![Page 1: The RPKI and BGP Origin Validation · EE Cert CA CA CA 2012.02.27 APRICOT RtgSec Up-Chain Expiration 98.128.0.0/17 Public Key PSGnet CA Sloppy Admin Cert Soon to Expire! These are](https://reader033.vdocuments.mx/reader033/viewer/2022042419/5f3548cb2274d0089a232192/html5/thumbnails/1.jpg)
The RPKI and BGP Origin Validation
APRICOT / New Delhi 2012.02.27
Randy Bush <[email protected]>
Rob Austein <[email protected]>
Steve Bellovin <[email protected]>
And a cast of thousands! Well, dozens :)
2012.02.27 APRICOT RtgSec 1
Why Origin Validation?
• Prevent YouTube accident
• Prevent 7007 accident, UU/Sprint 2 days!
• Prevents most accidental announcements
• Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack
• That requires ‘Path Validation’ and locking the data plane to the control plane, the third step, a few years away
2012.02.27 APRICOT RtgSec 2
Prefix Has Origin AS
BGP routing table entry for 98.128.1.0/24
Paths: (32 available, best #21, table Default-IP-Routing-Table)
1221 4637 3561 2914 4128
The AS-Path is 1221 4637 3561 2914 4128; the Origin AS is the rightmost AS in it, 4128
2012.02.27 APRICOT RtgSec 3
Three Pieces
• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year)
• Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (early 2012)
• AS-Path Validation AKA BGPsec – Prevent Attacks on BGP (future work)
2012.02.27 APRICOT RtgSec 4
Resource Public Key
Infrastructure (RPKI)
2012.02.27 APRICOT RtgSec 5
X.509 RPKI Being Developed & Deployed by IANA, RIRs, and Operators
2012.02.27 APRICOT RtgSec 6
Private/Public Keys
(Figure) Stolen from - http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html
2012.02.27 APRICOT RtgSec 7
En/DeCryption
2012.02.27 APRICOT RtgSec 8
Digital Signature
2012.02.27 APRICOT RtgSec 9
X.509 Certificate w/ 3779 Ext
(Figure: an X.509 CA Cert carrying the Owner’s Public Key, an RFC 3779 Extension that Describes IP Resources (Addr & ASN), and an SIA – URI for where this Publishes; the cert is Signed by Parent’s Private Key)
2012.02.27 APRICOT RtgSec 10
Certificate Hierarchy follows Allocation Hierarchy
(Figure: a tree of CA certs, each carrying its Public Key and linked to its publication point by an SIA pointer. Prefixes in the tree: 98.128.0.0/16 at the top; 98.128.0.0/20, 98.128.16.0/20 and 98.128.32.0/19 below it; 98.128.16.0/24 and 98.128.17.0/24 below those. Cert labels: Cert/ARIN, Cert/PSGnet, Cert/ISC, Cert/RGnet, Cert/Rob, Cert/Randy)
2012.02.27 APRICOT RtgSec 11
That’s Who Owns It but
Who May Route It?
2012.02.27 APRICOT RtgSec 12
Route Origin Authorization (ROA)
(Figure: the Owning Cert, a CA cert for 98.128.0.0/16 147.28.0.0/16 with its Public Key, issues an EE Cert for 98.128.0.0/16 with its own Public Key; the EE Cert signs a ROA saying 98.128.0.0/16 may be originated by AS 42)
End Entity Cert cannot sign certs; it can sign other things, e.g. ROAs
The ROA is not a Cert. It is a signed blob
2012.02.27 APRICOT RtgSec 13
Multiple ROAs Make Before Break
(Figure: the same Owning Cert CA for 98.128.0.0/16 147.28.0.0/16 now issues two EE Certs for 98.128.0.0/16, each signing its own ROA: one for 98.128.0.0/16 AS 42 and one for 98.128.0.0/16 AS 3130)
I Plan to Switch Providers
2012.02.27 APRICOT RtgSec 14
ROA Aggregation Using Max Length
(Figure: CA chain IANA 0/0 → ARIN 98.0.0.0/8 → PSGnet 98.128.0.0/16, each CA cert with its Public Key; PSGnet issues an EE Cert for 98.128.0.0/16 which signs a ROA for 98.128.0.0/16-24 AS 3130)
2011.11.09 RPKI Origin 15
RPKI-Based
Origin Validation
2012.02.27 APRICOT RtgSec 16
RPKI Certificate Engine
(Figure: a Resource PKI engine holding IP Resource Certs, ASN Resource Certs and Route Origin Attestations, driven by a GUI, speaking the Publication Protocol and Up / Down to Parent and Up / Down to Child)
2012.02.27 APRICOT RtgSec 17
Warning What ROA Will Do
2012.02.27 APRICOT RtgSec 18
Issuing Parties
(Figure: three RPKI engines, IANA, APNIC and IIJ, each with a Resource PKI, a Publication Protocol and a GUI; each child asks its parent "Please Issue My Cert" over Up/Down and receives Cert Issuance)
2012.02.27 APRICOT RtgSec 19
Issuing Parties
(Figure: the same three engines, IANA, APNIC and IIJ, linked by Up Down; their publication points are linked by SIA Pointers)
2012.02.27 APRICOT RtgSec 20
Issuing Parties / Relying Parties
(Figure: on the issuing side, the IANA, APNIC and IIJ engines as before, linked by Up Down and SIA Pointers; on the relying side, the RCynic Gatherer starts from a Trust Anchor, follows the SIA Pointers and fills a Validated Cache, which feeds the BGP Decision Process, a Pseudo IRR and NOC Tools)
Pseudo IRR object:
route: 147.28.0.0/16
descr: 147.28.0.0/16-16
origin: AS3130
notify: [email protected]
mnt-by: MAINT-RPKI
changed: [email protected] 20110606
source: RPKI
2012.02.27 APRICOT RtgSec 21
Extremely Large ISP Deployment
(Figure: the Global RPKI feeds three regional caches, Asia Cache, NoAm Cache and Euro Cache, which in turn feed many in-PoP Caches (Caches Feed Caches); the Cust Facing routers pull from the caches, with one feed marked High Priority and another Lower Priority)
2012.02.27 APRICOT RtgSec 22
How Do ROAs Affect BGP Updates?
2012.02.27 APRICOT RtgSec 23
(Figure: In NOC, the RCynic Gatherer starts from a Trust Anchor and follows the SIA Pointers across the IANA, APNIC and IIJ publication points (each a Resource PKI with its Publication Protocol, GUI and Up Down link) into a Validated Cache; In PoP, the cache feeds the BGP Decision Process over the RPKI to Rtr Protocol)
2012.02.27 APRICOT RtgSec 24
IPv4 Prefix
```
 0          8          16         24        31
 .-------------------------------------------.
 | Protocol |   PDU    |                     |
 | Version  |   Type   |     reserved = zero |
 |    0     |    4     |                     |
 +-------------------------------------------+
 |                                           |
 |                 Length=20                 |
 |                                           |
 +-------------------------------------------+
 |          |  Prefix  |   Max    |          |
 |  Flags   |  Length  |  Length  |   zero   |
 |          |   0..32  |   0..32  |          |
 +-------------------------------------------+
 |                                           |
 |                IPv4 prefix                |
 |                                           |
 +-------------------------------------------+
 |                                           |
 |         Autonomous System Number          |
 |                                           |
 `-------------------------------------------'
```
2012.02.27 APRICOT RtgSec 25
IPv6 Prefix
```
 0          8          16         24        31
 .-------------------------------------------.
 | Protocol |   PDU    |                     |
 | Version  |   Type   |     reserved = zero |
 |    0     |    6     |                     |
 +-------------------------------------------+
 |                                           |
 |                 Length=40                 |
 |                                           |
 +-------------------------------------------+
 |          |  Prefix  |   Max    |          |
 |  Flags   |  Length  |  Length  |   zero   |
 |          |  0..128  |  0..128  |          |
 +-------------------------------------------+
 |                                           |
 +---                                     ---+
 |                                           |
 +---            IPv6 prefix              ---+
 |                                           |
 +---                                     ---+
 |                                           |
 +-------------------------------------------+
 |                                           |
 |         Autonomous System Number          |
 |                                           |
 `-------------------------------------------'
```
2012.02.27 APRICOT RtgSec 26
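The two PDU figures above give the wire format of the RPKI-Rtr Prefix PDUs a router pulls from its cache. As an added example (not code from the deck or from rpki.net), here is a Go encoder and a strict decoder for both PDU types following the field layout in the figures. The decoder checks every field the figures constrain, so a truncated, mis-typed or inconsistent PDU is rejected rather than guessed at, which is what you want when the bytes come from a cache over the network. The Length field is computed from the bytes actually emitted: 20 for IPv4 and 32 for IPv6, as in RFC 6810 (the IPv6 figure above reads 40). The type and function names are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// PrefixPDU is the decoded form of an RPKI-Rtr IPv4 (type 4) or IPv6 (type 6)
// Prefix PDU: one (prefix, max-len, AS) triple the cache announces or withdraws.
type PrefixPDU struct {
	Announce bool // Flags bit 0: 1 = announce, 0 = withdraw
	Prefix   netip.Prefix
	MaxLen   uint8
	ASN      uint32
}

const protocolVersion = 0 // the Protocol Version field in the figures

// Encode serialises the PDU as the figures lay it out: 8-byte header (version,
// type, reserved, length), then flags / prefix length / max length / zero,
// the prefix bytes, and the 4-byte AS number.
func (p PrefixPDU) Encode() ([]byte, error) {
	if !p.Prefix.IsValid() {
		return nil, errors.New("invalid prefix")
	}
	addr := p.Prefix.Masked().Addr()
	pduType, addrLen := byte(4), 4
	if addr.Is6() {
		pduType, addrLen = 6, 16
	}
	if int(p.MaxLen) > addrLen*8 || p.Prefix.Bits() > int(p.MaxLen) {
		return nil, fmt.Errorf("bad lengths: /%d-%d", p.Prefix.Bits(), p.MaxLen)
	}
	length := 8 + 4 + addrLen + 4 // header, flags/lengths, prefix, ASN
	buf := make([]byte, length)
	buf[0], buf[1] = protocolVersion, pduType // buf[2:4] stay reserved = zero
	binary.BigEndian.PutUint32(buf[4:8], uint32(length))
	if p.Announce {
		buf[8] = 1 // Flags bit 0
	}
	buf[9], buf[10] = byte(p.Prefix.Bits()), p.MaxLen // buf[11] stays zero
	copy(buf[12:], addr.AsSlice())
	binary.BigEndian.PutUint32(buf[12+addrLen:], p.ASN)
	return buf, nil
}

// Decode parses one Prefix PDU from the front of b and returns it with the
// unconsumed remainder. Version, type, length, and the prefix/max-len bounds
// are all checked before any field is trusted.
func Decode(b []byte) (PrefixPDU, []byte, error) {
	var none PrefixPDU
	if len(b) < 8 {
		return none, nil, errors.New("short header")
	}
	if b[0] != protocolVersion {
		return none, nil, fmt.Errorf("unsupported version %d", b[0])
	}
	var addrLen, wantLen int
	switch b[1] {
	case 4:
		addrLen, wantLen = 4, 20
	case 6:
		addrLen, wantLen = 16, 32
	default:
		return none, nil, fmt.Errorf("not a prefix PDU: type %d", b[1])
	}
	length := int(binary.BigEndian.Uint32(b[4:8]))
	if length != wantLen || len(b) < length {
		return none, nil, fmt.Errorf("bad length %d (have %d bytes)", length, len(b))
	}
	flags, plen, maxLen := b[8], b[9], b[10]
	if int(maxLen) > addrLen*8 || plen > maxLen {
		return none, nil, fmt.Errorf("bad lengths: /%d-%d", plen, maxLen)
	}
	addr, ok := netip.AddrFromSlice(b[12 : 12+addrLen])
	if !ok {
		return none, nil, errors.New("bad address")
	}
	pdu := PrefixPDU{
		Announce: flags&1 == 1,
		Prefix:   netip.PrefixFrom(addr, int(plen)),
		MaxLen:   maxLen,
		ASN:      binary.BigEndian.Uint32(b[12+addrLen : length]),
	}
	return pdu, b[length:], nil
}

func main() {
	// The ROA from slide 15, 98.128.0.0/16-24 AS 3130, as an announce PDU.
	pdu := PrefixPDU{Announce: true, Prefix: netip.MustParsePrefix("98.128.0.0/16"), MaxLen: 24, ASN: 3130}
	b, _ := pdu.Encode()
	fmt.Printf("% x\n", b)
	back, _, err := Decode(b)
	fmt.Println(back, err)
}
```

Decode returns the remainder so a caller can walk a whole stream of PDUs from the cache; the length check against the type-specific size is what stops a malformed PDU from desynchronising that walk.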
BGP Updates are compared with ROAs loaded from the RPKI
2012.02.27 APRICOT RtgSec 27
Marking BGP Updates
(Figure: BGP Updates arrive from a BGP Peer; the router’s BGP Data is checked against the RPKI ROAs received from the RPKI Cache over the RPKI-Rtr Protocol, and each update is marked Valid, Invalid or NotFound)
2012.02.27 APRICOT RtgSec 28
Result of Check
• Valid – A matching/covering ROA was found with a matching AS number
• Invalid – A matching or covering ROA was found, but AS number did not match, and there was no valid one
• Not Found – No matching or covering ROA was found, same as today
2012.02.27 APRICOT RtgSec 29
Configure Router to Get ROAs
router bgp 3130
…
bgp rpki server tcp 198.180.150.1 port 42420 refresh 3600
bgp rpki server tcp 147.28.0.35 port 93920 refresh 3600
…
2012.02.27 APRICOT RtgSec 30
Valid!
```
r0.sea#show bgp 192.158.248.0/24
BGP routing table entry for 192.158.248.0/24, version 3043542
Paths: (3 available, best #1, table default)
  6939 27318
    206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 319, localpref 100, valid, internal, best
      Community: 3130:391
      path 0F6D8B74 RPKI State valid
  2914 4459 27318
    199.238.113.9 from 199.238.113.9 (129.250.0.19)
      Origin IGP, metric 43, localpref 100, valid, external
      Community: 2914:410 2914:1005 2914:3000 3130:380
      path 09AF35CC RPKI State valid
```
2012.02.27 APRICOT RtgSec 31
Invalid!
```
r0.sea#show bgp 198.180.150.0
BGP routing table entry for 198.180.150.0/24, version 2546236
Paths: (3 available, best #2, table default)
  Advertised to update-groups:
     2          5          6          8
  Refresh Epoch 1
  1239 3927
    144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 759, localpref 100, valid, internal
      Community: 3130:370
      path 1312CA90 RPKI State invalid
```
2012.02.27 APRICOT RtgSec 32
NotFound
```
r0.sea#show bgp 64.9.224.0
BGP routing table entry for 64.9.224.0/20, version 35201
Paths: (3 available, best #2, table default)
  Advertised to update-groups:
     2          5          6
  Refresh Epoch 1
  1239 3356 36492
    144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 4, localpref 100, valid, internal
      Community: 3130:370
      path 11861AA4 RPKI State not found
```
2012.02.27 APRICOT RtgSec 33
What are the BGP / ROA Matching Rules?
2012.02.27 APRICOT RtgSec 34
A Prefix is Covered by a ROA when the ROA prefix length is less than or equal to the Route prefix length
BGP 98.128.0.0/16
ROA 98.128.0.0/12-16: Covers
ROA 98.128.0.0/16-24: Covers
ROA 98.128.0.0/20-24: No. It’s Longer
2012.02.27 APRICOT RtgSec 35
Prefix is Matched by a ROA when the Prefix is Covered by that ROA, prefix length is less than or equal to the ROA max-len, and the Route Origin AS is equal to the ROA’s AS
BGP 98.128.0.0/16 AS 42
ROA 98.128.0.0/12-16 AS 42: Matched
ROA 98.128.0.0/16-24 AS 666: No. AS Mismatch
ROA 98.128.0.0/20-24 AS 42: No. ROA Longer
2012.02.27 APRICOT RtgSec 36
Matching and Validity
ROA0 98.128.0.0/16-24 AS 6
ROA1 98.128.0.0/16-20 AS 42
BGP 98.128.0.0/12 AS 42: NotFound, shorter than ROAs
BGP 98.128.0.0/16 AS 42: Valid, Matches ROA1
BGP 98.128.0.0/20 AS 42: Valid, Matches ROA1
BGP 98.128.0.0/24 AS 42: Invalid, longer than ROAs
BGP 98.128.0.0/24 AS 6: Valid, Matches ROA0
2012.02.27 APRICOT RtgSec 37
The Operator Tests and then Sets Local Policy
2012.02.27 APRICOT RtgSec 38
Fairly Secure
route-map validity-0
match rpki valid
set local-preference 100
route-map validity-1
match rpki not-found
set local-preference 50
! invalid is dropped
2012.02.27 APRICOT RtgSec 39
Paranoid
route-map validity-0
match rpki valid
set local-preference 110
! everything else dropped
2012.02.27 APRICOT RtgSec 40
After AS-Path
route-map validity-0
match rpki not-found
set metric 100
route-map validity-1
match rpki invalid
set metric 150
route-map validity-2
set metric 50
2012.02.27 APRICOT RtgSec 41
Allocation in Reality
(Figure: a /16 Assignment from RIR, divided among My Infrastructure, Unused, Static (non BGP) Cust and BGP Cust)
2012.02.27 APRICOT RtgSec 42
ROA Use
(Figure: the same /16, with My Aggregate ROA over the whole block, Customer ROAs over the BGP Cust blocks, and ROAs I Generate for ‘Lazy’ Customer; My Infrastructure, Unused and Static (non BGP) Cust sit under the aggregate ROA)
2012.02.27 APRICOT RtgSec 43
Covering a Customer
(Figure: the /16 with My Infrastructure, Unused, Static (non BGP) Cust and BGP Cust)
I Issue a ROA for the Covering Prefix
I need to do this to protect Static Customers and my Infrastructure
2012.02.27 APRICOT RtgSec 44
Covering a Customer
(Figure: the /16 with My Infrastructure, Unused, Static (non BGP) Cust and BGP Cust)
But if I Issue a ROA for the Covering Prefix Before My Customers issue ROAs for These
2012.02.27 APRICOT RtgSec 45
Covering a Customer
(Figure: the /16 with My Infrastructure, Unused, Static (non BGP) Cust and BGP Cust)
If I Issue a ROA for the Covering Prefix Before My Customers issue ROAs for These, Their Routing Becomes Invalid!
2012.02.27 APRICOT RtgSec 46
Up-Chain Expiration
(Figure: CA chain IANA 0/0 → ARIN 98.0.0.0/8 → RGnet 98.128.0.0/16 → PSGnet CA 98.128.0.0/17, each with its Public Key; the EE Cert for 98.128.0.0/17 signs a ROA for 98.128.0.0/17-24 AS 3130)
Sloppy Admin: an up-chain Cert is Soon to Expire! So My ROA will become Invalid!
These are not Identity Certs. So Who You Gonna Call?
2012.02.27 APRICOT RtgSec 47
ROA Invalid but I Can Route
• The ROA will become Invalid
• My announcement will just become NotFound, not Invalid
• Unless my upstream has a ROA for the covering prefix, which is likely
2012.02.27 APRICOT RtgSec 48
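The matching rules (slides 35 to 37), the three results of slide 29, the covering-customer hazard (slides 44 to 46) and the up-chain expiration case (slides 47 and 48) are all consequences of one small computation over a set of ROAs. This added Go example, which is not part of the deck and not rpki.net code, implements Covers, Matches and the Valid/Invalid/NotFound result exactly as the slides define them, reproduces the slide 37 table, and then runs a what-if check over a ROA set change, which is the check an operator wants before publishing a covering ROA or letting a cert lapse. The two scenarios are constructed: AS 3130 is the provider from the slides, AS 64496 (a documentation AS) stands in for a BGP customer, and the type and function names are mine.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA: a Route Origin Authorization as drawn on the slides (prefix, max-len, AS).
type ROA struct {
	Prefix netip.Prefix
	MaxLen int
	ASN    uint32
}

// Route: one BGP announcement, its prefix and origin AS (rightmost AS in the path).
type Route struct {
	Prefix netip.Prefix
	ASN    uint32
}

// Covers (slide 35): same address family, ROA prefix length <= route prefix
// length, and the route lies inside the ROA prefix.
func Covers(r ROA, rt Route) bool {
	return r.Prefix.Addr().Is4() == rt.Prefix.Addr().Is4() &&
		r.Prefix.Bits() <= rt.Prefix.Bits() &&
		r.Prefix.Contains(rt.Prefix.Masked().Addr())
}

// Matches (slide 36): covered, route length <= max-len, origin AS equal.
func Matches(r ROA, rt Route) bool {
	return Covers(r, rt) && rt.Prefix.Bits() <= r.MaxLen && r.ASN == rt.ASN
}

// Validate (slide 29): Valid if any ROA matches, Invalid if some ROA covers
// but none matches, NotFound if no ROA covers.
func Validate(roas []ROA, rt Route) string {
	state := "NotFound"
	for _, r := range roas {
		if Matches(r, rt) {
			return "Valid"
		}
		if Covers(r, rt) {
			state = "Invalid"
		}
	}
	return state
}

// Regressions lists the routes whose state gets worse (Valid > NotFound > Invalid)
// when the ROA set changes from before to after.
func Regressions(before, after []ROA, routes []Route) map[string][2]string {
	rank := map[string]int{"Valid": 0, "NotFound": 1, "Invalid": 2}
	out := map[string][2]string{}
	for _, rt := range routes {
		was, now := Validate(before, rt), Validate(after, rt)
		if rank[now] > rank[was] {
			out[fmt.Sprintf("%s AS %d", rt.Prefix, rt.ASN)] = [2]string{was, now}
		}
	}
	return out
}

var p = netip.MustParsePrefix

// Slide37 reproduces the "Matching and Validity" table with ROA0 and ROA1.
func Slide37() map[string]string {
	roas := []ROA{{p("98.128.0.0/16"), 24, 6}, {p("98.128.0.0/16"), 20, 42}}
	out := map[string]string{}
	for _, rt := range []Route{
		{p("98.128.0.0/12"), 42}, {p("98.128.0.0/16"), 42}, {p("98.128.0.0/20"), 42},
		{p("98.128.0.0/24"), 42}, {p("98.128.0.0/24"), 6},
	} {
		out[fmt.Sprintf("%s AS %d", rt.Prefix, rt.ASN)] = Validate(roas, rt)
	}
	return out
}

// CoveringCustomer is the slide 44-46 hazard (constructed values): provider
// AS 3130 publishes a ROA for its whole /16 while a BGP customer (AS 64496,
// hypothetical) has not yet issued a ROA for its /24.
func CoveringCustomer() map[string][2]string {
	routes := []Route{{p("98.128.0.0/16"), 3130}, {p("98.128.16.0/24"), 64496}}
	return Regressions(nil, []ROA{{p("98.128.0.0/16"), 16, 3130}}, routes)
}

// UpChainExpiry is slides 47-48 (constructed values): the customer's ROA drops
// out because a cert up the chain expired. Without a covering upstream ROA the
// route only falls back to NotFound; with one it becomes Invalid.
func UpChainExpiry(upstreamROA bool) map[string][2]string {
	routes := []Route{{p("98.128.16.0/24"), 64496}}
	before, after := []ROA{{p("98.128.16.0/24"), 24, 64496}}, []ROA{}
	if upstreamROA {
		up := ROA{p("98.128.0.0/16"), 16, 3130}
		before, after = append(before, up), append(after, up)
	}
	return Regressions(before, after, routes)
}

func main() {
	fmt.Println(Slide37(), CoveringCustomer())
	fmt.Println(UpChainExpiry(false), UpChainExpiry(true))
}
```

Regressions only reports states that get worse, so the provider's own aggregate going from NotFound to Valid is not listed while the customer's /24 going from NotFound to Invalid is; feeding it the current BGP table of customer prefixes turns slide 46's warning into a check that runs before the ROA is signed.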
So Who You Gonna Call?
2012.02.27 APRICOT RtgSec 49
Ghostbusters!
(Figure: the same chain, IANA 0/0 → ARIN 98.0.0.0/8 → RGnet 98.128.0.0/16 → PSGnet CA 98.128.0.0/17 → EE Cert 98.128.0.0/17 → ROA 98.128.0.0/17-24 AS 3130, with a Ghostbusters Record published alongside)
Ghostbusters Record (draft-ietf-sidr-ghostbusters):
BEGIN:vCard
VERSION:3.0
FN:Human's Name
N:Name;Human's;Ms.;Dr.;OCD;ADD
ORG:Organizational Entity
ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A.
TEL;TYPE=VOICE,MSG,WORK:+1-666-555-1212
TEL;TYPE=FAX,WORK:+1-666-555-1213
EMAIL;TYPE=INTERNET:[email protected]
END:vCard
2012.02.27 APRICOT RtgSec 50
But in the End, You Control Your Policy
“Announcements with Invalid origins SHOULD NOT be used, but MAY be used to meet special operational needs.” -- draft-ietf-sidr-origin-ops
But if I do not reject Invalid, what is all this for?
2012.02.27 APRICOT RtgSec 51
Open Source (BSD License) Running Code https://rpki.net/
Test Code in Routers Talk to C & J
2012.02.27 APRICOT RtgSec 52
Vendor Code
• Cisco IOS and XR test code have Origin Validation now, shipping some code now
• Juniper has test code now, ship 2Q2012
• Work continues daily in test routers
• Compute load much less than ACLs from IRR data, 10µsec per update!
2012.02.27 APRICOT RtgSec 53
BGPsec AS-Path Validation
Future Work
2012.02.27 APRICOT RtgSec 54
Origin Validation is Weak
• RPKI-Based Origin Validation only stops accidental misconfiguration, which is very useful. But ...
• A malicious router may announce as any AS, i.e. forge the ROAed origin AS.
• This would pass ROA Validation as in draft-ietf-sidr-pfx-validate.
2012.02.27 APRICOT RtgSec 55
Full Path Validation
• Rigorous per-prefix AS path validation is the goal
• Protect against origin forgery and AS-Path monkey in the middle attacks
• Not merely showing that a received AS path is not impossible
2012.02.27 APRICOT RtgSec 56
Forward Path Signing
AS hop N signing (among other things) that it is sending the announcement to AS hop N+1 by AS number, is believed to be fundamental to protecting against monkey in the middle attacks
2012.02.27 APRICOT RtgSec 57
Forward Path Signing
(Figure: AS0 sends the NLRI to AS1, signing a Hash of (NLRI, AS0, AS1) with Router Key AS0.rtr-xx, identified by its ^RtrCert, producing Sig0; AS1 forwards to AS2, signing the Hash with Router Key AS1-rtr-yy, identified by its ^RtrCert, producing Sig1; each hop carries a Signed Forward Reference to the next AS)
2012.02.27 APRICOT RtgSec 58
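The figure above shows each hop signing, among other things, the AS it is sending the announcement to. The Go example below is added here to show what the receiver's verification has to check for that forward reference to be worth anything; it is not code from the deck and not BGPsec as specified (it uses Ed25519 where BGPsec uses ECDSA P-256, and a simplified SHA-256 digest over NLRI, AS, next AS and the previous signatures). The receiver checks each signature under that AS's router key, that hop 0 is the origin, that each hop's signed forward reference names the AS that actually follows, and that the last one names the receiver itself. Documentation ASNs 64496 to 64499 stand in for the figure's AS0 to AS3, the keys are generated on the spot, and the NLRI 98.128.0.0/16 is the prefix used throughout the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hop is one AS's contribution: the AS it is forwarding to (the signed forward
// reference) and its signature over that, its own AS, the NLRI and all earlier
// signatures.
type Hop struct {
	AS, NextAS uint32
	Sig        []byte
}

// Update is a BGPsec-style announcement: the NLRI, the origin AS, and one Hop
// per AS the update has passed through, in order.
type Update struct {
	NLRI     string
	OriginAS uint32
	Hops     []Hop
}

// digest is what hop n signs: SHA-256 over NLRI, AS_n, AS_n+1 and the previous
// hops' signatures, so every hop is chained to the ones before it.
func (u Update) digest(n int) []byte {
	h := sha256.New()
	h.Write([]byte(u.NLRI))
	binary.Write(h, binary.BigEndian, u.Hops[n].AS)
	binary.Write(h, binary.BigEndian, u.Hops[n].NextAS)
	for _, prev := range u.Hops[:n] {
		h.Write(prev.Sig)
	}
	return h.Sum(nil)
}

// Forward returns a copy of the update with a hop (as -> next) appended and
// signed by as's router key. The first hop must be made by the origin AS.
func (u Update) Forward(as, next uint32, key ed25519.PrivateKey) Update {
	u.Hops = append(append([]Hop(nil), u.Hops...), Hop{AS: as, NextAS: next})
	n := len(u.Hops) - 1
	u.Hops[n].Sig = ed25519.Sign(key, u.digest(n))
	return u
}

// Verify is what the receiving AS (me) checks: the path starts at the origin,
// every signature verifies under that AS's router cert, each hop's forward
// reference names the AS that actually follows, and the last one names me.
func (u Update) Verify(me uint32, routerCerts map[uint32]ed25519.PublicKey) error {
	if len(u.Hops) == 0 || u.Hops[0].AS != u.OriginAS {
		return errors.New("path does not start at the origin AS")
	}
	for i, h := range u.Hops {
		pub, ok := routerCerts[h.AS]
		if !ok || !ed25519.Verify(pub, u.digest(i), h.Sig) {
			return fmt.Errorf("hop %d: no valid signature for AS%d", i, h.AS)
		}
		want := me
		if i+1 < len(u.Hops) {
			want = u.Hops[i+1].AS
		}
		if h.NextAS != want {
			return fmt.Errorf("hop %d: AS%d signed forward to AS%d, but AS%d follows", i, h.AS, h.NextAS, want)
		}
	}
	return nil
}

// Scenario mirrors the figure (AS0 -> AS1 -> AS2) plus two updates a receiver at
// AS2 must reject. Documentation ASNs 64496..64499 stand in for AS0..AS3 and the
// router keys are generated here (constructed, not real router certs).
func Scenario() map[string]error {
	asn := []uint32{64496, 64497, 64498, 64499}
	keys := map[uint32]ed25519.PrivateKey{}
	certs := map[uint32]ed25519.PublicKey{}
	for _, a := range asn {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		keys[a], certs[a] = priv, pub
	}
	origin := Update{NLRI: "98.128.0.0/16", OriginAS: asn[0]}
	toAS2 := origin.Forward(asn[0], asn[1], keys[asn[0]]).Forward(asn[1], asn[2], keys[asn[1]])
	toAS3 := origin.Forward(asn[0], asn[1], keys[asn[0]]).Forward(asn[1], asn[3], keys[asn[1]])
	altered := toAS2
	altered.NLRI = "98.128.0.0/17" // changed after AS0 and AS1 signed
	return map[string]error{
		"honest path AS0 AS1 AS2":        toAS2.Verify(asn[2], certs),
		"AS3 relays AS1's update to AS2": toAS3.Verify(asn[2], certs), // AS1 signed forward to AS3 only
		"NLRI changed in flight":         altered.Verify(asn[2], certs),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-32s -> %v\n", name, err)
	}
}
```

The second scenario is the slide's point about forward references: AS1 signed that it was sending to AS3, so when AS3 hands the unchanged update to AS2 without adding and signing its own hop, AS2 sees a forward reference that does not name it and rejects the path, even though every signature in it is genuine.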