
May 31 Deadline For $40,000 Cybersecurity Grant For DNSSEC, RPKI, BGP and more

Do you have an idea for a project related to DNSSEC, RPKI, BGP security or other security technologies? And will that project’s activities take place in the Asia-Pacific region? (View the list of eligible countries and economies.)

If so, the Information Society Information Fund (ISIF) Asia is seeking proposals for projects that can be funded up to a maximum of $56,000 AUD (roughly $40,000 USD). This “Cybersecurity Grant” is sponsored by the Internet Society as part of our support for the Seed Alliance.


Please read the Cybersecurity Grant page for more information and follow the instructions for applying.  Please do remember that the project activities must be conducted within one of the economies that ISIF considers to be the Asia Pacific region.  ISIF also provides some guidelines for applicants and a FAQ.

As noted on the page, the focus is around practical solutions for resiliency and security in one of these areas:

  • Naming: innovative approaches to DNSSEC that enhance user confidence in Internet-based services.
  • Routing: support for wider deployment of secure routing technologies (RPKI, BGPSEC) and best practices (MANRS).
  • Measurement: investigate the nature and extent of deployment of security solutions on the Internet.
  • Traffic management: tools to measure Internet traffic congestion and/or traffic management practices OR analysis of traffic management policies and practices.
  • Confidential communications: strategies or solutions to enhance the confidentiality of Internet traffic.
  • Data security and integrity: options for improved data security and/or data breach detection and mitigation.
  • Internet of Things (IoT): security of IoT.
  • Critical Infrastructure: security of computer-controlled systems (such as energy grids, transport networks, water supply, sewage, etc.) from cyber attacks.
  • End-user device security: options for improved end-user security.
  • Building security skills in your local community.

We hope that people and organizations within the AP region will apply for this excellent grant opportunity. The application period opened up February 24 – but we thought we’d give one final notice in case people weren’t aware.

We look forward to learning in September about how the recipients will work to make the Internet more secure and resilient!


PhNOG: Thriller in Manila

Kevin Meynell and Jane Coffin from ISOC participated in the PhNOG Conference 2016, which was held on the 25th of January 2016 in Manila, The Philippines. This was organised by the Department of Science and Technology – Advanced Science and Technology Institute (DOST-ASTI), in partnership with the Philippine Network Operators’ Group (PhNOG) and the Trans-Eurasia Information Network Cooperation Center (TEIN*CC), with sponsorship provided by the Internet Society, APNIC, NSRC and others.

The event featured some interesting topics with a mixture of international and local speakers that attracted over 100 attendees. Credit must go to the Programme Committee for putting together such a good programme. The presentations have unfortunately not yet been made publicly available, but we believe they will be published soon and will let you know when they are.

Jane gave a presentation on the Management and Sustainability of IXPs with particular reference to the Philippines Open Internet Exchange (PHOpenIX). Kevin followed this up by providing an overview of Deploy360 and its resources on IPv6, DNSSEC, TLS and secure routing, as well as ISOC’s work in encouraging the development of Best Current Operational Practices (BCOPs) in the different regions around the world. He also introduced MANRS, which aims to build a community of security-minded operators promoting collaborative responsibility through filtering, anti-spoofing, coordination and global validation actions; this elicited some interest from the audience.

It’s worth highlighting a couple of other presentations though. George Michaelson provided another excellent presentation, this time on the state of RPKI. As some may know, RPKI is an exercise in being able to validate that Internet number resources (IP addresses and AS numbers) are held by a particular Local Internet Registry (LIR), with the longer-term goal being secure BGP. George gave some very good examples of how absurdly easy it currently is for bad guys to fake authority in order to hijack or otherwise persuade others to route fake prefixes, and there were at least 2,000 known cases of this happening globally.

APNIC has developed a prototype tool to see which IP address ranges in each country/economy in the Asia-Pacific region are protected by a Route Origin Authorisation (ROA). ROAs attest that particular AS numbers are authorised to originate particular IP prefixes (i.e. specific ranges of IP addresses), and are cryptographically signed by the holders of these resources using RPKI certificates issued by Regional Internet Registries (RIRs) such as APNIC.

The Philippines actually has quite an impressive number of ROAs in comparison to many other countries/economies, although this still constitutes less than 5% of all prefixes. There need to be many more signed prefixes in order to gain the critical mass required for reliable checks on who controls the number resources.

Another interesting presentation was from Kam-Sze Yeung on Akamai’s State of the Internet report for 2015. We have previously reported on this, but as a major content delivery network provider, Akamai is able to collate substantial amounts of data on many metrics including connection speeds, network availability, traffic patterns, and IPv6 adoption. Unfortunately, the Philippines does not feature particularly highly on many of the rankings, which is no surprise to the local network operators, although it is by no means bottom of the league in this respect.

All in all, it was a useful and informative event to have attended, as well as an opportunity to make contact and engage with an active community of network operators. Following the PhNOG event, the ISOC staff also attended the co-located APAN 41 meeting.


RPKI: How I signed go6lab IP resources (and survived)

Securing BGP

On July 1st I had a few minutes of spare time on my hands, so I decided to go through the procedure of Resource Public Key Infrastructure (RPKI) signing go6lab IPv6 and IPv4 PI resources that I received years ago from RIPE-NCC. I had already set up the validation part on a BGP router previously, learned how that works, and how conveniently a system like RPKI helps you with your routing decisions.

However, back then there was no easy way to sign your resources if you had PI address space. After some discussion in the community, RIPE-NCC decided to also deploy the system for PI holders.

With the help of RIPE’s Atlas probes I was able to measure the reachability and visibility of my ASN from many nodes across the global Internet. As you’ll see, nothing broke after I signed the resources. The sky did not fall, my AS remained reachable, nothing unexpected happened, and the entire process took me only 4 minutes 🙂

First, about the process: if you are a PI holder in the RIPE region, go to the “RPKI for PI holders” page and read what you need for successful signing of your resources. After you make sure you have everything you need, start the wizard to set up Resource Certification for PI End User resources.

Here you’ll have to enter your ORG identifier, or prefixes that you would like to create ROAs for. Be sure that your maximum lengths match your announced lengths, or you’ll invalidate your prefixes immediately after publishing the ROAs. You can also press “Suggest ROAs” and see if the suggestion is correct; in my case it was. Then you press “Publish ROAs”, and after about 3 hours, needed for ROAs to propagate, you can go to your RPKI validator, which you installed if you set up RPKI validation for your BGP router. There you can find your resources and also see what the view from the BGP perspective is. They’ll be either Valid, Invalid or Unknown.
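
The ROA check described above (maximum length versus announced length, and the Valid / Invalid / Unknown outcome), as an added example that is not part of the original post or of RIPE's tooling. It follows the RFC 6811 matching rules; the ROAs, the announcements and the helper names `validate` and `would_break` are constructed for illustration, using documentation prefixes and ASNs.

```python
import ipaddress

# Constructed draft ROAs as (prefix, maxLength, origin ASN); documentation
# prefixes and ASNs are used here, not go6lab's real resources.
DRAFT_ROAS = [
    ("2001:db8::/32", 32, 64496),
    ("192.0.2.0/24", 24, 64496),
]

# Constructed list of what the same operator actually announces in BGP.
ANNOUNCED = [
    ("2001:db8::/32", 64496),
    ("2001:db8:100::/48", 64496),   # more-specific, longer than maxLength 32
    ("192.0.2.0/24", 64496),
]


def validate(prefix, origin_asn, roas):
    """Route origin validation per RFC 6811: 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: route is no longer than maxLength and the origin AS agrees.
        if route.prefixlen <= max_len and origin_asn == roa_asn:
            return "valid"
    # Covered but never matched is invalid; no covering ROA at all is unknown.
    return "invalid" if covered else "unknown"


def would_break(announced, roas):
    """Own announcements that turn invalid once these ROAs are published."""
    return [(p, a) for p, a in announced if validate(p, a, roas) == "invalid"]


if __name__ == "__main__":
    print("draft ROAs break:", would_break(ANNOUNCED, DRAFT_ROAS))
    # Fix by adding a ROA for exactly the more-specific that is announced.
    fixed = DRAFT_ROAS + [("2001:db8:100::/48", 48, 64496)]
    print("fixed ROAs break:", would_break(ANNOUNCED, fixed))
    print("other origin AS:", validate("2001:db8::/32", 64511, fixed))
    print("no covering ROA:", validate("203.0.113.0/24", 64496, fixed))
```

Running `would_break` against the list of prefixes you actually announce before pressing “Publish ROAs” shows which of them a validating router would mark invalid.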

View of signed resources in RIPE Lirportal
Validity check on RPKI Validator

After that you can go and check how your BGP routers see your own resources in their Routing Information Base (RIB) if you set up RPKI validation. Hopefully you get the status “valid”.

I’m always measuring the global reachability and visibility to the go6lab network. Below you can see, excerpted for clarity and simplicity, that nothing really happened in terms of reachability on July 1st.

Atlas measurements from IPv4 Internet towards Go6lab
Atlas measurements from IPv6 Internet towards Go6lab

Those 3 lines of breakage are because the owner of the building where Go6lab is located decided to replace the main power switch with a new one. This caused 3 major outages throughout July 3rd that my UPSs did not manage to cover 🙁

So, operators and netizens, please go and sign your IP resources and set up RPKI route validation on your routers. If you follow RIPE’s advice and install invalid routes with localpref 90 rather than rejecting them, this can become a powerful tool to protect us all from route mis-originations. This tool will only be useful if everyone deploys it and starts using it. So please, go and deploy it 🙂

The next step, and possibly a topic for my next post, would be to invalidate ROAs and measure what happens. How many BGP routers on the Internet are rejecting invalid routes as opposed to installing them with a localpref 90, as suggested on the RIPE-NCC RPKI resources set-up site?

For more information on Securing BGP visit our Securing BGP start page.