RPKI Deployment Status
in Bangladesh
Md. Abdul Awal
Network Startup Resource Center
https://nsrc.org
Why Should We Care About RPKI?
#bdNOG13
Long ago, people were living in peace
• Network engineers were innocent and trustworthy
• Global routing table only had valid prefixes
• But the perfect world can’t exist:
– Someone made a mistake in BGP announcements
– Someone hijacked others’ prefixes
– Global routing table becomes vulnerable to incorrect routes
• Internet operations get affected
• The core of the Internet can’t be left vulnerable like that
A route is not bad unless proved guilty
• How to prove it? – By validating
• How can we validate? – Cross-match with VRPs
• What makes the VRPs? – ROAs
• How to collect all the ROAs? – Resource PKI (RPKI)
• Who does what?
– Resource holders create ROA
– Network operators do ROV
RPKI is about 2 things: ROA and ROV
1. Signing prefixes, a.k.a. creating ROAs
[Diagram labels: Member Login, Authentication, RIR Resource DB, RIR CA; ROA: 2001:db8::/32, 192.0.2.0/24, AS 65000]
2. Validating ROAs, a.k.a. doing ROV
[Diagram: RPKI Repository → (rsync/RRDP) → RPKI Validator → (RTR Protocol) → BGP Router]
What Makes a Route RPKI Invalid?
VRP (Prefix / ASN / Max Length): 192.168.0.0/22 / 65500 / /23
Prefixes covered by the ROA: 192.168.0.0/22, 192.168.0.0/23, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/23, 192.168.2.0/24, 192.168.3.0/24
Routes at R1:
• 192.168.0.0/24 ...65500 – Max Length Invalid
• 192.168.0.0/24 ...65520 – Max Length+Origin Invalid
• 192.168.0.0/23 ...65520 – Origin Invalid
• 192.168.2.0/23 ...65500 – Valid
• 100.100.0.0/24 ...65500 – Not Found
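The outcomes on this slide, worked through in Python as an added example (not code from the presentation): it classifies each route against the slide's VRP and then applies the ALLOW/DROP policy from the General Recommendations slide. The function names and the local-preference values 100 and 90 are assumptions for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, max length, ASN) tuple a router gets."""
    prefix: Network
    max_length: int
    asn: int


def make_vrp(prefix: str, max_length: int, asn: int) -> VRP:
    net = ipaddress.ip_network(prefix)
    # Max length can be neither shorter than the prefix nor longer than /32 or /128.
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"max length /{max_length} is out of range for {net}")
    return VRP(net, max_length, asn)


def validate(route: str, origin_asn: int, vrps: List[VRP]) -> Tuple[str, Optional[str]]:
    """Return (state, reason); reason is set only for invalid routes."""
    net = ipaddress.ip_network(route)
    # A VRP "covers" a route when the route is equal to or inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "not-found", None
    # Valid: one covering VRP matches BOTH the origin ASN and the length limit.
    if any(v.asn == origin_asn and net.prefixlen <= v.max_length for v in covering):
        return "valid", None
    # Covered but unmatched: invalid. Name the reason the way the slide does.
    if any(v.asn == origin_asn for v in covering):
        return "invalid", "max-length"
    if any(net.prefixlen <= v.max_length for v in covering):
        return "invalid", "origin"
    return "invalid", "max-length+origin"


# Policy from the General Recommendations slide. The numeric local-preference
# values are hypothetical; the slide only says "lower preference" for Not Found.
POLICY = {
    "valid": ("ALLOW", 100),
    "not-found": ("ALLOW", 90),
    "invalid": ("DROP", None),
}


def decide(route: str, origin_asn: int, vrps: List[VRP]) -> dict:
    state, reason = validate(route, origin_asn, vrps)
    action, local_pref = POLICY[state]
    return {"route": route, "origin": origin_asn, "state": state,
            "reason": reason, "action": action, "local_pref": local_pref}


# The VRP and the five routes shown on the slide.
SLIDE_VRPS = [make_vrp("192.168.0.0/22", 23, 65500)]
SLIDE_ROUTES = [
    ("192.168.0.0/24", 65500),
    ("192.168.0.0/24", 65520),
    ("192.168.0.0/23", 65520),
    ("192.168.2.0/23", 65500),
    ("100.100.0.0/24", 65500),
]

if __name__ == "__main__":
    for prefix, asn in SLIDE_ROUTES:
        d = decide(prefix, asn, SLIDE_VRPS)
        print(f"{d['route']:<18} AS{d['origin']}  {d['state']:<9} "
              f"{d['reason'] or '-':<18} {d['action']}")
```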
RPKI deployment in Bangladesh
RPKI ROA Adoption
Source: https://observatory.manrs.org/
RPKI Validation
https://stats.labs.apnic.net/rpki/BD
RPKI Invalids
Source: https://observatory.manrs.org/
Source: https://rpki.anuragbhatia.com/
RPKI Invalid Types
Source: https://rpki.anuragbhatia.com/ (last updated on 8-Jun-2021)
[Charts: "Invalids per Address Family" (data labels: 15, 101) and "RPKI Invalid Types" (series: Origin Invalid, Max Length Invalid); axes: IPv4 / IPv6, # of Invalid Routes]
Top Contributors of RPKI Invalids
Source: https://rpki.anuragbhatia.com/ (last updated on 8-Jun-2021)
[Bar chart: # of RPKI Invalid BGP Announcements per AS Number; AS numbers as listed: 137823, 137935, 141439, 131216, 24342, 63969, 38071, 136516, 134204, 58715; bar values as listed: 3, 3, 3, 3, 3, 5, 5, 8, 16, 39]
[Chart: ASNs Announcing Invalid Routes; axes: IPv4 / IPv6, # of ASN; series: Origin Invalid, Max Length Invalid]
What Goes Wrong?
Routing Incidents
Source: https://observatory.manrs.org/
Invalid Routes are Getting Rejected
• More and more operators are deploying RPKI and ROV
– BCC/NDC
– Telia
– NTT
– Cogent
– HE
– Cloudflare
– Netflix
– AMS-IX
– DE-CIX and many more
Considerations about ROA and ROV
Creating ROA
Not a good idea to create ROAs up to /24 (v4) or /48 (v6). Better to create ROAs for specific prefixes that are announced in BGP.
Creating ROA
You may sign the same prefix with multiple ASNs, but do so only if you really, really have to.
Doing ROV
Validation without dropping RPKI Invalids VS validation with dropping RPKI Invalids
Recommendations on RPKI Deployment
General Recommendations
• Only create ROAs for prefixes that are announced in BGP
– Signing unannounced prefixes can lead to “validated hijack”
– Add to standard operating procedure: if it is originated, sign it!
• Check your ROAs and announcements from external sources
• Deploy at least two reliable Validator Caches
– Two different implementations, for software independence
• Avoid a default route on the border routers
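One way to check the first recommendation against your own data, as an added example (not code from the presentation): for each ROA it counts the prefixes the ROA authorizes and subtracts those actually originated, leaving the authorized-but-unannounced space the slide warns about. The function names, the `list_limit` parameter and the sample announcements are constructed for illustration.

```python
import ipaddress


def authorized_count(prefix_len: int, max_length: int) -> int:
    """Number of distinct prefixes a ROA authorizes: 1 + 2 + 4 + ... per length."""
    return 2 ** (max_length - prefix_len + 1) - 1


def audit_roa(roa_prefix, max_length, asn, announcements, list_limit=16):
    """Compare one ROA with the (prefix, origin ASN) pairs seen in BGP.

    The unannounced prefixes are listed only when the ROA authorizes at most
    list_limit prefixes; a /32 with max length /48 authorizes 131071 of them,
    so for large ROAs only the counts are reported.
    """
    roa_net = ipaddress.ip_network(roa_prefix)
    if not roa_net.prefixlen <= max_length <= roa_net.max_prefixlen:
        raise ValueError(f"max length /{max_length} is out of range for {roa_net}")

    # Announcements that this ROA makes valid: same ASN, inside the prefix,
    # and no more specific than the max length.
    announced = set()
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        if (origin == asn and net.version == roa_net.version
                and net.subnet_of(roa_net) and net.prefixlen <= max_length):
            announced.add(net)

    total = authorized_count(roa_net.prefixlen, max_length)
    unannounced = None
    if total <= list_limit:
        unannounced = sorted(
            str(n)
            for plen in range(roa_net.prefixlen, max_length + 1)
            for n in roa_net.subnets(new_prefix=plen)
            if n not in announced
        )
    return {
        "roa": f"{roa_net} max /{max_length} AS{asn}",
        "authorized": total,
        "announced": len(announced),
        "unannounced_count": total - len(announced),
        "unannounced": unannounced,
    }


# Constructed sample: AS 65500 originates only the /22 aggregate.
ANNOUNCEMENTS = [("192.168.0.0/22", 65500)]

LOOSE = audit_roa("192.168.0.0/22", 24, 65500, ANNOUNCEMENTS)  # ROA "up to /24"
TIGHT = audit_roa("192.168.0.0/22", 22, 65500, ANNOUNCEMENTS)  # ROA for what is announced

if __name__ == "__main__":
    for result in (LOOSE, TIGHT):
        print(result["roa"], "->", result["unannounced_count"],
              "authorized but unannounced:", result["unannounced"])
```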
General Recommendations
• While validating:
– If Valid: ALLOW
– If Invalid: DROP
– If Not Found: ALLOW with lower preference
• For fully supported Route Origin Validation across the network
– EBGP speaking routers need to talk with a validator
– IBGP speaking routers do not need to talk with a validator
• Train the engineers with toolsets and debugging techniques
ROA for Small ISPs and Enterprises
• Have own Internet resources?
– Creating ROA is straightforward using RIR’s resource management portal
• Got an assignment from an LIR?
– Have public ASN?
• Ask the LIR to create ROA with your ASN and verify
– Don’t have public ASN?
• Ask the LIR to create ROA for the assigned prefix and verify
ROV for Small ISPs and Enterprises
• Have BGP with transits and peers?
– Receive full routes from neighbors?
• Implementing ROV using validator cache is straightforward
– Receive partial routes with default from neighbors?
• Ask transits to do ROV for you
• Implement ROV using validator cache to validate peer and IX routes
– Receive only the default route
• ROV wouldn’t fit, however, you may ask transits to do ROV on their network
• Have static routing with transits?
– ROV wouldn’t fit, however, you may ask transits to do ROV on their network
Thanks
awal@nsrc.org
