RPKI->RTR Protocol
1
IETF- sidr / Maastricht 2010.07.28
Randy Bush <[email protected]> Rob Austein <[email protected]>
draft-ymbk-rpki-rtr-protocol-06.txt
2010.07.28 sidr rpki-rtr 1
2010.07.28 sidr rpki-rtr 2
Mac
Publication Point
Issued ROAs
My Misc Config
Options
Public RPKI Keys
ID=Me
Internal CA Data
Keys for Talking to
IR BackEnd
Certs Issued to
DownStreams
Up/Down EE Public Keys
Front End GUI &
Management
RPKI Engine
Contract Out To Google
Using the RPKI
Resources [OrgID]
My RightsToRoute
Delegations to Custs
User Web GUI
98% of an RIR’s Users 10% of an RIR’s IP Space
Up / Down Protocol
2% of an RIR’s Users 90% of an RIR’s IP Space
Publication Protocol
IR’s Database(s)
Internal
Protocol
Received from One Parent
2010.07.28 sidr rpki-rtr 3
What I Did With It
2010.07.28 sidr rpki-rtr 4
RCynic Cache Gatherer
RCynic Gatherer Validated
Cache
Trust Anchor
(cynical rsync)
IANA IANA
ARIN ARIN APNIC APNIC
UUNET UUNET PSGnet PSGnet
UUcust UUcust
IIJ IIJ
SIA
SIA
SIA
SIA
5 5 2010.07.28 sidr rpki-rtr 5
Global RPKI
RPKI -> Router
RCynic Gatherer
RPKI to Rtr
Protocol
Near/In PoP
BGP Decision Process
Cache / Server
Object Security RCynic
Transport Security
ssh
6 6 2010.07.28 sidr rpki-rtr 6
Typical Exchange
7
Cache Router | <----- Reset Query -------- | R requests data | | | ----- Cache Response -----> | C confirms request | ------- IPvX Prefix ------> | C sends zero or more | ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix | ------- IPvX Prefix ------> | Payload PDUs | ------ End of Data ------> | C sends End of Data | | and sends new serial ~ ~ | -------- Notify ----------> | (optional) | | | <----- Serial Query ------- | R requests data | | | ----- Cache Response -----> | C confirms request | ------- IPvX Prefix ------> | C sends zero or more | ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix | ------- IPvX Prefix ------> | Payload PDUs | ------ End of Data ------> | C sends End of Data | | and sends new serial ~ ~
7 2010.07.28 sidr rpki-rtr 7
Reset Query
8
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 2 | | +-------------------------------------------+ | | | Length=8 | | | `-------------------------------------------'
2010.07.28 sidr rpki-rtr 8
Cache Response
9
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 3 | | +-------------------------------------------+ | | | Length=8 | | | `-------------------------------------------'
2010.07.28 sidr rpki-rtr 9
IPv4 Prefix
10
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | Color | | 0 | 4 | | +-------------------------------------------+ | | | Length=20 | | | +-------------------------------------------+ | | Prefix | Max | Data | | Flags | Length | Length | Source | | | 0..32 | 0..32 | RPKI/IRR | +-------------------------------------------+ | | | IPv4 prefix | | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------'
10 2010.07.28 sidr rpki-rtr 10
IPv6 Prefix
11
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | Color | | 0 | 6 | | +-------------------------------------------+ | | | Length=40 | | | +-------------------------------------------+ | | Prefix | Max | Data | | Flags | Length | Length | Source | | | 0..128 | 0..128 | RPKI/IRR | +-------------------------------------------+ | | +--- ---+ | | +--- IPv6 prefix ---+ | | +--- ---+ | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------'
11 2010.07.28 sidr rpki-rtr 11
End of Data
12
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 7 | | +-------------------------------------------+ | | | Length=12 | | | +-------------------------------------------+ | | | Serial Number | | | `-------------------------------------------'
2010.07.28 sidr rpki-rtr 12
Notify (Think DNS)
13
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 0 | | +-------------------------------------------+ | | | Length=12 | | | +-------------------------------------------+ | | | Serial Number | | | `-------------------------------------------'
2010.07.28 sidr rpki-rtr 13
Serial Query
14
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 1 | | +-------------------------------------------+ | | | Length=12 | | | +-------------------------------------------+ | | | Serial Number | | | `-------------------------------------------'
2010.07.28 sidr rpki-rtr 14
Error Response
15
0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | Error Number | | 0 | 10 | | +-------------------------------------------+ | | | Length | | | +-------------------------------------------+ | | | Length of Encapsulated PDU | | | +-------------------------------------------+ | | ~ Copy of Erroneous PDU ~ | | +-------------------------------------------+ | | | Length of Error Text | | | +-------------------------------------------+ | | | Arbitrary Text | | of | ~ Error Diagnostic Message ~ | | `-------------------------------------------' 2010.07.28 sidr rpki-rtr 15
Changing Caches
2010.07.28 sidr rpki-rtr 16
• Running on cache A happily • A goes bad (A down, sends error, ...) • Router decides to break off relationship with A • Router keeps using old data from A • Router tries other caches in priority order • Router starts to load from B, in a separate buffer, but still runs on old data from A
• Router finishes loading data from B • Router flushes all data from A and installs all data from B
• Router reevaluates installed prefixes against new data
2010.07.28 sidr rpki-rtr 17
Global RPKI
Asia Cache
NoAm Cache
Euro Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
Cust Facing
Cust Facing
Cust Facing
Cust Facing
Cust Facing
High Priority
Lower Priority
Extremely Large ISP Deployment
Good Dog! RP/0/1/CPU0:r0.dfw#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24 Versions: Process bRIB/RIB SendTblVer Speaker 132327 132327 Last Modified: Oct 2 01:06:47.630 for 13:33:12 Paths: (6 available, best #3) Advertised to peers (in unique update groups): 204.69.200.26 Path #1: Received by speaker 0 2914 1299 6939 6939 27318 157.238.224.149 from 157.238.224.149 (129.250.0.85) Origin IGP, metric 0, localpref 100, valid, external, \ origin validity state: valid Community: 2914:420 2914:2000 2914:3000 4128:380 Path #2: Received by speaker 0 ...
18 18 2010.07.28 sidr rpki-rtr 18
Bad Dog! RP/0/1/CPU0:r0.dfw#sh bgp 64.9.224.0 BGP routing table entry for 64.9.224.0/20 Versions: Process bRIB/RIB SendTblVer Speaker 0 0 Last Modified: Oct 2 17:38:27.630 for 4d22h Paths: (6 available, no best path) Not advertised to any peer Path #1: Received by speaker 0 2914 3356 36492 157.238.224.149 from 157.238.224.149 (129.250.0.85) Origin IGP, metric 2, localpref 100, valid, external,\ origin validity state: invalid Community: 2914:420 2914:2000 2914:3000 4128:380
19 19 2010.07.28 sidr rpki-rtr 19
Strange Dog! RP/0/1/CPU0:r0.dfw#sh bgp 147.28.0.0 BGP routing table entry for 147.28.0.0/16 Versions: Process bRIB/RIB SendTblVer Speaker 337691 337691 Last Modified: Oct 2 17:40:16.630 for 4d22h Paths: (6 available, best #1) Advertised to peers (in unique update groups): 204.69.200.26 Path #1: Received by speaker 0 2914 3130 157.238.224.149 from 157.238.224.149 (129.250.0.85) Origin IGP, metric 68, localpref 100, valid, external, \ origin validity state: not found Community: 2914:410 2914:2000 2914:3000 4128:380
20 20 2010.07.28 sidr rpki-rtr 20
Open Source (BSD Lisc) Running Code
https://subvert-rpki.hactrn.net/
Test Code in Routers Talk to Ed Kern
21 21 2010.07.28 sidr rpki-rtr 21
Work Supported By • US Government
THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL).
• Internet Initiative Japan
• Cisco, Juniper, Google, NTT, Equinix
22 22 2010.07.28 sidr rpki-rtr 22