Copyright © GREE, Inc. All Rights Reserved. Why not try RPKI? Infrastructure Division, Data Center Team, Manager: Kawachi (河内)

JANOG35: Why not try RPKI? 20150120



  1. RPKI
  2. 2002 2006 2011
  3. 1,867201409 &
  4. 1. RPKI 2. 3. Production 4. 5.
  5. 1. RPKI
  6. Security Prefix/IP NAT 1 Prefix 1 Prefix Mis-Origination BGP RPKI
  7. RPKI AS Prefix Mis-Origination ROA BGP attribute AS Prefix Mis-Origination BGPMON / AS Mis-Origination
  8. 2.
  9. ROA JPNIC ROA (AS55394) Prefix ROA VMware ESXi 5.1 CISCO CSR1000v Juniper FireFly Maker Site Download
  10. Lab setup: CSR1000v OS: IOS-XE 3.10.03.S, IP: 192.168.1.48/24, AS: 65000; Firefly OS: JUNOS 12.1X46-D10, IP: 192.168.1.49/24, AS: 65001; ESXi Gateway 192.168.1.0/24; 192.41.192.218 (JPNIC ROA) RPKI; BGP Peer; 10.0.0.0/8, 116.93.144.0/20; IP NAT; Origin Validation:

      route-map origin-validation permit 10
       match rpki invalid
       set local-preference 90
      route-map origin-validation permit 20
       match rpki not-found
       set local-preference 100
      route-map origin-validation permit 30
       match rpki valid
       set local-preference 110
  11. ROA Origin Validation result:

      csr1000v#show ip bgp
      Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                    r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                    x best-external, a additional-path, c RIB-compressed,
      Origin codes: i - IGP, e - EGP, ? - incomplete
      RPKI validation codes: V valid, I invalid, N Not found

           Network          Next Hop            Metric LocPrf Weight Path
      I*>  116.93.144.0/20  192.168.1.49                90      0 65001 i
      N*>  10.0.0.0/8       192.168.1.49               100      0 65001 i
      csr1000v#show ip bgp rpki table | inc 116.93.144.0
      116.93.144.0/20  24  55394  0  192.41.192.218/323

      116.93.144.0: ROA AS55394, origin 65001, Origin Invalid, LP 90; 10.0.0.0: ROA Not Found, LP 100; JPNIC ROA
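The validation states on slide 11 and the maxlen behaviour on slide 18 follow from the RFC 6811 rules, worked through below. This is an added example, not code from the deck or from Cisco IOS-XE; the ROA cache, the routes and the local-preference values (90/100/110 from the route-map on slide 10) are constructed from the values shown on the slides.

```python
"""RFC 6811 origin validation plus the slide-10 local-preference policy.

Added example (not from the JANOG35 deck). ROA entries are constructed
from the "show ip bgp rpki table" output on slides 11 and 18.
"""
import ipaddress

# Constructed ROA cache: (prefix, maxlen, origin AS).
ROAS = [
    (ipaddress.ip_network("116.93.144.0/20"), 24, 55394),  # JPNIC ROA, slide 11
    (ipaddress.ip_network("2.0.0.0/12"), 16, 3215),        # maxlen example, slide 18
]

# Validation state -> local-preference, from route-map origin-validation.
LOCAL_PREF = {"invalid": 90, "not-found": 100, "valid": 110}


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP route.

    RFC 6811: a ROA *covers* the route when the ROA prefix contains the
    route prefix. It *matches* when it also satisfies route length <= maxlen
    and the origin AS equals the ROA AS. No covering ROA -> not-found;
    at least one matching ROA -> valid; covered but none match -> invalid.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, roa_as in roas:
        if net.version != roa_prefix.version or not net.subnet_of(roa_prefix):
            continue
        covered = True
        if net.prefixlen <= maxlen and origin_as == roa_as:
            return "valid"
    return "invalid" if covered else "not-found"


def apply_policy(prefix: str, origin_as: int, roas=ROAS):
    """Validate the route and return (state, local_preference) as the route-map would set it."""
    state = validate_origin(prefix, origin_as, roas)
    return state, LOCAL_PREF[state]


if __name__ == "__main__":
    # The two routes learned from AS65001 on slide 11.
    for pfx in ("116.93.144.0/20", "10.0.0.0/8"):
        print(pfx, *apply_policy(pfx, 65001))
    # Slide 18: a /20 announced by AS3215 is covered but exceeds maxlen 16.
    print("2.0.0.0/20", *apply_policy("2.0.0.0/20", 3215))
```
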
  12. 3. Production
  13. ASR9000 Route Reflector Origin Validation; BGP-Router RPKI Local Preference: invalid: Local Preference -50; not-found: pass; valid: Local Preference +50; ROA ()
  14. ASR9000 Route Reflector (figure: ASR9000 Route Reflectors as Validation Clients performing Origin Validation; Transit Routers; RPKI)
  15. RPKI iBGP RFC () External eBGP Router Validation Router OS AS Validation
  16. 4. Cisco
  17. IPv4 IPv6 () IPv4 ROA IPv6 IPv4/IPv6 Sync ROA (1) IPv4/IPv6
  18. RPKI Maxlen (MaxPrefixLength) ROA (2) Maxlen:

      Network       Maxlen  Origin-AS  Source  Neighbor
      2.0.0.0/16    16      3215       0       210.173.170.254/323
      2.0.0.0/12    16      3215       0       210.173.170.254/323
      2.1.0.0/16    16      3215       0       210.173.170.254/323
      2.2.0.0/16    16      3215       0       210.173.170.254/323
      2.3.0.0/16    16      3215       0       210.173.170.254/323
      2.4.0.0/16    16      3215       0       210.173.170.254/323
      2.5.0.0/16    16      3215       0       210.173.170.254/323
      2.6.0.0/16    16      3215       0       210.173.170.254/323
      2.8.0.0/16    16      3215       0       210.173.170.254/323
      2.9.0.0/16    16      3215       0       210.173.170.254/323
      2.10.0.0/16   16      3215       0       210.173.170.254/323
      2.11.0.0/16   16      3215       0       210.173.170.254/323
      2.12.0.0/16   16      3215       0       210.173.170.254/323
      2.13.0.0/16   16      3215       0       210.173.170.254/323
      2.14.0.0/16   16      3215       0       210.173.170.254/323
  19. (1) Origin Validation: Route [map/Policy], Ext community, Local Preference attribute; Invalid = Mis-Origination alert (snmp/syslog)
  20. (2) Reboot: Route (map/Policy) Not Found 1. Router OS 2. BGP-Neighbor 3. ROA Peer ROA Route [map/Policy] Not-found FIB 4. RPKI FIB FIB clear ip bgp (soft) FIB (eem)
  21. (3) Cisco (ASR9000/CSR1000v) ASR9000 (IOS-XR) Production Cisco Cisco RPKI 2 User
  22. ROA Public ROA End User Validation Validation 2 Transit/IX Transit Validation Prefix ROA Validation IX (Internet Exchange) Route Server Validation Prefix ROA Validation
  23. 5.
  24. RPKI ROA RIR + APNIC ROA + RIR RPKI Router RPKI Maker Maker
  25. RPKI BGPSEC: BGPSEC = Origin Validation + Path Validation; Origin Validation BGPSEC RPKI RPKI
  26. 1. No!!! 2. Secure 3. Prefix Routing
  27. References:
      RPKI: https://www.nic.ad.jp/ja/rpki/
      BGPSEC: https://www.ipa.go.jp/security/fy23/reports/tech1-tg/b_07.html
      JANOG: http://www.janog.gr.jp/meeting/janog30/program/rpk.html
             http://www.janog.gr.jp/meeting/janog31/program/rpki.html
             http://www.janog.gr.jp/meeting/janog32/program/rpki.html
      NANOG: https://www.nanog.org/meetings/nanog52/presentations/Sunday/110612.nanog-origin-validation.pdf
             https://www.nanog.org/meetings/nanog49/presentations/Tuesday/bgp-origin-validation-FINAL.pdf