APNIC Training Delivery Manager presents an analysis on Thailand's RPKI status at ThaiNOG Day 2021, held with the BKNIX Peering Forum 2021 from 13 to 14 May 2021.
Slide 7
Why do we keep seeing these?
• As always, there is no Evil (E) bit (RFC3514)
– a bad routing update does not identify itself as BAD
→ Hence, approximate the GOOD
Slide 8
Enter the RPKI framework
[Diagram: the prefix 2406:6400::/48 reaches the router over two AS paths, "2406:6400::/48 65551 65550 17821 i" (via AS65551 and AS65550, origin AS17821) and "2406:6400::/48 65553 65552 i" (via AS65553, origin AS65552). The Validator fetches the RPKI Repo over rsync/RRDP, holds the ROA 2406:6400::/32-48 with origin AS17821, and feeds the router over RPKI-to-Router (RTR). Result: the path originated by AS17821 is Valid, the path originated by AS65552 is Invalid.]
Slide 14
TH Focus
INVALIDS by registry and by type (AS = origin AS mismatch, ML = max-length exceeded, ASML = both):

                 REGISTRY          TYPE
                 APNIC   RIPE      AS    ML    ASML
IPv4             59      1         17    28    15
IPv6             29      NA        NA    29    NA

[Bar chart "IPv4 (INVALID) ~ 62%", count per AS (y-axis 0 to 9), top contributors:]
  MUT          AS55760   (AS)
  WIN          AS45223   (ML)
  JASTEL-IDC   AS55423   (ML)
  TRUE IG      AS38082   (ASML)
  THAMMASAT    AS37992   (ASML)

[Bar chart "IPv6 (INVALID) ~ 90%", count per AS (y-axis 0 to 20), top contributors:]
  AsiaNet      AS7470    (ML)
  DTN          AS9587    (ML)
  JasTel       AS45629   (ML)
  TRIPLE T     AS45758   (ML)
  JASTEL-IDC   AS55423   (ML)
Slide 15
Implementation
• Sign your route origins (create your ROAs)
• ** Multiple ROAs can exist for the same prefix
Example ROA:
  Prefix      2406:6400::/32
  Max-length  /36
  Origin ASN  AS45192
Slide 16
ROA considerations
• Max length attribute
– Minimal ROA
• ROAs to cover only those prefixes announced in BGP
• https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
– Reduces spoofed origin-AS attack surface
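The validator step from the RPKI framework diagram and the max-length point above, as an added example (this is not code from the slides or from any validator project): a minimal RFC 6811 Route Origin Validation over a list of ROAs, run against the slide's ROA (2406:6400::/32-48, AS17821) and its two AS paths. The "minimal" /32-32 ROA, the /40 announcement, the AS0 ROA (the negative attestation described later under "Other developments") and the IPv4 prefix are constructed inputs; the names Roa, covers(), validate(), origin_as() and demo() are mine.

```python
"""RFC 6811 Route Origin Validation over a small ROA set (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Roa:
    prefix: str        # covered prefix, e.g. "2406:6400::/32"
    max_length: int    # longest prefix length the origin may announce
    origin_asn: int    # 0 = AS0 ROA: no AS may originate this space


def covers(roa: Roa, prefix: str) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside
    the ROA prefix (same address family, same or longer length)."""
    roa_net = ipaddress.ip_network(roa.prefix)
    net = ipaddress.ip_network(prefix)
    return net.version == roa_net.version and net.subnet_of(roa_net)


def validate(roas: Iterable[Roa], prefix: str, origin_asn: int) -> str:
    """RFC 6811 outcome for one (prefix, origin AS) pair:
    NotFound - no ROA covers the prefix;
    Valid    - a covering ROA matches the origin AS and the announced
               length is within its max-length;
    Invalid  - covered, but no ROA matches (wrong AS, too specific, AS0)."""
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "NotFound"
    plen = ipaddress.ip_network(prefix).prefixlen
    for r in covering:
        if r.origin_asn == origin_asn and plen <= r.max_length:
            return "Valid"
    return "Invalid"


def origin_as(as_path: str) -> int:
    """Origin AS is the rightmost ASN of the AS_PATH; the trailing 'i' is
    the ORIGIN code printed by 'show bgp', not part of the path."""
    return int([tok for tok in as_path.split() if tok.isdigit()][-1])


# ROA from the slide: 2406:6400::/32-48, origin AS17821.
SLIDE_ROAS = [Roa("2406:6400::/32", 48, 17821)]
# Constructed "minimal" ROA: only the /32 that is actually announced.
MINIMAL_ROAS = [Roa("2406:6400::/32", 32, 17821)]
# Constructed AS0 ROA: negative attestation for documentation space.
AS0_ROAS = [Roa("2001:db8::/32", 32, 0)]


def demo() -> dict:
    """Validation results for the slide's two paths and the constructed cases."""
    return {
        # the two AS paths drawn on the framework slide
        "slide_path_1": validate(SLIDE_ROAS, "2406:6400::/48", origin_as("65551 65550 17821 i")),
        "slide_path_2": validate(SLIDE_ROAS, "2406:6400::/48", origin_as("65553 65552 i")),
        # a /49 exceeds the ROA max-length of /48
        "too_specific": validate(SLIDE_ROAS, "2406:6400::/49", 17821),
        # constructed /40 with the right origin AS: the loose /32-48 ROA
        # validates it, the minimal /32-32 ROA does not
        "loose_roa_40": validate(SLIDE_ROAS, "2406:6400:aa00::/40", 17821),
        "minimal_roa_40": validate(MINIMAL_ROAS, "2406:6400:aa00::/40", 17821),
        # AS0 ROA: every origin is Invalid unless another ROA covers it
        "as0_covered": validate(AS0_ROAS, "2001:db8:1::/48", 64512),
        "as0_overridden": validate(AS0_ROAS + [Roa("2001:db8:1::/48", 48, 64512)],
                                   "2001:db8:1::/48", 64512),
        # no ROA covers this prefix at all
        "not_found": validate(SLIDE_ROAS, "203.0.113.0/24", 64512),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:16s} {state}")
```

The loose_roa_40 / minimal_roa_40 pair is the draft's argument in one line: with max-length /48 any /33-/48 carrying the holder's origin AS validates, so a minimal ROA keeps everything not actually announced Invalid.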
[Chart: INVALIDS (ML), IPv4 and IPv6 counts per month from Dec '19 to May '21; y-axis 0 to 7000]
Slide 17
ROA considerations
• Know your network (origin AS)
– Do you have multiple ASes?
• Are they independent ASes? or
• Transit AS + multiple access/stub ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
[Chart: INVALIDS (AS), IPv4 and IPv6 counts per month from Dec '19 to May '21; y-axis 0 to 2500]
Slide 18
ROA considerations
• Know your network (ASML)
[Chart: INVALIDS (ASML), IPv4 and IPv6 counts per month from Dec '19 to May '21; y-axis 0 to 1800]
Slide 19
Implementation
• Run your own RPKI validator:
– ** RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.8.3
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
– Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
Slide 20
Validator considerations
• Securing the RTR session
– Plain text (TCP)
• run within your routing domain
– Other auth options
• SSH (v2)
• MD5 auth
• IPsec
• TLS
• TCP-AO
Slide 21
Validator considerations
• When RTR session fails
– Based on the expire interval of ROA cache
• Know your platform defaults
• JunOS/SR-OS ~ 3600s, IOS-XE ~ 300s (RFC min ~ 600s)
– Defaults to NOT FOUND
• Including Invalids
– Hence, at least 2 x Validators (RTR sessions)
Slide 23
Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Eg: IOS-XE won't use Invalids for best path selection

IOS-XE:
router bgp 131107
 bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>

JunOS:
routing-options {
    autonomous-system 131107;
    validation {
        group rpki-validator {
            session <validatorIP> {
                refresh-time <secs>;
                port <323/3323/8282>;
                local-address X.X.X.X;
            }
        }
    }
}

IOS-XR:
router bgp 131107
 rpki server <validatorIP>
  transport tcp port <323/3323/8282>
  refresh-time <secs>
Slide 24
Implementation
• Acting on the validation states
– Tag & do nothing: You have downstream/route server @IXPs
– RFC7115 – preference
– Drop Invalids
[Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]
[Valid > Not Found > Invalid]
IPv4 ~ 7K
IPv6 ~ 2K
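The three ways of acting on the validation states above (tag and do nothing, RFC 7115 preference, drop Invalids), together with the RTR-failure behaviour from "Validator considerations" (everything falls back to NOT FOUND, Invalids included), as an added example that is not code from the slides or from any vendor: a small policy model in which each candidate route carries the state a validator assigned it. The neighbour names, prefixes, community values and local-preference numbers are constructed sample data; Route, apply_policy(), best_path(), rtr_down(), winner() and demo() are my names.

```python
"""Acting on ROV states at the border: tag, prefer (RFC 7115), or drop (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional

STATE_RANK = {"Valid": 3, "NotFound": 2, "Invalid": 1}   # RFC 7115: Valid > NotFound > Invalid
# Constructed standard communities for tagging the state (the slides suggest
# this when the state is not carried between vendors over iBGP).
STATE_COMMUNITY = {"Valid": "65000:1", "NotFound": "65000:2", "Invalid": "65000:3"}


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor: str
    state: str              # Valid / NotFound / Invalid, as received over RTR
    local_pref: int = 100
    communities: tuple = ()


def apply_policy(route: Route, mode: str) -> Optional[Route]:
    """mode 'tag'   : accept unchanged apart from a state community;
    mode 'prefer': encode Valid > NotFound > Invalid in local-pref;
    mode 'drop'  : reject Invalid, then prefer Valid over NotFound.
    Returns None when the route is rejected."""
    tagged = replace(route, communities=route.communities + (STATE_COMMUNITY[route.state],))
    if mode == "tag":
        return tagged
    if mode == "drop" and route.state == "Invalid":
        return None
    return replace(tagged, local_pref=100 + 10 * STATE_RANK[route.state])


def best_path(routes: List[Route], mode: str) -> Optional[Route]:
    """Highest local-pref wins; on a tie the first route listed wins, standing
    in for the later BGP tie-breakers, which ignore the ROV state."""
    accepted = [r for r in (apply_policy(r, mode) for r in routes) if r is not None]
    if not accepted:
        return None
    best = accepted[0]
    for r in accepted[1:]:
        if r.local_pref > best.local_pref:
            best = r
    return best


def rtr_down(routes: List[Route]) -> List[Route]:
    """After the RTR session fails and the cache expires, the router treats
    every route as NotFound, the previously Invalid ones included."""
    return [replace(r, state="NotFound") for r in routes]


# Constructed scenario: the same prefix learned from two neighbours, with the
# Invalid announcement listed first (it would win a plain tie-break).
ROUTES = [
    Route("2406:6400::/48", "transit-b", "Invalid"),
    Route("2406:6400::/48", "transit-a", "Valid"),
]
# Constructed scenario: the only route for a prefix is Invalid (e.g. a holder
# whose ROA does not match what they announce).
ONLY_INVALID = [Route("203.0.113.0/24", "transit-b", "Invalid")]


def winner(routes: List[Route], mode: str) -> Optional[str]:
    best = best_path(routes, mode)
    return best.neighbor if best else None


def demo() -> dict:
    return {
        "tag": winner(ROUTES, "tag"),                              # transit-b: state not used
        "prefer": winner(ROUTES, "prefer"),                        # transit-a
        "drop": winner(ROUTES, "drop"),                            # transit-a
        "drop_only_invalid": winner(ONLY_INVALID, "drop"),         # None: prefix unreachable
        "prefer_only_invalid": winner(ONLY_INVALID, "prefer"),     # transit-b: still routed
        "prefer_rtr_down": winner(rtr_down(ROUTES), "prefer"),     # transit-b: all NotFound
    }


if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name:20s} {chosen}")
```

Two results are worth reading together: drop_only_invalid shows the cost of dropping (a prefix with only an Invalid route becomes unreachable, which is why operators with downstreams or IXP route servers start with tag or preference), and prefer_rtr_down shows why the slides ask for at least two RTR sessions: once the cache expires, the Invalid route is indistinguishable from the Valid one.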
Slide 27
Operational Considerations
• iBGP state propagation ~ vendor interop?
– Ex: IOS propagating states to JunOS peers: the origin validation state extended community (RFC 8097, type 0x43 sub-type 0x00) is shown on the JunOS side only as "unknown iana 4300", i.e. the peer does not recognise it
– Options (hack):
• Act on the states at the border, OR
• Tag/match with custom (standard) communities
Slide 28
Other developments
• ROA with AS0 origin (RFC6483/RFC7607)
– Negative attestation
• No valid ASN has been granted authority
• Not to be routed (Eg: IXP Peering LAN prefixes)
– Overridden by another ROA (with an origin AS other than AS0)
– APNIC’s RPKI backend supported this since Nov 2018
Slide 29
Other developments
• Prop-132 based AS0 ROA
– APNIC is directed to publish an AS0 ROA for undelegated and unassigned APNIC space
• ~ comparable to RFC6491 for special use/reserved/unallocated IANA space
– APNIC implemented on 2 Sept 2020
• Separate TAL ~ opt-in (the main RPKI TAL is included in all RPs)
– Process:
• “fast to remove” (within 5mins of delegation)
• “slow to add” (undelegated/reclaimed resources added in a cron-job)
Slide 30
Summary
• Maintain BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs → ROV
• Join industry initiatives like MANRS
• https://www.manrs.org/