Trends in RPKI deployment LACNIC 33
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Trends in RPKI deploymentLACNIC 33
2
• Non-profit foundation: Open Source, Open Standards, Open Internet
• Specialised in DNS & Routing: Security, Stability, Privacy
• DNS: NSD, Unbound, OpenDNSSEC
• RPKI: Routinator, Krill, Analytics
3
• Paper at Internet Measurement Conference 2019 • Using routing information from various sources:
- RIPE RIS - Routeviews - Akamai
• Historic information on RPKI repositories: https://ftp.ripe.net/rpki/
• Read more: https://dl.acm.org/authorize?N695009
RPKI is Coming of Age A Longitudinal Study of RPKI Deployment and Invalid Route Origins
4
• Routing information from Routeviews
• Historic information on RPKI repositories: https://ftp.ripe.net/rpki/
• Historic information RIR assignments to regions: https://www.nro.net/about/rirs/statistics/
ROA Uptake and Accuracy Maps
5
Coverage April 2018
6
Accuracy April 2018
INVALID == REJECT
2018
8
Use of ROAs in routing decisions
9
• Before mid 2018 there were early adopters: • Colombia was very active, as were others in Latin
America • Small networks in Europe, especially the
Netherlands
• The route53 leak was a pivotal moment • enough is enough
ASNs dropping invalids
10
• Ben Cox did active probing measurements: • September 2018: 50 ASNs • September 2019: 616 ASNs
https://www.youtube.com/watch?v=fn9xrCoRYLQ
• Many public announcements, including tier-1
11
https://twitter.com/JobSnijders/status/1256326712347881473
C. Testart, P. Richter, A. King, A. Dainotti, and D. Clark, "To Filter or not to Filter: Measuring the Benefits of Registering in the RPKI Today", in Passive and Active
Measurement Conference (PAM), Jan 2020.
12
Accuracy April 2020
13
Accuracy 90-100% Trend
Accuracy below 90% is shown as white! https://nlnetlabs.nl/static/rpki_maps/accuracy-90-latam.mp4 https://nlnetlabs.nl/static/rpki_maps/accuracy-90-world.mp4
14
Coverage Trend
Coverage keeps increasing https://nlnetlabs.nl/static/rpki_maps/coverage-latam.mp4 https://nlnetlabs.nl/static/rpki_maps/coverage-world.mp4
ASNs dropping invalids
15
• General advice: Monitor before dropping
• Train your help desk if you start dropping! ➡ Educate your customers and peers ➡ Put in temporary exceptions
• Very strong incentive to keep ROAs up to date!
• Coverage keeps rising
2019
17
Delegated RPKI CAs under NIC.BR
ACME.BRACME.BRACME.BR
LACNIC
NIC.BR
ACME.BR
REPOSITORY.BR
certificate
certificate
publish ROAs etc
➡ nic.br does not have a hosted service (yet), users run their own CA ➡ nic.br provides a publication service
18
Delegated RPKI CAs under RIRs
ACME.BRACME.BRACME.BR
ACME INT'L
ACME SOKOVIA
ACME REPO
certificates
certificate
publish ROAs etc
publish
RIR BRIR A
➡ RIRs also have the option to run your delegated CAs ➡ APNIC has a repository service, other RIRs not yet
19
Tools
• RPKID by Dragon Research Labs • In use at several NIRs and some delegated CAs
21
Why Run a Delegated CA?
✓ Run a single CA under multiple RIRs
✓ Delegate space to others (customers, teams)
✓ Use API to integrate with routing work flow (ipam)
✓ Local control of who can access, rather than web portal
- Hardware requirements are low, but needs to be maintained
- Need to host an RPKI repository (unless under nic.br)
22
Running Krill
• Build it yourself: https://rpki.readthedocs.io/en/latest/krill/installation.html
• Docker: https://rpki.readthedocs.io/en/latest/krill/docker.html
• Looking at Krill packages (debian, FreeBSD, others)
• Use 'krillmanager' • Digital Ocean Marketplace: https://youtu.be/qunvH2t6rqU • AWS coming • Looking at generic (own infrastructure) support
23
Some Statistics
• NIC.BR - December 2019: Launch of service - May 1 2020:
- 113 Delegations to members - 523 Prefixes in ROAs - Coverage 2.7% - Accuracy 99.1%
• RIRs - May 2020: ARIN 3, RIPE 3, APNIC 2
24
Issues Found
• Publishing to 'localhost' • Fixed in Krill 0.5.0 (February 2020)
• Some operators stop their CA • Their repository goes stale, then expires • NIC.BR is monitoring
25
Conclusions
• Delegated CAs are seeing uptake: • nic.br members do not have a portal • early adopters in other regions
• Some initial issues, getting fixed
• Good uptake and data quality
• Managed repositories needed!
Questions?! https://rpki.nl
! https://github.com/nlnetlabs/routinator
! https://github.com/nlnetlabs/krill
Related Documents
![RIRS 1200VE EKO 3.0 RIRS 1200VW EKO 3.0 RIRS 1200 VW … 1200VE-VW EKO 3.0_P0037_AQ_0001.pdf2 RIRS 1200VE EKO 3.0 / RIRS 1200VW EKO 3.0 / RIRS 1200VW EKO 3.0 RHX [ lt ] [ dk ] Turinys](https://static.cupdf.com/doc/110x72/5d27e02f88c993c82d8c52e5/rirs-1200ve-eko-30-rirs-1200vw-eko-30-rirs-1200-vw-1200ve-vw-eko-30p0037aq0001pdf2.jpg)
![rirs 2500He/HW ekO 3 · rirs 2500He/HW ekO 3.0 [ dk ] [ ru ] indhold Transport og opbevaring 4 Beskrivelse 4 Sikkerhedsforanstaltninger 4 Komponenter 5 Driftsbetingelser 5 Vedligeholdelse](https://static.cupdf.com/doc/110x72/5f37a4402d200910a35a2cae/rirs-2500hehw-eko-3-rirs-2500hehw-eko-30-dk-ru-indhold-transport-og-opbevaring.jpg)
![RIRS V EKO - SALDA V EKO 3.0... · 2017. 11. 17. · Δ Pstat [Pa] P [W] Δ Pstat [Pa] Δ Pstat [Pa] RIRS V EKO 400V EKO 3.0 Lwa total, dB(A) LWA, dB(A) 125 Hz 250 Hz 500 Hz 1 kHz](https://static.cupdf.com/doc/110x72/61202d4177ba887c871ea57d/rirs-v-eko-v-eko-30-2017-11-17-pstat-pa-p-w-pstat-pa-.jpg)
![RIRS 400HE/HW EKO 3 - SALDA 400 HE... · AHU WITH HEAT RECOVERY LÜFTUNGSGERÄTE MIT WÄRMERÜCKGEWINNUNG RIRS 400HE/HW EKO 3.0 Techninis vadovas [ lt ] Teknisk manual [ se ] Technical](https://static.cupdf.com/doc/110x72/5e4f631a2e879c4716398600/rirs-400hehw-eko-3-400-he-ahu-with-heat-recovery-loeftungsgerte-mit-wrmeroeckgewinnung.jpg)