This document discusses how multi-homing and RPKI can provide robust and secure internet connections. It explains that multi-homing with BGP allows networks to direct traffic through the most cost effective connections, improving resilience and performance. RPKI helps secure BGP routing by preventing route hijacking and mis-origination through the use of Route Origin Authorizations (ROAs) and an RPKI validator. ROAs authorize which ASNs can originate which IP prefixes. The validator checks BGP updates against ROAs to label routes as valid, invalid, or not found. This validation information can then be used to define routing policies.

1. Robust and Secure
Connections
Multi-homed and RPKI validated!
LKNOG 2, 2 November 2018
Pubudu Jayasinghe: pubudu@apnic.net

2. Agenda
• Internet number resources
• Robust connectivity with multihoming
• Routing Security with RPKI
2

3. IP addresses and ASNs
3

4. Routing and ASNs
• RFC 1930:
– An AS (Autonomous System) is a connected group of one or more IP
prefixes run by one or more network operators that has a SINGLE
and CLEARLY DEFINED routing policy.
– An AS has a globally unique number (sometimes referred to as an
ASN, or Autonomous System Number) associated with it. This
number is used in both the exchange of exterior routing information
(between neighbouring ASes), and as an identifier of the AS itself.
4
Source - https://tools.ietf.org/html/rfc1930

5. Connecting to the Internet
202.178.112.0/24
2400:3E00:DD::/48 202.178.112.0/24
2400:3E00:DD::/48
Multi-homed network
MAY have a need for a public ASN
Single-homed network
No need for public ASN
5

6. Why multi-home with BGP and use a
public ASN?
6
• Good interconnection strategy can lower cost of operation
by directing traffic through the most cost effective
connections wherever possible
Cost
• Looking further than next hop path diversification allows
you to better evaluate interconnection options, which in
turn could result in better network resiliency
Resilience
• Understanding where your network traffic goes and when
possible shortening of the path to your main
customers/suppliers/partners could result in better overall
network experience
Performance

7. View within an AS: Telco/ISP
7

8. View within an AS: University
8

9. View within an AS: Data Centre
9

10. View within an AS: Bank/Supermarket
10

11. 11
Getting the resources: Eligibility
www.apnic.net/apply

12. Securing BGP — RPKI
www.apnic.net/rpki

13. Fat-fingers/Hijacks/Leaks
• 13,935 total incidents in 2017 (either outages or attacks like
route leaks and hijacks)
• Over 10% of all ASes on the Internet were affected
• 38% were considered routing attacks
• 3,106 ASes were a victim of at least one routing incident
• 1,546 networks caused at least one incident
Source : https://bgpstream.com/
13

14. Fat-fingers/Hijacks/Leaks
14
What is the IP of
www.mybank.com
10.0.0.1
198.51.100.x
Announced by a
less specific
route (eg: /20)
198.51.100.x
Announced by a
more specific
route (eg : /24)
What is the IP
for Mybank?
203.0.113.1
Mybank is
203.0.113.1
Mybank is
203.0.113.1
Hi MyBank, My
username and
password is..

15. How do we address these…
• Let the world know what ASNs are authorized to announce
your IP prefixes
• Check if you are announcing authorized prefixes
15

16. What is RPKI?
16
RPKI
Resource
PKI

17. Benefits of RPKI
• Prevents route hijacking
– A prefix originated by an AS without authorization
– Reason: malicious intent
• Prevents mis-origination
– A prefix that is mistakenly originated by an AS which does not own it
– Also route leakage
– Reason: configuration mistakes/fat-finger
17

18. RPKI building blocks
1. Trust anchors (RIRs)
2. Route Origination Authorizations (ROA)
3. RPKI Validator
18

19. RPKI profile
19
• Resource certificates are
based on the X.509 v3
certificate format (RFC 5280)
• Extended by RFC 3779 – binds
a list of resources (IPv4/v6,
ASNs) to the subject of the
certificate
• SIA (Subject Information
Access) contains a URI that
references the directory where
it is published
X.509 cert
RFC 3779
Extension
IP resources
(addr & ASN)
SIA – URI where this
publishes
Owner’s Public Key
CA
Signedbyparent’sPRIVATEkey

20. ROA — Route Origin Authorization
• A digitally signed object that contains a list of address
prefixes and the nominated ASN
• It is an authority created by a prefix holder to authorize an
ASN to originate one or more prefixes
– Which can be verified cryptographically using RPKI
• Multiple ROAs can exist for the same prefix
20
Prefix 203.176.32.0/19
Max-length /24
Origin ASN AS17821

21. How to check your ROAs
21
MyAPNIC

22. 22
RPKI Validators
• RIPE RPKI Validator
• Dragon Research Labs RPKI Toolkit
• Routinator
• RTRlib (bird, FRR, Quagga…)
https://www.ripe.net/manage-ips-and-asns/resource-
management/certification/tools-and-resources
https://github.com/dragonresearch/rpki.net
https://github.com/NLnetLabs/routinator
https://rtrlib.realmv6.org/

23. 23
Some other ways to check ROAs
# whois -h rr.ntt.net 2001:df2:ee00::/48
route6: 2001:df2:ee00::/48
descr: RPKI ROA for 2001:df2:ee00::/48
remarks: This route object represents routing data retrieved from the RPKI
remarks: The original data can be found here: https://rpki.gin.ntt.net/r/AS131107/2001:df2:ee00::/48
remarks: This route object is the result of an automated RPKI-to-IRR conversion process.
remarks: maxLength 48
origin: AS131107
mnt-by: MAINT-JOB
changed: job@ntt.net 20180802
source: RPKI # Trust Anchor: APNIC RPKI Root

24. Some other ways to check ROAs
24
# whois -h whois.bgpmon.net 2001:df2:ee00::/48
Prefix: 2001:df2:ee00::/48
Prefix description: APNICTRAINING-DC
Country code: AU
Origin AS: 131107
Origin AS Name: APNICTRAINING LAB DC
RPKI status: ROA validation successful
First seen: 2016-06-30
Last seen: 2018-01-21
Seen by #peers: 97
# whois -h whois.bgpmon.net "--roa 131107 2001:df2:ee00::/48”
------------------------
ROA Details
------------------------
Origin ASN: AS131107
Not valid Before: 2016-09-07 02:10:04
Not valid After: 2020-07-30 00:00:00 Expires in
2y190d9h34m23.2000000029802s
Trust Anchor: rpki.apnic.net
Prefixes: 2001:df2:ee00::/48 (max length /48)
202.125.96.0/24 (max length /24)

25. 25
https://bgp.he.net/
Some other ways to check ROAs

26. Relying Party (RPKI Validator)
• RPKI Validator
– Gathers ROAs from the distributed RPKI database
– Validates each entry’s signature
• Validated cache
26

27. rpki.apnic.net
IANA
Repo
APNIC
Repo
RIPE
Repo
LIR Repo LIR Repo
RPKI Validator Validated
Cache
rsync
rsync
rsync
rsync
Relying Party (RPKI Validator)
27

28. Origin validation
28
RPKI-to-Router
(RtR)
RPKI Validator/
RPKI Cache server
2406:6400::/32-48
17821
.1/:1
.2/:2
AS17821
ASXXXX
Global (RPKI)
Repository
ROA
2406:6400::/32-48
17821
TA
TA
TA
2406:6400::/48

29. Origin validation
• Router gets ROA information from the RPKI cache
– Crypto is stripped (by the validator)
• The BGP process will check each received BGP update
against the ROA information and label
– Valid
– Invalid
– Not Found
29

30. RPKI states
30
VALID AS65420 10.0.0.0/16
VALID AS65420 10.0.128.0/17
INVALID AS65421 10.0.0.0/16
INVALID AS65420 10.0.10.0/24
UNKNOWN AS65430 10.0.0.0/8
65420 10.0.0.0/16 /18
Origin AS Prefix Max Length
ROA =>

31. Policies based on validation
• Define your policy based on the validation state
– Do nothing (observe)
– Tag (BGP communities)
– Modify preference values
• RFC 7115
– Drop invalid announcements (paranoid!)
• Invalid - but verify against other databases (IRR whois)
31

32. Further reading on RPKI
• RFC 5280: X.509 PKI certificates
• RFC 3779: Extensions for IP addresses and ASNs
• RFC 6481-6493: Resource Public Key Infrastructure
32

33. Learn more
33
training.apnic.net
APNIC Academy
academy.apnic.net

34. Questions?