APNIC Training Delivery Manager presents an analysis on Thailand's RPKI status at ThaiNOG Day 2021, held with the BKNIX Peering Forum 2021 from 13 to 14 May 2021.

1. 1
(the trouble with)
Securing the Internet Routing
Thailand’s Route Validity
Tashi Phuntsho (tashi@apnic.net)
Senior Network Analyst/Technical Trainer

2. 2
2
Acknowledgement
• Stole slides/ideas from
– Geoff Huston, APNIC J

3. 3
3
Headlines
AS55410 leaks 30K prefixes/4K ASNs – 16 Apr 2021
https://bgpstream.com/event/271478
https://blog.apnic.net/2021/04/26/a-major-bgp-route-leak-by-as55410/

4. 4
4
Headlines
AS136168 (attempts) to hijack Twitter – 5 Feb 2021
http://bgpstream.com/event/268261

5. 5
5
Headlines
https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies

6. 6
6
Headlines

7. 7
7
Why do we keep seeing these?
• As always, there is no Evil (E) bit (RFC3514)
– a bad routing update does not identify itself as BAD
à Hence, approx. the GOOD

8. 8
8
Enter the RPKI framework
17821
65550
2406:6400::/48
65551
2406:6400::/48 65551 65550 17821 i
65552
65553
2406:6400::/48
2406:6400::/48 65553 65552 i
rsync/RRDP
RPKI
Repo
RPKI-to-Router
(RTR)
2406:6400::/32-48
17821
ROA
2406:6400::/32-48
17821
Invalid
Valid
Validator

9. 9
TH Focus
• VALID
IPv4 ~ 35% IPv6 ~ 63%
https://stats.labs.apnic.net/roas

10. 10
TH Focus
• VALID ~ South-East Asia
https://stats.labs.apnic.net/roas

11. 11
TH Focus
• NOT FOUND
IPv4 ~ 64% IPv6 ~ 35%
https://stats.labs.apnic.net/roas

12. 12
12
TH Focus
NOT FOUND
APNIC ARIN AFRINIC RIPE IRINN TOTAL
IPv4 4875 63 4 9 1 4952
IPv6 469 2 NA NA NA 471
0
200
400
600
800
1000
1200
1400
1600
1800
2000
TOT CS
LOXINFO
TOT-2 UIH PROENNET
23969 4750 131293 38794 23884
IPv4 (NOT FOUND) ~ 60%
0
50
100
150
200
250
300
TRUE/REAL
MOVE
SYMPHONY
COMM
PEA CS LOX
IDC
GITS
(NECTEC)
132061 132280 133193 9891 9835
IPv6 (NOT FOUND) ~ 70%

13. 13
TH focus
• INVALID
IPv4 ~ 1% IPv6 ~ 2%
https://stats.labs.apnic.net/roas

14. 14
14
TH Focus
INVALIDS
REGISTRY TYPE
APNIC RIPE AS ML ASML
IPv4 59 1 17 28 15
IPV6 29 NA NA 29 NA
0
1
2
3
4
5
6
7
8
9
AS ML ML ASML ASML
MUT WIN JASTEL-IDC TRUE IG THAMMASAT
55760 45223 55423 38082 37992
IPv4 (INVALID) ~ 62%
0
5
10
15
20
ML ML ML ML ML
AsiaNet DTN JasTel TRIPLE T JASTEL-
IDC
7470 9587 45629 45758 55423
IPv6 (INVALID) ~ 90%

15. 15
15
Implementation
• Sign your route origins (create your ROAs)
• ** Multiple ROAs can exist for the same prefix
Prefix 2406:6400::/32
Max-length /36
Origin ASN AS45192

16. 16
16
ROA considerations
• Max length attribute
– Minimal ROA
• ROAs to cover only those prefixes announced in BGP
• https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
– Reduces spoofed origin-AS attack surface
0
1000
2000
3000
4000
5000
6000
7000
D
e
c
'
1
9
J
a
n
'
2
0
F
e
b
'
2
0
M
a
r
'
2
0
A
p
r
'
2
0
M
a
y
'
2
0
J
u
n
'
2
0
J
u
l
y
'
2
0
A
u
g
'
2
0
S
e
p
'
2
0
O
c
t
'
2
0
N
o
v
'
2
0
D
e
c
'
2
0
J
a
n
'
2
1
F
e
b
'
2
1
M
a
r
'
2
1
A
p
r
'
2
1
M
a
y
'
2
1
INVALIDS (ML)
IPv4 IPv6

17. 17
17
ROA considerations
• Know your network (origin AS)
– Do you have multiple ASes?
• Are they independent ASes? or
• Transit AS + multiple access/stub ASes?
https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
0
500
1000
1500
2000
2500
D
e
c
'
1
9
J
a
n
'
2
0
F
e
b
'
2
0
M
a
r
'
2
0
A
p
r
'
2
0
M
a
y
'
2
0
J
u
n
'
2
0
J
u
l
y
'
2
0
A
u
g
'
2
0
S
e
p
'
2
0
O
c
t
'
2
0
N
o
v
'
2
0
D
e
c
'
2
0
J
a
n
'
2
1
F
e
b
'
2
1
M
a
r
'
2
1
A
p
r
'
2
1
M
a
y
'
2
1
INVALIDS (AS)
IPv4 IPv6

18. 18
18
ROA considerations
• Know your network (ASML)
0
200
400
600
800
1000
1200
1400
1600
1800
D
e
c
'
1
9
J
a
n
'
2
0
F
e
b
'
2
0
M
a
r
'
2
0
A
p
r
'
2
0
M
a
y
'
2
0
J
u
n
'
2
0
J
u
l
y
'
2
0
A
u
g
'
2
0
S
e
p
'
2
0
O
c
t
'
2
0
N
o
v
'
2
0
D
e
c
'
2
0
J
a
n
'
2
1
F
e
b
'
2
1
M
a
r
'
2
1
A
p
r
'
2
1
M
a
y
'
2
1
INVALIDS (ASML)
IPv4 IPv6

19. 19
19
Implementation
• Run your own RPKI validator:
– ** RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.8.3
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki
– Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/

20. 20
20
Validator considerations
• Securing the RTR session
– Plain text (TCP)
• run within your routing domain
– Other auth options
• SSH (v2)
• MD5 auth
• IPsec
• TLS
• TCP-AO

21. 21
21
Validator considerations
• When RTR session fails
– Based on the expire interval of ROA cache
• Know your platform defaults
• JunOS/SR-OS ~ 3600s, IOS-XE ~ 300s (RFC min ~ 600s)
– Defaults to NOT FOUND
• Including Invalids
– Hence, at least 2 x Validators (RTR sessions)

22. 22
22
Validator considerations
• VRP output

23. 23
23
Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Eg: IOS-XE wont use Invalids for best path selection
router bgp 131107
bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>
routing-options {
autonomous-system 131107;
validation {
group rpki-validator {
session <validatorIP> {
refresh-time <secs>;
port <323/3323/8282>;
local-address X.X.X.X;
}
}
}
}
router bgp 131107
rpki server <validatorIP>
transport tcp port <323/3323/8282>
refresh-time <secs>

24. 24
24
Implementation
• Acting on the validation states
– Tag & do nothing: You have downstream/route server @IXPs
– RFC7115 – preference
– Drop Invalids
[Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]
[Valid > Not Found > Invalid]
IPv4 ~ 7K
IPv6 ~ 2K

25. 25
25
Operational Considerations
• Default routes?
– Will match anything ~ Invalids

26. 26
26
Operational Considerations
• VRFs?
– Know your platform
• RPKI (RTR) supported on VRF instances? or
• just the global table?

27. 27
27
Operational Considerations
• iBGP state propagation ~ vendor interop?
– Ex: IOS propagating states to JunOS peers
unknown iana 4300
– Options (hack):
• Act on the states at the border, OR
• Tag/match with custom (standard) communities

28. 28
28
Other developments
• ROA with AS0 origin (RFC6483/RFC7607)
– Negative attestation
• No valid ASN has been granted authority
• Not to be routed (Eg: IXP Peering LAN prefixes)
– Overridden by another ROA (with an origin AS other than
AS0)
– APNIC’s RPKI backend supported this since Nov 2018

29. 29
29
Other developments
• Prop-132 based AS0 ROA
– APNIC is directed to publish an AS0 ROA for undelegated
and unassigned APNIC space
• ~ comparable to RFC6491 for special use/reserved/unallocated IANA
space
– APNIC implemented on 2 Sept 2020
• Separate TAL ~ opt-in (the main RPKI TAL is included in all RPs)
– Process:
• “fast to remove” (within 5mins of delegation)
• “slow to add” (undelegated/reclaimed resources added in a cron-job)

30. 30
30
Summary
• Maintain BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, Prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs à ROV
• Join industry initiatives like MANRS
• https://www.manrs.org/

31. 31
THANK YOU