Origin Validation (RPKI/ROA Origin AS Validation), Origin AS, Path Validation
- Slides: 12
Origin Validation
• Validation of the Origin AS using RPKI/ROA
• In this incident? The Origin AS was correct, so unfortunately it is of no help here.
Path Validation
• A technique for preventing tampering with the NLRI in BGP UPDATE messages
• One hypothetical example:
  AS 64496 sends  Update: 192.0/24, AS_PATH: 64496
  AS 64497 sends  Update: 192.0/24, AS_PATH: 64496 64497
  AS 64498 sends  Update: 192.0/24, AS_PATH: 64496 64497 64498
Path Validation
• A technique for preventing tampering with the NLRI in BGP UPDATE messages
• One hypothetical example: what happens with BGPsec?
  [Figure: AS 64496 → AS 64497 → AS 64498. Update: 192.0/24, AS_PATH: 64496 (signature); Update: 192.0/24, AS_PATH: 64497 (signature, signature); Update: 192.0/24, AS_PATH: 64496 (broken signature). AS 64498: "This Update is wrong!"]
Path Validation
  [Figure: signed Updates for 192.0/24 exchanged among AS 64496, AS 64497 and AS 64498 (AS_PATH: 64496, AS_PATH: 64497, AS_PATH: 64498, each carrying a signature)]
• The AS-PATH was as intended, so unfortunately it is of no help here.
IRR
  [Chart: "That day"; y-axis 0 to 4,000,000 in steps of 500,000; x-axis days 19 to 31, then 1 to 10]
ROA with Max-length
• What if the ROA's Max-Length were set to the lengths that actually flow in the DFZ, say 12 or 16?
  ROA: 192.0/16-20 AS 64496
  [Figure: Update: 192.0/20, origin AS 64496 → "Update OK"; Update: 192.0/24, origin AS 64496 → "This Update is wrong!" at the receiving ASes (AS 64497, AS 64498, AS 64499, AS 64500)]
• Idealistic?
ROA with Max-length
• But if the other side has deployed validation...
  ROA: 192.0/16-20 AS 64496
  [Figure: Update: 192.0/20, origin AS 64496 → "Update OK"; Update: 192.0/24, origin AS 64496 → "Invalid!" at the receiving ASes (AS 64497, AS 64498, AS 64499, AS 64500)]
• Split the CA between full-DFZ peers and individual peers?
ROA with Max-length
• Anyone who wants fine-grained announcements will just write 24 in Max-Length, won't they
  ROA: 192.0/16-24 AS 64496
  [Figure: Update: 192.0/24, origin AS 64496 → "Update OK"; Update: 192.0/20, origin AS 64496 → "Update OK" at every receiving AS (AS 64497, AS 64498, AS 64499, AS 64500)]
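To make the Max-length slides concrete, the following is an added example (not code from the slides) that evaluates the Updates drawn on them the way a validating peer would, using the RFC 6811 route origin validation procedure. It assumes the deck's abbreviated "192.0/16" stands for 192.0.0.0/16; the ROA tables and the Updates are constructed from the slides.

```python
from ipaddress import ip_network

# Constructed ROA tables modelled on the slides. The slides write the prefix
# as "192.0/16"; 192.0.0.0/16 is assumed here as a stand-in.
ROAS_MAXLEN_20 = [{"prefix": "192.0.0.0/16", "maxlen": 20, "asn": 64496}]
ROAS_MAXLEN_24 = [{"prefix": "192.0.0.0/16", "maxlen": 24, "asn": 64496}]


def route_origin_validity(roas, prefix, origin_as):
    """RFC 6811 origin validation of one route (prefix, origin AS).

    Returns (state, reason) with state "Valid", "Invalid" or "NotFound".
    """
    route = ip_network(prefix)
    # A ROA "covers" the route when the ROA prefix contains the route prefix
    # (same address family; subnet_of() raises on mixed IPv4/IPv6).
    covering = [
        r for r in roas
        if ip_network(r["prefix"]).version == route.version
        and route.subnet_of(ip_network(r["prefix"]))
    ]
    if not covering:
        return "NotFound", "no ROA covers %s" % prefix
    reasons = []
    for roa in covering:
        if roa["asn"] != origin_as:
            # Includes AS 0 ROAs: no real route is originated by AS 0, so they
            # only ever render covered routes Invalid.
            reasons.append("ROA authorises AS%d, not AS%d" % (roa["asn"], origin_as))
        elif route.prefixlen > roa["maxlen"]:
            reasons.append("/%d exceeds max-length %d" % (route.prefixlen, roa["maxlen"]))
        else:
            # A covering ROA with the right origin AS and an acceptable length
            # "matches"; one match is enough for Valid.
            return "Valid", "matches ROA %s-%d AS%d" % (
                roa["prefix"], roa["maxlen"], roa["asn"])
    return "Invalid", "; ".join(reasons)


def slide_scenarios():
    """The Updates on the Max-length slides, as seen by a validating peer."""
    updates = [("192.0.0.0/20", 64496), ("192.0.0.0/24", 64496),
               ("192.0.0.0/24", 64500)]  # AS 64500: a non-authorised origin
    return {
        "maxlen 20": {u: route_origin_validity(ROAS_MAXLEN_20, *u)[0] for u in updates},
        "maxlen 24": {u: route_origin_validity(ROAS_MAXLEN_24, *u)[0] for u in updates},
    }
```

With max-length 20 the legitimate per-peer /24 from AS 64496 is Invalid at any validating neighbour, which is exactly the trade-off the slides raise; with max-length 24 it is Valid, and so is any /24 an attacker announces with the correct origin AS prepended.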