This document discusses how multi-homing and RPKI can provide robust and secure internet connections. It explains that multi-homing with BGP allows networks to direct traffic through the most cost effective connections, improving resilience and performance. RPKI helps secure BGP routing by preventing route hijacking and mis-origination through the use of Route Origin Authorizations (ROAs) and an RPKI validator. ROAs authorize which ASNs can originate which IP prefixes. The validator checks BGP updates against ROAs to label routes as valid, invalid, or not found. This validation information can then be used to define routing policies.
4. Routing and ASNs
• RFC 1930:
– An AS (Autonomous System) is a connected group of one or more IP prefixes run by one or more network operators that has a SINGLE and CLEARLY DEFINED routing policy.
– An AS has a globally unique number (sometimes referred to as an ASN, or Autonomous System Number) associated with it. This number is used in both the exchange of exterior routing information (between neighbouring ASes), and as an identifier of the AS itself.
Source: https://tools.ietf.org/html/rfc1930
5. Connecting to the Internet
[Figure: two networks, each announcing 202.178.112.0/24 and 2400:3E00:DD::/48. Multi-homed network: MAY have a need for a public ASN. Single-homed network: no need for a public ASN.]
6. Why multi-home with BGP and use a public ASN?
• Cost – A good interconnection strategy can lower the cost of operation by directing traffic through the most cost-effective connections wherever possible
• Resilience – Looking further than the next hop, path diversification allows you to better evaluate interconnection options, which in turn could result in better network resiliency
• Performance – Understanding where your network traffic goes and, when possible, shortening the path to your main customers/suppliers/partners could result in a better overall network experience
13. Fat-fingers/Hijacks/Leaks
• 13,935 total incidents in 2017 (either outages or attacks like route leaks and hijacks)
• Over 10% of all ASes on the Internet were affected
• 38% were considered routing attacks
• 3,106 ASes were a victim of at least one routing incident
• 1,546 networks caused at least one incident
Source: https://bgpstream.com/
14. Fat-fingers/Hijacks/Leaks
[Figure: a hijack scenario. A client (10.0.0.1) asks "What is the IP of www.mybank.com?". The legitimate resolver sits in 198.51.100.x, announced by a less specific route (eg: /20); the same 198.51.100.x space is also announced by a more specific route (eg: /24), so the query "What is the IP for Mybank?" is drawn to the more specific announcement, which answers "Mybank is 203.0.113.1". The client then sends "Hi MyBank, my username and password is..." to 203.0.113.1.]
15. How do we address these…
• Let the world know what ASNs are authorized to announce your IP prefixes
• Check if you are announcing authorized prefixes
17. Benefits of RPKI
• Prevents route hijacking
– A prefix originated by an AS without authorization
– Reason: malicious intent
• Prevents mis-origination
– A prefix that is mistakenly originated by an AS which does not own it
– Also route leakage
– Reason: configuration mistakes/fat-finger
19. RPKI profile
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779 – binds a list of resources (IPv4/v6, ASNs) to the subject of the certificate
• SIA (Subject Information Access) contains a URI that references the directory where it is published
[Figure: an X.509 cert carrying the RFC 3779 extension (IP resources: addr & ASN), the SIA (URI where this publishes), the owner's public key and the CA, signed by the parent's PRIVATE key.]
20. ROA — Route Origin Authorization
• A digitally signed object that contains a list of address prefixes and the nominated ASN
• It is an authority created by a prefix holder to authorize an ASN to originate one or more prefixes
– Which can be verified cryptographically using RPKI
• Multiple ROAs can exist for the same prefix
Example ROA: Prefix 203.176.32.0/19, Max-length /24, Origin ASN AS17821
23. Some other ways to check ROAs
# whois -h rr.ntt.net 2001:df2:ee00::/48
route6: 2001:df2:ee00::/48
descr: RPKI ROA for 2001:df2:ee00::/48
remarks: This route object represents routing data retrieved from the RPKI
remarks: The original data can be found here: https://rpki.gin.ntt.net/r/AS131107/2001:df2:ee00::/48
remarks: This route object is the result of an automated RPKI-to-IRR conversion process.
remarks: maxLength 48
origin: AS131107
mnt-by: MAINT-JOB
changed: job@ntt.net 20180802
source: RPKI # Trust Anchor: APNIC RPKI Root
24. Some other ways to check ROAs
# whois -h whois.bgpmon.net 2001:df2:ee00::/48
Prefix: 2001:df2:ee00::/48
Prefix description: APNICTRAINING-DC
Country code: AU
Origin AS: 131107
Origin AS Name: APNICTRAINING LAB DC
RPKI status: ROA validation successful
First seen: 2016-06-30
Last seen: 2018-01-21
Seen by #peers: 97
# whois -h whois.bgpmon.net "--roa 131107 2001:df2:ee00::/48"
------------------------
ROA Details
------------------------
Origin ASN: AS131107
Not valid Before: 2016-09-07 02:10:04
Not valid After: 2020-07-30 00:00:00 Expires in 2y190d9h34m23.2000000029802s
Trust Anchor: rpki.apnic.net
Prefixes: 2001:df2:ee00::/48 (max length /48)
202.125.96.0/24 (max length /24)
29. Origin validation
• Router gets ROA information from the RPKI cache
– Crypto is stripped (by the validator)
• The BGP process will check each received BGP update against the ROA information and label it
– Valid
– Invalid
– Not Found
30. RPKI states
ROA => Origin AS 65420, Prefix 10.0.0.0/16, Max Length /18

State     Origin AS   Prefix
VALID     AS65420     10.0.0.0/16
VALID     AS65420     10.0.128.0/17
INVALID   AS65421     10.0.0.0/16
INVALID   AS65420     10.0.10.0/24
UNKNOWN   AS65430     10.0.0.0/8
31. Policies based on validation
• Define your policy based on the validation state
– Do nothing (observe)
– Tag (BGP communities)
– Modify preference values
• RFC 7115
– Drop invalid announcements (paranoid!)
• Invalid - but verify against other databases (IRR whois)
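As an added example (not from the slides), the origin-validation check of RFC 6811 that produces the VALID/INVALID/NOT FOUND states in the slide 30 table, run against the slide's ROA (AS65420, 10.0.0.0/16, max length /18), followed by a preference-modifying policy of the kind slide 31 describes. The `VRP` class, the `LOCAL_PREF` values and the drop-invalid switch are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload as the RPKI cache hands it to the router (crypto stripped)."""
    asn: int
    prefix: str
    max_length: int


# The ROA from the slide: AS65420 may originate 10.0.0.0/16 and sub-prefixes down to /18.
ROAS = [VRP(65420, "10.0.0.0/16", 18)]


def validate(roas, prefix, origin_asn):
    """RFC 6811 origin validation: returns 'VALID', 'INVALID' or 'NOT_FOUND'.

    NOT_FOUND is the state the slide labels UNKNOWN.
    """
    route = ip_network(prefix)
    # A ROA covers the route when the route is equal to or more specific than
    # the ROA prefix (same address family; subnet_of() rejects mixed families).
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == route.version
        and route.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "NOT_FOUND"
    # Multiple ROAs may exist for a prefix; any one that matches both the
    # origin AS and the max length makes the route VALID.
    for r in covering:
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "VALID"
    return "INVALID"


# Assumed policy: prefer VALID, keep NOT_FOUND at the default, deprefer INVALID
# (or drop it outright, as RFC 7115 permits). The numbers are illustrative.
LOCAL_PREF = {"VALID": 110, "NOT_FOUND": 100, "INVALID": 90}


def apply_policy(roas, prefix, origin_asn, drop_invalid=False):
    """Return (state, local_pref); local_pref is None when the route is dropped."""
    state = validate(roas, prefix, origin_asn)
    if state == "INVALID" and drop_invalid:
        return state, None
    return state, LOCAL_PREF[state]
```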
32. Further reading on RPKI
• RFC 5280: X.509 PKI certificates
• RFC 3779: Extensions for IP addresses and ASNs
• RFC 6481-6493: Resource Public Key Infrastructure
By the end of 2017, BGPStream had reported close to 40,000 routing incidents, which affected 10% of all AS numbers on the Internet.
Note that 38% of these incidents had the characteristics of a routing attack, that is, a hijack or a leak.
If you have been following Internet security news, you may know some of the well-known organizations that were affected.
Earlier this year, Amazon Route 53 DNS services were attacked; at the end of last year, Google Japan routes were leaked, causing significant delays.
Looking back a few years, YouTube was also a victim of a route leak in Pakistan.
If you provide services that involve sensitive data, it is possible that someone is looking for vulnerabilities in your systems, including your routing.
The validator gathers all ROAs from the distributed RPKI database and validates each entry's signature, building the validated cache.
The validator forwards the ROAs in the validated cache to the router through the RPKI-to-Router protocol, with the crypto certificates removed.
The router periodically checks the validator (refresh) for any changes to the ROAs.
Relying Parties can configure a locally managed cache of the distributed RPKI repository and collect the set of valid ROAs [rcynic]. They can then, via the dedicated RPKI cache-to-router protocol [rpki-rtr], maintain, on a set of “client” routers the set of address prefix/originating AS authorities that are described in valid ROAs. This information can be used by the BGP-speaking router as an input to the local route decision process.