RPKI invalids aren't going away - SANOG
20
RPKI invalids aren’t going away Md. Abdul Awal #SANOG36
-
Upload
khangminh22 -
Category
Documents
-
view
0 -
download
0
Transcript of RPKI invalids aren't going away - SANOG
RPKI invalids aren’t going awayMd. Abdul Awal
#SANOG36
Routing Incidents in South Asian Countries
#SANOG36 2
Stats: observatory.manrs.org
Routing incidentsstill exist
0
5
10
15
20
25
30
35
40
45
50
Jul-19
Aug-19
Sep-19
Oct-19
Nov-19
Dec-19
Jan-20
Feb-20
Mar-20
Apr-20
May-20
Jun-20Jul-2
0
Aug-20
Sep-20
Oct-20
Nov-20
Dec-20
Number of routing incidents
AF BD BT IN MV MM NP LK PK
0
10
20
30
40
50
60
70
80
90
100
Jul-19
Aug-19
Sep-19
Oct-19
Nov-19
Dec-19
Jan-20
Feb-20
Mar-20
Apr-20
May-20
Jun-20Jul-2
0
Aug-20
Sep-20
Oct-20
Nov-20
Dec-20
RPKI status of BGP prefixes in AF, BD, BT, IN, MM, MV, NP, LK and PK
Valid Not Found Invalid
RPKI Status of BGP Prefixes in South Asia
#SANOG36 3
Stats: observatory.manrs.org
Invalids are not going away
1% of total BGP announcements in South Asia are invalid, that’s about 600 prefixes in global BGP table
Prefix/Route Hijack: The Common Routing Incident
#SANOG36 4
AS 65505
AS 64512
AS 64710
AS 65500
AS 64805
AS 64650
192.168.0.0/24
AS 65500 owns 192.168.0.0/24
192.168.0.0/24
AS 65510
Prefix Hijacker
AS 65510 does NOT own 192.168.0.0/24 AS 64805 takes wrong path to 192.168.0.0/24
RPKI would be able to solve it
#SANOG36 5
Signing prefixes a.k.a. creating ROA1
RIR CA
RIR Resource DB
Member LoginAuthentication
2001:db8::/32192.0.2.0/24
AS 65500ROA
Validating ROAsa.k.a doing ROV2
RPKI Repository RPKI Validator BGP Router
RTR Protocolrsync/RRDP
What makes a route RPKI Invalid?
Route Origin Authorization (ROA)
#SANOG36
192.168.0.0/22
65500
/23
Prefix
ASN
Max Length
192.168.0.0/22
192.168.0.0/23
192.168.0.0/24
192.168.1.0/24
192.168.2.0/23
192.168.2.0/24
192.168.3.0/24
Prefixes covered by the ROA
7
Route Origin Validation (ROV)
#SANOG36 8
192.168.0.0/22
65500
/23
192.168.0.0/24 ...65500 192.168.0.0/24 ...65520
192.168.0.0/23 ...65520
Max Length Invalid Max Length+Origin Invalid
Origin Invalid
VRPs
R1
192.168.2.0/23 ...65500
100.100.0.0/24 ...65500
Valid
Not found
R2
192.168.2.0/23100.100.0.0/24
Let’s see some examples
Example: RPKI Invalids
#SANOG36 10
Example: Invalid Origin
#SANOG36 11
Example: Invalid Prefix Length
#SANOG36 12
More Example: Invalid Prefix Length
#SANOG36 13
RPKI Invalids in South Asia
Country % of Invalids
IN 55.1
PK 22.2
BD 18.1
LK 2.6
NP 1.2
AF 0.5
MM 0.3
MV 0
BT 0
#SANOG36 14
50%47%
3%
Invalid Types
Max Length Origin Max Length+Origin
Stats: Anurag Bhatia (https://rpki.anuragbhatia.com)
So, why invalids exist in routing atmosphere?
Several Reasons…
• Incorrect ROAs§ Mostly because of misconfigured Max Length§ Sometimes because of wrong ASN§ Lack of awareness?
• Wrong BGP annoucements§ Route advertised without checking its ROA§ Old habit?
• Most importantly, invalids are not dropped§ Origin validation is not widely deployed in the region§ Any reason?
#SANOG36 16
Fix it: Who and How
#SANOG36 17
192.168.0.0/22
65500
/23
Create appropriate ROAs for your prefixes
Announce only the correct prefix in BGP
Implement origin validation i.e. drop RPKI Invalids
Route Origin Validation at IX and Transit
#SANOG36 18
AS 65505 AS 64512 AS 64710
AS 65500
Route Server
IX Switch
No invalid routes towards peers
Invalid routes droped by IX
AS 65505 AS 64512 AS 64710
International Transit
Transit Provider
No invalid routes towards cliets
Invalid routes droped by Transit
AS 65530
AS 65500
Internet Exchange Point Transit Provider Network
Validation can make our routing table Invalid-free
#SANOG36 19
International Transits
Internet Routing InfrastructureWithout Validation
International Transits
Internet Routing InfrastructureWith Validation
Transit IXP ISP
Transit providers and IXPs can prevent Invalid
route propagation
Thanks!
Questions?
