110, valid, external
      Community: 83449328 83450313
      path 287058B8 RPKI State valid
Check your prefix
• GoBGP
fakrul@gobgp:~$ gobgp global rib 202.125.96.0/24
    Network            Next Hop        AS_PATH                 Age       Attrs
V*> 202.125.96.0/24    202.12.29.113   4608 1221 4826 131107   00:13:29  [{Origin: i} {Med: 0} {LocalPref: 110} {Communities: 4608:11101}]
Commands
• Check session status of cache validator server
  JunOS: show validation session detail
  IOS:   show bgp ipv4 unicast rpki servers
  GoBGP: gobgp rpki server
• Full validation database
  JunOS: show validation database
  IOS:   show bgp ipv4 unicast rpki table
  GoBGP: gobgp rpki table
!Caution!
Testbed
• Cisco (hosted by the RIPE NCC)
  • Public Cisco router: rpki-rtr.ripe.net
  • Telnet username: ripe / No password
• Juniper (hosted by Kaia Global Networks)
  • Public Juniper routers: 193.34.50.25, 193.34.50.26
  • Telnet username: rpki / Password: testbed
Configuration - Reference Links
• Cisco
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp3677719851
• Juniper
  http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html
www.apnic.net/roa
Thanks