Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

[Alex Band <alexb () ripe net>]

If you want to play around with RPKI Origin Validation, you can download the RIPE NCC RPKI Validator here: 
http://ripe.net/certification/tools-and-resources
It's simple to set up and use: just unzip the package on a *NIX system, run ./bin/rpki-validator and browse to 
http://localhost:8080

EuroTransit have a public one running here:
http://rpki01.fra2.de.euro-transit.net:8080/

You can see it's pointing to several Trust Anchors, downloads and validates all ROA periodically, you can apply ignore 
filters and white lists, see a BGP announcement validity preview based on route collector data, integrates with 
existing (RPSL based) workflows and can talk to RPKI-capable routers.

If you want to get an idea of how an RPKI-capable router would be configured, here's some sample config for Cisco and 
Juniper:
http://www.ripe.net/certification/router-configuration

You can also log into a public RPKI-capable Juniper here: 193.34.50.25, 193.34.50.26
telnet username: rpki
password: testbed

With additional documentation available here:
http://rpki01.fra2.de.euro-transit.net/documentation.html

Have fun,

Alex

On 20 Jan 2012, at 13:08, Arturo Servin wrote:

>       You could use RPKI and origin validation as well.
>
>       We have an application that does that. 
>
>       http://www.labs.lacnic.net/rpkitools/looking_glass/
>
>       For example you can periodically check if your prefix is valid:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
>       If it were invalid for a possible hijack it would look like:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
>       Or you can just query for any state:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
>
>
> Regards,
> as
>
> On 20 Jan 2012, at 07:47, Yang Xiang wrote:
>
> > Hi,
> >
> > I build a system ‘Argus’ to real-timely alert prefix hijackings.
> > Argus monitors the Internet and discovers anomaly BGP updates which caused
> > by prefix hijacking.
> > When Argus discovers a potential prefix hijacking, it will advertise it in
> > a very short time,
> > both in our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
> > mailing list (argus () csnet1 cs tsinghua edu cn).
> >
> > Argus has been running in the Internet for more than eight months,
> > it usually can discover potential prefix hijackings in ten seconds after
> > the first anomaly BGP update announced.
> > Several hijacking alarms have been confirmed by network operators.
> > For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has
> > been confirmed by the network operators of AS23910 and AS4538,
> > it was a prefix hijacking caused by a mis-configuration of route filter.
> >
> > If you are interest in BGP security, welcome to visit our website and
> > subscribe the mailing list.
> > If you are interest in the system itself, you can find our paper which
> > published in ICNP 2011 (FIST workshop)
> > http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.
> >
> > Hope Argus will be useful for you.
> > _________________________________
> > Yang Xiang . about.me/xiangyang
> > Ph.D candidate. Tsinghua University
> > Argus: argus.csnet1.cs.tsinghua.edu.cn