Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman. A tutorial given at APNIC 38.
Internet Routing Registry & RPKI Tutorial
Nurul Islam Roman, APNIC
Objectives
• To provide an introduction to the APNIC Routing Registry
– Explain concepts of the global RR
– Outline the benefits of the APNIC Routing Registry
– Discuss Routing Policy Specification Language (RPSL)
• New initiative: RPKI
Overview
• What is IRR?
• Whois DB Recap
• APNIC database and the IRR
• Using the Routing Registry
• Using RPSL in practice
• Benefit of using IRR
What is IRR?
Prefix Advertise to Internet
• Ingress prefix from downstream:
– Option 1: Customer single-homed with a non-portable prefix
• Customer is not an APNIC member; the prefix is received from the upstream ISP
– Option 2: Customer single-homed with a portable prefix
• Customer is an APNIC member and has received an allocation as a service provider, but has no AS number yet
– Option 3: Customer multihomed with a non-portable prefix
• Customer is not an APNIC member; both prefix and ASN are received from the upstream ISP
– Option 4: Customer multihomed with a portable prefix
• Customer is an APNIC member; both prefix and ASN are received from APNIC
Prefix Filtering BCP [Single home]
• Option 1: Customer single-homed with a non-portable prefix
[Diagram: upstream ISP AS17821 (ISP prefix 3fff:ffff::/32) connected to the Internet; downstream customer holds customer prefix 3fff:ffff:dcdc::/48 behind its WAN interface. ISP side: static route for 3fff:ffff:dcdc::/48 to the customer WAN interface; no LoA check of the customer prefix. Customer side: no BGP, static default route to the ISP.]
Prefix Filtering BCP [Single home]
• Option 2: Customer single-homed with a portable prefix
[Diagram: upstream ISP AS17821 (ISP prefix 3fff:ffff::/32) connected to the Internet; downstream customer holds portable customer prefix 2001:0DB8::/32 behind its WAN interface. ISP side: check LoA of the customer prefix; static route for 2001:0DB8::/32 to the customer WAN interface; "BGP network 2001:0DB8::/32 AS17821 i" (the ISP originates the customer prefix). Customer side: no BGP, static default route to the ISP; "Static 2001:0DB8::/32 null0" is shown at the WAN interface.]
Prefix Filtering [Multihome]
• Option 3: Customer multihomed with a non-portable prefix
[Diagram: customer AS64500 (customer prefix 3fff:ffff:dcdc::/48, taken from ISP prefix 3fff:ffff::/32) has eBGP peering with both upstreams over the ISP WAN interfaces; the prefix is originated with "BGP network 3fff:ffff:dcdc::/48 AS64500 i" or as an aggregate address from the gateway router. AS17821, the upstream that cannot be changed (it holds the covering prefix): eBGP peering with the customer over the WAN interface; no LoA check of the customer prefix. AS131107, the upstream that can be changed: checks LoA of the customer prefix, either by a manual process (e-mail to the tech-c) or an automated process (route object or RPKI); nearly the same filter requirement as the other ISP.]
Prefix Filtering [Multihome]
• Option 4: Customer multihomed with a portable prefix
[Diagram: customer AS64500 (portable customer prefix 2001:0DB8::/32) has eBGP peering with both upstream AS17821 (ISP prefix 3fff:ffff::/32) and upstream AS131107 over the ISP WAN interfaces; either upstream can be changed. The prefix is originated with "BGP network 2001:0DB8::/32 AS64500 i" or as an aggregate address from the gateway router. Both upstreams check LoA of the customer prefix, either by a manual process (e-mail to the tech-c) or an automated process (route object or RPKI); nearly the same filter requirement at each ISP.]
What is a Routing Registry?
• A repository (database) of Internet routing policy information
• Autonomous Systems exchange routing information via BGP
• Exterior routing decisions are based on policy-based rules
• However, BGP does not provide a mechanism to publish/communicate the policies themselves
• An RR provides this functionality
• Routing policy information is expressed in a series of objects
• Stability and consistency of routing
• Network operators share information
What is a Routing Registry?
[Diagram: the IRR as a collection of registries: APNIC RR, RIPE, RADB, CW, Connect, ARIN, ArcStar, FGC, Verio, Bconnex, Optus, Telstra, ...]
IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
What is Routing Policy?
• Description of the routing relationship between autonomous systems
– Who are my BGP peers?
• Customers, peers, upstreams
– What routes are:
• Originated by each neighbour?
• Imported from each neighbour?
• Exported to each neighbour?
• Preferred when multiple routes exist?
– What to do if no route exists?
– What routes to aggregate?
Representation of Routing Policy
[Diagram: AS1 holds NET1, AS2 holds NET2.]
In order for traffic to flow from NET2 to NET1 between AS1 and AS2:
AS1 has to announce NET1 to AS2 via BGP
And AS2 has to accept this information and use it
Resulting in packet flow from NET2 to NET1
Representation of Routing Policy
[Diagram: AS1 holds NET1, AS2 holds NET2.]
In order for traffic to flow from NET1 to NET2:
AS2 must announce NET2 to AS1
And AS1 has to accept this information and use it
Resulting in packet flow from NET1 to NET2
RPSL
• Routing Policy Specification Language
– Object oriented language
• Based on RIPE-181
– Structured whois objects
• Higher level of abstraction than access lists
• Describes things interesting to routing policy:
– Routes, AS Numbers …
– Relationships between BGP peers
– Management responsibility
• RFC2622, RFC2725, RFC2650
Routing Policy - Examples
Basic concept
[Diagram: AS1 peers with AS2.]
aut-num: AS1
…
import: from AS2 action pref=100; accept AS2
export: to AS2 announce AS1

aut-num: AS2
…
import: from AS1 action pref=100; accept AS1
export: to AS1 announce AS2

"action pref" - the lower the value, the more preferred the route
Routing Policy - Examples
More complex example
[Diagram: AS4 in the middle, connected to AS123, AS5 and AS10.]
• AS4 gives transit to AS5, AS10
• AS4 gives local routes to AS123
Routing Policy - Examples
[Diagram: AS4 connected to AS123, AS5 and AS10. Annotation "Not a path": AS4 does not announce AS123's routes to AS5 or AS10, so AS123 is not reachable through AS4 from them.]
aut-num: AS4
import: from AS123 action pref=100; accept AS123
import: from AS5 action pref=100; accept AS5
import: from AS10 action pref=100; accept AS10
export: to AS123 announce AS4
export: to AS5 announce AS4 AS10
export: to AS10 announce AS4 AS5
Routing Policy - Examples
More complex example
[Diagram: AS4 connected to AS123 over the main transit link2 (transit traffic over link2) and to AS6 over private link1; link3 continues from AS6.]
• AS4 and AS6: private link1
• AS4 and AS123: main transit link2
• Backup all traffic over link1 and link3 in the event of link2 failure
Routing Policy - Examples
AS representation
[Diagram: AS4 connected to AS123 (transit traffic over link2) and to AS6 (private link1); link3 from AS6 is the backup path.]
aut-num: AS4
import: from AS123 action pref=100; accept ANY        (full routing received)
import: from AS6 action pref=50; accept AS6
import: from AS6 action pref=200; accept ANY          (higher cost for backup route)
export: to AS6 announce AS4
export: to AS123 announce AS4
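The following is an added example, not code from the tutorial or from APNIC: it parses the AS4 aut-num object above and applies the RPSL rule that the lower pref value wins, so a practitioner can see how the three import lines produce the primary/backup behaviour the slide describes. The filter semantics are deliberately minimal (ANY, or an AS number meaning routes originated by that AS); the route offers are constructed test data.

```python
import re

# Constructed for this example from the AS4 aut-num shown on the slide
# (transit via AS123 over link2, private link1 to AS6 as backup).
AUT_NUM_AS4 = """
aut-num: AS4
import: from AS123 action pref=100; accept ANY
import: from AS6 action pref=50; accept AS6
import: from AS6 action pref=200; accept ANY
export: to AS6 announce AS4
export: to AS123 announce AS4
"""

IMPORT_RE = re.compile(
    r"^import:\s*from\s+(AS\d+)\s+action\s+pref\s*=\s*(\d+)\s*;\s*accept\s+(\S+)\s*$")


def parse_imports(text):
    """Return the import rules as (peer, pref, filter) in the order written."""
    rules = []
    for line in text.splitlines():
        m = IMPORT_RE.match(line.strip())
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3)))
    return rules


def filter_accepts(flt, origin):
    """Filter semantics used by the slide: ANY, or an AS number meaning
    the routes originated by that AS. Other RPSL filters are not handled."""
    return flt == "ANY" or flt == origin


def preference(rules, peer, origin):
    """pref assigned to a route received from `peer` with origin `origin`:
    the first import rule for that peer whose filter accepts the route wins.
    None means no rule accepts it, so the route is not imported at all."""
    for rule_peer, pref, flt in rules:
        if rule_peer == peer and filter_accepts(flt, origin):
            return pref
    return None


def best_route(rules, offers):
    """offers maps peer -> origin AS of the route that peer is offering.
    RPSL pref: the LOWER value is the more preferred route."""
    candidates = []
    for peer, origin in offers.items():
        pref = preference(rules, peer, origin)
        if pref is not None:
            candidates.append((pref, peer))
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    rules = parse_imports(AUT_NUM_AS4)
    # AS6's own routes: the private link (pref 50) beats transit (pref 100)
    print(best_route(rules, {"AS123": "AS6", "AS6": "AS6"}))
    # everything else: transit (pref 100) beats the backup path (pref 200)
    print(best_route(rules, {"AS123": "AS999", "AS6": "AS999"}))
    # link2 down: only the backup offer remains, and it is used
    print(best_route(rules, {"AS6": "AS999"}))
```

The order of the two "from AS6" lines matters: the AS6-only rule is listed first so that AS6's own routes get pref 50, while the catch-all ANY rule with pref 200 only applies to what the first rule did not match.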
Whois Database Recap
APNIC Database
• Public network management database
– APNIC whois database contains:
• Internet resource information and contact details
– APNIC Routing Registry (RR) contains:
• routing information
• APNIC RR is part of the IRR
– Distributed databases that mirror each other
Database Object
• An object is a set of attributes and values
• Each attribute of an object...
– Has a value
– Has a specific syntax
– Is mandatory or optional
– Is single- or multi-valued
• Some attributes ...
– Are primary (unique) keys
– Are lookup keys for queries
– Are inverse keys for queries
– Object "templates" illustrate this structure
Person Object Example
– Person objects contain contact information
Attribute   Value
person:     Test Person
address:    ExampleNet Service Provider
address:    2 Pandora St Boxville
address:    Wallis and Futuna Islands
country:    TC
phone:      +680-368-0844
fax-no:     +680-367-1797
e-mail:     tperson@[email protected]
nic-hdl:    …
mnt-by:     …
changed:    … 20090731
source:     APNIC
Database Queries
– Flags used for inetnum queries
None   find exact match
-l     find one level less specific matches
-L     find all less specific matches
-m     find first level more specific matches
-M     find all more specific matches
-x     find exact match (if no match, nothing)
-d     enables use of flags for reverse domains
-r     turn off recursive lookups
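The following added example is not from the tutorial or from APNIC; it emulates the hierarchy flags in the table over a small constructed inetnum hierarchy, so the difference between one-level and all-levels lookups (-l vs -L, -m vs -M) and between the default and -x behaviour can be seen on concrete ranges. The ranges are invented sample data, not registry records, and -d and -r (reverse domains, recursion) are outside what it models.

```python
import ipaddress

# Constructed inetnum hierarchy (first address, last address); not real
# registry data. 202.0.16.0/24 sits under 202.0.16.0/20 under 202.0.0.0/8.
INETNUMS = [
    ("202.0.0.0", "202.255.255.255"),
    ("202.0.16.0", "202.0.31.255"),
    ("202.0.16.0", "202.0.16.255"),
    ("202.0.16.0", "202.0.16.127"),
    ("202.0.17.0", "202.0.17.255"),
]


def to_range(spec):
    """'first - last' or CIDR notation -> (first, last) as integers."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
    else:
        net = ipaddress.ip_network(spec, strict=False)
        first, last = net[0], net[-1]
    return int(first), int(last)


def inside(inner, outer):
    """True when range `inner` lies entirely within range `outer`."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def inetnum_query(query, flag=None, db=INETNUMS):
    """Emulate the hierarchy flags of a whois inetnum lookup.
    Returns the matching objects as 'first - last' strings."""
    q = to_range(query)
    objs = [(to_range("%s - %s" % (f, l)), "%s - %s" % (f, l)) for f, l in db]
    exact = [s for r, s in objs if r == q]
    # less specifics: encompassing ranges, closest (smallest) parent first
    less = sorted([(r, s) for r, s in objs if inside(q, r) and r != q],
                  key=lambda x: x[0][1] - x[0][0])
    more = [(r, s) for r, s in objs if inside(r, q) and r != q]
    if flag is None:            # exact match, else the closest less specific
        return exact if exact else [s for _, s in less[:1]]
    if flag == "-x":            # exact match only; nothing otherwise
        return exact
    if flag == "-l":            # one level less specific
        return [s for _, s in less[:1]]
    if flag == "-L":            # all less specifics (exact match included)
        return exact + [s for _, s in less]
    if flag == "-M":            # all more specifics
        return [s for _, s in more]
    if flag == "-m":            # first level more specific: not nested in another child
        return [s for r, s in more
                if not any(inside(r, o) and o != r for o, _ in more)]
    raise ValueError("unsupported flag %r" % flag)
```

Querying for a range that has no exact object (for example 202.0.18.0/24) shows why -x exists: the default lookup answers with the closest parent, -x answers with nothing, which is the behaviour a script needs when it must not mistake a parent allocation for the object it asked about.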
Database Protection
• Authorisation
– "mnt-by" references a mntner object
• Can be found in all database objects
• "mnt-by" should be used with every object!
• Authentication
– Updates to an object must pass the authentication rule specified by its maintainer object
Prerequisite for Updating Objects
• Create person objects for contacts
– To provide contact info in other objects
• Create a mntner object
– To provide protection of objects
• Protect your person object
APNIC Database and the IRR
APNIC Database & the IRR
• APNIC whois Database
– Two databases in one
• Public Network Management Database
– "whois" info about networks & contact persons
• IP addresses, AS numbers etc
• Routing Registry – contains routing information
• routing policy, routes, filters, peers etc.
– APNIC RR is part of the global IRR
Integration of Whois and IRR
• Integrated APNIC Whois Database & Internet Routing Registry
[Diagram: one database holding Internet resources & routing information. APNIC Whois side: IP addresses, ASNs, reverse domains, contacts, maintainers etc., held in inetnum, aut-num, domain, person, role and maintainer objects. IRR side: routes, routing policy, filters, peers etc., held in route, aut-num, as-set, inet-rtr, peering-set etc. objects.]
Inter-related IRR Objects
[Diagram: the objects for 202.0.16/24 originated by AS1, linked by the references they carry.]
inetnum: 202.0.16.0 - 202.0.16.255 … tech-c: KX17-AP mnt-by: MAINT-EX
aut-num: AS1 … tech-c: KX17-AP mnt-by: MAINT-EX …
route: 202.0.16/24 origin: AS1 … mnt-by: MAINT-EX
person: … nic-hdl: KX17-AP …
mntner: MAINT-EX …
Inter-related IRR Objects
[Diagram: AS2 originates 202.0.16/20 and 218.2/20; the as-set AS1:AS-customers lists AS10, AS11 and AS2; the route-set AS2:RS-routes lists both routes.]
aut-num: AS2 …
inetnum: 202.0.16.0 - 202.0.31.255 …
route: 202.0.16/20 … origin: AS2 …
inetnum: 218.2.0.0 - 218.2.15.255 …
route: 218.2/20 … origin: AS2 …
as-set: AS1:AS-customers
members: AS10, AS11, AS2
route-set: AS2:RS-routes
members: 218.2/20, 202.0.16/20
aut-num: AS10 …
aut-num: AS11 …
Hierarchical Authorisation
• mnt-routes
– authenticates creation of route objects
• creation of route objects must pass authentication of the mntner referenced in the mnt-routes attribute
– Format:
• mnt-routes: <mntner>
– Found in: route, aut-num and inetnum objects
Authorisation Mechanism
inetnum:     202.137.181.0 - 202.137.196.255
netname:     SPARKYNET-TC
descr:       SparkyNet Service Provider
…
mnt-by:      APNIC-HM
mnt-lower:   MAINT-SPARKYNET1-TC
mnt-routes:  MAINT-SPARKYNET2-TC

This object can only be modified by APNIC (mnt-by: APNIC-HM)
Creation of more specific objects within this range has to pass the authentication of MAINT-SPARKYNET1-TC (mnt-lower)
Creation of route objects matching/within this range has to pass the authentication of MAINT-SPARKYNET2-TC (mnt-routes)
Creating Route Objects
• Multiple authentication checks:
– Originating ASN (aut-num object)
• mntner in the mnt-routes is checked
• If no mnt-routes, mnt-lower is checked
• If no mnt-lower, mnt-by is checked
– AND the address space (inetnum object)
• Exact match & less specific route
– mnt-routes etc
– AND the route object mntner itself (route object)
• The mntner in the mnt-by attribute
Creating Route Objects
mntner:      MAINT-WF-EXNET
auth:        CRYPT-PW klsdfji9234
(maintainer)

inetnum:     202.137.240.0 - 202.137.255.255
mnt-routes:  MAINT-WF-EXNET
(IP address range)

aut-num:     AS1
mnt-routes:  MAINT-WF-EXNET
(AS number)

route:       202.137.240/20
origin:      AS1
(route)

1. Create route object and submit to APNIC RR database
2. DB checks aut-num obj corresponding to the ASN in route obj
3. Route obj creation must pass auth of mntner specified in aut-num mnt-routes attribute
4. DB checks inetnum obj matching/encompassing IP range in route obj
5. Route obj creation must pass auth of mntner specified in inetnum mnt-routes attribute
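As an added example (not the database's own code, and not from the tutorial), the checks of the two previous slides combined into one function: the mnt-routes, then mnt-lower, then mnt-by precedence on the origin's aut-num, the same precedence on the exact or closest less-specific inetnum, and the route object's own mnt-by. MAINT-WF-EXNET and the 202.137.240.0/20 range come from the slide; the other maintainers, the parent inetnum and AS2 are constructed for the example. Authentication itself (CRYPT-PW etc.) is represented by the set of maintainer names the submitter has already proven.

```python
import ipaddress

# Constructed objects following the slide's example; MAINT-WF-EXNET is the
# maintainer named there, the other names are hypothetical.
AUT_NUMS = {
    "AS1": {"mnt-routes": ["MAINT-WF-EXNET"], "mnt-by": ["MAINT-AS1"]},
    "AS2": {"mnt-by": ["MAINT-AS2"]},          # no mnt-routes and no mnt-lower
}
INETNUMS = [  # (first address, last address, attributes)
    ("202.137.0.0", "202.137.255.255",
     {"mnt-by": ["APNIC-HM"], "mnt-lower": ["MAINT-PARENT"]}),
    ("202.137.240.0", "202.137.255.255",
     {"mnt-by": ["APNIC-HM"], "mnt-routes": ["MAINT-WF-EXNET"]}),
]


def authorising_mntners(attrs):
    """Precedence from the slide: mnt-routes; if absent mnt-lower; if absent mnt-by."""
    for key in ("mnt-routes", "mnt-lower", "mnt-by"):
        if attrs.get(key):
            return set(attrs[key])
    return set()


def covering_inetnum(prefix):
    """The exact-match inetnum if one exists, otherwise the closest less
    specific one (the smallest range that still encompasses the prefix)."""
    net = ipaddress.ip_network(prefix, strict=False)
    lo, hi = int(net[0]), int(net[-1])
    best = None
    for first, last, attrs in INETNUMS:
        f, l = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if f <= lo and hi <= l and (best is None or l - f < best[0]):
            best = (l - f, attrs)
    return best[1] if best else None


def can_create_route(route, origin, route_mnt_by, credentials):
    """credentials: the set of mntner names the submitter has authenticated as.
    Returns (allowed, reasons) with one reason per failed check."""
    reasons = []
    aut = AUT_NUMS.get(origin)                           # step 2: origin's aut-num
    if aut is None:
        reasons.append("no aut-num object for %s" % origin)
    elif not authorising_mntners(aut) & credentials:     # step 3
        reasons.append("aut-num %s: need one of %s"
                       % (origin, sorted(authorising_mntners(aut))))
    inet = covering_inetnum(route)                       # step 4: covering inetnum
    if inet is None:
        reasons.append("no inetnum covers %s" % route)
    elif not authorising_mntners(inet) & credentials:    # step 5
        reasons.append("inetnum covering %s: need one of %s"
                       % (route, sorted(authorising_mntners(inet))))
    if route_mnt_by not in credentials:                  # the route's own mnt-by
        reasons.append("route mnt-by %s not held by submitter" % route_mnt_by)
    return not reasons, reasons


if __name__ == "__main__":
    print(can_create_route("202.137.240.0/20", "AS1", "MAINT-WF-EXNET", {"MAINT-WF-EXNET"}))
    print(can_create_route("202.137.16.0/20", "AS1", "MAINT-WF-EXNET", {"MAINT-WF-EXNET"}))
```

The second call fails on the inetnum check alone: 202.137.16.0/20 is only covered by the parent range, whose mnt-lower (not the customer's maintainer) must approve it, which is exactly the hierarchical protection the slide on mnt-routes describes.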
Using RPSL in practice
Overview
• Review examples of routing policy expression
– Peering policies
– Filtering policies
– Backup connection
– Multihoming policies
RPSL - review
• Purpose of RPSL
– Allows specification of your routing configuration in the public IRR
• Allows you to check "consistency" of policies and announcements
– Gives opportunities to consider the policies and configuration of others
Address Prefix Range Operator
Operator   Meaning
^-         Exclusive more specifics of the address prefix. E.g. 128.9.0.0/16^- contains all more specifics of 128.9.0.0/16 excluding 128.9.0.0/16
^+         Inclusive more specifics of the address prefix. E.g. 5.0.0.0/8^+ contains all more specifics of 5.0.0.0/8 including 5.0.0.0/8
Address Prefix Operator (cont.)
Operator   Meaning
^n         n = integer; stands for all the length-n specifics of the address prefix. E.g. 30.0.0.0/8^16 contains all the more specifics of 30.0.0.0/8 which are of length 16, such as 30.9.0.0/16
^n-m       m = integer; stands for all the length-n to length-m specifics of the address prefix. E.g. 30.0.0.0/8^24-32 contains all the more specifics of 30.0.0.0/8 which are of length 24 to 32, such as 30.9.9.96/28
AS-path regular expressions
• Regular expressions
– A context-independent syntax that can represent a wide variety of character sets and character set orderings
– These character sets are interpreted according to the current The Open Group Base Specifications (IEEE)
• Can be used as a policy filter by enclosing the expression in "<" and ">".
Filter List - Regular Expression
• Like Unix regular expressions
.      Match one character
*      Match any number of the preceding expression
+      Match at least one of the preceding expression
^      Beginning of line
$      End of line
\      Escape a regular expression character
_      Beginning, end, white-space, brace
|      Or
()     Brackets to contain an expression
[ ]    Brackets to contain number ranges
Source: www.cisco.com
AS-path Regular Expression
Operator          Meaning
<AS3>             Routes whose AS-path contains AS3
<^AS1>            Routes whose AS-path starts with AS1
<AS2$>            Routes whose AS-path ends with AS2
<^AS1 AS2 AS3$>   Routes whose AS-path is exactly "1 2 3"
<^AS1 .* AS2$>    AS-path starts with AS1 and ends in AS2 with any number of ASNs in between
<^AS3+$>          AS-path starts with AS3 and ends in AS3: AS3 is the first member of the path, occurs one or more times, and no other AS can be present in the path after AS3
AS-path Regular Expression (cont.)
Operator     Meaning
<AS3|AS4>    Routes whose AS-path contains AS3 or AS4
<AS3 AS4>    Routes whose AS-path contains AS3 followed by AS4
Common Peering Policies
• Peering policies of an AS
– Registered in an aut-num object
[Diagram: Internet – AS1 – AS2 (ISP, transit provider) – AS3 (customer); AS4 and AS5 are also attached below AS2.]
Common Peering Policies
• Policy for AS3 in the AS2 aut-num object
aut-num:   AS2
as-name:   SAMPLE-NET
descr:     Sample AS
import:    from AS1 accept ANY
import:    from AS3 accept <^AS3+$>
export:    to AS3 announce AS2
export:    to AS1 announce AS2 AS3
admin-c:   TP1-AP
tech-c:    TP2-AP
mnt-by:    MAINT-SAMPLE-AP
changed:   [email protected]
Transit Provider Policies
• Peering policies of an AS
– Registered in an aut-num object
[Diagram: Internet – AS1 – AS2 (ISP, transit provider) – AS3 (customer); AS4 and AS5 are also attached below AS2.]
ISP Customer – Transit Provider Policies
• Policy for AS3 and AS4 in the AS2 aut-num object
aut-num:   AS2
import:    from AS1 accept ANY
import:    from AS3 accept <^AS3+$>
import:    from AS4 accept <^AS4+$>
export:    to AS3 announce ANY
export:    to AS4 announce ANY
export:    to AS1 announce AS2 AS3 AS4
AS-set Object
• Describes the customers of AS2
as-set:    AS2:AS-CUSTOMERS
members:   AS3 AS4
changed:   [email protected]
source:    APNIC
Aut-num Object referring to an as-set Object
aut-num:   AS2
import:    from AS1 accept ANY
import:    from AS2:AS-CUSTOMERS accept <^AS2:AS-CUSTOMERS+$>
export:    to AS2:AS-CUSTOMERS announce ANY
export:    to AS1 announce AS2 AS2:AS-CUSTOMERS

aut-num:   AS1
import:    from AS2 accept <^AS2+AS2:AS-CUSTOMERS+$>
export:    ………
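The following is an added example, not code from the tutorial, APNIC or IRRToolSet. It covers both the AS-path regular expression tables and the peering policies just shown: it translates an RPSL AS-path filter such as <^AS3+$> or <^AS2:AS-CUSTOMERS+$> into a Python regular expression over an AS path, expanding as-set names from a small constructed registry, and then evaluates real paths against it. Every AS is rendered with a trailing space so that AS3 never matches AS30. The as-set contents are taken from the AS2:AS-CUSTOMERS object above; the test paths are constructed.

```python
import re

# Constructed as-set registry: the AS2:AS-CUSTOMERS object from the slides.
AS_SETS = {"AS2:AS-CUSTOMERS": ["AS3", "AS4"]}

# Tokens of an RPSL AS-path expression: whitespace, as-set names, AS numbers
# and the regular expression operators the tutorial lists.
TOKEN = re.compile(r"\s+|AS\d+:[A-Za-z0-9:-]+|AS\d+|[\^$.*+?|()]")


def rpsl_to_regex(expr, as_sets=AS_SETS):
    """Translate '<^AS1 .* AS2$>' into a Python regex over a path rendered as
    'AS1 AS5 AS2 ' (every AS followed by one space, so each AS is one token)."""
    expr = expr.strip()
    if expr.startswith("<") and expr.endswith(">"):
        expr = expr[1:-1]
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad token at %d in %r" % (pos, expr))
        tok, pos = m.group(0), m.end()
        if tok.isspace():
            continue                                   # separators carry no meaning
        if tok in as_sets:                             # set name -> any member AS
            out.append("(?:" + "|".join(a + " " for a in as_sets[tok]) + ")")
        elif tok.startswith("AS"):                     # one specific AS
            out.append("(?:" + tok + " )")
        elif tok == ".":                               # any single AS
            out.append(r"(?:AS\d+ )")
        elif tok == "(":
            out.append("(?:")
        else:                                          # ^ $ * + ? | )
            out.append(tok)
    return "".join(out)


def as_path_matches(expr, path):
    """Evaluate the RPSL AS-path filter `expr` against a list of ASNs."""
    rendered = " ".join(path) + " " if path else ""
    return re.search(rpsl_to_regex(expr), rendered) is not None


if __name__ == "__main__":
    # The customer filter from the aut-num examples: only routes whose
    # path consists of AS3 alone, so a customer cannot leak other routes.
    print(as_path_matches("<^AS3+$>", ["AS3", "AS3"]))        # True
    print(as_path_matches("<^AS3+$>", ["AS3", "AS7"]))        # False
    print(rpsl_to_regex("<^AS2+AS2:AS-CUSTOMERS+$>"))
```

The point of <^AS3+$> in the peering policy becomes concrete here: a path that AS3 prepends to its own announcement still matches, while a path through which AS3 would pass on someone else's route (AS3 followed by another AS) is rejected by the import filter.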
Express Filtering Policy
• To limit the routes one accepts from a peer
– To prevent the improper use of unassigned address space
– To prevent malicious use of another organisation's address space
Filtering Policy
[Diagram: AS2 peers with AS3, which connects onward to the Internet; 7.7.0.0/20 is allocated to AS3 by the RIR.]
AS3 wants to announce part or all of 7.7.0.0/20 on the global Internet.
AS2 wants to be certain that it only accepts announcements from AS3 for address space that has been properly allocated to AS3.
Aut-num Object with Filtering Policy
aut-num:   AS2
import:    from AS3 accept { 7.7.0.0/20^20-24 }
…….
For an ISP with a growing or changing customer base, this mechanism will not scale well.
A route-set object can be used instead.
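An added example, not from the tutorial or from any IRR software, serving both the address prefix operator tables (^-, ^+, ^n, ^n-m) and the filtering policy above: it parses a prefix range specification, decides whether a received route falls inside it, and evaluates an import filter given either as an explicit { ... } list or as a route-set name. The route-set AS3:RS-ROUTES and its members are constructed for the example; the { 7.7.0.0/20^20-24 } filter and the operator examples are the ones from the slides.

```python
import ipaddress
import re

# Constructed route-set for AS3, in the style of the tutorial's route-set
# objects; the set name and its members are hypothetical.
ROUTE_SETS = {"AS3:RS-ROUTES": ["7.7.0.0/20^20-24", "7.7.16.0/22^+"]}

RANGE_SPEC = re.compile(
    r"^(?P<prefix>[0-9a-fA-F:.]+/\d+)(?:\^(?P<op>-|\+|\d+(?:-\d+)?))?$")


def prefix_range(spec):
    """Parse 'prefix' or 'prefix^op' into (network, min_len, max_len): the
    more specifics of `network` whose length lies in [min_len, max_len]."""
    m = RANGE_SPEC.match(spec.strip())
    if not m:
        raise ValueError("bad prefix range %r" % spec)
    net = ipaddress.ip_network(m.group("prefix"), strict=False)
    op = m.group("op")
    if op is None:                       # bare prefix: exact match only
        lo = hi = net.prefixlen
    elif op == "-":                      # ^- exclusive more specifics
        lo, hi = net.prefixlen + 1, net.max_prefixlen
    elif op == "+":                      # ^+ inclusive more specifics
        lo, hi = net.prefixlen, net.max_prefixlen
    elif "-" in op:                      # ^n-m
        lo, hi = (int(x) for x in op.split("-"))
    else:                                # ^n
        lo = hi = int(op)
    return net, lo, hi


def matches_range(spec, route):
    """Does `route` fall inside the prefix range `spec`?"""
    net, lo, hi = prefix_range(spec)
    r = ipaddress.ip_network(route, strict=False)
    return r.version == net.version and r.subnet_of(net) and lo <= r.prefixlen <= hi


def parse_filter(filter_text, route_sets=ROUTE_SETS):
    """Expand an RPSL prefix filter: either an explicit '{ a, b }' list or a
    route-set name looked up in the registry (here the ROUTE_SETS dict)."""
    text = filter_text.strip()
    if text.startswith("{") and text.endswith("}"):
        return [s.strip() for s in text[1:-1].split(",") if s.strip()]
    if text in route_sets:
        return list(route_sets[text])
    raise ValueError("unsupported filter %r" % filter_text)


def accept(filter_text, route):
    """True when an 'import: ... accept <filter>' line would accept `route`."""
    return any(matches_range(spec, route) for spec in parse_filter(filter_text))


if __name__ == "__main__":
    print(accept("{ 7.7.0.0/20^20-24 }", "7.7.8.0/24"))   # True: within range, /24
    print(accept("{ 7.7.0.0/20^20-24 }", "7.7.8.0/25"))   # False: too long
    print(accept("AS3:RS-ROUTES", "7.7.16.0/23"))          # True: via the route-set
```

With a route-set the aut-num line can stay "import: from AS3 accept AS3:RS-ROUTES" while the customer's allocations change; only the route-set members are edited, which is the scaling argument the slide makes.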
IRRToolSet
• Set of tools developed for using the Internet Routing Registry (IRR)
• Work with Internet routing policies
– These policies are stored in the IRR in the Routing Policy Specification Language (RPSL)
• The goal of the IRRToolSet is to make routing information more convenient and useful for network engineers
– Tools for automated router configuration
– Routing policy analysis
– On-going maintenance etc.
IRRToolSet
• Download: ftp://ftp.isc.org/isc/IRRToolSet/
• Installation needs: lex, yacc and a C++ compiler
root@bofh:~# wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
root@bofh:~# tar -zxvf irrtoolset-5.0.1.tar.gz
root@bofh:~# cd irrtoolset-5.0.1
root@bofh:~/irrtoolset-5.0.1# ./configure
root@bofh:~/irrtoolset-5.0.1# make
root@bofh:~/irrtoolset-5.0.1# make install
IRRToolSet
root@bofh:~# whois -h whois.apnic.net AS17821
#####snipped######
mp-import: afi any.unicast {
    from AS-ANY accept ANY AND NOT RS-MARTIANS;
  } refine {
    from AS-ANY action pref = 50; accept community.contains(17821:50);
    from AS-ANY action pref = 30; accept community.contains(17821:70);
    from AS-ANY action pref = 10; accept community.contains(17821:90);
    from AS-ANY action pref = 0; accept ANY;
  } refine afi ipv4.unicast {
IRR Toolset, RPSL: rtconfig(Contd)
Cisco Specific
@rtconfig set cisco_map_name = <map-name>
@rtconfig set cisco_map_first_no = <no>
@rtconfig set cisco_map_increment_by = <no>
@rtconfig set cisco_prefix_acl_no = <no>
@rtconfig set cisco_aspath_acl_no = <no>
@rtconfig set cisco_pktfilter_acl_no = <no>
@rtconfig set cisco_community_acl_no = <no>
@rtconfig set cisco_access_list_no = <no>
@rtconfig set cisco_max_preference = <no>
@rtconfig networks <ASN-1>
@rtconfig inbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
IRR Toolset, RPSL: rtconfig(Contd)
Junos Specific
@rtconfig set junos_policy_name = <policy-name>
@rtconfig networks <ASN-1>
IRR Toolset, RPSL: rtconfig Input File(Provision)
router bgp 17821
neighbor 103.4.108.54 remote-as 131107
neighbor 103.4.108.54 version 4
!
# X Communication Ltd
@RtConfig set cisco_access_list_no = 500
@RtConfig set cisco_map_name = "AS58715-IN"
@RtConfig import AS131208 103.4.108.62 AS58715 103.4.108.61
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.62 AS58715 103.4.108.61
!
# xyz Ltd
@RtConfig set cisco_access_list_no = 501
@RtConfig set cisco_map_name = "AS58656-IN"
@RtConfig import AS131208 103.4.108.94 AS58656 103.4.108.93
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.94 AS58656 103.4.108.93
!
end
Use of RPSL - RtConfig
• RtConfig
– part of IRRToolSet
• Reads policy from the IRR (aut-num, route & -set objects) and generates router configuration
– vendor specific:
• Cisco, Bay's BCC, Juniper's Junos and Gated/RSd
– Creates route-map and AS path filters
– Can also create ingress / egress filters
IRR Toolset, RPSL: Uploading Configuration
Various ways to upload configuration:
– SNMP Write
– NETCONF (XML based)
– Automated script using expect
Why use IRR and RtConfig?
• Benefits of RtConfig
– Avoid filter errors (typos)
– Expertise encoded in the tools that generate the policy rather than in the engineer configuring the peering session
– Filters consistent with documented policy
• (need to get the policy correct though)
New Initiative RPKI
What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association between resource holders and their Internet resources
• Created to address the issues in RFC 4593 "Generic Threats to Routing Protocols"
• Helps to secure Internet routing by validating routes
– Proof that prefix announcements are coming from the legitimate holder of the resource
![Page 66: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/66.jpg)
Benefits of RPKI - Routing
• Similar objective to the IRR, but in a robust and scalable way: the authorization is cryptographically verifiable instead of depending on the accuracy of registry data
• Prevents route hijacking
  – A prefix originated by an AS without authorization
  – Reason: malicious intent
• Prevents mis-origination
  – A prefix mistakenly originated by an AS that does not hold it
  – Reason: configuration mistake / fat finger
  – Route leaks are caught only when the leaked route carries a wrong origin AS; a leak that preserves the legitimate origin passes origin validation
![Page 67: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/67.jpg)
BGP Security (BGPsec)
• Extension to BGP that provides improved security for BGP routing
• An IETF Internet draft at the time of this tutorial (since published as RFC 8205)
• Implemented via a new optional non-transitive BGP path attribute (BGPsec_Path) that carries a digital signature for each AS hop
• Two complementary pieces:
  – BGP Prefix Origin Validation (using RPKI ROAs; RFC 6811)
  – BGP Path Validation (BGPsec proper, using router certificates issued under the RPKI)
• Similar efforts in the early days: IDR working group, S-BGP
![Page 68: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/68.jpg)
RPKI Infrastructure
• A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization (ROA) objects
• Main components
  – Certificate Authority (CA)
  – Relying Party (RP)
  – Routers with RPKI support
![Page 69: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/69.jpg)
Issuing Party
• Internet Registries (RIR, NIR, large LIRs)
• Acts as a Certificate Authority and issues resource certificates to its customers
• Provides a web interface to issue ROAs for customer prefixes
• Publishes the ROA records
[Diagram: the APNIC RPKI engine, driven from the MyAPNIC GUI, publishes certificates and ROAs to the repository at rpki.apnic.net]
![Page 70: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/70.jpg)
Route Origin Authorization (ROA)
• A digital object that contains a list of address prefixes (each with an optional maxLength) and exactly one AS number
• It is an authorization created by the prefix holder that permits that AS number to originate one or more specific route advertisements
• Publish a ROA using MyAPNIC
![Page 71: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/71.jpg)
X.509 Certificate with RFC 3779 Extension
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779, which binds a list of resources (IP prefixes, AS numbers) to the subject of the certificate
• SIA (Subject Information Access) contains a URI that references the repository directory where the objects signed under this certificate are published
[Diagram: X.509 certificate containing the RFC 3779 extension, the SIA and the owner's public key]
![Page 72: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/72.jpg)
Relying Party (RP)
![Page 73: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/73.jpg)
RPKI Components
![Page 74: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/74.jpg)
Router Origin Validation
• Router must support RPKI (it fetches validated ROA data from a cache over the RPKI-to-Router protocol, RFC 6810)
• Checks an RP cache / validator
• Validation (RFC 6811) returns one of 3 states:
  – Valid = a ROA covers prefix X, names origin ASN Y, and the announced prefix length does not exceed the ROA's maxLength
  – Invalid = one or more ROAs cover prefix X, but none of them matches ASN Y within maxLength (wrong origin, or a more specific announcement than the ROA allows)
  – Unknown (NotFound) = no ROA covers prefix X at all
• Vendor support (as of this tutorial, APNIC 38, 2014):
  – Cisco IOS – solid in 15.2
  – Cisco IOS/XR – shipped in 4.3.2
  – Juniper – shipped in 12.2
  – Alcatel Lucent – in development
![Page 75: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/75.jpg)
How to start?
• Create ROA records in MyAPNIC
• Build an RP cache
• Configure your router to use the cache (or a public one)
• Create BGP policies
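The ROA definition (prefix list, maxLength, one AS number) and the three validation states described above, carried through as working code together with the last step of this procedure, "Create BGP policies". This is an added example, not code from the APNIC slides or from any router vendor; it implements the origin validation algorithm of RFC 6811 against a ROA set the way a validating cache would hand it to a router. The ROAs, the announced prefixes (RFC 5737 / RFC 3849 documentation ranges), the private-use AS numbers and the accept/local-preference policy are all constructed for illustration.

```python
"""RPKI Route Origin Validation (RFC 6811) against a list of ROAs.

Added example for this tutorial, not code from APNIC or any router vendor.
ROAs, prefixes, AS numbers and the policy actions are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]

VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


@dataclass(frozen=True)
class ROA:
    """One (prefix, maxLength, ASN) entry as a validating cache delivers it."""
    prefix: Net
    max_length: int
    asn: int  # AS 0 (RFC 6483) means: nobody is authorized to originate this prefix


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length (RFC 6482)."""
    net = ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return ROA(net, ml, asn)


def validate(route_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 section 2: a ROA *covers* the route if the announced prefix
    lies inside the ROA prefix; it *matches* if it also carries the route's
    origin AS and the announced length does not exceed maxLength.
      any matching ROA         -> valid
      covered but no match     -> invalid
      no covering ROA at all   -> notfound
    """
    route = ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != route.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID if covered else NOTFOUND


def apply_policy(state: str, local_pref: int = 100) -> Tuple[bool, Optional[int]]:
    """Constructed policy for the 'Create BGP policies' step: reject invalid
    routes, prefer valid over notfound. Returns (accept, local_pref)."""
    if state == INVALID:
        return (False, None)
    if state == VALID:
        return (True, local_pref + 10)
    return (True, local_pref)


# Constructed ROA set standing in for a validator's output.
ROAS = [
    make_roa("192.0.2.0/24", 64496),           # maxLength defaults to /24
    make_roa("192.0.2.0/24", 64501),           # a second authorized origin for the same prefix
    make_roa("198.51.100.0/24", 64497, 25),    # the /24 and its /25s may be originated
    make_roa("203.0.113.0/24", 0),             # AS 0: the holder does not want this routed
    make_roa("2001:db8::/32", 64498, 48),
]

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("192.0.2.0/24", 64500),
        ("198.51.100.128/25", 64497), ("198.51.100.128/26", 64497),
        ("203.0.113.0/24", 64496), ("2001:db8:1::/48", 64498), ("10.0.0.0/8", 64496),
    ]
    for prefix, asn in announcements:
        state = validate(prefix, asn, ROAS)
        accept, lp = apply_policy(state)
        print(f"{prefix:20} AS{asn:<6} {state:8} accept={accept} local_pref={lp}")
```

Two details worth noticing in the output: the /25 of 192.0.2.0/24 is invalid even though the origin AS is right, because the ROA's maxLength stays at 24, and 203.0.113.0/24 is invalid for every origin because its only covering ROA names AS 0. Dropping invalids is the usual production choice, but the local-preference values here are illustrative only.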
![Page 76: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/76.jpg)
How to build an RP cache
• Download and install the rpki.net toolkit from rpki.net
• Instructions here: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages
![Page 77: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/77.jpg)
Configure Router to Use Cache (Cisco IOS syntax; refresh is the polling interval in seconds)

```
router bgp 17821
 …
 bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
 bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
```

Note: a TCP port number cannot exceed 65535, so the port on the second server line is a transcription error in the slide; use the port your cache actually listens on. The IANA-registered RPKI-to-Router port is 323 (RFC 6810); 43779 was the port commonly used by early cache implementations.
![Page 78: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/78.jpg)
How does it look in the BGP Table

```
r0.sea#sh ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
* i I198.180.150.0    144.232.9.61                100      0 1239 3927 i
*>  I                 199.238.113.9                        0 2914 3927 i
*   I                 129.250.11.41                        0 2914 3927 i
*>  V198.180.152.0    199.238.113.9                        0 2914 4128 i
*   V                 129.250.11.41                        0 2914 4128 i
*>  N198.180.155.0    199.238.113.9                        0 2914 22773 i
*   N                 129.250.11.41                        0 2914 22773 i
*>  N198.180.160.0    199.238.113.9                        0 2914 23308 13408 5752 i
*   N                 129.250.11.41                        0 2914 23308 13408 5752 i
```

The letter in front of the network is the RPKI validation state of that path: V = valid, I = invalid, N = not found. Source: RPKI Lab – Randy Bush.
![Page 79: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/79.jpg)
Member Services Helpdesk
• One point of contact for all member enquiries
• Online chat services
• More personalised service
  – Range of languages: Bahasa Indonesia, Bengali, Cantonese, English, Hindi, Mandarin, Thai, etc.
• Faster response and resolution of queries
  – IP resource applications, status of requests, obtaining help in completing application forms, membership enquiries, billing issues & database enquiries
Helpdesk hours 9:00 am - 9:00 pm (AU EST, UTC + 10 hrs)
ph: +61 7 3858 3188 fax: +61 7 3858 3199
![Page 80: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/80.jpg)
![Page 81: Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]](https://reader035.vdocuments.site/reader035/viewer/2022081508/5562eb2fd8b42a38778b5131/html5/thumbnails/81.jpg)
Thank You