JANOG35: Why not try RPKI? 20150120
- 1. Copyright GREE, Inc. All Rights Reserved. RPKI
- 2. 2002 2006 2011
- 3. 1,867201409 &
- 4. 1. RPKI 2. 3. Production 4. 5.
- 5. 1. RPKI
- 6. Security Prefix/IP NAT 1 Prefix 1 Prefix Mis-Origination BGP RPKI
- 7. RPKI AS Prefix Mis-Origination ROA BGP attribute AS Prefix Mis-Origination BGPMON/ AS Mis-Origination
- 8. 2.
- 9. ROA JPNIC ROA (AS55394) Prefix ROA VMware ESXi 5.1 CISCO CSR1000v Juniper FireFly Maker Site Download
- 10. CSR1000v OS: IOS-XE 3.10.03.S, IP: 192.168.1.48/24, AS: 65000. Firefly OS: JUNOS 12.1X46-D10, IP: 192.168.1.49/24, AS: 65001. ESXi Gateway 192.168.1.0/24. 192.41.192.218 (JPNIC ROA) RPKI. BGP Peer 10.0.0.0/8 116.93.144.0/20 IP NAT. Origin Validation:
    route-map origin-validation permit 10
     match rpki invalid
     set local-preference 90
    route-map origin-validation permit 20
     match rpki not-found
     set local-preference 100
    route-map origin-validation permit 30
     match rpki valid
     set local-preference 110
- 11. ROA Origin Validation
    csr1000v#show ip bgp
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network          Next Hop            Metric LocPrf Weight Path
    I*>  116.93.144.0/20  192.168.1.49                90      0 65001 i
    N*>  10.0.0.0/8       192.168.1.49               100      0 65001 i

    csr1000v#show ip bgp rpki table | inc 116.93.144.0
    116.93.144.0/20   24    55394   0   192.41.192.218/323

    116.93.144.0: ROA AS55394, Origin 65001, Origin Invalid, LP 90
    10.0.0.0: ROA Not Found, LP 100 (JPNIC ROA)
- 12. 3. Production
- 13. ASR9000 Route Reflector Origin Validation BGP-Router RPKI Local Preference: invalid: Local Preference -50; not-found: Pass; valid: Local Preference +50. ROA ()
- 14. ASR9000 Route Reflector (diagram: ASR9000 Route Reflectors as Validation Clients performing Origin Validation; Transit Routers with Validation; RPKI)
- 15. RPKI iBGP RFC () External eBGP Router Validation Router OS AS Validation
- 16. 4. Cisco
- 17. IPv4 IPv6 () IPv4 ROA IPv6 IPv4/IPv6 Sync ROA (1) IPv4/IPv6
- 18. RPKI Maxlen (MaxPrefixLength) ROA (2) Maxlen
    Network       Maxlen  Origin-AS  Source  Neighbor
    2.0.0.0/16    16      3215       0       210.173.170.254/323
    2.0.0.0/12    16      3215       0       210.173.170.254/323
    2.1.0.0/16    16      3215       0       210.173.170.254/323
    2.2.0.0/16    16      3215       0       210.173.170.254/323
    2.3.0.0/16    16      3215       0       210.173.170.254/323
    2.4.0.0/16    16      3215       0       210.173.170.254/323
    2.5.0.0/16    16      3215       0       210.173.170.254/323
    2.6.0.0/16    16      3215       0       210.173.170.254/323
    2.8.0.0/16    16      3215       0       210.173.170.254/323
    2.9.0.0/16    16      3215       0       210.173.170.254/323
    2.10.0.0/16   16      3215       0       210.173.170.254/323
    2.11.0.0/16   16      3215       0       210.173.170.254/323
    2.12.0.0/16   16      3215       0       210.173.170.254/323
    2.13.0.0/16   16      3215       0       210.173.170.254/323
    2.14.0.0/16   16      3215       0       210.173.170.254/323
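Added example, not code from the slides or from Cisco IOS: a small implementation of the origin-validation check behind the slide-10 route-map (invalid 90, not-found 100, valid 110) and the maxlen rule illustrated on slide 18, run over ROA rows and announcements taken from slides 11 and 18. The function names and the ROA subset are my own.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    """One row of the router's RPKI table: prefix, maxlen, origin AS."""
    prefix: str
    maxlen: int
    origin_as: int

# ROA rows taken from slides 11 and 18 (a constructed subset).
ROA_TABLE = [
    ROA("116.93.144.0/20", 24, 55394),
    ROA("2.0.0.0/12", 16, 3215),
    ROA("2.0.0.0/16", 16, 3215),
]

# Local preference per validation state, as in the slide-10 route-map.
LOCAL_PREF = {"invalid": 90, "not-found": 100, "valid": 110}

def validate(route: str, origin_as: int, roas=ROA_TABLE) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # Only ROAs whose prefix contains the route are relevant.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS and announced length within maxlen.
        if roa.origin_as == origin_as and net.prefixlen <= roa.maxlen:
            return "valid"
    # Covered but unmatched: wrong origin AS (mis-origination) or a
    # more-specific announcement than maxlen allows (slide 18).
    return "invalid" if covered else "not-found"

def apply_policy(route: str, origin_as: int) -> tuple:
    """Route-map result for one announcement: (state, local-preference)."""
    state = validate(route, origin_as)
    return state, LOCAL_PREF[state]

if __name__ == "__main__":
    # Announcements from the lab peer AS65001 (slide 11) plus maxlen cases.
    for route, asn in [("116.93.144.0/20", 65001), ("10.0.0.0/8", 65001),
                       ("2.0.0.0/16", 3215), ("2.0.0.0/20", 3215)]:
        print(route, asn, *apply_policy(route, asn))
```

The 2.0.0.0/20 case shows why maxlen matters: a covering ROA exists, but the announcement is more specific than the ROA permits, so it is invalid even with the right origin AS.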
- 19. (1) Origin Validation Origin Validation Route[map/Policy] Ext] community Local Preference attribute Invalid = Mis-Origination alert (snmp/syslog)
- 20. (2) Reboot Reboot Route(map/Policy) NotFound 1. Router OS 2. BGP-Neighbor 3. ROA Peer ROA Route[map/Policy] Not-found FIB 4. RPKI FIB FIB clear ip bgp (soft) FIB (eem)
- 21. (3) Cisco (ASR9000/CSR1000v) ASR9000 (IOS-XR) Production Cisco Cisco RPKI 2 User
- 22. ROA Public ROA EndUser Validation Validation 2 Transit/IX Transit Validation Prefix ROA Validation IX (Internet Exchange) Route Server Validation Prefix ROA Validation
- 23. 5.
- 24. RPKI ROA RIR + APNIC ROA + RIR RPKI Router RPKI Maker Maker
- 25. RPKI BGPSEC. BGPSEC = Origin Validation + Path Validation. Origin Validation BGPSEC RPKI RPKI
- 26. 1. No!!! 2. Secure 3. Prefix Routing
- 27. References
    RPKI: https://www.nic.ad.jp/ja/rpki/
    BGPSEC: https://www.ipa.go.jp/security/fy23/reports/tech1-tg/b_07.html
    JANOG: http://www.janog.gr.jp/meeting/janog30/program/rpk.html
           http://www.janog.gr.jp/meeting/janog31/program/rpki.html
           http://www.janog.gr.jp/meeting/janog32/program/rpki.html
    Nanog: https://www.nanog.org/meetings/nanog52/presentations/Sunday/110612.nanog-origin-validation.pdf
           https://www.nanog.org/meetings/nanog49/presentations/Tuesday/bgp-origin-validation-FINAL.pdf
- 28.