From rags to RPKI riches, part 1: connecting route validation in BGP

Hello! I work as a senior network engineer at DataLine. I have been involved in networking since 2009 and have watched from the outside as companies were attacked through weaknesses in the BGP routing protocol. BGP hijacking alone is worth a mention: a couple of years ago, attackers stole $137,000 by intercepting BGP routes.

With the shift to remote work, companies organize access from home through secure connections using NGFW, IPS/IDS, WAF and other solutions. But BGP security is sometimes forgotten. In this series of articles, I'll show how any service provider's customer can protect themselves with RPKI, a global tool for securing routing on the Internet. In the first article I explain with an example how it works and how to set up client-side protection in a couple of clicks. In the second, I share my experience of implementing RPKI in BGP on Cisco routers.

What is important to know about RPKI, and what does the refrigerator have to do with it

RPKI (Resource Public Key Infrastructure)

RPKI X.509 PKI, RFC3779.

IANA (Internet Address Number Authority) – IANA, IP-. (AS) – IP-. AS.

RIR (Regional Internet Registry) – IANA. 5 – RIPE NCC, ARIN, APNIC, AfriNIC, LACNIC.

LIR (Local Internet Registry) – RIR, LIR.

RPKI. IANA, RIR – LIR.

RPKI RIR – Trust Anchors.

ROA.

ROA (Route Origin Authorisation) – AS. ROA 3:

  • AS;

  • (IP-: xxx.xxx.xxx.xxx/yy);

  • .

ROA:

  • VALID – ROA, ROA. AS AS_PATH AS ROA, ROA.

  • INVALID – ROA, ROA.

  • UNKNOWN – ROA Trust Anchor RIR. RPKI. UNKNOWN.

.../22, AS N. ROA. Trust Anchor, UNKNOWN.

ROA: AS N, .../22, – /23. AS N /22 /23, /22. VALID.

/24 AS N /22 (/23+/23) AS P, INVALID. /24. ROA ROA.
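The three outcomes above (VALID, INVALID, UNKNOWN) follow from a small rule set: collect every ROA whose prefix covers the announcement, then check whether any of them names the origin AS from the end of AS_PATH with a length no longer than its maxLength. The following is an added example, not code from the article or from any RPKI validator; the ROA set (AS64496 for 198.51.100.0/22 with maxLength /23), the second AS (AS64497) and the announcements are constructed from documentation ranges to play the roles of "AS N", "AS P" and the /22, /23 and /24 routes in the text.

```python
"""Route Origin Validation over a small ROA set (added example).

ROA data, prefixes and AS numbers are constructed from documentation
ranges (198.51.100.0/22, AS64496 as "AS N", AS64497 as "AS P").
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: origin AS, prefix, maximum length."""
    asn: int
    prefix: Network
    max_length: int

    def __post_init__(self) -> None:
        # maxLength must lie between the ROA prefix length and the address size.
        if not self.prefix.prefixlen <= self.max_length <= self.prefix.max_prefixlen:
            raise ValueError(f"bad maxLength {self.max_length} for {self.prefix}")

    def covers(self, announced: Network) -> bool:
        """True when the announced prefix lies inside this ROA's prefix."""
        return (announced.version == self.prefix.version
                and announced.subnet_of(self.prefix))

    def authorises(self, announced: Network, origin_asn: int) -> bool:
        """True when this ROA permits origin_asn to announce this exact length."""
        return (self.covers(announced)
                and self.asn == origin_asn
                and announced.prefixlen <= self.max_length)


def origin_as(as_path: List[int]) -> int:
    """The origin AS is the rightmost AS in AS_PATH (the one that injected the route)."""
    if not as_path:
        raise ValueError("empty AS_PATH")
    return as_path[-1]


def validate(announced: str, as_path: List[int], roas: Iterable[ROA]) -> str:
    """Classify an announcement as VALID, INVALID or UNKNOWN."""
    prefix = ip_network(announced, strict=True)
    origin = origin_as(as_path)
    # Candidate ROAs: every ROA whose prefix covers the announcement.
    covering = [r for r in roas if r.covers(prefix)]
    if not covering:
        return "UNKNOWN"    # no ROA covers this prefix, nothing has been asserted about it
    if any(r.authorises(prefix, origin) for r in covering):
        return "VALID"      # at least one covering ROA matches both origin AS and length
    return "INVALID"        # covered by a ROA, but no ROA permits this AS at this length


AS_N, AS_P = 64496, 64497                                   # constructed documentation ASNs
ROA_SET = [ROA(AS_N, ip_network("198.51.100.0/22"), 23)]   # constructed ROA: AS N, /22, max /23

if __name__ == "__main__":
    for pfx, path in [("198.51.100.0/22", [64500, AS_N]),   # /22 from AS N  -> VALID
                      ("198.51.102.0/23", [64500, AS_N]),   # /23 from AS N  -> VALID
                      ("198.51.100.0/24", [64500, AS_N]),   # /24 from AS N  -> INVALID
                      ("198.51.100.0/22", [64500, AS_P]),   # /22 from AS P  -> INVALID
                      ("192.0.2.0/24",    [64500, AS_N])]:  # no covering ROA -> UNKNOWN
        print(f"{pfx:18} origin AS{path[-1]}: {validate(pfx, path, ROA_SET)}")
```

Note the ordering of the checks: a route is only INVALID when some ROA covers it and none authorises it, which is why a second ROA for AS P over the same /22 would turn that announcement VALID rather than leaving it INVALID, matching the "ROA ROA" remark above about several ROAs for one prefix.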





  1. RPKI-.

  2. - RPKI.

RPKI ROA Trust Anchors RSYNC RRDP. RPKI- ROA. ROA, RPKI-RTR. TCP- 8282.

– -. AS /24 IP-, eBGP, full view. RPKI.

ROA.

RIPE NCC:

  1. RIPE https://my.ripe.net. Resources – RPKI Dashboard.

    RIPE EULA.

    (Certificate Authority, CA):

    - Hosted – RIPE;

    - Non-Hosted –.

    Hosted. Non-Hosted XML-. RIPE NCC XML-, RPKI CA.

  2. RPKI Dashboard BGP Announcements. Show All.

  3. Origin AS. ROA Create ROAs for selected BGP announcements.

  4. ROA:

    Publish!

PI- RIPE. Wizard RIPE NCC: https://portal.ripe.net/rpki-enduser.

RPKI. BGP.

RPKI.







