Open Tutorial: RPKI ROA/ROV (0.5 days)
Synopsis
- Why do we keep seeing news headlines about major networks not being reachable because traffic got rerouted somewhere else? BGP mishaps are very common and frighteningly easy to cause. Examples are malicious route hijacking, mis-origination (fat fingers), and bad filters (route leaks). We need better mechanisms to ensure that no one can inject false information into the global routing system that easily.
- This tutorial will look at current route filtering tools and techniques, how RPKI is just one piece of the puzzle, and what we should do to secure Internet routing.
Target audience
- Anyone interested in understanding the RPKI framework and how it helps secure Internet routing.
Prerequisites
For those who manage IP resources for your organisations (technical or corporate contacts), please come with MFA (OTP) enabled for your MyAPNIC account, and ensure you have permission from your Corporate Contacts to certify your resources – let us create ROAs for your prefixes!
This workshop is not an introduction. It is assumed that the workshop participants have a working knowledge of:
- IP Routing (especially BGP)
- How to use a router command line interface (Cisco IOS configuration syntax).
- Basic Linux command line (CLI) skills.
We recommend the following Academy courses be completed before the start of the tutorial:
- Routing Basics: https://academy.apnic.net/en/course/routing-fundamentals-course/
- Deploying BGP (Cisco) virtual lab: https://academy.apnic.net/en/virtual-labs?labId=69078
- Linux Virtual Lab: https://academy.apnic.net/en/virtual-labs?labId=87395
Other requirements
- Online – Participants are advised to bring their own laptop or desktop computers with high-speed Internet access and administrative access to the system. It is also recommended that computers have an Intel i5 or i7 processor, >=8GB of RAM and 30GB of free hard disk space.
- Software: SSH Client, Telnet Client, VirtualBox/VMware
- Confirm that Secure Shell (SSH) is allowed from the office or home network to access the lab infrastructure. To test SSH connectivity, try to connect to route-views.routeviews.org. For example, from the CLI type: ssh [email protected]
- Attendees must have an APNIC Academy login account. If you don’t have one already, you can create an account for free at https://academy.apnic.net/
- Please test the speed of your Internet connection to the servers where the Virtual Machines (VMs) are hosted at the Learn on Demand data centres, using the speed test tool at https://www.learnondemandsystems.com/speedtest/
Course outline
- Recent routing incidents
- Current BGP filtering techniques
- Resource PKI fundamentals
- Installation and configuration of RPKI validators
- BGP filtering with ROA (Route Origin Validation)