(the trouble with)
Securing the Internet Routing
Tashi Phuntsho (tashi@apnic.net)
Senior Network Analyst/Technical Trainer
Headlines
https://blog.qrator.net/en/how-you-deal-route-leaks_69/
https://twitter.com/bgpmon/status/1246842916502302723?s=21
Headlines
https://twitter.com/atoonk/status/1143143943531454464/photo/1
https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/amp/
Headlines
https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies
Headlines
[Figure: JP->JP traffic path before and after the leak]
https://dyn.com/blog/large-bgp-leak-by-google-disrupts-internet-in-japan/
Why do we keep seeing these?
• As always, there is no Evil bit (RFC3514)
– a bad routing update does not identify itself as BAD
Current Practice
[Diagram] Peering/Transit request → LOA check → Filters (in/out). The LOA check is done manually against Whois, the Letter of Authority and the IRR (RPSL).
Tools & Techniques
• Look up whois
– verify holder of a resource
Tools & Techniques
• Ask for a Letter of Authority
– Absolves you from any liabilities
Tools & Techniques
• Look up/ask to enter details in IRR
– describes route origination and inter-AS routing policies
Tools & Techniques
• IRR
– Helps generate network (prefix & as-path) filters using RPSL tools
• Filter out route advertisements not described in the registry
IRR Issues
• No single authority model
• How do I know an RR entry is genuine/correct?
• Too many RRs
• If two RRs have conflicting data, which one do I trust?
• Incomplete data
– If a route is not in a RR, is the route
• Invalid, or
• Is the RR just missing data?
Enter the RPKI framework
[Diagram] A ROA in the RPKI repository authorises AS17821 to originate 2406:6400::/32 down to /48 (2406:6400::/32-48, AS17821). The validator fetches the repository (rsync/RRDP), validates it and pushes the resulting VRP to the router over RPKI-to-Router (RTR). The router then compares the BGP announcements it receives against that VRP:
2406:6400::/48  AS-path 65551 65550 17821 i  → Valid (origin AS17821 is authorised)
2406:6400::/48  AS-path 65553 65552 i        → Invalid (origin AS65552 is not authorised)
Implementation
• Sign your route origins (create your ROAs)
Prefix 2406:6400::/32
Max-length /36
Origin ASN AS45192
ROA considerations
• Max length attribute
– Minimal ROA
• ROAs to cover only those prefixes announced in BGP
• https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
– Reduces spoofed origin-AS attack surface
[Chart: Invalids (Max Length), IPv4 and IPv6, Dec'19 to July'20, y-axis 0 to 4000]
ROA considerations
• Know your network (origin AS)
– Do you have multiple ASes?
• Are they independent ASes? or
• Transit AS + multiple Access ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
[Chart: Invalids (Origin AS), IPv4 and IPv6, Dec'19 to July'20, y-axis 0 to 2500]
Implementation
• Run your own RPKI validator:
– Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
– RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.7.1
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
– Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
Validator considerations
• Securing the RTR session
– Plain text (TCP)
• run within your routing domain
– Other auth options
• SSH (v2)
• MD5 auth
• IPsec
• TLS
• TCP-AO
Validator considerations
• When RTR session fails
– Based on the expire interval of ROA cache
• JunOS/SR-OS: 3600s, IOS-XE: 300s (RFC min ~ 600secs)
– Defaults to NOT FOUND
• Including Invalids
– Hence, at least 2 x Validators (RTR sessions)
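To see why the slide insists on two RTR sessions, here is a small model (added here, not code from the deck) of a router's VRP cache expiry: the only validator session drops at t=0, the cached VRPs survive for the platform's expire interval, then the router has no ROA data, every route becomes Not Found, and a "drop Invalids" policy silently fails open. The VRP and the mis-originated announcement are the ones from the framework slide; the session names are made up.

```python
import ipaddress

# Expire interval the router applies to cached VRPs once the RTR session is gone;
# platform defaults as quoted on the slide (the RFC minimum is ~600 s).
EXPIRE_DEFAULT = {"JunOS": 3600, "SR-OS": 3600, "IOS-XE": 300}


class RtrSession:
    """One RTR session to a validator and the VRPs (prefix, maxlen, asn) cached from it."""

    def __init__(self, name, vrps, expire):
        self.name, self.vrps, self.expire = name, list(vrps), expire
        self.failed_at = None              # None while the session is up

    def fail(self, t):
        self.failed_at = t                 # cache is kept until t + expire, then flushed

    def usable(self, t):
        return self.failed_at is None or t <= self.failed_at + self.expire


def rov_state(sessions, prefix, origin, t):
    """RFC 6811 state at time t, using only VRPs whose cache has not expired."""
    ann = ipaddress.ip_network(prefix)
    live = [v for s in sessions if s.usable(t) for v in s.vrps]
    covering = [v for v in live
                if ipaddress.ip_network(v[0]).version == ann.version
                and ann.subnet_of(ipaddress.ip_network(v[0]))]
    if not covering:
        return "NotFound"                  # no ROA data left: everything is Not Found
    if any(v[2] == origin and ann.prefixlen <= v[1] for v in covering):
        return "Valid"
    return "Invalid"


VRPS = [("2406:6400::/32", 48, 17821)]     # the ROA from the framework slide
MISORIGIN = ("2406:6400::/48", 65552)      # the announcement the slide marks Invalid


def accepted(sessions, t, drop_invalids=True):
    """True if the mis-originated route gets through at time t under a 'drop Invalids' policy."""
    return not (drop_invalids and rov_state(sessions, *MISORIGIN, t) == "Invalid")


def single_validator(t, platform="IOS-XE"):
    s = RtrSession("validator-1", VRPS, EXPIRE_DEFAULT[platform])
    s.fail(0)                              # the only RTR session drops at t=0
    return rov_state([s], *MISORIGIN, t), accepted([s], t)


def two_validators(t, platform="IOS-XE"):
    a = RtrSession("validator-1", VRPS, EXPIRE_DEFAULT[platform])
    a.fail(0)                              # first session drops at t=0 ...
    b = RtrSession("validator-2", VRPS, EXPIRE_DEFAULT[platform])  # ... second stays up
    return rov_state([a, b], *MISORIGIN, t), accepted([a, b], t)


if __name__ == "__main__":
    for t in (299, 301):
        print(t, single_validator(t), two_validators(t))
```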
Validator considerations
• VRP output
Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Example: IOS-XE won't use Invalids for best path selection

IOS-XE:
  router bgp 131107
   bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>

Junos:
  routing-options {
      autonomous-system 131107;
      validation {
          group rpki-validator {
              session <validatorIP> {
                  refresh-time <secs>;
                  port <323/3323/8282>;
                  local-address X.X.X.X;
              }
          }
      }
  }

IOS-XR:
  router bgp 131107
   rpki server <validatorIP>
    transport tcp port <323/3323/8282>
    refresh-time <secs>
Implementation
• Acting on the Validation states
– Tag & do nothing (e.g. when you have downstreams or run a route server at IXPs): mark each state with a community, e.g.
[Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)]
– RFC7115
• Prefer “Valid > Not Found > Invalid”
– Drop Invalids
• ~6K IPv4 and ~3K IPv6 routes
Operational Considerations
• Default routes?
– A default route will match anything, including the Invalids you dropped
Other developments
• ROA with AS-0 origin (RFC6483/RFC7607)
– Negative attestation
• No valid ASN has been granted authority
• Not to be routed (Ex - IXP LAN prefixes)
– Overridden by another ROA
• with an origin AS other than AS-0
– Prop-132: unallocated/unassigned APNIC space
• Similar to RFC6491 for special-use/reserved/unallocated
So, what can we all do?
• Basic BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs → ROV
• Join industry initiatives like MANRS
• https://www.manrs.org/
AU focus
NOT FOUND (routes with no covering ROA), by registry:
        AFRINIC  APNIC  ARIN  RIPE  IRINN  JPNIC
  IPv4  44       17106  379   104   13     7       (~18K total)
  IPv6  1561  8  8                                 (~1.5K total)

INVALIDS:
  APNIC  IPv4: 20 (16 ML, 3 AS, 1 ASML)   IPv6: 6 (4 ML, 2 AS)
  JPNIC  IPv4: 1 (1 AS)
AU focus
IPv4
  Network                          Routed   ROA (AS, Prefix, ML)           Validity
  AS132405 (Summit Internet)       4x/24s   132405,43.250.92.0/22,22       Invalid ML
  AS134090 (XIntegration)          2x/24s   134090,103.106.88.0/22,22      Invalid ML
                                            134090,103.106.90.0/23,23
  AS10214 (Pentanet)               2x/24s   10214,121.200.32.0/23,23       Invalid ML
                                            132458,121.200.32.0/23,23
  AS17918 (AC3)                    2x/24s   14168,122.252.148.0/22,22      Invalid ASML
                                            16509,122.252.148.0/22,22
  AS4739 (Internode)               1x/16    4713,118.0.0.0/12,24           Invalid AS
  AS1221 (Telstra AU)              1x/24    4637,192.74.139.0/24,24        Invalid AS

IPv6
  Network                          Routed   ROA (AS, Prefix, ML)           Validity
  AS59256 (Ausnet Servers)         2x/48s   59256,2401:9CC0::/32,32        Invalid ML
  AS64098 (IP Transit)             1x/48    64098,2403:780::/32,40         Invalid ML
  AS134409 (Public DNS/Host Link)  1x/48    24322,2407:C820::/32,32        Invalid AS
                                            24322,2407:C280:FFFF::/48,48
  AS38220 (Amaze)                  1x/36    45177,2403:CC00:4000::/36,36   Invalid AS
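As an added example (not code from the deck), the RFC 6811 origin validation the framework slide sketches, run over VRPs built from the ROAs in the table above, classifying each Invalid as ML, AS or ASML the way the table labels them and applying the RFC 7115 preference (Valid > Not Found > Invalid) or a drop-Invalids policy from the "Acting on the Validation states" slide. The specific /24 and /16 announcements (the table only gives counts), the documentation prefix 203.0.113.0/24 and the local-preference values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload (prefix, max-length, origin AS), as delivered over RTR."""
    prefix: str
    maxlen: int
    asn: int


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=False)


def covering_vrps(vrps: List[VRP], prefix: str) -> List[VRP]:
    """VRPs whose prefix covers (is a supernet of, or equal to) the announced prefix."""
    ann = _net(prefix)
    return [v for v in vrps
            if _net(v.prefix).version == ann.version and ann.subnet_of(_net(v.prefix))]


def validate(vrps: List[VRP], prefix: str, origin: int) -> Tuple[str, Optional[str]]:
    """RFC 6811 origin validation.  Returns (state, reason): state is 'Valid',
    'NotFound' or 'Invalid'; for Invalid, reason is 'ML' (a ROA for this origin
    exists but the announcement is too specific), 'AS' (a ROA permits this length
    but for another origin) or 'ASML' (no covering ROA matches on either)."""
    ann = _net(prefix)
    covering = covering_vrps(vrps, prefix)
    if not covering:
        return "NotFound", None
    as_match = ml_match = False
    for v in covering:
        asn_ok = v.asn == origin
        len_ok = ann.prefixlen <= v.maxlen
        if asn_ok and len_ok:
            return "Valid", None
        as_match |= asn_ok
        ml_match |= len_ok
    reason = "ML" if as_match else ("AS" if ml_match else "ASML")
    return "Invalid", reason


# RFC 7115 preference: Valid > Not Found > Invalid.  Local-pref values are constructed.
LOCAL_PREF = {"Valid": 110, "NotFound": 100, "Invalid": 90}


def policy(state: str, drop_invalids: bool) -> Tuple[str, Optional[int]]:
    """Either drop Invalids outright or just rank the three states."""
    if state == "Invalid" and drop_invalids:
        return "drop", None
    return "accept", LOCAL_PREF[state]


# VRPs taken from the framework slide and the ROA column of the AU-focus table.
VRPS = [
    VRP("2406:6400::/32", 48, 17821),
    VRP("43.250.92.0/22", 22, 132405),
    VRP("121.200.32.0/23", 23, 10214),
    VRP("121.200.32.0/23", 23, 132458),
    VRP("122.252.148.0/22", 22, 14168),
    VRP("122.252.148.0/22", 22, 16509),
    VRP("118.0.0.0/12", 24, 4713),
]

# Announcements: the two paths from the framework slide, one representative
# more-specific per AU-focus row (constructed), and a prefix with no ROA at all.
ANNOUNCEMENTS = [
    ("2406:6400::/48", 17821),
    ("2406:6400::/48", 65552),
    ("43.250.92.0/24", 132405),
    ("121.200.32.0/24", 10214),
    ("122.252.148.0/24", 17918),
    ("118.0.0.0/16", 4739),
    ("203.0.113.0/24", 64500),
]


def report(drop_invalids: bool = True):
    """(prefix, origin, state, reason, action, local-pref) for every announcement."""
    rows = []
    for prefix, origin in ANNOUNCEMENTS:
        state, reason = validate(VRPS, prefix, origin)
        action, lp = policy(state, drop_invalids)
        rows.append((prefix, origin, state, reason, action, lp))
    return rows


if __name__ == "__main__":
    for p, o, st, rs, act, lp in report():
        print("%-18s AS%-7d %-9s %-5s %-7s %s" % (p, o, st, rs or "-", act, lp or "-"))
```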
Acknowledgement
• Geoff Huston, APNIC
• Randy Bush, IIJ Labs/Arrcus
THANK YOU

IAA Life in Lockdown series: Securing Internet Routing
