Re: ROA coverage info

2020-08-24 Thread Rayhaan Jaufeerally (NANOG)
There's also this site run by NIST: https://rpki-monitor.antd.nist.gov/ which
contains further breakdowns

On Mon, Aug 24, 2020 at 4:46 PM Nathalie Trenaman  wrote:

> Hi Fabiano,
>
> Is this what you are looking for?
> https://stat.ripe.net/widget/rpki-by-trust-anchor
>
> Cheers,
> Nathalie Trenaman
> RIPE NCC
>
> Op 24 aug. 2020, om 15:21 heeft Fabiano D'Agostino <
> fabiano.dagostin...@gmail.com> het volgende geschreven:
>
> Hi all,
> I would like to ask you if there is some information about ROA coverage of
> IPv4/v6 address space in the different RIRs.
>
> Thanks in advance.
>
> Regards,
>
> Fabiano
>
>
>


Re: RPKI for dummies

2020-08-24 Thread Rayhaan Jaufeerally (NANOG)
[sorry if you're getting this twice, I accidentally sent from the wrong
address and it was rejected from the list]
Hi Dovid,

BGPSEC (as specified in RFC8205 ) is
the next level of routing security which provides the kind of in-band
guarantees that you describe. In my view, RPKI with its ROAs is a stepping
stone to get to an end state where BGPSEC can be deployed and routes
validated end-to-end in the BGP control plane itself. Specifically, RPKI
gets the roots of trust out there, and in use, and these can then be used
in the future to bootstrap the BGPSEC ecosystem (RFC 8209
 proposes a certificate profile for
BGPSEC based on the RPKI)

>From what I have seen, there are some roadblocks to widespread adoption of
BGPSEC, notably:

   - I'm not aware of any ready to use out of the box implementations of
   RFC8205 on off the shelf routers from major vendors,
  - There is a patch to BIRD
(site
  appears down ATM, but referenced from:
  https://bird.network.cz/pipermail/bird-users/2015-August/009877.html)
  and a variant of Quagga
  

which
  supports BGPSEC, though.
   - There will be increased memory and CPU requirements for routers
   performing these validations in the control plane

I think the offloading approach we've seen with RPKI validators running on
another host would be an interesting one to consider as it could relieve
the need for routers themselves to be upgraded with more performant
hardware to perform the required signature verifications etc.

I found this presentation

to
be very informative about BGPSEC's guarantees and failure modes, it's a few
years old but still provides a nice overview.

Hope that helps,
Rayhaan

Disclaimer: any and all views expressed here are those of myself in a
personal capacity, and not necessarily those of my employer.


On Sun, Aug 23, 2020 at 2:43 PM Dovid Bender  wrote:

> Ok. So here is another n00b question. Why don't we have something where
> when we advertise IP space we also pass along a cert that can
> independently be verified by going back to the RIR to see if that cert was
> signed by them. This would also stop someone spoofing my ASN.
>
>
> On Thu, Aug 20, 2020 at 10:53 AM Tom Beecher  wrote:
>
>> ROA = Route Origin Authorization . Origin is the key word.
>>
>> When you create an signed ROA and do all the publishing bits, RPKI
>> validator software will retrieve that , validate the signature, and pass
>> that up to routers, saying "This prefix range that originates from this ASN
>> is valid." Then, any BGP advertisement that contains a prefix in that
>> range, with an origin ASN that matches, is treated as valid. The
>> intermediary as-path isn't a factor.
>>
>> If another ASN ORIGINATES an announcement for your space, then RPKI
>> routers will treat that announcement as INVALID, because that isn't
>> authorized.
>>
>> If another ASN spoofs your ASN , pretending that they are your upstream,
>> RPKI won't solve that. But that is a different problem set.
>>
>> On Thu, Aug 20, 2020 at 10:02 AM Dovid Bender 
>> wrote:
>>
>>> Fabien,
>>>
>>> Thanks. So to sum it up there is nothing stopping a bad actor from
>>> impersonating me as if I am BGP'ing with them. It's to stop any other AS
>>> other then mine from advertising my IP space. Is that correct? How is
>>> verification done? They connect to the RIR and verify that there is  a cert
>>> signed by the RIR for my range?
>>>
>>>
>>>
>>> On Thu, Aug 20, 2020 at 9:51 AM Fabien VINCENT (NaNOG) via NANOG <
>>> nanog@nanog.org> wrote:
>>>
 Hi,

 In fact, RPKI does nothing about AS Path checks if it's your question.
 RPKI is based on ROA where signatures are published to guarantee you're the
 owner of a specific prefix with optionnal different maxLength from your
 ASN.

 So if the question is about if RPKI is sufficient to secure the whole
 BGP path, well, it's not. RPKI guarantee / permit only to verify the
 ressource announcements (IPvX block) is really owned by your ASN. But even
 if it's not sufficient, we need to deploy it to start securing resources',
 not the whole path.

 Don't know if it replies to your question, but you can read also the
 pretty good documentation on RPKI here :
 https://rpki.readthedocs.io/en/latest/rpki/introduction.html or the
 corresponding RFC ;)

 Le 20-08-2020 15:20, Dovid Bender a écrit :

 Hi,

 I am sorry for the n00b question. Can someone help point me in the
 right direction to understand how RPKI works? I understand that from my
 side that I create a key, submit the public portion to ARIN and then send a
 signed request