Ladies and gentlemen, meet Sylvan from Switzerland. Can I have some applause, please? Thank you. Sylvan came all the long way from Switzerland to give a talk about security, the internet and authorization. And I thought, I have no clue, but let's let him explain what happens next. The stage is yours.

Hey, good afternoon. So I need a picture. I'm still trying to get a picture. Yeah, we have a picture. So my slides are going to be in German, but I heard that there are some people who would like to hear it in English. My talk is going to be a little bit short, for people who are not that technical, on how the internet works, what BGP is, why we should do RPKI in the future, and how you would do it. How do you actually verify that what you get from the internet is legit?

So this is the internet. On a serious note, what is IP? IP, or as a lot of people start to call it, IP legacy, because it really shouldn't be the standard anymore: IPv4 was introduced in 1981. And IPv6, which we call IP now, is more than 18 years old. So it can even drink alcohol legally. But still, there are people that don't use it.

One term that we're going to use when talking about an ISP network is a prefix. This is practically the fixed part of a network. So if you do routing, if you have a destination, a prefix is always the subnet. And on the other side of your address is the host part: how many bits in your mask are actually free to use for individual hosts?

So what's the internet? Well, the internet is just a bunch of networks. Many networks; in the meantime, more than 60,000 individual networks in the world that have been assigned a number. They're called Autonomous Systems. An Autonomous System is someone who, as an organization, runs their own network. It can be multiple sites. It can be multiple countries. It can be multiple continents. Or it is a bunch of servers or a single router somewhere in a basement. You don't know.
All those Autonomous Systems have an identification number. And you would get that from an organization like RIPE. And when you have an Autonomous System, you probably want some routing. You want some network traffic. So you're normally assigned some kind of prefixes, some kind of IP addresses you can use in the prefix. You get online through a peering, through a transit provider. You probably have some friends. You could throw a cable over to your neighbor. And otherwise, sometimes you have to pay for it. So you go to a transit provider and you get online through them. And sometimes it looks like that.

So BGP, that's practically, on version 4, the standard protocol that you're using nowadays in the internet. It is used to just exchange information. Information can be: hey, I have this prefix that I want to bring online. I have this v6, v4 prefix. BGP is also capable of carrying other information like MPLS. If you want to have virtual tunnels in your network, you can do a lot of it with BGP. It is pretty flexible. What you normally have within your BGP routing process is an AS number. So we come back again: you always have your identification number. And it does scale pretty well. Nowadays we have about 778,000 routes in the internet, just on v4. That's v4 only. v6, about 50,000 nowadays.

So let's talk a little bit about the problems that we have nowadays in the internet. Well, the internet, when it was built with BGP more than 10 years ago, like 30 years ago, was based on trust. So in the early times, all you had to do is: hey, I have this prefix. Send traffic to me for all those IP addresses. What could possibly go wrong? Well, it turns out a lot of things can go wrong. So people started to have a little bit of filtering. Hey, I don't want all the stuff coming in. Hey, only send me 10,000 routes. Only send me these routes that you told me you're going to send me.
Well, it's kind of a gentleman's agreement with those route filters if you do it on a small scale. The problem is, how do you filter when you have 100, 1,000, 10,000 customers? How do you actually filter? How do you actually process those manual filters? So you need something better. Introduce a database. So I, with my own ISP, can go online into a database and declare: hey, I have those IP addresses, this prefix, and I will announce it with this and this AS. Well, that's cool. On the other hand, not everyone verifies it. It's often slow. It's often outdated. And people were like, okay, can we do that more securely? Well, what's the most secure thing in the world? Definitely. Definitely a PKI. But nothing else was chosen so far. So hopefully that's not how your internet will look pretty soon.

So let's talk a little bit about those RIRs. An RIR is a local, regional entity. That's an organization. So for example, here in EMEA, we have RIPE. So as an ISP, if I want to be independent and I don't want to be a customer of, let's say, German Telecom forever, but I want to be able to choose my suppliers freely, I have to become a RIPE member. As a RIPE member, I can get a certain amount of IP addresses. Nowadays, I think it used to be 1,000; it should be 512 IP addresses pretty soon if they are changing their policy. So it is very hierarchical. So a very good anchor point for trust would be to go with those RIRs, and I can actually get a cryptographic signature from them.

So that's what I do. I go online and I can see my dashboard. My dashboard is looking like this. Hey, I have a v6 prefix, even for a foreign ISP. So my office is not with my own internet provider, because if I have a problem, I'm offline, so people can't call me to tell me something is wrong. So we have someone else. I can create a signature even for another ISP. But it's my network block, so I can say: hey, that ISP is actually allowed to route my net block, and I can create an ROA, a route origin authorization.
And that's pretty cool, because a couple of years ago, quite a few years ago, there was an incident with Pakistan Telecom, where I think the telecommunications authority of Pakistan was saying: hey, you have to block YouTube. So they did. But they made a mistake. They created two routes into nowhere, so the traffic just gets dropped into nowhere. But that was more specific than what Google was doing. And with RPKI, I can say: hey, I have this net block of a thousand routes, and I don't only want to say this is only being routed for a specific AS number, in my case 41666. But I also want to say that nobody else, including me, should ever create a more specific route, a smaller route. Because if you do a smaller route, traffic goes to the more specific route. That's always the more specific. So with RPKI, I have a way to avoid my traffic being hijacked without it even clogging up the routing table. Because nowadays, we have 778,000 routes. That's a lot. That's because half of them are the longest format possible. That's a slash 24, that's 256 IP addresses. It's incredible. It's really clogged up. This is a way to potentially reduce it without opening up the doors for more specifics again. Because if I lose traffic, I really have to use my professional out-of-band management network.

So what do I do to actually deploy RPKI? Well, I need a few components. I need some server to validate it. In my case, I use the Routinator 3000. Because to be honest, the one from RIPE, which is the other competing software, runs on Java. And Java is like, I always love those stickers, 3.3 billion devices run Java. That's a nightmare. So yeah. And what you also need is a router which supports it. I tried to find a list on the internet of which routing operating systems do it. I haven't found a conclusive list, because the first source I found was from RIPE 63. And I think we're on RIPE 78, so that's like 10 years old or something. So that's really, really old.
And in the end, you need something called a route map, or another mechanism, to say: hey, if I talk to this peer, so if I have an upstream, a transit, or a peer that tells me, hey, you can reach those routes from me, I need to have a mechanism, if I talk to that peer, to actually tell my router to double-check if that's valid.

So what do you do? Well, as I said, I'm going to use Routinator 3000. There are really nice tutorials on the internet. You need to go by the setup tutorial. It's easy to follow. You need a so-called TAL file for each of the five RIRs; for one of them, you're not allowed to distribute that file, so you need to download the file manually and place it on your server. And practically, you can start it with a single command if you try. You can also write a configuration file, or you can use supervisor as a daemon, so it just respawns the process if you want. Do it however you want. You can use systemd. You can not use systemd. It's up to you. And in the end, that's how your service looks. No, not really. That's an actual production access point.

So you have your router. In my case, I have VyOS as my edge routing system. You have a line. It says: hey, configure me RPKI. Here's the route cache. Here's the IP address and the port. Done. It's a couple of lines. And then you have to define on your peer, which is your BGP configuration on the router, you have to tell it: hey, if RPKI is valid, do something with it. Because if you do a validation, you probably should be doing something. I mean, why would you verify anything if you don't do anything with it? For me, so far, because I don't want to block traffic yet, we're just in the middle of rolling it out, I just put a sticker on it. So a sticker is a community. It's just a label. I say: hey, if it's valid, give it 9100 as a sticker. Same thing if it's an invalid route. An invalid route is something like a too-specific route. So someone said on the RIPE portal: hey, I will only announce up to a slash 22.
But they actually announce a slash 23. That's an invalid route. That's a way too specific route. So I will drop it. Or in my case, because I don't want to drop traffic yet, I just mark it as: hey, this is probably bad. So, running some statistics. As a side note, this is how you can bend your fiber if your signal is too high or not.

So I ran some statistics yesterday on how the routes were looking on my side. So at the bottom, I get 753,000 routes from the global table. So I think one of my ISPs isn't really giving me the full view. Out of that, I already get almost 100,000 routes that are valid routes, valid signatures. That's, for me, a pretty impressive amount, but still there's a lot of work to do. So if I were to only accept RPKI valid routes, I would lose routes: about six out of seven, I would lose. And then I can decide, do I just send that to the default route, or will I drop the traffic? So far, I can't enforce anything on non-existing routes. So something that's not signed at all, well, yeah. And invalid routes, at the moment, I would lose about 4,500 routes. And if I recall right, I recently looked into it, and most of it is stuff like invalid more specifics from three are far, so that would not totally kick me out. On your router, you should really, really sometimes clear your fans out.

If you want to play with BGP, if you have some BGP infrastructure, here are some routes with RIPE. This is a resource I've used originally to go through it personally. There's a pretty nice tutorial online from many, many people. All my contact details are also later on online on the slides. If you want to write me, you can also write me on a secure channel like Matrix, so we can also play with it.

So a little interesting thing happened while I was here. Who here sent a postcard already on the C3 post? Raise your hands. Nobody sent a postcard? You guys really should. So I actually got one for the C3 NOC.
So someone asked: hey, are you actually dropping RPKI invalid routes? Thanks for your work. So we actually got that snail mail to the C3 NOC. So I asked around, what's the current status? So well, to be honest, we do a few things in the NOC here. We don't accept RFC 1980. That's private addresses. We don't really want that from the internet. We don't use 100-something, that's carrier-grade NAT. We obviously don't want anyone telling us: hey, your own IP addresses, you can also reach them with me. So we drop our own space; that's standard. No multicast. We don't want TV multicast or any weird stuff from the internet. We have the usual lengths. So anything more than a slash 8 is weird, because nobody has that as a net block. Same thing with v6. And we drop the default route. So what's still missing, what hasn't been done, is RPKI validation. It's always the question of, do we want to do that? Do we not want to do that? So yeah, the question is always, yeah, it can also go wrong.

And it's a PKI. So one of the things that have been a quite interesting discussion is, if you have a PKI on a route, it's the same thing as with an SSL PKI. You can also get your certificate revoked. And RIPE is an organization under Dutch law, and RIPE could potentially, that's something I have discussed with other people, could potentially be forced by a court to create an invalid route, so traffic to certain IP addresses in the internet might be blocked. The question is, will that even work, or will people just say: hey, I'm just going to whitelist those IP addresses, and traffic gets allowed again? It's one of the problems with a PKI. The next problem with a PKI is, what was it, DigiNotar that got hacked? Symantec, who had some security issues. Wasn't there even a third CA which had quite some issues? So, well, we're hoping that RIPE knows their stuff.
We really have to hope that they know how to protect their key, but if stuff really goes wrong, then you might have someone signing a valid route who should not be able to. Do we want it, or do we not use this system? For me personally, since I want to play with new things, I started using it. So this is my RPKI validating router.

On this whole thing, an interesting inception level happened. So if someone wants to play with BGP, but they don't have their own IP address block, there's a really, really cool project called DN42. It's practically a darknet running on BGP with sometimes encrypted, sometimes totally unencrypted traffic. So some people on the internet decided: hey, let's use private IP space, let's create our own private network. And I ended up discussing with people: hey, what about if we do RPKI on DN42? So apparently that's already been done, and I found a website of a person who wrote a blog article about that, and I was like, wait, Mr. Sherman, well, it happens that that's the same person who sent the NOC a postcard. So whoever that person is, I don't know if my postcard with the return packet has already arrived, but hi from me.

So on that, I would like to open it up for Q&A. Are there any questions? I come with a mic. Well, or I'm also around, find me at the NOC.

So it's not clear to me how you get your own signing key. I mean, you can sign your own routes. Is that correct? So if you do the BGP announcement, you sign your own routes.

You have to go through your local RIR, at least that's what I understand. And how I did it, and how it seems to work, is you actually go with your RIR, which is, in this case, the LIR portal. So if you're, for example, a RIPE member, which I am, so I don't really know the situation of any other RIR, how they are doing the process, but for me personally, I can log in with my online account with RIPE and I see: oh, these are your routes, you're announcing with the space that you got from us. Would you like to create an ROA?
So I can click online and say: hey, generate me a key and let me generate the routes. So at the moment, the key handling for my own space that I got is completely with RIPE. Not sure if there's a better way, if I could generate the key offline and then upload the route objects; so far, that's not what I have done. Because there are even IXPs which verify my routing, and I see that it is working. So it works. I don't know if that's the optimal way.

Okay. And the TAL file, that's a trust anchor something?

Yeah, it's a trust anchor and...

How many trust anchors are in there?

I think it should be five trust anchors from the RIRs, yes. And the sixth trust anchor, that I have not implemented yet, would be with my peering with DN42, which is this research network. And one of the anchor files, for some weird copyright limitation, you have to download manually and place into your TAL folder. Anyone else? Questions?

So just to clear up, currently the people behind the Routinator 3000 project, NLnet Labs, the project that they got the EU funding for is the Krill project, which is about running your own RPKI certificate chain. And at the moment RIPE NCC does not support delegation to your own certificate, but they plan to do that at some point, and discussions are going on about what the policy should be in that regard. But Krill might be, for instance, if you are running an AS number with address space from multiple different regions, then it would make sense to have one place to manage it.

Cool. I wasn't at RIPE 78, so I might have been slightly out of touch also with the newest discussion. Thanks. Anyone else? Then otherwise, hit me up, hit me up for a beer, when we can continue the discussion. Thank you very much.

All right. Thank you, Sylvan. Big round of applause.
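The talk describes route origin validation in prose: a validator (such as Routinator) turns ROAs into a list of validated payloads (prefix, maximum length, origin AS), the router compares each BGP announcement against that list, and a policy then tags the result with a community during rollout and drops invalids once you are confident. The following Python script is an added example illustrating exactly that classification and staged policy; it is not code from the talk, from Routinator or from VyOS. The VRP list and the announcements are constructed samples using documentation prefixes and private AS numbers, and the community format `41666:9100` (the speaker's AS 41666 and the 9100 tag from the talk) and the `9101` tag for invalids are assumptions of this example.

```python
"""Route origin validation (RFC 6811 style) over a list of validated ROA payloads.

Added example, not the talk's, Routinator's or VyOS's code. All data below is
constructed: documentation prefixes (RFC 5737 / RFC 3849) and private ASNs.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Community tags in AS:VALUE form. 41666 and the 9100 "sticker" come from the
# talk; using them as AS:VALUE and 9101 for invalids are assumptions here.
LOCAL_ASN = 41666
COMMUNITY_VALID = f"{LOCAL_ASN}:9100"
COMMUNITY_INVALID = f"{LOCAL_ASN}:9101"


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: covering prefix, max length, authorized origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def parse_vrps(text: str) -> list[VRP]:
    """Parse constructed 'prefix,maxlen,asn' lines into VRP objects."""
    vrps = []
    for line in text.strip().splitlines():
        prefix, max_len, asn = (field.strip() for field in line.split(","))
        vrps.append(VRP(ipaddress.ip_network(prefix), int(max_len), int(asn)))
    return vrps


def rov_state(prefix: str, origin_asn: int, vrps: list[VRP]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'notfound'.

    notfound: no VRP covers the announced prefix (unsigned space, no policy).
    valid:    some covering VRP has the same origin AS and the announced
              prefix is not longer than that VRP's max length.
    invalid:  covered, but every covering VRP disagrees on the origin AS or
              the announcement is more specific than the max length allows
              (the /23 under a max-/22 ROA case from the talk).
    """
    announced = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == announced.version
                and announced.subnet_of(v.prefix)]
    if not covering:
        return "notfound"
    for v in covering:
        if v.asn == origin_asn and announced.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def apply_policy(route: dict, state: str, enforce: bool = False) -> dict | None:
    """Staged rollout as in the talk: first only tag with communities; once
    enforce=True, invalid routes are dropped (None). notfound stays untouched."""
    result = dict(route)
    communities = list(route.get("communities", []))
    if state == "valid":
        communities.append(COMMUNITY_VALID)
    elif state == "invalid":
        if enforce:
            return None
        communities.append(COMMUNITY_INVALID)
    result["communities"] = communities
    result["rov"] = state
    return result


def validate_table(routes: list[dict], vrps: list[VRP], enforce: bool = False):
    """Run ROV over a whole table; return accepted routes and per-state counts
    (the kind of statistics the speaker showed for his own feed)."""
    accepted, counts = [], Counter()
    for route in routes:
        state = rov_state(route["prefix"], route["origin_asn"], vrps)
        counts[state] += 1
        out = apply_policy(route, state, enforce)
        if out is not None:
            accepted.append(out)
    return accepted, counts


# Constructed validator export: ROA for 198.51.100.0/22 allows nothing longer than /22.
SAMPLE_VRPS = """
203.0.113.0/24,24,64496
198.51.100.0/22,22,64497
2001:db8::/32,48,64496
"""

# Constructed announcements received from a peer.
SAMPLE_ROUTES = [
    {"prefix": "203.0.113.0/24", "origin_asn": 64496},   # matches ROA exactly
    {"prefix": "198.51.100.0/23", "origin_asn": 64497},  # right AS, but more specific than max length
    {"prefix": "198.51.100.0/22", "origin_asn": 64499},  # covered, wrong origin AS (hijack-shaped)
    {"prefix": "192.0.2.0/24", "origin_asn": 64500},     # no ROA at all
    {"prefix": "2001:db8:1::/48", "origin_asn": 64496},  # v6, within max length
]

if __name__ == "__main__":
    vrps = parse_vrps(SAMPLE_VRPS)
    for enforce in (False, True):
        accepted, counts = validate_table(SAMPLE_ROUTES, vrps, enforce)
        print(f"enforce={enforce}: {dict(counts)} accepted={len(accepted)}")
        for r in accepted:
            print("   ", r["prefix"], r["rov"], r["communities"])
```

Running it with `enforce=False` accepts all five routes and only labels them, which is the state the speaker describes for his own network; with `enforce=True` the two invalid announcements are dropped while the unsigned (notfound) route is still accepted, matching his remark that nothing can be enforced on routes that are not signed at all.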