Hosted vs. Delegated RPKI

So you’ve decided that it’s time to go beyond creating ROAs and you want to deploy RPKI on your network. In this course you will learn more about the differences between hosted RPKI and delegated RPKI and their use cases.

We will discuss different scenarios in which delegated RPKI could be useful, for example, large enterprises, NRENs and organisations that have gone through mergers and acquisitions. With delegated RPKI, you can run your own RPKI Certification Authority, manage your ROAs and publish them in your own repository. It also allows you to further delegate Certification Authorities.

Outline

This course will cover the following topics:

  • An overview of the differences between Hosted and Delegated RPKI;
  • Why Delegated RPKI might be a good option for your organisation;
  • An overview of the features available with Delegated RPKI;
  • Publishing ROAs with APNIC or publishing yourself;
  • System, uptime and failover requirements.

Demystifying AS0

Overview

Global BGP routing defines Autonomous System (AS) Number 0 as “special” to mark prefixes as unroutable. Resource certification (RPKI) has taken this concept further, using AS0 to signal prefixes which should not be routed unless another ROA with a different AS exists for the prefix in question. This means that AS0 can be used to do two things:

  1. Exclude as-yet undeployed resources from global BGP, by creating an AS0 ROA signed by APNIC for the prefixes still held in reserve.
  2. Confirm that specific resources are only to be used if an RPKI ROA exists, signed by the delegate.

In 2019, APNIC was requested to work on a system to deploy AS0 for all unassigned and unallocated resources under APNIC management as a policy proposal. Across 2019 and 2020 we deployed a standalone system to do this.

The course explores how AS0 works, how we deployed it, and how BGP speakers can interact with the APNIC AS0 ROA, and with their own use of AS0 for delegated resources.

Outline

This course covers the following topics:

  • What is AS0?
  • What is RPKI, and the “TAL” and ROAs? What is SLURM?
  • What is an AS0 ROA and how is it made?
  • What is the APNIC AS0 RPKI system, and the AS0 “TAL”?
  • How does the APNIC AS0 ROA relate to resources overall?
  • How does it differ from an individual INR holder’s AS0 ROA?
  • How do I use a ROA? How do I use the AS0 ROA from APNIC?
  • What about the other RIRs or NIRs?
  • What does the future hold for RPKI and AS0?

George Michaelson

George is the Product Manager at APNIC for Information products (REX, DASH and NetOX). He is a computer scientist originally from the UK, with 40 years’ experience in networking and IT management. He participates in IETF standardization, and attends RIR and NOG meetings.

RPKI Deployment

Overview

Webinar Overview

The webinar will focus on the different steps involved in deploying/implementing RPKI (from an operator’s point of view) – how to sign resources (ROA creation) through the MyAPNIC Portal, how to verify/check the ROAs, how to deploy RPKI validators, how to configure an RTR session between BGP-speaking routers and the validator, how to interpret the validation states of received routes, and how to act on those validation states on the routers (drop or apply policies).

Outline

This webinar will cover the following topics:

  • What is RPKI
  • Benefits of RPKI
  • RPKI Building Blocks
  • RPKI Profile
  • Trust Anchor (TA)
  • Issuing Party
  • Single Trust Anchor
  • Routing Origin Authorization (ROA)
  • Relying Party (RPKI Validator)
  • Origin Validation
  • Validation States
  • Policies Based on Validation
  • RPKI Caveats
  • Create (Publish) Your ROA
  • Check Your ROA
  • Deploy RPKI Validator
  • RIPE – Validator
  • Dragon Research – Validator
  • Routinator – Validator
  • Configuration (IOS)
  • Configuration (JunOS)

RPKI Deployment

Overview

Release date: 5 May 2020

The course focuses on the different steps involved in deploying/implementing RPKI (from an operator’s point of view) – how to sign resources (ROA creation) through the MyAPNIC Portal, how to verify/check the ROAs, how to deploy RPKI validators, how to configure an RTR session between BGP-speaking routers and the validator, how to interpret the validation states of received routes, and how to act on those validation states on the routers (drop or apply policies).

Course Outline

This course will cover the following topics:

  • What is RPKI
  • Benefits of RPKI
  • RPKI Building Blocks
  • RPKI Profile
  • Trust Anchor (TA)
  • Issuing Party
  • Single Trust Anchor
  • Routing Origin Authorization (ROA)
  • Relying Party (RPKI Validator)
  • Origin Validation
  • Validation States
  • Policies Based on Validation
  • RPKI Caveats
  • Create (Publish) Your ROA
  • Check Your ROA
  • Deploy RPKI Validator
  • RIPE – Validator
  • Dragon Research – Validator
  • Routinator – Validator
  • Configuration (IOS)
  • Configuration (JunOS)

Tashi Phuntsho

Tashi has experience in IP and transmission network design, operation, and maintenance, having worked as a transmission engineer and IP core network engineer for more than a decade. He has been involved in capacity development in the APNIC community by providing technical assistance and training in a number of technical areas such as Routing & Switching, Network Architecture, IXP design and deployment, Network Security, IPv6 deployment, DNSSEC, and so on.

Tashi completed his undergraduate studies in Electrical and Electronics engineering from India, complemented by research studies in next generation networks from Japan and postgraduate studies in Network Systems from Australia.