Resources for BGP RPKI

Routing security has been an issue from the start of the internet. ISPs must make a number of manual efforts to ensure that only those authorized inject routes into the internet table. RPKI was created as a way to sign routes using standard public key certificates so that they can be verified as belonging to a particular entity. This will prevent both accidental route leaks and malicious route hijacking.

Below are resources, in a recommended order, for first learning how the process works and then implementing it on Juniper Junos routing platforms.

MANRS training

MANRS (Mutually Agreed Norms for Routing Security) is an organization that encourages ISPs to implement RPKI.

  • Introduction
  • IRRs, RPKI & Peering DB
  • Filtering: Preventing propagation of incorrect routing information
  • Anti-Spoofing: Preventing traffic with spoofed source IP addresses
  • Coordination: Global communications between network operators

Tutorials

MANRS Implementation Guide

MANRS Implementation Guide – Online Version

MANRS week videos 2021: RPKI Week

Juniper Documentation

Juniper Day One: Routing Security, PDF version 2

https://www.juniper.net/documentation/en_US/day-one-books/DO_BGP_SecureRouting2.0.pdf

Junos Documentation:

BGP Route Authentication | BGP User Guide | Juniper Networks TechLibrary

Resources

ARIN RPKI Resource Certification (RPKI)

Peering DB: https://ccc.dqecom.com/dashboard

CAIDA Spoofer: Spoofer

Hurricane Electric: RPKI rollout at Hurricane Electric | APNIC Blog

NANOG Presentation 2021: https://www.nanog.org/news-stories/nanog-tv/nanog-u/webinar-state-of-routing-security/

Verify which prefixes have verified ROA payloads
https://bgpstuff.net/vrps/701

Originally posted: 8/16/2021

Updated: 6/11/2022