[148692] in North American Network Operators' Group


Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

daemon@ATHENA.MIT.EDU (Alex Band)
Fri Jan 20 09:41:17 2012

From: Alex Band <alexb@ripe.net>
In-Reply-To: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net>
Date: Fri, 20 Jan 2012 15:39:19 +0100
To: "nanog@nanog.org list" <nanog@nanog.org>
Cc: Yang Xiang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

If you want to play around with RPKI Origin Validation, you can download
the RIPE NCC RPKI Validator here:
http://ripe.net/certification/tools-and-resources
It's simple to set up and use: just unzip the package on a *NIX system,
run ./bin/rpki-validator and browse to http://localhost:8080

EuroTransit have a public one running here:
http://rpki01.fra2.de.euro-transit.net:8080/

You can see it's pointing to several Trust Anchors, downloads and
validates all ROAs periodically, you can apply ignore filters and white
lists, see a BGP announcement validity preview based on route collector
data, integrates with existing (RPSL based) workflows and can talk to
RPKI-capable routers.

If you want to get an idea of how an RPKI-capable router would be
configured, here's some sample config for Cisco and Juniper:
http://www.ripe.net/certification/router-configuration

You can also log into a public RPKI-capable Juniper here: 193.34.50.25,
193.34.50.26
telnet username: rpki
password: testbed

With additional documentation available here:
http://rpki01.fra2.de.euro-transit.net/documentation.html

Have fun,

Alex

On 20 Jan 2012, at 13:08, Arturo Servin wrote:

>
> You could use RPKI and origin validation as well.
>
> We have an application that does that.
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/
>
> For example you can periodically check if your prefix is valid:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
> If it were invalid for a possible hijack it would look like:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
> Or you can just query for any state:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
>
>
> Regards,
> as
>
> On 20 Jan 2012, at 07:47, Yang Xiang wrote:
>
>> Hi,
>>
>> I built a system, 'Argus', to alert on prefix hijackings in real time.
>> Argus monitors the Internet and discovers anomalous BGP updates which
>> are caused by prefix hijacking.
>> When Argus discovers a potential prefix hijacking, it will advertise it
>> in a very short time,
>> both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
>> mailing list (argus@csnet1.cs.tsinghua.edu.cn).
>>
>> Argus has been running on the Internet for more than eight months;
>> it can usually discover potential prefix hijackings in ten seconds
>> after the first anomalous BGP update is announced.
>> Several hijacking alarms have been confirmed by network operators.
>> For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/
>> has been confirmed by the network operators of AS23910 and AS4538;
>> it was a prefix hijacking caused by a misconfiguration of a route
>> filter.
>>
>> If you are interested in BGP security, you are welcome to visit our
>> website and subscribe to the mailing list.
>> If you are interested in the system itself, you can find our paper,
>> which was published in ICNP 2011 (FIST workshop):
>> http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.
>>
>> Hope Argus will be useful for you.
>> _________________________________
>> Yang Xiang . about.me/xiangyang
>> Ph.D candidate. Tsinghua University
>> Argus: argus.csnet1.cs.tsinghua.edu.cn
>
>

