[148706] in North American Network Operators' Group
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
daemon@ATHENA.MIT.EDU (Richard Barnes)
Fri Jan 20 11:30:40 2012
In-Reply-To: <BD6966E1-AC38-4432-B1AC-5A87350B0417@ripe.net>
Date: Fri, 20 Jan 2012 11:29:51 -0500
From: Richard Barnes <richard.barnes@gmail.com>
To: Alex Band <alexb@ripe.net>
Cc: Yang Xiang <xiangy08@csnet1.cs.tsinghua.edu.cn>,
"nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
BBN has also released an initial version of their relying party
software. Core features are basically the same as the other
validators (namely, RPKI certificate validation), with
-- more fine-grained error diagnostics and
-- more robust support for the RTR protocol for distributing validated
information to routers.
<http://www.ietf.org/mail-archive/web/sidr/current/msg03854.html>
On Fri, Jan 20, 2012 at 9:39 AM, Alex Band <alexb@ripe.net> wrote:
> If you want to play around with RPKI Origin Validation, you can download the RIPE NCC RPKI Validator here: http://ripe.net/certification/tools-and-resources
> It's simple to set up and use: just unzip the package on a *NIX system, run ./bin/rpki-validator and browse to http://localhost:8080
>
> EuroTransit have a public one running here:
> http://rpki01.fra2.de.euro-transit.net:8080/
>
> You can see it's pointing to several Trust Anchors, downloads and validates all ROAs periodically, you can apply ignore filters and white lists, see a BGP announcement validity preview based on route collector data, integrates with existing (RPSL based) workflows and can talk to RPKI-capable routers.
>
> If you want to get an idea of how an RPKI-capable router would be configured, here's some sample config for Cisco and Juniper:
> http://www.ripe.net/certification/router-configuration
>
> You can also log into a public RPKI-capable Juniper here: 193.34.50.25, 193.34.50.26
> telnet username: rpki
> password: testbed
>
> With additional documentation available here:
> http://rpki01.fra2.de.euro-transit.net/documentation.html
>
> Have fun,
>
> Alex
>
> On 20 Jan 2012, at 13:08, Arturo Servin wrote:
>
>>
>> You could use RPKI and origin validation as well.
>>
>> We have an application that does that.
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/
>>
>> For example you can periodically check if your prefix is valid:
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>>
>> If it were invalid for a possible hijack it would look like:
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>>
>> Or you can just query for any state:
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>>
>>
>>
>> Regards,
>> as
>>
>> On 20 Jan 2012, at 07:47, Yang Xiang wrote:
>>
>>> Hi,
>>>
>>> I built a system 'Argus' to alert on prefix hijackings in real time.
>>> Argus monitors the Internet and discovers anomalous BGP updates caused
>>> by prefix hijacking.
>>> When Argus discovers a potential prefix hijacking, it will advertise it in
>>> a very short time,
>>> both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
>>> mailing list (argus@csnet1.cs.tsinghua.edu.cn).
>>>
>>> Argus has been running on the Internet for more than eight months;
>>> it usually can discover potential prefix hijackings within ten seconds after
>>> the first anomalous BGP update is announced.
>>> Several hijacking alarms have been confirmed by network operators.
>>> For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has
>>> been confirmed by the network operators of AS23910 and AS4538;
>>> it was a prefix hijacking caused by a mis-configuration of a route filter.
>>>
>>> If you are interested in BGP security, you are welcome to visit our website and
>>> subscribe to the mailing list.
>>> If you are interested in the system itself, you can find our paper, which
>>> was published in ICNP 2011 (FIST workshop):
>>> http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.
>>>
>>> Hope Argus will be useful for you.
>>> _________________________________
>>> Yang Xiang . about.me/xiangyang
>>> Ph.D candidate. Tsinghua University
>>> Argus: argus.csnet1.cs.tsinghua.edu.cn
>>
>>
>
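The origin validation the thread discusses, as an added example that is not code from any poster or from the RIPE NCC, LACNIC or BBN validators: a minimal RFC 6811 check of an announced prefix and origin AS against a ROA set, returning the valid / invalid / not-found states the looking-glass URLs above expose. The ROA prefixes and AS numbers below are constructed from documentation ranges and describe no real network.

```python
# Minimal RFC 6811 route origin validation over a constructed ROA set.
# Added example; not code from the RIPE NCC, LACNIC or BBN validators.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix named in the ROA, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the origin AS may announce
    origin_as: int   # AS number authorised to originate the prefix


# Constructed sample ROAs using documentation prefixes and ASNs
# (RFC 5737, RFC 3849, RFC 5398); they describe no real network.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),  # allows /22 down to /24
    ROA("2001:db8::/32", 48, 64498),
]


def covering_roas(roas, announced):
    """ROAs whose prefix contains the announced prefix, ignoring maxLength."""
    net = ip_network(announced, strict=False)
    return [r for r in roas
            if ip_network(r.prefix).version == net.version
            and net.subnet_of(ip_network(r.prefix))]


def validate_origin(roas, announced, origin_as):
    """Classify one (prefix, origin AS) pair per RFC 6811 section 2.
    not-found: no ROA covers the prefix, so RPKI says nothing about it.
    valid:     a covering ROA names this origin AS and the announced
               length does not exceed its maxLength.
    invalid:   covering ROAs exist but none matches; this is the state
               a looking glass shows for a hijack or a wrong origin AS.
    """
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"
    plen = ip_network(announced, strict=False).prefixlen
    if any(r.origin_as == origin_as and plen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


def flag_invalid(roas, announcements):
    """Periodic-check helper: return the (prefix, origin) pairs that are invalid."""
    return [(p, a) for p, a in announcements
            if validate_origin(roas, p, a) == "invalid"]
```

A more-specific announcement than the ROA's maxLength allows is classified invalid even when the origin AS matches, which is how a sub-prefix hijack of a covered prefix shows up.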