Internet Routing Registry & RPKI Tutorial
Nurul Islam Roman, APNIC

Objectives
• To provide an introduction to the APNIC Routing Registry
  – Explain concepts of the global RR
  – Outline the benefits of the APNIC Routing Registry
  – Discuss Routing Policy Specification Language (RPSL)
• New initiative: RPKI

Overview
• What is IRR?
• Whois DB recap
• APNIC database and the IRR
• Using the Routing Registry
• Using RPSL in practice
• Benefits of using IRR

What is IRR?

Prefix Advertisement to the Internet
• Ingress prefix from downstream:
  – Option 1: Customer single-homed, non-portable prefix
    • Customer is not an APNIC member; prefix received from the upstream ISP
  – Option 2: Customer single-homed, portable prefix
    • Customer is an APNIC member; receives an allocation as a service provider but has no AS number yet
  – Option 3: Customer multihomed, non-portable prefix
    • Customer is not an APNIC member; both prefix and ASN received from the upstream ISP
  – Option 4: Customer multihomed, portable prefix
    • Customer is an APNIC member; both prefix and ASN received from APNIC

Prefix Filtering BCP [Single home]
• Option 1: Customer single-homed, non-portable prefix (diagram)
  – Upstream ISP: prefix 3fff:ffff::/32, AS17821; static route for 3fff:ffff:dcdc::/48 to the customer WAN interface; no LoA check of the customer prefix; no BGP with the customer
  – Downstream customer: prefix 3fff:ffff:dcdc::/48; static default route to the ISP WAN interface

Prefix Filtering BCP [Single home]
• Option 2: Customer single-homed, portable prefix (diagram)
  – Upstream ISP: prefix 3fff:ffff::/32, AS17821; static route for 2001:0DB8::/32 to the customer WAN interface; BGP "network 2001:0DB8::/32" originated as AS17821 (i); checks the LoA for the customer prefix; no BGP with the customer
  – Downstream customer: prefix 2001:0DB8::/32; static default route to the ISP WAN interface; static route 2001:0DB8::/32 to null0 (discard route for the aggregate)

Prefix Filtering [Multihome]
• Option 3: Customer multihomed, non-portable prefix (diagram)
  – Customer: AS64500, prefix 3fff:ffff:dcdc::/48 (assigned out of AS17821's 3fff:ffff::/32); eBGP peering with both ISPs over the WAN interfaces; BGP "network 3fff:ffff:dcdc::/48" originated as AS64500 (i), or aggregate-address from the gateway router
  – AS17821 (the ISP that assigned the prefix): eBGP peering with the customer WAN interface; no LoA check of the customer prefix; this upstream cannot change
  – AS131107 (the other ISP): checks the LoA for the customer prefix, either manually (e-mail to tech-c) or automatically (route object or RPKI); nearly the same filter requirement as the other ISP; this upstream can change

Prefix Filtering [Multihome]
• Option 4: Customer multihomed, portable prefix (diagram)
  – Customer: AS64500, prefix 2001:0DB8::/32; eBGP peering with both ISPs over the WAN interfaces; BGP "network 2001:0DB8::/32" originated as AS64500 (i), or aggregate-address from the gateway router
  – Both ISPs (AS131107 and AS17821): check the LoA for the customer prefix, either manually (e-mail to tech-c) or automatically (route object or RPKI); nearly the same filter requirement for both; either upstream can change

What is a Routing Registry?
• A repository (database) of Internet routing policy information
• Autonomous Systems exchange routing information via BGP
• Exterior routing decisions are based on policy rules
• However, BGP does not provide a mechanism to publish or communicate the policies themselves
• The RR provides this functionality
• Routing policy information is expressed in a series of objects
• Goal: stability and consistency of routing
• Network operators share information

What is a Routing Registry?
The IRR is a collection of registries that mirror each other: IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
Registries shown in the diagram: ARIN, ArcStar, FGC, Verio, Bconnex, Optus, Telstra, RIPE, CW, RADB, APNIC, Connect, …

What is Routing Policy?
• Description of the routing relationship between autonomous systems
  – Who are my BGP peers?
    • Customers, peers, upstreams
  – What routes are:
    • Originated by each neighbour?
    • Imported from each neighbour?
    • Exported to each neighbour?
    • Preferred when multiple routes exist?
  – What to do if no route exists?
  – What routes to aggregate?

Representation of Routing Policy (diagram: NET1 in AS1, NET2 in AS2)
In order for traffic to flow from NET2 to NET1 between AS1 and AS2:
• AS1 has to announce NET1 to AS2 via BGP
• AS2 has to accept this information and use it
Resulting in packet flow from NET2 to NET1

Representation of Routing Policy
In order for traffic to flow from NET1 to NET2:
• AS2 must announce NET2 to AS1
• AS1 has to accept this information and use it
Resulting in packet flow from NET1 to NET2

RPSL
• Routing Policy Specification Language
  – Object-oriented language
  – Based on RIPE-181; specified in RFC 2622
  – Structured whois objects
• Higher level of abstraction than access lists
• Describes things interesting to routing policy:
  – Routes, AS numbers, …
  – Relationships between BGP peers
  – Management responsibility
• Related documents: RFC 2725 (Routing Policy System Security), RFC 2650 (Using RPSL in Practice)

Routing Policy - Examples
Basic concept (AS1 peers with AS2). "action pref": the lower the value, the more preferred the route.

  aut-num: AS1
  …
  import:  from AS2 action pref=100; accept AS2
  export:  to AS2 announce AS1

  aut-num: AS2
  …
  import:  from AS1 action pref=100; accept AS1
  export:  to AS1 announce AS2

Routing Policy - Examples
More complex example (diagram: AS123, AS4, AS5, AS10)
• AS4 gives transit to AS5 and AS10
• AS4 gives local routes to AS123

Routing Policy - Examples

  aut-num: AS4
  import:  from AS123 action pref=100; accept AS123
  import:  from AS5   action pref=100; accept AS5
  import:  from AS10  action pref=100; accept AS10
  export:  to AS123 announce AS4
  export:  to AS5   announce AS4 AS10
  export:  to AS10  announce AS4 AS5

AS5 and AS10 reach each other only through AS4; AS123 is announced AS4 alone, so it gets no path to AS5 or AS10.

Routing Policy - Examples
More complex example (diagram: AS123, AS4, AS6)
• AS4 and AS6: private link 1
• AS4 and AS123: main transit link 2 (transit traffic over link 2)
• AS6 and AS123: link 3
• Backup: all traffic over link 1 and link 3 in the event of link 2 failure

Routing Policy - Examples
AS representation:

  aut-num: AS4
  import:  from AS123 action pref=100; accept ANY     (full routing received)
  import:  from AS6   action pref=50;  accept AS6
  import:  from AS6   action pref=200; accept ANY     (higher cost for the backup route)
  export:  to AS6   announce AS4
  export:  to AS123 announce AS4

Whois Database Recap

APNIC Database
• Public network management database
  – APNIC whois database contains:
    • Internet resource information and contact details
  – APNIC Routing Registry (RR) contains:
    • Routing information
• APNIC RR is part of the IRR
  – Distributed databases that mirror each other

Database Object
• An object is a set of attributes and values
• Each attribute of an object …
  – Has a value
  – Has a specific syntax
  – Is mandatory or optional
  – Is single- or multi-valued
• Some attributes …
  – Are primary (unique) keys
  – Are lookup keys for queries
  – Are inverse keys for queries
• Object "templates" illustrate this structure

Person Object Example
Person objects contain contact information (attribute: value):

  person:   Test Person
  address:  Example.Net Service Provider
  address:  2 Pandora St Boxville
  address:  Wallis and Futuna Islands
  country:  TC
  phone:    +680-368-0844
  fax-no:   +680-367-1797
  e-mail:   tperson@example.com
  nic-hdl:  TP17-AP
  mnt-by:   MAINT-ENET-TC
  changed:  tperson@example.com 20090731
  source:   APNIC

Database Queries
Flags used for inetnum queries:
  (none)   find exact match
  -l       find one level less specific matches
  -L       find all less specific matches
  -m       find first level more specific matches
  -M       find all more specific matches
  -x       find exact match only (if no match, nothing)
  -d       enables use of flags for reverse domains
  -r       turn off recursive lookups

Database Protection
• Authorisation
  – "mnt-by" references a mntner object
    • Can be found in all database objects
    • "mnt-by" should be used with every object!
• Authentication
  – Updates to an object must pass the authentication rule specified by its maintainer object

Prerequisites for Updating Objects
• Create person objects for contacts
  – To provide contact info in other objects
• Create a mntner object
  – To provide protection of objects
  – Protect your person object

APNIC Database and the IRR

APNIC Database & the IRR
• APNIC whois database: two databases in one
  – Public Network Management Database
    • "whois" info about networks and contact persons
    • IP addresses, AS numbers, etc.
  – Routing Registry: contains routing information
    • Routing policy, routes, filters, peers, etc.
• APNIC RR is part of the global IRR

Integration of Whois and IRR
• Integrated APNIC Whois Database & Internet Routing Registry
  – APNIC Whois: Internet resources (IP, ASNs, reverse domains, contacts, maintainers, etc.)
    • Objects: inetnum, aut-num, domain, person, role, mntner
  – IRR: routing information (routes, routing policy, filters, peers, etc.)
    • Objects: route, aut-num, as-set, inet-rtr, peering-set, etc.

Inter-related IRR Objects (diagram)

  aut-num:  AS1
  …
  tech-c:   KX17-AP
  mnt-by:   MAINT-EX

  route:    202.0.16/24
  origin:   AS1
  …
  mnt-by:   MAINT-EX

  inetnum:  202.0.16.0 - 202.0.16.255
  …
  tech-c:   KX17-AP
  mnt-by:   MAINT-EX

  person:   …
  nic-hdl:  KX17-AP

  mntner:   MAINT-EX

The aut-num, route and inetnum objects all reference the same contact (KX17-AP) and the same maintainer (MAINT-EX).

Inter-related IRR Objects (diagram)

  route-set: AS2:RS-routes
  members:   218.2/20, 202.0.16/20

  as-set:    AS1:AS-customers
  members:   AS10, AS11, AS2

  route:     218.2/20          route:     202.0.16/20
  origin:    AS2               origin:    AS2

  inetnum:   218.2.0.0 - 218.2.15.255
  inetnum:   202.0.16.0 - 202.0.31.255

  aut-num:   AS10   aut-num:   AS11   aut-num:   AS2

Hierarchical Authorisation
• mnt-routes
  – Authenticates creation of route objects
    • Creation of route objects must pass the authentication of the mntner referenced in the mnt-routes attribute
  – Format: mnt-routes: <mntner>
  – Found in: inetnum, aut-num, route

Authorisation Mechanism

  inetnum:     202.137.181.0 - 202.137.196.255
  netname:     SPARKYNET-TC
  descr:       SparkyNet Service Provider
  …
  mnt-by:      APNIC-HM
  mnt-lower:   MAINT-SPARKYNET1-TC
  mnt-routes:  MAINT-SPARKYNET2-TC

• mnt-by: this object can only be modified by APNIC
• mnt-lower: creation of more specific objects within this range has to pass the authentication of MAINT-SPARKYNET1-TC
• mnt-routes: creation of route objects matching or within this range has to pass the authentication of MAINT-SPARKYNET2-TC

Creating Route Objects
• Multiple authentication checks:
  – The originating ASN (aut-num)
    • The mntner in mnt-routes is checked
    • If there is no mnt-routes, mnt-lower is checked
    • If there is no mnt-lower, mnt-by is checked
  – AND the address space (the inetnum, or an exact-match or less-specific route)
    • Same order: mnt-routes, then mnt-lower, then mnt-by
  – AND the route object's own maintainer
    • The mntner in the route object's mnt-by attribute

Creating Route Objects (diagram)

  route:       202.137.240/20
  origin:      AS1

  aut-num:     AS1
  mnt-routes:  MAINT-WF-EXNET

  inetnum:     202.137.240.0 - 202.137.255.255
  mnt-routes:  MAINT-WF-EXNET

  mntner:      MAINT-WF-EXNET
  auth:        CRYPT-PW klsdfji9234

1. Create the route object and submit it to the APNIC RR database
2. The DB checks the aut-num object corresponding to the ASN in the route object
3. Route object creation must pass the auth of the mntner specified in the aut-num's mnt-routes attribute
4. The DB checks the inetnum object matching or encompassing the IP range in the route object
5. Route object creation must pass the auth of the mntner specified in the inetnum's mnt-routes attribute
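The five steps above, and the mnt-routes / mnt-lower / mnt-by fallback from the previous slide, as an added worked example (this is illustrative code, not APNIC's database software). Every object, maintainer name and credential is constructed; the "pw:..." credential format stands in for the real CRYPT-PW / MD5-PW / PGPKEY schemes.

```python
"""
Added example, not from the APNIC slides: a model of the checks the APNIC
Routing Registry applies before it accepts a new route object, following the
order described on the slide. Every object, maintainer name and credential
below is constructed for illustration; the credential format ("pw:...") is a
simplification of the real auth schemes (CRYPT-PW, MD5-PW, PGPKEY).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Mntner:
    name: str
    auth: set  # credentials accepted by this maintainer


@dataclass
class RegistryObject:
    """The three maintainer attributes that matter for route creation."""
    mnt_by: list
    mnt_lower: list = field(default_factory=list)
    mnt_routes: list = field(default_factory=list)

    def route_maintainers(self):
        """mnt-routes if present, else mnt-lower, else mnt-by (the slide's fallback order)."""
        return self.mnt_routes or self.mnt_lower or self.mnt_by


def find_covering_inetnum(inetnums, prefix):
    """Most specific inetnum whose range exactly matches or encompasses the prefix, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    lo, hi = int(net[0]), int(net[-1])
    covering = []
    for start, end, obj in inetnums:
        s, e = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        if s <= lo and hi <= e:
            covering.append((e - s, obj))
    if not covering:
        return None
    return min(covering, key=lambda item: item[0])[1]


def authorise_route(prefix, origin, route_mnt_by, credentials, autnums, inetnums, mntners):
    """Return (accepted, log). All three checks must pass; any one listed mntner may satisfy a check."""
    log = []

    def passes(mnt_names, what):
        for name in mnt_names:
            m = mntners.get(name)
            if m is not None and m.auth & credentials:
                log.append(f"{what}: authorised by {name}")
                return True
        log.append(f"{what}: no supplied credential matched {mnt_names}")
        return False

    autnum = autnums.get(origin)
    if autnum is None:
        return False, [f"aut-num {origin} does not exist"]
    ok = passes(autnum.route_maintainers(), f"aut-num {origin}")

    inetnum = find_covering_inetnum(inetnums, prefix)
    if inetnum is None:
        return False, log + [f"no inetnum covers {prefix}"]
    ok = passes(inetnum.route_maintainers(), f"inetnum covering {prefix}") and ok

    ok = passes(route_mnt_by, "route object mnt-by") and ok
    return ok, log


# Constructed registry contents, modelled on the slide's example.
MNTNERS = {
    "MAINT-WF-EXNET": Mntner("MAINT-WF-EXNET", {"pw:exnet-secret"}),
    "APNIC-HM": Mntner("APNIC-HM", {"pw:hostmaster-only"}),
}
AUTNUMS = {
    "AS1": RegistryObject(mnt_by=["MAINT-WF-EXNET"], mnt_routes=["MAINT-WF-EXNET"]),
}
INETNUMS = [
    # (start, end, object): the customer's allocation, with route creation delegated via mnt-routes
    ("202.137.240.0", "202.137.255.255",
     RegistryObject(mnt_by=["APNIC-HM"], mnt_lower=["MAINT-WF-EXNET"], mnt_routes=["MAINT-WF-EXNET"])),
    # the parent block, maintained by the hostmaster only (no mnt-lower / mnt-routes)
    ("202.137.0.0", "202.137.255.255", RegistryObject(mnt_by=["APNIC-HM"])),
]


def try_create(prefix, origin, credentials):
    """Submit a route object maintained by MAINT-WF-EXNET with the given credentials."""
    return authorise_route(prefix, origin, ["MAINT-WF-EXNET"], set(credentials),
                           AUTNUMS, INETNUMS, MNTNERS)


if __name__ == "__main__":
    for prefix, origin, creds in [
        ("202.137.240.0/20", "AS1", ["pw:exnet-secret"]),  # the slide's case: accepted
        ("202.137.240.0/20", "AS1", ["pw:wrong"]),         # wrong password: rejected
        ("202.137.1.0/24", "AS1", ["pw:exnet-secret"]),    # outside the delegated range: rejected
        ("202.137.240.0/20", "AS2", ["pw:exnet-secret"]),  # origin ASN not registered: rejected
    ]:
        ok, log = try_create(prefix, origin, creds)
        print(f"{prefix} origin {origin}: {'ACCEPTED' if ok else 'REJECTED'}")
        for line in log:
            print("   ", line)
```

The third case is the one worth noticing: the customer holds a valid password, but the most specific inetnum covering 202.137.1.0/24 is the parent block, which carries no mnt-routes or mnt-lower, so the check falls back to the hostmaster's mnt-by and the route object is refused.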

Using RPSL in practice

Overview
• Review examples of routing policy expression
  – Peering policies
  – Filtering policies
  – Backup connection
  – Multihoming policies

RPSL - review
• Purpose of RPSL
  – Allows specification of your routing configuration in the public IRR
  – Allows you to check the "consistency" of policies and announcements
  – Gives opportunities to consider the policies and configuration of others

Address Prefix Range Operators
  Operator  Meaning
  ^-        Exclusive more specifics of the address prefix. E.g. 128.9.0.0/16^- contains all more specifics of 128.9.0.0/16, excluding 128.9.0.0/16 itself
  ^+        Inclusive more specifics of the address prefix. E.g. 5.0.0.0/8^+ contains all more specifics of 5.0.0.0/8, including 5.0.0.0/8 itself

Address Prefix Range Operators (cont.)
  Operator  Meaning
  ^n        n = integer; all the length-n specifics of the address prefix. E.g. 30.0/8^16 contains all the more specifics of 30.0/8 that are of length 16, such as 30.9.0.0/16
  ^n-m      m = integer; all the length-n to length-m specifics of the address prefix. E.g. 30.0/8^24-32 contains all the more specifics of 30.0/8 with lengths 24 to 32, such as 30.9.9.96/28

AS-path Regular Expressions
• Regular expressions
  – A context-independent syntax that can represent a wide variety of character sets and character set orderings
  – These character sets are interpreted according to the current Open Group Base Specifications (IEEE)
• Can be used as a policy filter by enclosing the expression in "<" and ">"

Filter List - Regular Expressions
• Like Unix regular expressions:
  .      Match one character
  *      Match any number of the preceding expression
  +      Match at least one of the preceding expression
  ^      Beginning of line
  $      End of line
  \      Escape a regular expression character
  _      Beginning, end, white-space, brace
  |      Or
  ( )    Brackets to contain an expression
  [ ]    Brackets to contain number ranges
  Source: www.cisco.com

AS-path Regular Expressions
  Operator            Meaning
  <AS3>               Routes whose AS-path contains AS3
  <^AS1>              Routes whose AS-path starts with AS1
  <AS2$>              Routes whose AS-path ends with AS2
  <^AS1 AS2 AS3$>     Routes whose AS-path is exactly "1 2 3"
  <^AS1 .* AS2$>      AS-path starts with AS1 and ends with AS2, with any number of ASNs in between
  <^AS3+$>            AS-path consists of AS3 only, occurring one or more times: AS3 is the first member of the path and no other AS can be present after it (i.e. routes originated by AS3 itself, with prepending allowed)

AS-path Regular Expressions (cont.)
  Operator            Meaning
  <AS3|AS4>           Routes whose AS-path contains AS3 or AS4
  <AS3 AS4>           Routes whose AS-path contains AS3 immediately followed by AS4

Common Peering Policies (diagram: Internet, ISP/transit provider AS1, AS2, and AS2's customers AS3, AS4, AS5)
• Peering policies of an AS
  – Registered in an aut-num object

Common Peering Policies
• Policy for AS3 in the AS2 aut-num object

  aut-num:  AS2
  as-name:  SAMPLE-NET
  descr:    Sample AS
  import:   from AS1 accept ANY
  import:   from AS3 accept <^AS3+$>
  export:   to AS3 announce AS2
  export:   to AS1 announce AS2 AS3
  admin-c:  TP1-AP
  tech-c:   TP2-AP
  mnt-by:   MAINT-SAMPLE-AP
  changed:  sample@sample.net

Transit Provider Policies (diagram: Internet, ISP/transit provider AS1, AS2, and AS2's customers AS3, AS4, AS5)
• Peering policies of an AS
  – Registered in an aut-num object

ISP Customer – Transit Provider Policies
• Policy for AS3 and AS4 in the AS2 aut-num object

  aut-num:  AS2
  import:   from AS1 accept ANY
  import:   from AS3 accept <^AS3+$>
  import:   from AS4 accept <^AS4+$>
  export:   to AS3 announce ANY
  export:   to AS4 announce ANY
  export:   to AS1 announce AS2 AS3 AS4

AS-set Object
• Describes the customers of AS2

  as-set:   AS2:AS-CUSTOMERS
  members:  AS3, AS4
  changed:  sample@sample.net
  source:   APNIC

Aut-num Object Referring to an as-set Object

  aut-num:  AS2
  import:   from AS1 accept ANY
  import:   from AS2:AS-CUSTOMERS accept <^AS2:AS-CUSTOMERS+$>
  export:   to AS2:AS-CUSTOMERS announce ANY
  export:   to AS1 announce AS2:AS-CUSTOMERS

  aut-num:  AS1
  import:   from AS2 accept <^AS2+AS2:AS-CUSTOMERS+$>
  export:   …
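The AS-path filters from the operator tables and the aut-num objects above, evaluated against actual AS_PATHs, as an added example (not code from the slides or from IRRToolSet). The translation into a Python regular expression works over a token string in which every ASN is followed by a space, so AS3 can never match inside AS13 or AS35; as-set names are expanded from a dictionary the caller supplies, and the set contents in the demo are constructed. Nested sets, AS ranges and the RPSL ~ operator are not handled.

```python
"""
Added example, not from the APNIC slides: evaluate RPSL AS-path filters such as
<^AS3+$>, <^AS1 .* AS2$>, <AS3|AS4>, <AS3 AS4> and <^AS2:AS-CUSTOMERS+$>
against a BGP AS_PATH by compiling them into Python regular expressions over
"ASn " tokens. as-set contents come from a caller-supplied dictionary (the
demo's contents are constructed). Nested sets, AS ranges and ~ are not supported.
"""
import re

# RPSL as-path atoms; set names must be tried before plain ASNs.
_TOKEN = re.compile(
    r"AS\d+:AS-[A-Z0-9_-]+|AS-[A-Z0-9_-]+|AS\d+|\.\*|\.|[+*?|()^$]|\s+", re.IGNORECASE
)


def rpsl_aspath_to_regex(expr, as_sets=None):
    """Compile an RPSL <...> AS-path filter into a regex over 'ASn ' tokens."""
    as_sets = as_sets or {}
    body = expr.strip()
    if body.startswith("<") and body.endswith(">"):
        body = body[1:-1]
    out, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if m is None:
            raise ValueError(f"cannot parse AS-path filter near {body[pos:]!r}")
        tok, pos = m.group(0).upper(), m.end()
        if tok.isspace():
            continue                       # whitespace only separates atoms
        if tok == ".*":
            out.append(r"(?:AS\d+ )*")     # any number of ASNs
        elif tok == ".":
            out.append(r"(?:AS\d+ )")      # exactly one ASN
        elif ":AS-" in tok or tok.startswith("AS-"):
            members = as_sets.get(tok)     # members given as "AS3", "AS4", ...
            if not members:
                raise KeyError(f"unknown or empty as-set {tok}")
            out.append("(?:" + "|".join(f"{asn.upper()} " for asn in members) + ")")
        elif tok.startswith("AS"):
            out.append(f"(?:{tok} )")      # a single ASN atom
        else:
            out.append(tok)                # ^ $ + * ? | ( ) pass through unchanged
    return re.compile("".join(out))


def path_matches(expr, as_path, as_sets=None):
    """as_path is the AS_PATH as a list of ints, first element = the neighbour we heard it from."""
    text = "".join(f"AS{asn} " for asn in as_path)
    return rpsl_aspath_to_regex(expr, as_sets).search(text) is not None


if __name__ == "__main__":
    customers = {"AS2:AS-CUSTOMERS": ["AS3", "AS4"]}   # constructed as-set contents
    for expr, path in [
        ("<^AS3+$>", [3, 3]), ("<^AS3+$>", [3, 4]),
        ("<^AS1 .* AS2$>", [1, 7, 9, 2]), ("<AS3 AS4>", [3, 7, 4]),
        ("<^AS2+AS2:AS-CUSTOMERS+$>", [2, 2, 4]), ("<^AS2+AS2:AS-CUSTOMERS+$>", [2]),
    ]:
        verdict = "accept" if path_matches(expr, path, customers) else "reject"
        print(f"{expr:30} path {path}: {verdict}")
```

One consequence worth checking with the matcher: AS1's filter <^AS2+AS2:AS-CUSTOMERS+$> as written on the slide requires at least one customer ASN after AS2, so a route originated by AS2 itself (path "2") is rejected; <^AS2+(AS2:AS-CUSTOMERS+)?$> accepts both AS2's own routes and its customers' routes.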

Expressing Filtering Policy
• To limit the routes one accepts from a peer
  – To prevent improper use of unassigned address space
  – To prevent malicious use of another organisation's address space

Filtering Policy (diagram: Internet, AS2, AS3; 7.7.0.0/20 allocated to AS3 by the RIR)
• AS3 wants to announce part or all of 7.7.0.0/20 on the global Internet
• AS2 wants to be certain that it only accepts announcements from AS3 for address space that has been properly allocated to AS3

Aut-num Object with Filtering Policy

  aut-num:  AS2
  import:   from AS3 accept { 7.7.0.0/20^20-24 }
  …

For an ISP with a growing or changing customer base, this mechanism will not scale well; a route-set object can be used instead.
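The prefix range operators from the operator table (^-, ^+, ^n, ^n-m) and the { 7.7.0.0/20^20-24 } filter above, as an added example that evaluates a filter against announced prefixes and renders it as the Cisco "ip prefix-list" lines a tool such as RtConfig would generate (illustrative code, not from the slides or IRRToolSet). The prefix-list name and all test prefixes are constructed; RPSL shorthand such as 30.0/8 is accepted and padded to 30.0.0.0/8.

```python
"""
Added example, not from the APNIC slides: evaluate RPSL address-prefix range
operators (^-, ^+, ^n, ^n-m) and prefix-set filters such as
{ 7.7.0.0/20^20-24 }, and emit equivalent Cisco "ip prefix-list" entries.
The prefix-list name and the sample prefixes are constructed.
"""
import ipaddress
import re

_RANGE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:.]+)/(?P<len>\d+)"
    r"(?:\^(?P<op>-|\+|(?P<n>\d+)(?:-(?P<m>\d+))?))?$"
)


def _pad_ipv4(addr):
    """RPSL allows '30.0/8'; ipaddress does not, so pad missing octets with 0."""
    if ":" in addr:
        return addr
    parts = addr.split(".")
    return ".".join(parts + ["0"] * (4 - len(parts)))


def parse_range(item):
    """'30.0/8^24-32' -> (IPv4Network('30.0.0.0/8'), 24, 32): network plus allowed length interval."""
    m = _RANGE.match(item.strip())
    if m is None:
        raise ValueError(f"bad address prefix range {item!r}")
    net = ipaddress.ip_network(f"{_pad_ipv4(m['addr'])}/{m['len']}", strict=False)
    plen, maxbits, op = net.prefixlen, net.max_prefixlen, m["op"]
    if op is None:
        lo = hi = plen              # bare prefix: exact match only
    elif op == "-":
        lo, hi = plen + 1, maxbits  # ^- : more specifics, excluding the prefix itself
    elif op == "+":
        lo, hi = plen, maxbits      # ^+ : more specifics, including the prefix itself
    else:
        lo = int(m["n"])            # ^n or ^n-m
        hi = int(m["m"]) if m["m"] else lo
    if not plen <= lo <= hi <= maxbits:
        raise ValueError(f"length range {lo}-{hi} is not valid for {net}")
    return net, lo, hi


def parse_filter(text):
    """'{ 7.7.0.0/20^20-24, 10.0/8^- }' -> list of (network, lo, hi)."""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    return [parse_range(p) for p in body.split(",") if p.strip()]


def prefix_accepted(filter_text, prefix):
    """True if the announced prefix lies inside some range of the filter with an allowed length."""
    p = ipaddress.ip_network(prefix, strict=False)
    return any(
        p.version == net.version and net.supernet_of(p) and lo <= p.prefixlen <= hi
        for net, lo, hi in parse_filter(filter_text)
    )


def cisco_prefix_list(name, filter_text, seq_start=5, step=5):
    """Render the filter as Cisco prefix-list lines; ge/le carry the length interval."""
    lines = []
    for i, (net, lo, hi) in enumerate(parse_filter(filter_text)):
        entry = f"ip prefix-list {name} seq {seq_start + i * step} permit {net}"
        if lo > net.prefixlen:
            entry += f" ge {lo}"
        if hi > lo or lo > net.prefixlen:
            entry += f" le {hi}"
        lines.append(entry)
    return lines


if __name__ == "__main__":
    policy = "{ 7.7.0.0/20^20-24 }"
    for candidate in ["7.7.0.0/20", "7.7.8.0/22", "7.7.8.0/25", "7.7.0.0/16", "7.8.0.0/20"]:
        print(f"{candidate:14} {'accept' if prefix_accepted(policy, candidate) else 'reject'}")
    for line in cisco_prefix_list("AS3-IN", policy):
        print(line)
```

The two rejections a practitioner should expect are the /25 (longer than the ^20-24 upper bound, so a customer cannot leak arbitrary deaggregates) and the /16 (a less specific than the allocation is never matched, which is what stops a customer from announcing someone else's covering block).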

IRRToolSet
• Set of tools developed for using the Internet Routing Registry (IRR)
• Works with Internet routing policies
  – These policies are stored in the IRR in the Routing Policy Specification Language (RPSL)
• The goal of the IRRToolSet is to make routing information more convenient and useful for network engineers
  – Tools for automated router configuration
  – Routing policy analysis
  – On-going maintenance, etc.

IRRToolSet
• Download: ftp://ftp.isc.org/isc/IRRToolSet/
• Installation needs: lex, yacc and a C++ compiler

  root@bofh:~# wget ftp://ftp.isc.org/isc/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
  root@bofh:~# tar -zxvf irrtoolset-5.0.1.tar.gz
  root@bofh:~# cd irrtoolset-5.0.1
  root@bofh:~/irrtoolset-5.0.1# ./configure
  root@bofh:~/irrtoolset-5.0.1# make install

IRRToolSet
Querying the registry for the AS17821 policy that the tools will read:

  root@bofh:~# whois -h whois.apnic.net AS17821
  #####snipped######
  mp-import:  afi any.unicast {
                from AS-ANY accept ANY AND NOT RS-MARTIANS;
              } refine {
                from AS-ANY action pref = 50; accept community.contains(17821:50);
                from AS-ANY action pref = 30; accept community.contains(17821:70);
                from AS-ANY action pref = 10; accept community.contains(17821:90);
                from AS-ANY action pref = 0;  accept ANY;
              } refine afi ipv4.unicast {
  …

IRRToolSet, RPSL: RtConfig (cont.)
Cisco-specific directives:
  @RtConfig set cisco_map_name = <map-name>
  @RtConfig set cisco_map_first_no = <no>
  @RtConfig set cisco_map_increment_by = <no>
  @RtConfig set cisco_prefix_acl_no = <no>
  @RtConfig set cisco_aspath_acl_no = <no>
  @RtConfig set cisco_pktfilter_acl_no = <no>
  @RtConfig set cisco_community_acl_no = <no>
  @RtConfig set cisco_access_list_no = <no>
  @RtConfig set cisco_max_preference = <no>
  @RtConfig networks <ASN-1>
  @RtConfig inbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>

IRRToolSet, RPSL: RtConfig (cont.)
Junos-specific directives:
  @RtConfig set junos_policy_name = <policy-name>
  @RtConfig networks <ASN-1>

IRRToolSet, RPSL: RtConfig input file (provisioning)

  router bgp 17821
   neighbor 103.4.108.54 remote-as 131107
   neighbor 103.4.108.54 version 4
  !
  # X Communication Ltd
  @RtConfig set cisco_access_list_no = 500
  @RtConfig set cisco_map_name = "AS58715-IN"
  @RtConfig import AS131208 103.4.108.62 AS58715 103.4.108.61
  @RtConfig set cisco_access_list_no = 599
  @RtConfig set cisco_map_name = "ANY"
  @RtConfig export AS131208 103.4.108.62 AS58715
  !
  # xyz Ltd
  @RtConfig set cisco_access_list_no = 501
  @RtConfig set cisco_map_name = "AS58656-IN"
  @RtConfig import AS131208 103.4.108.94 AS58656 103.4.108.93
  @RtConfig set cisco_access_list_no = 599
  @RtConfig set cisco_map_name = "ANY"
  @RtConfig export AS131208 103.4.108.94 AS58656
  !
  end

Use of RPSL - RtConfig
• Part of IRRToolSet
• Reads policy from the IRR (aut-num, route and *-set objects) and generates router configuration
  – Vendor-specific: Cisco, Bay's BCC, Juniper's Junos and Gated/RSd
  – Creates route-maps and AS-path filters
  – Can also create ingress/egress filters

IRRToolSet, RPSL: Uploading Configuration
Various ways to upload the generated configuration:
  – SNMP write
  – NETCONF (XML based)
  – Automated script using expect

Why use IRR and RtConfig?
• Benefits of RtConfig
  – Avoid filter errors (typos)
  – Expertise is encoded in the tools that generate the policy rather than in the engineer configuring the peering session
  – Filters consistent with documented policy
    • (need to get the policy correct though: the router will faithfully enforce whatever the registry says)

New Initiative: RPKI

What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association between resource holders and their Internet resources
• Created to address the issues in RFC 4593, "Generic Threats to Routing Protocols"
• Helps to secure Internet routing by validating routes
  – Proof that prefix announcements are coming from the legitimate holder of the resource

Benefits of RPKI - Routing
• Similar objective to the IRR, but in a robust and scalable way
• Prevents route hijacking
  – A prefix originated by an AS without authorization
  – Reason: malicious intent
• Prevents mis-origination
  – A prefix that is mistakenly originated by an AS which does not own it
  – Also route leakage
  – Reason: configuration mistake / fat finger
• Caveat: origin validation checks only the origin AS; a leak or hijack that preserves the legitimate origin AS still passes, which is what BGPsec path validation (next slide) addresses

BGP Security (BGPsec)
• Extension to BGP that provides improved security for BGP routing
• An IETF Internet draft at the time of this tutorial (since published as RFC 8205)
• Implemented via a new optional non-transitive BGP path attribute that contains a digital signature
• Two things:
  – BGP prefix origin validation (using RPKI)
  – BGP path validation
• Similar efforts in the early days: the IDR working group, S-BGP

RPKI Infrastructure
• A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents
• Main components:
  – Certificate Authority (CA)
  – Relying Party (RP)
  – Routers with RPKI support

Issuing Party
• Internet registries (RIR, NIR, large LIRs)
• Acts as a Certificate Authority and issues certificates for customers
• Provides a web interface to issue ROAs for customer prefixes
• Publishes the ROA records
(Diagram: MyAPNIC GUI, APNIC RPKI engine, publication to the repository rpki.apnic.net)

Route Origin Authorization (ROA)
• A digital object that contains a list of address prefixes and one AS number
• It is an authority created by a prefix holder to authorize an AS number to originate one or more specific route advertisements
• Each prefix in a ROA may carry a maxLength: announcements more specific than that are Invalid even when they come from the authorized AS
• Publish a ROA using MyAPNIC

X.509 Certificate with RFC 3779 Extension
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779, which binds a list of resources (IP addresses, ASNs) to the subject of the certificate
• SIA – Subject Information Access; contains a URI that references the publication directory
(Diagram: X.509 certificate, RFC 3779 extension, SIA, owner's public key)

Relying Party (RP)

RPKI Components

Router Origin Validation
• The router must support RPKI
• It checks an RP cache / validator
• Validation returns 3 states:
  – Valid: an authorization is found for prefix X from origin ASN Y
  – Invalid: an authorization is found for prefix X but not from ASN Y (or the prefix is more specific than the ROA's maxLength)
  – Unknown (NotFound in RFC 6811): no authorization data is found
• Vendor support (at the time of this tutorial):
  – Cisco IOS – solid in 15.2
  – Cisco IOS XR – shipped in 4.3.2
  – Juniper – shipped in 12.2
  – Alcatel-Lucent – in development
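The three validation states above, together with the maxLength rule from the ROA slide, worked through as an added example (this is illustrative code following RFC 6811, not the slides' or any vendor's implementation). The VRPs and announcements are constructed from documentation prefixes and private ASNs; the inbound policy at the end is one common choice, not something the slides prescribe.

```python
"""
Added example, not from the APNIC slides: BGP Route Origin Validation as
specified in RFC 6811, run against a small list of VRPs (prefix, maxLength,
origin ASN) of the kind a relying-party cache derives from published ROAs.
The VRPs and announcements are constructed (documentation prefixes, private
ASNs). State names follow RFC 6811: the slide's "Unknown" is NotFound, and
the Cisco flags are V / I / N.
"""
import ipaddress
from collections import namedtuple

VRP = namedtuple("VRP", "prefix maxlen asn")

# Constructed VRPs, as a validator would export them from ROAs.
VRPS = [
    VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    VRP(ipaddress.ip_network("198.51.100.0/22"), 24, 64500),   # ROA with maxLength 24
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 0),          # AS0 ROA: nobody may originate this
]


def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 section 2: NotFound if no VRP covers the prefix; Valid if some covering VRP
    has the same ASN and a maxLength >= the announced length; otherwise Invalid."""
    p = ipaddress.ip_network(prefix, strict=False)
    covering = [v for v in vrps if v.prefix.version == p.version and v.prefix.supernet_of(p)]
    if not covering:
        return "NotFound"
    if origin_asn == 0:
        return "Invalid"          # AS0 is never a legitimate origin (RFC 6483)
    for v in covering:
        if v.asn == origin_asn and p.prefixlen <= v.maxlen:
            return "Valid"
    return "Invalid"


CISCO_FLAG = {"Valid": "V", "Invalid": "I", "NotFound": "N"}


def policy_action(state):
    """One common inbound policy (not the slides' own): drop Invalid, prefer Valid over NotFound."""
    return {"Valid": ("accept", 110), "NotFound": ("accept", 100), "Invalid": ("drop", None)}[state]


if __name__ == "__main__":
    announcements = [                 # constructed: (prefix, origin ASN)
        ("203.0.113.0/24", 64500),    # Valid: exact ROA match
        ("203.0.113.0/25", 64500),    # Invalid: more specific than maxLength, even from the right AS
        ("203.0.113.0/24", 64501),    # Invalid: covered, but wrong origin (hijack / mis-origination)
        ("198.51.100.0/23", 64500),   # Valid: within maxLength 24
        ("2001:db8:1::/48", 64496),   # Valid
        ("2001:db8::/49", 64496),     # Invalid: beyond maxLength
        ("192.0.2.0/24", 64500),      # Invalid: AS0 ROA
        ("10.0.0.0/8", 64500),        # NotFound: no ROA covers it
    ]
    for prefix, asn in announcements:
        state = validate(prefix, asn)
        action, pref = policy_action(state)
        print(f"{prefix:18} AS{asn:<6} {CISCO_FLAG[state]} {state:8} -> {action} {pref or ''}")
```

The /25 case is the one operators most often get wrong: a more-specific announced by the legitimate AS is Invalid, not NotFound, whenever it exceeds the ROA's maxLength, so creating ROAs with a generous maxLength invites forged-origin sub-prefix hijacks while a tight one breaks legitimate traffic engineering.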

How to start?
• Create ROA records in MyAPNIC
• Build an RP cache
• Configure your router to use the cache (or a public one)
• Create BGP policies

How to build an RP cache
• Download and install from rpki.net
• Instructions: https://trac.rpki.net/wiki/doc/RPKI/Installation/UbuntuPackages

Configure Router to Use the Cache

  router bgp 17821
   …
   bgp rpki server tcp 10.0.0.3 port 43779 refresh 60
   bgp rpki server tcp 147.28.0.84 port 93920 refresh 60

Note: "port 93920" is outside the valid TCP port range (0 to 65535), so the second line cannot have been configured as printed; use the port your cache actually listens on (323 is the IANA-assigned rpki-rtr port; 43779 was the commonly used pre-standard port).

How does it look in the BGP table? (RPKI lab – Randy Bush)

  r0.sea#sh ip bgp
        Network          Next Hop       Metric LocPrf Weight Path
  * i I 198.180.150.0    144.232.9.61            100      0 1239 3927 i
  *>  I                  199.238.113.9                    0 2914 3927 i
  *   I                  129.250.11.41                    0 2914 3927 i
  *>  V 198.180.152.0    199.238.113.9                    0 2914 4128 i
  *   V                  129.250.11.41                    0 2914 4128 i
  *>  N 198.180.155.0    199.238.113.9                    0 2914 22773 i
  *   N                  129.250.11.41                    0 2914 22773 i
  *>  N 198.180.160.0    199.238.113.9                    0 2914 23308 13408 5752 i
  *   N                  129.250.11.41                    0 2914 23308 13408 5752 i

The letter after the status codes is the RPKI validation state: V = valid, I = invalid, N = not found.

Member Services Helpdesk
• One point of contact for all member enquiries
• Online chat services
• Helpdesk hours: 9:00 am to 9:00 pm (AU EST, UTC+10 hrs)
  ph: +61 7 3858 3188   fax: +61 7 3858 3199
• More personalised service
  – Range of languages: Bahasa Indonesia, Bengali, Cantonese, English, Hindi, Mandarin, Thai, etc.
• Faster response and resolution of queries
  – IP resource applications, status of requests, obtaining help in completing application forms, membership enquiries, billing issues & database enquiries

Thank You