1 / 40

Sofía Silva Berenguer sofia @ lacnic.net

Sofía Silva Berenguer sofia @ lacnic.net. RPKI and Origin Validation Deployment in Ecuador. IETF 88 – Vancouver. Motivation. Chicken and Egg Situation I have no experiencie working with these technologies , so I don’ deploy them .

devaki
Download Presentation

Sofía Silva Berenguer sofia @ lacnic.net

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sofía Silva Berenguersofia@ lacnic.net RPKI andOriginValidationDeployment in Ecuador IETF 88 – Vancouver

  2. Motivation • Chicken and Egg Situation • I have no experiencieworkingwiththesetechnologies, so I don’ deploythem. • I don’tdeploythesetechnologies, so I don’tgainexperience. • Creationof “islandsoftrust” wherethesetechnologies are fullydeployed • Identifygaps. Whatisstoppingthedeployment?

  3. A Success Story • To overcome the chicken and egg problem perception, we decided to create a success story. • We expect that everyone can learn from it.

  4. Where and When? • Ecuador’s IXP (NAP.EC) • Managed by AEPROVIsince 2001 • 4th and 5th September (beingplannedsince IETF 81 (Quebec))

  5. 2 PointsofPresence

  6. NAP.ECCommunity • Operators connected directly to NAP.EC: ~97% of the total Internet users in Ecuador. • NAP.EC also allows the indirect interconnection of smaller providers: almost 100% of the total number of users and local traffic. • RESULT: the adoption of new technologies by NAP.EC and it’s community, in practice means a full adoption of the whole country.

  7. NAP.ECCommunity (2) • NAP.EC is an IXP with mandatory multilateral peering and route servers in each POP, which makes it easier to activate origin validation and to become an island of trust. • AEPROVI manages NAP.EC in an impartial and not-for-profit fashion. It represents it’s partners’ (ISPs) interests and is in constant colaboration with other organizations from the Internet ecosystem. • RESULT: These characteristics of the NAP.EC community give sustainability to the project.

  8. Participants • Large network operators • Small bussiness networks • Public and private organizations • All of them interested in addressing routing problems within the country.

  9. Action Plan • Identifygaps • Equipment renewal • Community outreach • Event planning • - Training materials • - Activity planning

  10. IdentifiedGaps • Human Capacity (RPKI and BGP) • Equipment (Routers andServers) • Tools • Automatization scripts • Validatorsinstrumentation • Monitoringtools • ROAscreation

  11. Human Capacity • July 2013 • Informative meeting withtechnical staff fromtheoperatorsconnectedtothe NAP • Whataboutthe IXP member'scustomers? Itwasdecidedto invite allnetworkoperatorsmembersandnotmembers • Topics • Impactoftheproject • Quickintroto RPKI, originvalidationand ROA creation • SomepeoplestartedcreatingtheirROAs

  12. Equipment • August 2013 • Two Cisco ASR-1001 routers wereinstalled as routeservers (one in Quito andone in Guayaquil) • For RPKI, redundantvalidatorswereimplemented: 2 VMs, eachonewith 2 differentprocesses (RIPE’s software andrpki.net software) • Originvalidationwasimplemented in therouteservers (no actionregarding RPKI validity status)

  13. Monitoring Tools http://www.labs.lacnic.net/rpkitools/looking_glass/

  14. Monitoring Tools (2) http://tools.labs.lacnic.net/rpki-chart/all?1

  15. Monitoring Tools (3) http://tools.labs.lacnic.net/announcement/result/UY-LACN-LACNIC?0

  16. ROAsCreation http://tools.labs.lacnic.net/roa-wizard

  17. ROAsCreation (2) http://tools.labs.lacnic.net/roa-wizard/result/UY-LACN-LACNIC?4

  18. MeasuringSuccess • Goals: • Achieve a coverage of 70-80 % of the country’s networks in the RPKI system. • Create a success story • Technology working at a production environment • Local capacity creation • Dissemination of results and acquired experience

  19. MainEvent • 4th and 5th Sep 2013 • Resourceholdersfrom Ecuador (notonlythoseconnectedtothe NAP) • ROA creationwasperformed at theendofthefirstdayandwascomplementedduringthesecondday

  20. Results • More than 90 % of coverage in IPv4 and IPv6 • Operators enthusiastic about using the technologies to manage their customer’s connections.

  21. Ecuador’s IPv4 space covered by ROAs

  22. Ecuador’sIPv6spacecovered by ROAs

  23. Impact

  24. RIR Stats – July 2013 Source: http://www.ietf.org/proceedings/87/slides/slides-87-sidr-14.pdf

  25. RIR Stats – October 2013 Source: http://rpki.surfnet.nl/perrir.html

  26. LACNIC Stats - July vs Oct July October

  27. Comparison • Announcements covered by ROAs • From 56,294to 60,853(4,500+ increment) • Valid announcemets • From 5,561to 10,612(5,000+ increment) • Invalid announcements • From 1,184 to 1,096 (almost 100 decrement) • Unknown announcements • From 49,549 to 48,943 (600+ decrement) • RPKI adoption rate • From 11.98 % to 19.57 %

  28. Organizations and Certificates LAC region Source: http://tools.labs.lacnic.net/rpki-chart/all?0

  29. Organizations and Certificates - EC Source: http://tools.labs.lacnic.net/rpki-chart/all/EC?3

  30. Allocations and ROAs LAC region Source: http://tools.labs.lacnic.net/rpki-chart/all?0

  31. Allocations and ROAs - EC Source: http://tools.labs.lacnic.net/rpki-chart/all/EC?3

  32. RPKI Stats– Quito IPv4validprefixes (green) vsIPv4invalidprefixes (blue) IPv4validprefixes (green) vsIPv4unknownprefixes (blue) Source: http://mon4.nap.ec/monitoreo/resumen-rpki-prefijos.html

  33. RPKI Stats– Quito (2) IPv6validprefixes (green) vsIPv6invalidprefixes (blue) IPv6validprefixes (green) vsIPv6unknownprefixes (blue) Source: http://mon4.nap.ec/monitoreo/resumen-rpki-prefijos.html

  34. RPKI Stats– Guayaquil IPv4validprefixes (green) vsIPv4invalidprefixes (blue) IPv4validprefixes (green) vsIPv4unknownprefixes (blue) Source: http://mon4.nap.ec/monitoreo/resumen-rpki-prefijos.html

  35. RPKI Stats– Guayaquil (2) IPv6validprefixes (green) vsIPv6invalidprefixes (blue) IPv6validprefixes (green) vsIPv6unknownprefixes (blue) Source: http://mon4.nap.ec/monitoreo/resumen-rpki-prefijos.html

  36. What are we working on? • We are working with the operators to help them fix their announcements or their ROAs when needed. • We are working on documenting the lessons learned so the process can be replicated by other communities • A technicalcomiteewillevaluatewhatto do withinvalidroutes • Wewillreplicatetheexperience in othercountries.

  37. Results’ Dissemination • RoqueGagliano wrote a post for a Cisco blog • http://cisco-latinoamerica.com/2013/10/10/pioneros-operadores-de-ecuador-cubren-todos-sus-recursos-dentro-del-sistema-rpki/ • A document for CITEL was written • The document was also sent to be published in SUPERTEL’s magazine

  38. LessonsLearned • Gaps (human capacity, equipmentandtools) • Fears (feartobreaksomething) • But, operators are not as conservative as wethought. • Tools weneedtoworkon

  39. Credits • AEPROVI (Fabián Mejía) • NAP.EC, operatorsandresourceholders • Cisco (Roque Gagliano, Álvaro Retana) • LACNIC (Arturo Servín, Carlos Martínez, Gerardo Rada) • Foodsponsorship: ISOC

  40. Thanks! sofia@lacnic.net

More Related