Resource Public Key Infrastructure (RPKI)
TRANSCRIPT
RPKI: Resource Public Key Infrastructure
Purpose of RPKI
• Does RPKI replace the IRR, or live side by side with it? Side by side: each has different advantages.
• RPKI offers security, near-real-time updates and a simple interface.
• Purpose of RPKI: is that ASN authorized to originate that address range?
AS Path
[Figure: AS65551 says "I have 2001:DB8::/32"; a router sees the route 2001:DB8::/32 with AS path "65551 65550 65549 i", marked VALID. AS65536 also says "I have 2001:DB8::/32", and that route is seen with AS path "65552 65536 i", marked INVALID. A packet sent to 2001:DB8::1 follows whichever announcement the router selects. Other ASes in the diagram: 65549, 65550, 65552, 65553.]
RPKI Deployment
• Phase 1: Origin Validation
• Phase 2: Path Validation
[Figure: the same topology (AS65549, AS65550, AS65551, AS65552); an AS announces "I have 2001:DB8::/32" and a packet is sent to 2001:DB8::1.]
Internet Registry (IR) / RIR
• Maintains Internet resources such as IP addresses and ASNs, and publishes the registration information
  • Allocations for Local Internet Registries
  • Assignments for end-users
• APNIC is the Regional Internet Registry (RIR) in the Asia Pacific region
• National Internet Registries (NIRs) exist in several economies
TheEco-System
Goals of RPKI
• Able to authoritatively prove who holds an IP prefix and what AS(es) may announce it
• Reducing routing leaks
• Attaching digital certificates to network resources (AS numbers and IP addresses)
• Prefix ownership follows the allocation hierarchy: IANA, RIRs, ISPs, …
Advantages of RPKI
• Usable toolset
  • No installation required
  • Easy to configure manual overrides
• Tight integration with routers
  • Supported routers are aware of RPKI validity states
• Stepping stone for AS-path validation
• Prevents attacks on BGP
RPKI Implementation
• Two RPKI implementation types:
  • Delegated: each participating node becomes a CA and runs its own RPKI repository, delegated by the parent CA.
  • Hosted: the RIR runs the CA functionality for interested participants.
Two Components
• Certificate Authority (CA)
  • Internet Registries (RIR, NIR, large LIR)
  • Issue certificates for customers
  • Allow customers to use the CA's GUI to issue ROAs for their prefixes
• Relying Party (RP)
  • Software which gathers data from CAs
Issuing Party
• Internet Registries (RIR, NIR, large LIRs)
  • Act as a Certificate Authority and issue certificates for customers
  • Provide a web interface to issue ROAs for customer prefixes
  • Publish the ROA records
APNIC RPKI Engine
[Figure: the MyAPNIC GUI drives the APNIC RPKI engine at rpki.apnic.net, which publishes certificates and ROAs to the Repository; Relying Parties (RPs) fetch from that repository.]

Relying Party (RP)
• Software which gathers data from CAs; also called RP cache or validator
[Figure: the RP cache gathers objects from the repositories (IANA repo; APNIC repo at rpki.apnic.net; RIPE repo at rpki.ripe.net; LIR repos), builds a validated cache, and feeds routers over the RPKI-Rtr protocol.]
RPKI Building Blocks
1. Trust Anchors (RIRs)
2. Route Origination Authorizations (ROA)
3. Validators
1. PKI & Trust Anchors
Public Key Concept
• Private key: this key must be known only by its owner.
• Public key: this key is known to everyone (it is public).
• Relation between both keys: what one key encrypts, the other one decrypts, and vice versa. If you encrypt something with my public key (which you know, because it is public), I need my private key to decrypt the message. RPKI uses the other direction: the resource holder signs an object with its private key, and anyone who has the public key can verify that signature.
• Same principle as HTTP with SSL/TLS, a.k.a. HTTPS.
RPKI Profile
Certificates are X.509 certificates that conform to the PKIX profile [RFC 5280]. They also contain an extension field that lists a collection of IP resources (IPv4 addresses, IPv6 addresses and AS numbers) [RFC 3779]. The RPKI-specific certificate profile is RFC 6487.
X.509 Certificate with RFC 3779 Extension
[Figure: an RPKI X.509 certificate. The RFC 3779 extension describes the IP resources (addresses and ASNs); the SIA (Subject Information Access) holds the URI where this CA publishes; the certificate carries the owner's public key and is signed by the parent's private key.]

Trust Anchor
[Figure: resource allocation hierarchy, IANA -> AFRINIC, RIPE NCC, ARIN, APNIC, LACNIC -> NIRs -> ISPs. The trust anchor certificate sits at the top, and the issued certificates match the allocation actions at each level.]
Source: http://isoc.org/wp/ietfjournal/?p=2438
RPKI Chain of Trust
• The RIRs hold a self-signed root certificate for all the resources that they have in the registry; they are the trust anchor for the system.
• That root certificate is used to sign a certificate that lists your resources.
• You can issue child certificates for those resources to your customers when making assignments or sub-allocations.
2. ROA: Route Origin Authorizations
Route Origination Authorizations (ROA)
• A ROA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block.
• With a ROA, the resource holder is attesting that the origin AS number is authorized to announce the prefix(es). The attestation can be verified cryptographically using RPKI.

Route Origination Authorizations (ROA)
• A ROA contains:
  • The prefix(es) that may be announced; the prefix length is the minimum length that may be announced
  • A maximum prefix length (maxLength); more specifics up to this length are also authorized
  • An expiry date (the validity period of the end-entity certificate embedded in the ROA)
  • The origin ASN that is allowed to announce the prefix(es)
• Multiple ROAs can exist for the same prefix
• ROAs can overlap
3. Validators
Origin Validation
• The router gets ROA information from the RPKI cache
• The cryptographic RPKI verification is done by the RPKI cache, not by the router
• The BGP process checks each announcement against the ROA information and labels the prefix
[Figure: validated RPKI cache -> RPKI-to-RTR protocol -> router]

Result of Check
• Valid: the prefix and origin AS pair are found in the database (a covering ROA names that origin AS and the announced prefix length does not exceed its maximum length).
• Invalid: the prefix is found (covered by a ROA), but either the origin AS received from the EBGP peer is not the AS that appears in the database, or the prefix length in the BGP update message is longer than the maximum length permitted in the database.
• Not Found / Unknown: the prefix is not among the prefixes or prefix ranges in the database (no covering ROA at all).
Preference order: Valid > Unknown > Invalid
ROA Example
Prefix: 10.0.0.0/16, ASN: 65420

ROA: Origin AS 65420, Prefix 10.0.0.0/16, MaxLength /18

  Result    Origin AS   Announced prefix
  VALID     AS65420     10.0.0.0/16
  VALID     AS65420     10.0.128.0/17
  INVALID   AS65421     10.0.0.0/16
  INVALID   AS65420     10.0.10.0/24
  UNKNOWN   AS65430     10.0.0.0/8
Local Policy
• You can define your policy based on the outcomes:
  • Do nothing
  • Just logging
  • Label with BGP communities
  • Modify preference values
  • Reject the announcement
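To make the Result of Check rules, the ROA Example table and the local-policy step concrete, here is an added example of the RFC 6811 origin validation procedure in Python. It is written for this page and is not code from the APNIC slides or from any router or validator. The ROA for 10.0.0.0/16 with maxLength /18 is the one from the table; the second, overlapping ROA for AS65421 and the local-preference values in the policy table are assumptions made up for the example.

```python
"""RFC 6811 route origin validation and local policy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload (VRP) as the cache hands it to the router."""
    origin_asn: int
    prefix: str
    max_length: int


# Constructed ROA set. The first entry is the ROA from the ROA Example slide;
# the second is an assumed, overlapping ROA to show that ROAs can overlap.
ROAS = [
    ROA(origin_asn=65420, prefix="10.0.0.0/16", max_length=18),
    ROA(origin_asn=65421, prefix="10.0.10.0/24", max_length=24),
]


def validate(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one BGP announcement.

    RFC 6811: a ROA *covers* the route if its prefix is equal to or less
    specific than the announced prefix; it *matches* if, in addition, the
    origin AS equals the ROA's AS and the announced length is <= maxLength.
    No covering ROA -> NotFound; covering ROA(s) but no match -> Invalid.
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version:
            continue
        if roa_net.prefixlen <= route.prefixlen and route.subnet_of(roa_net):
            covered = True
            if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
                return "valid"
    return "invalid" if covered else "notfound"


# Assumed local policy following the slide's preference Valid > Unknown > Invalid:
# valid gets the highest local preference, NotFound is accepted but logged,
# Invalid is rejected. Operators who only want to tag would set accept=True.
POLICY = {
    "valid":    {"accept": True,  "local_pref": 110, "log": False},
    "notfound": {"accept": True,  "local_pref": 100, "log": True},
    "invalid":  {"accept": False, "local_pref": None, "log": True},
}


def apply_policy(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> dict:
    """Validate the announcement, then return the routing decision for it."""
    state = validate(announced_prefix, origin_asn, roas)
    decision = dict(POLICY[state])
    decision["state"] = state
    return decision


if __name__ == "__main__":
    for prefix, asn in [("10.0.0.0/16", 65420), ("10.0.128.0/17", 65420),
                        ("10.0.0.0/16", 65421), ("10.0.10.0/24", 65420),
                        ("10.0.10.0/24", 65421), ("10.0.0.0/8", 65430)]:
        print(f"AS{asn} {prefix:16} -> {apply_policy(prefix, asn, ROAS)}")
```

Note the empty-cache case: with no VRPs at all (the state a router ends up in once an RTR session has been down long enough for its cache to expire) every route validates as NotFound, which is why a policy that rejects Invalid must not also reject NotFound.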
In summary
• As an announcer / LIR:
  • You choose if you want certification
  • You choose if you want to create ROAs
  • You choose the AS and the max length
• As a Relying Party:
  • You can choose whether you use the validator
  • You can override the list of valid ROAs in the cache, adding or removing valid ROAs locally
  • You can choose to make any routing decisions based on the results of the BGP verification (valid/invalid/unknown)
RPKI Caveats
• When the RTR session goes down, the RPKI status becomes Not Found for all BGP routes after a while (once the cached data expires): Invalid => Not Found. You need several RTR sessions (to different caches), or a filtering policy written with this failure mode in mind.
• In case of a router reload, which arrives first: the ROAs or the BGP routes? If the BGP routes arrive faster than the ROAs, the router propagates invalid routes to others until the cache has been loaded. Put the cache validator within your IGP scope so that the RTR session is reachable as early as possible.
RPKI Further Reading
• RFC 5280: X.509 PKI Certificates
• RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers
• RFC 6481-6493: Resource Public Key Infrastructure
RPKI Configuration
• Resources:
  • AS: 131107 [APNICTRAINING-DC]
  • IPv4: 202.125.96.0/24
  • IPv6: 2001:df2:ee00::/48
• Process:
  • Create ROA
  • Set up cache validation server
  • Validate the ROA
Implementation Scenario
[Figure: the RPKI Cache Validator fetches from the Trust Anchors / repositories (located via DNS) over {rsync}, feeds the ASBR over {rtr}, and the ASBR exchanges routes with the upstream over {bgp4}.]
• {bgp4}: routers validate updates from other BGP peers
• {rtr}: caches feed routers with ROA information using the RTR protocol
• {rsync}: caches retrieve and cryptographically validate certificates & ROAs from repositories
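The {rtr} leg of the scenario is the RPKI-to-Router protocol (RFC 6810), the same protocol named on the Origin Validation and Relying Party figures. The following is an added example, written for this page rather than taken from the APNIC slides or from any cache or router implementation: it encodes the cache side of a Cache Response (IPv4/IPv6 Prefix PDUs followed by End Of Data) and decodes it on the router side into the validated cache that origin validation uses, including withdrawals and a session-ID check. The session ID and serial numbers are sample values, and the two prefixes are the training resources from the configuration slide; a real cache speaks this over TCP (IANA port 323) or over SSH/TLS, which this example does not open.

```python
"""RPKI-to-Router (RTR, RFC 6810 version 0) PDU encoding and decoding (added example)."""
import ipaddress
import struct
from typing import Optional, Set, Tuple

RTR_VERSION = 0            # RFC 6810
PDU_RESET_QUERY = 2
PDU_CACHE_RESPONSE = 3
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
PDU_END_OF_DATA = 7
PDU_CACHE_RESET = 8
FLAG_ANNOUNCE = 0x01       # flags bit 0: 1 = announce, 0 = withdraw

VRP = Tuple[str, int, int]  # (prefix, max_length, origin_asn)


def _header(pdu_type: int, session_id: int, length: int) -> bytes:
    """8-byte common header: version, type, session id (or zero), total length."""
    return struct.pack("!BBHI", RTR_VERSION, pdu_type, session_id, length)


# ---- cache side -----------------------------------------------------------
def encode_reset_query() -> bytes:
    return _header(PDU_RESET_QUERY, 0, 8)


def encode_cache_response(session_id: int) -> bytes:
    return _header(PDU_CACHE_RESPONSE, session_id, 8)


def encode_prefix_pdu(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """IPv4 Prefix PDU (type 4, 20 bytes) or IPv6 Prefix PDU (type 6, 32 bytes)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("max_length must lie between the prefix length and the address size")
    flags = FLAG_ANNOUNCE if announce else 0
    body = (struct.pack("!BBBB", flags, net.prefixlen, max_length, 0)
            + net.network_address.packed + struct.pack("!I", asn))
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    return _header(pdu_type, 0, 8 + len(body)) + body


def encode_end_of_data(session_id: int, serial: int) -> bytes:
    return _header(PDU_END_OF_DATA, session_id, 12) + struct.pack("!I", serial)


# ---- router side ----------------------------------------------------------
def iter_pdus(data: bytes):
    """Split a byte stream into (type, session_id, payload) triples, checking lengths."""
    off = 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated PDU header")
        version, pdu_type, session_id, length = struct.unpack_from("!BBHI", data, off)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < 8 or off + length > len(data):
            raise ValueError("PDU length field does not match the data")
        yield pdu_type, session_id, data[off + 8:off + length]
        off += length


def _decode_prefix(pdu_type: int, payload: bytes) -> Tuple[int, VRP]:
    flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", payload, 0)
    addr_len = 4 if pdu_type == PDU_IPV4_PREFIX else 16
    addr = ipaddress.ip_address(payload[4:4 + addr_len])
    (asn,) = struct.unpack_from("!I", payload, 4 + addr_len)
    return flags, (f"{addr}/{plen}", maxlen, asn)


def apply_cache_response(data: bytes, expected_session: int,
                         vrps: Optional[Set[VRP]] = None) -> Tuple[Set[VRP], Optional[int]]:
    """Apply one Cache Response ... End Of Data exchange to the local VRP set.

    Returns the updated VRP set and the serial from End Of Data. A session ID
    other than the negotiated one means the cache restarted and our incremental
    state is stale; RFC 6810 says to discard it and send a Reset Query, which
    this model signals by raising.
    """
    vrps = set(vrps) if vrps else set()
    serial = None
    for pdu_type, session_id, payload in iter_pdus(data):
        if pdu_type in (PDU_CACHE_RESPONSE, PDU_END_OF_DATA) and session_id != expected_session:
            raise ValueError("session ID mismatch: cache restarted, send Reset Query")
        if pdu_type in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            flags, vrp = _decode_prefix(pdu_type, payload)
            if flags & FLAG_ANNOUNCE:
                vrps.add(vrp)
            else:
                vrps.discard(vrp)
        elif pdu_type == PDU_END_OF_DATA:
            (serial,) = struct.unpack_from("!I", payload, 0)
        elif pdu_type == PDU_CACHE_RESET:
            vrps.clear()   # cache cannot serve our serial: start again from empty
    return vrps, serial


def demo() -> Tuple[Set[VRP], int, Set[VRP], int]:
    """Sample exchange (constructed): full load of the two training prefixes, then a withdrawal."""
    session = 0x1234
    full = (encode_cache_response(session)
            + encode_prefix_pdu("202.125.96.0/24", 24, 131107)
            + encode_prefix_pdu("2001:df2:ee00::/48", 48, 131107)
            + encode_end_of_data(session, 42))
    vrps, serial = apply_cache_response(full, session)
    update = (encode_cache_response(session)
              + encode_prefix_pdu("202.125.96.0/24", 24, 131107, announce=False)
              + encode_end_of_data(session, 43))
    vrps2, serial2 = apply_cache_response(update, session, vrps)
    return vrps, serial, vrps2, serial2


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The VRP tuples that come out of apply_cache_response are exactly what the router's BGP process matches announcements against; the serial number is what it sends back in its next Serial Query so the cache only has to ship the delta.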
Phase I - Publishing ROA
• Log in to your MyAPNIC portal (a valid certificate is required)
• Go to Resources > Certification tab
• It shows the available prefixes for which you can create a ROA
[Screenshots of the MyAPNIC certification pages not reproduced.]

Phase I - Check your ROA
# whois -h whois.bgpmon.net 2001:df2:ee00::/48
Prefix:              2001:df2:ee00::/48
Prefix description:  APNICTRAINING-DC
Country code:        AU
Origin AS:           131107
Origin AS Name:      ASN for APNICTRAINING LAB DC
RPKI status:         ROA validation successful
First seen:          2016-06-30
Last seen:           2017-01-03
Seen by #peers:      160

# whois -h whois.bgpmon.net " --roa 131107 2001:df2:ee00::/48"
0 - Valid
------------------------
ROA Details
------------------------
Origin ASN:        AS131107
Not valid Before:  2016-09-07 02:10:04
Not valid After:   2020-07-30 00:00:00  Expires in 3y208d1h39m28.7999999821186s
Trust Anchor:      rpki.apnic.net
Prefixes:          2001:df2:ee00::/48 (max length /48)
                   202.125.96.0/24 (max length /24)
Phase II - RPKI Validator
• Two options:
  A. RIPE NCC RPKI Validator
     https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources
  B. Dragon Research Labs RPKI Toolkit
     https://github.com/dragonresearch/rpki.net
Phase II - RPKI Validator
A. RIPE NCC RPKI Validator
• Download the RPKI Validator
  http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources
• Installation
  # tar -zxvf rpki-validator-app-2.21-dist.tar.gz
  # cd rpki-validator-app-2.21
  # ./rpki-validator.sh start
• http://rpki-validator.apnictraining.net:8080/
Phase II - RPKI Validator
B. Dragon Research Labs RPKI Toolkit
• Installation process on Ubuntu Xenial 16.04
  https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-rp.md
• Installation
  # wget -q -O /etc/apt/sources.list.d/rpki.list https://download.rpki.net/APTng/rpki.xenial.list
  # wget -q -O /etc/apt/trusted.gpg.d/rpki.asc https://download.rpki.net/APTng/apt-gpg-key.asc
  # apt update
  # apt install rpki-rp
• http://rpki-dragonresearch.apnictraining.net/rcynic/
Phase III - Router Configuration
• JunOS: http://pastebin.com/50bmnv9F
• IOS: http://pastebin.com/p30nWu0R
• GoBGP: http://pastebin.com/DwQbdq7A
Check your prefix
• Junos
rpki-junos> show route protocol bgp 202.125.96.46/24

202.125.96.0/24    *[BGP/170] 3w5d 16:57:33, MED 0, localpref 110
                      AS path: 3333 4608 131107 I, validation-state: verified
                    > to 193.0.19.254 via xe-1/3/0.0

• IOS
rpki-ios> show ip bgp 202.125.96.0/24
BGP routing table entry for 202.125.96.0/24, version 70470025
Paths: (2 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  3333 1273 4637 1221 4608 131107
    193.0.19.254 from 193.0.3.5 (193.0.0.56)
      Origin IGP, localpref 110, valid, external
      Community: 83449328 83450313
      path 287058B8 RPKI State valid

• GoBGP
fakrul@gobgp:~$ gobgp global rib 202.125.96.0/24
    Network             Next Hop        AS_PATH                 Age       Attrs
V*> 202.125.96.0/24     202.12.29.113   4608 1221 4826 131107   00:13:29  [{Origin: i} {Med: 0} {LocalPref: 110} {Communities: 4608:11101}]
Commands

  Purpose                                    JunOS                            IOS                                  GoBGP
  Check session status of cache validator    show validation session detail   show bgp ipv4 unicast rpki servers   gobgp rpki server
  Full validation database                   show validation database         show bgp ipv4 unicast rpki table     gobgp rpki table
!Caution!

Testbed
• Cisco (hosted by the RIPE NCC)
  • Public Cisco router: rpki-rtr.ripe.net
  • Telnet username: ripe / no password
• Juniper (hosted by Kaia Global Networks)
  • Public Juniper routers: 193.34.50.25, 193.34.50.26
  • Telnet username: rpki / password: testbed
Configuration - Reference Links
• Cisco: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp3677719851
• Juniper: http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html

www.apnic.net/roa
Thanks