APNIC Training Delivery Manager Tashi Phuntsho gives a presentation on the importance of routing security at the PCTA e-Tech Show 2021, held online from 15 to 16 April 2021.
13.
Tools & Techniques
• Look up the IRR, or ask (your customers) to enter their details in the IRR
  – describes route origination and inter-AS routing policies
14.
Tools & Techniques
• IRR
  – Helps generate network (prefix & AS-path) filters using RPSL tools
    • Filter out route advertisements not described in the registry
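The filter-generation step above, as an added example that is not part of the deck and not the code of any RPSL tool (bgpq4, IRRToolSet): it parses route/route6 objects from a constructed whois-style dump, keeps only objects from trusted `source:` registries (the "source option" the deck mentions later, which also sidesteps the conflicting-registry problem), builds a per-origin-AS prefix list with an optional more-specific bound, and then decides whether an advertisement is described in the registry. The prefixes, ASNs, maintainer names and the `MAX_LE` bounds are assumptions made for the example.

```python
"""Build a prefix filter from IRR route/route6 objects (RPSL) and apply it to
BGP announcements.  Added example for this page; it is not APNIC's code and
the whois text below is constructed sample data (documentation prefixes and
private ASNs), not real IRR output."""

import ipaddress
from collections import defaultdict

# Constructed RPSL objects in whois output form, one blank line between objects.
IRR_DUMP = """\
route:      192.0.2.0/24
descr:      Example customer, IPv4
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
source:     APNIC

route6:     2001:db8::/32
descr:      Example customer, IPv6
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
source:     APNIC

route:      198.51.100.0/24
descr:      Object in a registry we do not trust for this customer
origin:     AS64501
mnt-by:     MAINT-OTHER
source:     RADB
"""

# Assumed upper bound for more-specifics when they are allowed (cf. "le" in
# generated prefix-lists): /24 for IPv4, /48 for IPv6.
MAX_LE = {4: 24, 6: 48}


def parse_rpsl(text):
    """Yield one dict per RPSL object; keys are lower-cased attribute names.
    Continuation lines (leading space, tab or '+') extend the previous value;
    '%' and '#' lines are whois server comments and are skipped."""
    obj, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            if obj:
                yield obj
            obj, last_key = {}, None
        elif line[0] in " \t+" and last_key:
            obj[last_key] += " " + line[1:].strip()
        elif line[0] in "%#":
            continue
        else:
            key, _, value = line.partition(":")
            last_key = key.strip().lower()
            obj[last_key] = value.strip()
    if obj:
        yield obj


def build_filter(objects, trusted_sources, allow_more_specifics=False):
    """Return {origin_as: [(network, max_len), ...]} from trusted IRR objects.

    Only objects whose source: is in trusted_sources are used, so an object
    in another registry that conflicts with or duplicates the trusted one is
    simply ignored rather than silently widening the filter."""
    allowed = defaultdict(list)
    for o in objects:
        if o.get("source", "").upper() not in trusted_sources:
            continue
        pfx = o.get("route") or o.get("route6")
        origin = o.get("origin", "").upper()
        if not pfx or not origin.startswith("AS") or not origin[2:].isdigit():
            continue
        net = ipaddress.ip_network(pfx, strict=True)
        max_len = max(net.prefixlen, MAX_LE[net.version]) if allow_more_specifics else net.prefixlen
        allowed[int(origin[2:])].append((net, max_len))
    return allowed


def filter_announcement(allowed, prefix, origin_as):
    """True if (prefix, origin_as) is covered by an IRR object for that AS
    within the permitted length, i.e. the advertisement is described in the
    registry; False means it is not described and should be rejected."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(
        net.version == covering.version
        and net.subnet_of(covering)
        and net.prefixlen <= max_len
        for covering, max_len in allowed.get(origin_as, [])
    )


if __name__ == "__main__":
    allowed = build_filter(parse_rpsl(IRR_DUMP), {"APNIC"}, allow_more_specifics=True)
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("198.51.100.0/24", 64501), ("2001:db8:1::/48", 64500)]:
        verdict = "accept" if filter_announcement(allowed, pfx, asn) else "reject"
        print(f"{pfx:>18} origin AS{asn}: {verdict}")
```

With only APNIC trusted, the RADB object for AS64501 never enters the filter, so 198.51.100.0/24 from AS64501 is rejected; adding RADB to `trusted_sources` accepts it. That is the trade-off the next slide describes: the more registries you trust, the more complete the data, but the less you can say about whether any one entry is genuine.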
15.
IRR Issues
• No single authority model
  – How do I know an RR entry is genuine/correct?
• Too many RRs
  – If two RRs have conflicting data, which one do I trust?
• Incomplete data
  – If a route is not in a RR, is the route
    • invalid, or
    • is the RR just missing data?
16.
Enter the RPKI framework
[Figure: a ROA for 2406:6400::/32-48 with origin AS17821 is published in the RPKI repository; a validator fetches the repository over rsync/RRDP and feeds the validated data to the router over RPKI-to-Router (RTR). The announcement 2406:6400::/48 with AS path 65551 65550 17821 (origin AS17821) is marked Valid; the announcement 2406:6400::/48 with AS path 65553 65552 (origin AS65552) is marked Invalid.]
17.
Implementation
• Sign your route origins (create your ROAs)
  ** Multiple ROAs can exist for the same prefix
  Example ROA:
    Prefix      2406:6400::/32
    Max-length  /36
    Origin ASN  AS45192
18.
ROA considerations
• Max length attribute
  – Minimal ROA
    • ROAs to cover only those prefixes (and lengths) actually announced in BGP
    • https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03 (since published as RFC 9319)
  – Reduces the spoofed origin-AS attack surface: a loose max-length lets a more-specific announced with a forged origin AS pass as Valid
[Chart: "INVALIDS - ML" (Invalids caused by max-length), IPv4 and IPv6 series by month, Dec '19 to Apr '21; y-axis 0 to 6000]
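Route Origin Validation as the validator/router applies it in the framework figure, the multiple-ROA case from the Implementation slide and the max-length point above, as one added example (it is not APNIC's code nor any validator's). The ROAs reuse the deck's values (2406:6400::/32 max-length /48 AS17821, 2406:6400::/32 max-length /36 AS45192); the announcements, the forged-origin /36 and the AS 0 case are constructed.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.  Added example
for this page; not APNIC's or any validator's code.  The ROAs mirror the
deck's figures and the announcements are constructed, including the slide's
Invalid path originated by AS65552."""

import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ROA(NamedTuple):
    prefix: Network
    max_length: int
    origin_as: int


def roa(prefix, max_length, origin_as):
    """Build a ROA, rejecting a max-length shorter than the prefix itself."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"max_length {max_length} out of range for {net}")
    return ROA(net, max_length, origin_as)


def validate(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not_found' for one announcement
    (RFC 6811 section 2):
      not_found - no ROA covers the announced prefix at all
      valid     - some covering ROA has this origin AS and a max-length
                  >= the announced prefix length (any one match suffices,
                  so several ROAs for the same prefix are fine)
      invalid   - covering ROAs exist but none matches (wrong origin, or
                  the announcement is more specific than max-length allows)
    A ROA whose origin is AS 0 (RFC 6483) never matches a real origin, so
    it makes every announcement of the covered space Invalid unless another
    ROA with a non-zero origin AS also covers it."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for r in roas:
        if r.prefix.version != net.version or not net.subnet_of(r.prefix):
            continue
        covered = True
        if r.origin_as == origin_as and origin_as != 0 and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid" if covered else "not_found"


# Constructed ROA set: two ROAs for the same prefix, as the deck notes is allowed.
ROAS = [roa("2406:6400::/32", 48, 17821), roa("2406:6400::/32", 36, 45192)]

# Max-length attack surface: only the /32 is really announced, but a loose
# max-length lets a forged-origin more-specific pass ROV as Valid.
ROAS_LOOSE = [roa("2406:6400::/32", 36, 45192)]
ROAS_MINIMAL = [roa("2406:6400::/32", 32, 45192)]

if __name__ == "__main__":
    for pfx, asn in [("2406:6400::/48", 17821), ("2406:6400::/48", 65552),
                     ("2406:6400::/36", 45192), ("2406:6400::/40", 45192),
                     ("2406:6401::/32", 17821)]:
        print(f"{pfx} origin AS{asn}: {validate(ROAS, pfx, asn)}")
    forged = ("2406:6400::/36", 45192)   # attacker announces a /36 with a forged origin
    print("forged /36, loose ROA  :", validate(ROAS_LOOSE, *forged))
    print("forged /36, minimal ROA:", validate(ROAS_MINIMAL, *forged))
```

The two ROA sets at the end show the max-length point directly: with the /32-36 ROA the forged-origin /36 is Valid and would win on prefix length, whereas with the minimal /32-32 ROA it is Invalid and a router that drops Invalids never installs it. Nothing here checks the AS path, so an attacker who prepends the legitimate origin can still pass ROV for the exact prefix; ROV limits the origin-spoofing surface, it does not remove it.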
19.
ROA considerations
• Know your network (origin AS)
  – Do you have multiple ASes?
    • Are they independent ASes? or
    • Transit AS + multiple Access ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
[Chart: "INVALIDS – Origin AS" (Invalids caused by an origin-AS mismatch), IPv4 and IPv6 series by month, Dec '19 to Apr '21; y-axis 0 to 2500]
20.
Implementation
• Run your own RPKI validator:
  – Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
  – ** RIPE NCC RPKI Validator 3 - https://github.com/RIPE-NCC/rpki-validator-3 (RIPE NCC announced its end of life for 1 July 2021, so prefer one of the others for new deployments)
  – Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.8.3
  – OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
  – Fort (NIC Mexico’s validator) - https://nicmx.github.io/FORT-validator/
How-to: https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
21.
Validator considerations
• Securing the RTR session
  – Plain text (TCP): no authentication or integrity protection
    • only run it within your own routing domain
  – Other authentication options (the transports listed in RFC 8210)
    • SSH (v2)
    • TCP MD5 auth
    • IPsec
    • TLS
    • TCP-AO
22.
Validator considerations
• When the RTR session fails
  – The router keeps using its cached ROA data until the expire interval of the cache runs out
    • JunOS/SR-OS: 3600s, IOS-XE: 300s (the RFC 8210 minimum is 600s)
  – After that, every route falls back to NOT FOUND
    • Including routes that were Invalid, which are then accepted again
  – Hence, run at least 2 validators (RTR sessions)
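The RTR exchange the two Validator considerations slides describe, as an added example (not APNIC's code, nor that of any validator or router vendor): the cache side encodes a Cache Response, IPv4/IPv6 Prefix PDUs and an End Of Data PDU per RFC 8210 (protocol version 1), the router side decodes the byte stream, applies the announcements to its VRP set, and checks the timers the cache handed it against the RFC 8210 ranges. The session ID, serial number, VRPs and intervals are constructed; the 300-second expire interval deliberately mirrors the IOS-XE default the deck quotes, which is below the RFC minimum.

```python
"""Encode/decode RPKI-to-Router (RTR, RFC 8210 v1) PDUs and check the timers
a cache hands a router.  Added example for this page; not any vendor's or
validator's code.  Session ID, serial, VRPs and intervals are constructed."""

import ipaddress
import struct

RTR_VERSION = 1
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET = 4, 6, 7, 8
FLAG_ANNOUNCE = 1  # flags bit 0: 1 = announcement, 0 = withdrawal

# RFC 8210 section 6 bounds (seconds) for the End Of Data timers.
INTERVAL_BOUNDS = {"refresh": (1, 86400), "retry": (1, 7200), "expire": (600, 172800)}


def _hdr(pdu_type, session_or_zero, length):
    """8-byte PDU header: version, type, session ID (or zero), total length."""
    return struct.pack("!BBHI", RTR_VERSION, pdu_type, session_or_zero, length)


def reset_query():
    """Router -> cache: ask for the full VRP set."""
    return _hdr(RESET_QUERY, 0, 8)


def cache_response(session_id):
    return _hdr(CACHE_RESPONSE, session_id, 8)


def prefix_pdu(prefix, max_length, asn, announce=True):
    """Cache -> router: one VRP (IPv4 PDU is 20 bytes, IPv6 PDU is 32)."""
    net = ipaddress.ip_network(prefix, strict=True)
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_length, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    if net.version == 4:
        return _hdr(IPV4_PREFIX, 0, 20) + body
    return _hdr(IPV6_PREFIX, 0, 32) + body


def end_of_data(session_id, serial, refresh, retry, expire):
    """Cache -> router: end of the data set plus the three timers (v1 form)."""
    return _hdr(END_OF_DATA, session_id, 24) + struct.pack("!IIII", serial, refresh, retry, expire)


def parse_pdus(data):
    """Split a byte stream into PDUs and decode the ones a router acts on."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated PDU header")
        ver, ptype, sess, length = struct.unpack_from("!BBHI", data, off)
        if ver != RTR_VERSION:
            raise ValueError(f"unexpected protocol version {ver}")
        if length < 8 or off + length > len(data):
            raise ValueError("bad PDU length")
        body = data[off + 8:off + length]
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            flags, plen, maxlen, _ = struct.unpack_from("!BBBB", body, 0)
            addr_len = 4 if ptype == IPV4_PREFIX else 16
            addr = ipaddress.ip_address(body[4:4 + addr_len])
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            out.append({"type": "prefix", "announce": bool(flags & 1),
                        "prefix": f"{addr}/{plen}", "max_length": maxlen, "asn": asn})
        elif ptype == END_OF_DATA:
            serial, refresh, retry, expire = struct.unpack("!IIII", body)
            out.append({"type": "end_of_data", "session_id": sess, "serial": serial,
                        "refresh": refresh, "retry": retry, "expire": expire})
        elif ptype == CACHE_RESPONSE:
            out.append({"type": "cache_response", "session_id": sess})
        else:
            out.append({"type": ptype})
        off += length
    return out


def apply_pdus(vrps, pdus):
    """Apply announce/withdraw prefix PDUs to the router's VRP set in place."""
    for p in pdus:
        if p["type"] != "prefix":
            continue
        key = (p["prefix"], p["max_length"], p["asn"])
        (vrps.add if p["announce"] else vrps.discard)(key)
    return vrps


def check_intervals(eod):
    """Names of the End Of Data timers that fall outside RFC 8210's ranges."""
    return [k for k, (lo, hi) in INTERVAL_BOUNDS.items() if not lo <= eod[k] <= hi]


if __name__ == "__main__":
    sid = 0x1234                                       # constructed session ID
    stream = (cache_response(sid)
              + prefix_pdu("2406:6400::/32", 48, 17821)
              + prefix_pdu("203.0.113.0/24", 24, 64500)
              + end_of_data(sid, serial=42, refresh=3600, retry=600, expire=300))
    pdus = parse_pdus(stream)
    print("VRPs:", sorted(apply_pdus(set(), pdus)))
    print("timers out of range:", check_intervals(pdus[-1]))   # expire 300 < 600
```

A router that accepted the 300-second expire timer above would flush its VRPs five minutes after losing the session and treat everything, Invalids included, as Not Found; that is why the deck asks for a second RTR session rather than a longer timer alone.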
24.
Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
  – Know your platform defaults and knobs
    • Example: IOS-XE won't use Invalids for best-path selection unless you enable bgp bestpath prefix-validate allow-invalid
IOS-XE:
  router bgp 131107
   bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
JunOS:
  routing-options {
      autonomous-system 131107;
      validation {
          group rpki-validator {
              session <validatorIP> {
                  refresh-time <secs>;
                  port <323/3323/8282>;
                  local-address X.X.X.X;
              }
          }
      }
  }
IOS-XR:
  router bgp 131107
   rpki server <validatorIP>
    transport tcp port <323/3323/8282>
    refresh-time <secs>
25.
Implementation
• Acting on the validation states
  – Tag & do nothing (e.g. you have downstreams, or a route server at IXPs)
  – RFC 7115 – prefer routes by validation state
  – Drop Invalids
  Example: [Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]
           preference: Valid > Not Found > Invalid
  IPv4 ~ 6K
  IPv6 ~ 2K
27.
Operational Considerations
• iBGP state propagation ~ multivendor
  – Ex: IOS propagating states to JunOS peers
    • the state travels as the RFC 8097 origin validation state extended community (type 0x43), which a peer that does not interpret it displays as "unknown iana 4300..."
  – Options:
    • Act on the states at the border, OR
    • Tag/match with custom (standard) communities
28.
Other developments
• ROA with AS 0 origin (RFC 6483 / RFC 7607)
  – Negative attestation
    • No valid ASN has been granted authority to originate the prefix
    • Not to be routed (e.g. IXP peering LAN prefixes)
  – Overridden by another ROA
    • with an origin AS other than AS 0 covering the same prefix
  – Prop-132: AS 0 ROAs for unallocated/unassigned APNIC address space
    • Similar to RFC 6491 for special-use/reserved/unallocated space
29.
So, what can we all do?
• Basic BGP OpSec hygiene – RFC 7454 / RFC 8212
  – RFC 8212: BGP default reject (or something similar) on eBGP sessions with no configured policy
  – Filter your customers and peers
    • Prefix filters, prefix limit
    • AS-PATH filters, AS-PATH length limit
    • Use IRR objects (with the source option) or ROA-to-IRR
  – Filter your upstream(s)
  – Create ROAs for your resources
  – Filter inbound routes based on ROAs → ROV
• Join industry initiatives like MANRS
  • https://www.manrs.org/
30.
PH focus
NOT FOUND (by registry)
          APNIC   ARIN   RIPE   AFRINIC   KRNIC   CNNIC
  IPv4     1814     51      7        54       4       4
  IPv6      584      1   (only two values on the slide; the column of the second is not recoverable)

INVALIDS by type (AS = origin-AS mismatch, ML = max-length exceeded, ASML = both)
          APNIC   ARIN     AS     ML   ASML
  IPv4       45      1      7     11     28
  IPv6        1      1   (only two values on the slide; their columns are not recoverable)