janog35_rpki: RPKI, why not give it a try? 20150120
TRANSCRIPT
- 1. Copyright GREE, Inc. All Rights Reserved. RPKI
- 2. 2002 2006 2011
- 3. 1,867201409 &
- 4. 1. RPKI 2. 3. Production 4. 5.
- 5. 1. RPKI
- 6. Security Prefix/IP NAT 1 Prefix 1 Prefix Mis-Origination BGP RPKI
- 7. RPKI AS Prefix Mis-Origination ROA BGP attribute AS Prefix Mis-Origination BGPMON/ AS Mis-Origination
- 8. 2.
- 9. ROA JPNIC ROA (AS55394) Prefix ROA VMware ESXi 5.1 CISCO CSR1000v Juniper FireFly Maker Site Download
- 10. CSR1000v: OS IOS-XE 3.10.03.S, IP 192.168.1.48/24, AS 65000. Firefly: OS JUNOS 12.1X46-D10, IP 192.168.1.49/24, AS 65001. ESXi gateway 192.168.1.0/24. RPKI: 192.41.192.218 (JPNIC ROA). BGP peer: 10.0.0.0/8, 116.93.144.0/20 (IP NAT). Origin Validation route-map:
      route-map origin-validation permit 10
       match rpki invalid
       set local-preference 90
      route-map origin-validation permit 20
       match rpki not-found
       set local-preference 100
      route-map origin-validation permit 30
       match rpki valid
       set local-preference 110
- 11. ROA Origin Validation:
      csr1000v#show ip bgp
      Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                    r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                    x best-external, a additional-path, c RIB-compressed,
      Origin codes: i - IGP, e - EGP, ? - incomplete
      RPKI validation codes: V valid, I invalid, N Not found

           Network          Next Hop            Metric LocPrf Weight Path
      I*>  116.93.144.0/20  192.168.1.49                90      0 65001 i
      N*>  10.0.0.0/8       192.168.1.49               100      0 65001 i
      csr1000v#show ip bgp rpki table | inc 116.93.144.0
      116.93.144.0/20  24      55394      0       192.41.192.218/323
      116.93.144.0/20: ROA AS55394, Origin AS65001, Origin Invalid, LP 90. 10.0.0.0/8: ROA Not Found, LP 100. (JPNIC ROA)
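How the router arrives at the I/N codes and the LocPrf values shown on this slide, as an added Python example (not code from the slides, Cisco or Juniper): it implements the RFC 6811 origin-validation states (not-found / valid / invalid, including the maxlen check that the rpki-table column shows) over the one ROA on this slide (116.93.144.0/20, maxlen 24, AS55394) and maps the result to the route-map's local preference 90/100/110 from slide 10, plus the relative -50/+50 policy from slide 13. The two extra routes that exercise the valid and maxlen cases are assumed, not on the slides.

```python
"""Origin validation (RFC 6811) over ROAs, as an added example; not code from the
slides or from Cisco/Juniper.  The sample ROA and the first two routes reproduce
slide 11: ROA 116.93.144.0/20 maxlen 24 origin AS55394 (JPNIC), routes from AS65001."""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload, the same fields as 'show ip bgp rpki table'."""
    prefix: Net
    maxlen: int
    origin_as: int


def origin_as_of(as_path: List[int], local_as: int) -> int:
    """Origin AS is the rightmost AS in AS_PATH; an empty path means locally originated."""
    return as_path[-1] if as_path else local_as


def validate(route: Net, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 section 2: 'not-found' if no ROA covers the prefix; 'valid' if some
    covering ROA matches the origin AS and the announced length is within maxlen;
    otherwise 'invalid'.  Address family is checked first so IPv6 never matches an
    IPv4 ROA (subnet_of raises on mixed versions)."""
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.origin_as == origin_as and route.prefixlen <= r.maxlen for r in covering):
        return "valid"
    return "invalid"


# Local preference per validation state, copied from the route-map on slide 10.
LAB_LOCAL_PREF = {"invalid": 90, "not-found": 100, "valid": 110}


def production_local_pref(state: str, current_lp: int = 100) -> int:
    """Relative policy from slide 13: invalid -50, not-found passes unchanged, valid +50."""
    return current_lp + {"invalid": -50, "not-found": 0, "valid": 50}[state]


# Constructed data: the one ROA from slide 11, the two lab routes, and two extra
# routes (assumed, not on the slides) that show the 'valid' and maxlen cases.
SAMPLE_ROAS = [ROA(ip_network("116.93.144.0/20"), 24, 55394)]
SAMPLE_ROUTES: List[Tuple[str, List[int]]] = [
    ("116.93.144.0/20", [65001]),          # slide 11: ROA AS55394, origin 65001 -> invalid
    ("10.0.0.0/8", [65001]),               # slide 11: no covering ROA -> not-found
    ("116.93.144.0/20", [65001, 55394]),   # assumed: correct origin -> valid
    ("116.93.144.0/25", [55394]),          # assumed: /25 exceeds maxlen 24 -> invalid
]
LOCAL_AS = 65000  # the CSR1000v on slide 10


def evaluate_routes(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS) -> List[Tuple[str, int, str, int]]:
    """Return [(prefix, origin AS, state, local_pref)] using the lab route-map values."""
    results = []
    for prefix, as_path in routes:
        origin = origin_as_of(as_path, LOCAL_AS)
        state = validate(ip_network(prefix), origin, roas)
        results.append((prefix, origin, state, LAB_LOCAL_PREF[state]))
    return results


if __name__ == "__main__":
    for prefix, origin, state, lp in evaluate_routes():
        print(f"{prefix:<18} origin AS{origin:<6} {state:<10} LocPrf {lp}")
```

The first two rows reproduce the slide: 116.93.144.0/20 from AS65001 is covered by the AS55394 ROA but the origin differs, so it is invalid and gets LP 90; 10.0.0.0/8 has no covering ROA, so it is not-found and keeps LP 100. The /25 row shows why maxlen matters: the right origin AS is not enough when the announcement is more specific than the ROA permits.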
- 12. 3. Production
- 13. ASR9000 Route Reflector Origin Validation BGP-Router RPKI Local Preference: invalid Local Preference -50, not-found Pass, valid Local Preference +50 ROA ()
- 14. ASR9000 Route Reflector [diagram]: ASR9000 (Route Reflector) x2, Route Reflector Validation, Client Origin Validation, Transit Router x3, Validation, RPKI x3
- 15. RPKI iBGP RFC () External eBGP Router Validation Router OS AS Validation
- 16. 4. Cisco
- 17. IPv4 IPv6 () IPv4 ROA IPv6 IPv4/IPv6 Sync ROA (1) IPv4/IPv6
- 18. RPKI Maxlen (MaxPrefixLength) ROA (2) Maxlen
      Network       Maxlen  Origin-AS  Source  Neighbor
      2.0.0.0/16    16      3215       0       210.173.170.254/323
      2.0.0.0/12    16      3215       0       210.173.170.254/323
      2.1.0.0/16    16      3215       0       210.173.170.254/323
      2.2.0.0/16    16      3215       0       210.173.170.254/323
      2.3.0.0/16    16      3215       0       210.173.170.254/323
      2.4.0.0/16    16      3215       0       210.173.170.254/323
      2.5.0.0/16    16      3215       0       210.173.170.254/323
      2.6.0.0/16    16      3215       0       210.173.170.254/323
      2.8.0.0/16    16      3215       0       210.173.170.254/323
      2.9.0.0/16    16      3215       0       210.173.170.254/323
      2.10.0.0/16   16      3215       0       210.173.170.254/323
      2.11.0.0/16   16      3215       0       210.173.170.254/323
      2.12.0.0/16   16      3215       0       210.173.170.254/323
      2.13.0.0/16   16      3215       0       210.173.170.254/323
      2.14.0.0/16   16      3215       0       210.173.170.254/323
- 19. (1) Origin Validation: Origin Validation Route[map/Policy] Ext] community Local Preference attribute Invalid = Mis-Origination alert (snmp/syslog)
- 20. (2) Reboot: Reboot Route(map/Policy) NotFound 1. Router OS 2. BGP-Neighbor 3. ROA Peer ROA Route[map/Policy] Not-found FIB 4. RPKI FIB FIB clear ip bgp (soft) FIB (eem)
- 21. (3) Cisco (ASR9000/CSR1000v) ASR9000 (IOS-XR) Production Cisco Cisco RPKI 2 User
- 22. ROA Public ROA EndUser Validation Validation 2 Transit/IX Transit Validation Prefix ROA Validation IX (Internet Exchange) Route Server Validation Prefix ROA Validation
- 23. 5.
- 24. RPKI ROA RIR + APNIC ROA + RIR RPKI Router RPKI Maker Maker
- 25. RPKI BGPSEC BGPSEC = Origin Validation + Path Validation Origin Validation BGPSEC RPKI RPKI
- 26. 1. No!!! 2. Secure 3. Prefix Routing
- 27. RPKI: https://www.nic.ad.jp/ja/rpki/ BGPSEC: https://www.ipa.go.jp/security/fy23/reports/tech1-tg/b_07.html JANOG: http://www.janog.gr.jp/meeting/janog30/program/rpk.html http://www.janog.gr.jp/meeting/janog31/program/rpki.html http://www.janog.gr.jp/meeting/janog32/program/rpki.html Nanog: https://www.nanog.org/meetings/nanog52/presentations/Sunday/110612.nanog-origin-validation.pdf https://www.nanog.org/meetings/nanog49/presentations/Tuesday/bgp-origin-validation-FINAL.pdf