an introduction to bgp security
play

An introduction to BGP security Marco dItri <md@seeweb.it> - PowerPoint PPT Presentation

Feb 06, 2023 •738 likes •961 views

An introduction to BGP security Marco dItri <md@seeweb.it> @rfc1036 Seeweb s.r.l. Albanian Network Operators Group meeting - 14 November 2018 Internet: independent networks exchanging traffic The Internet is made of interconnected

  1. An introduction to BGP security Marco d’Itri <md@seeweb.it> @rfc1036 Seeweb s.r.l. Albanian Network Operators Group meeting - 14 November 2018

  2. Internet: independent networks exchanging traffic The Internet is made of interconnected independent networks , hence we need technical mechanisms and commercial agreements to allow every computer to reach every other computer. How does a network know how to reach a different network? There is no central coordination. Multiple paths are possible, and since they may break at any time a dynamic mechanism is needed. The BGP protocol allows each side of an interconnection to advertise to the other side which IP networks it desires to receive traffic for. An introduction to BGP security Marco d’Itri 2 / 20

  3. Internet: different kinds of interconnections Many commercial agreements are possible, the most commons are: Customer : they pay me to use my network to reach the rest of the Internet. Peering : we agree to directly exchange the traffic to each own’s customers. Transit : I am the customer, so I pay some other network to use them to reach the rest of the Internet. An introduction to BGP security Marco d’Itri 3 / 20

  4. Basic theory of interdomain routing Route Information that identifies a network, e.g. 192.175.48.0/24 , and how to reach it. Autonomous system An entity with a unique external routing policy. Identified by a number: e.g. Seeweb has been assigned AS12637. It announces to its neighbors the routes for which it wants to receive traffic. The BGP routing protocol Used to exchange routing information inside an autonomous system (internal BGP) o between different ASes (external BGP). E.g. between two peers or transit provider and customer. An introduction to BGP security Marco d’Itri 4 / 20

  5. Routing security You can send any route to your neighbors: it is up to them to decide which ones they want to accept. Received routes can be filtered by creating, more or less automatically, lists of routes and/or ASNs that will be checked by the router. Sometimes it is hard to filter some very large peers due to incomplete data, but we all must work to improve routing security. There is no justification to not filter our own customers. An introduction to BGP security Marco d’Itri 5 / 20

  6. Which routes should be announced by others? A customer or peer can publish their routes using: route or route6 records in the Internet Routing Registry (IRR), but they are authenticated only by some registries (e.g. RIPE) and may be out of date. Letters of authorization (LOA): can be forged, requires manual operations. In practice it is only used for customers, not much in Europe. Cryptographic attestation (RPKI): complex, not supported by some routers, creates more central control. But probably will be the future. An introduction to BGP security Marco d’Itri 6 / 20

  7. What is RPSL Routing Policy Specification Language Is a language which allows an autonomous system to describe their routing policy in detail and use it to generate the matching configurations of routers. Specified by RFC 2622 (1999) and others. An introduction to BGP security Marco d’Itri 7 / 20

  8. RPSL is complex Defined objects: mntner, person, role aut-num, route, inet-rtr, filter, peering as-set, route-set, rtr-set, filter-set, peering-set Please raise your hand if you have ever seen a rtr-set object. Almost all of these objects can be ignored in practice. An introduction to BGP security Marco d’Itri 8 / 20

  9. The aut-num object They document the relationships among autonomous systems and the routes exchanged by them. aut-num: AS12637 import: ... export: ... Their purpose is to provide information to configure your own router, but almost nobody uses them this way. For third parties they only have information value: you should either keep them up to date or keep them as simple as possible. An introduction to BGP security Marco d’Itri 9 / 20

  10. The route object A single route and the autonomous system which announces it: route: 37.9.239.0/24 origin: AS12637 The route6 object describes IPv6 routes. An introduction to BGP security Marco d’Itri 10 / 20

  11. The as-set object A list of autonomous systems: as-set: AS12637:AS-CUSTOMERS descr: Seeweb and its IPv4 customers members: AS12637, AS31076, AS6831, AS50627 members: AS12654 # RIPE RIS Routing Beacons An introduction to BGP security Marco d’Itri 11 / 20

  12. Routing Resilience Manifesto How to improve the security and resilience of the global routing system? Mutually Agreed Norms for Routing Security (MANRS) First recommendation published in september 2014. Minimal best practices to be implemented to improve the reliability and security of global routing. Shows a commitment by industry leaders: initiated by ISOC, some of the founding members are NTT, Level3, Comcast, CERNET. Seeweb joined in february 2015, as the first italian network. An introduction to BGP security Marco d’Itri 12 / 20

  13. How did we join MANRS? I sent an email to ISOC. If your network is well managed then you will not need to do anything else. MANRS is nothing fancy and nothing new: it is the bare minimum that everybody is supposed to have already implemented. An introduction to BGP security Marco d’Itri 13 / 20

  14. Goals Show the ability of the industry to self-regulate and creates awareness thanks to the partecipation of industry leaders. Minimal recommendations that can be easily implemented by everybody and are not controversial. Does not try to solve all routing problems: a well-managed network can and should adopt more advanced processes. Every little step helps. An introduction to BGP security Marco d’Itri 14 / 20

  15. The recommended actions Prevent propagation of incorrect routing information. Prevent traffic with spoofed source IP addresses. Facilitate global operational communication and coordination. Facilitate validation of routing information on a global scale. An introduction to BGP security Marco d’Itri 15 / 20

  16. Incorrect routing information Routing information received by customers must be validated to prevent unautorized use of networks of third parties (due to mistakes or fraud...). E.g.: Filter customers by prefix-list (checking the as-path is not enough!). Verify the legitimacy of each new customer prefix before it is accepted. It does not require to validate peers’ routes, but it is still a very good idea... An introduction to BGP security Marco d’Itri 16 / 20

  17. Traffic with spoofed source IP addresses Prevent direct customers from forging the source IP of their own traffic (i.e. IP spoofing). It is critical that the traffic generated by customers is filtered by mechanisms that allow them to only use IPs assigned to them. E.g.: BCP 38 (RFC 2827): may 2000! antispoofing ACLs ip verify unicast source reachable-via rx An introduction to BGP security Marco d’Itri 17 / 20

  18. Communication and coordination Publishing own’s contacts, to be able to be reach immediately by other operators if needed. E.g.: A role object in the RIPE whois database. The ANIX web site. PeeringDB. An introduction to BGP security Marco d’Itri 18 / 20

  19. Validation of routing information Allow other operators to validate your own routing information, by publishing the list of your own networks and the networks of your customers. E.g.: Publish as-set and route / route6 object for your networks. Require customers to do the same. This allows your peers to automatically validate your BGP announces. An introduction to BGP security Marco d’Itri 19 / 20

  20. Any questions? https: //www.linux.it/~md/text/bgp-security-alnog2.pdf (Google . . . Marco d’Itri . . . I feel lucky) An introduction to BGP security Marco d’Itri 20 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Practices and Charter Research Branch Security Council Affairs Division Department of Political Affairs United Nations August

490 views • 28 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Affairs Division Department of Political Affairs United Nations August 2013 Outline What is the Security Council?

189 views • 16 slides
Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic algorithms 7.4 Digital signatures 7.5 Cryptography pragmatics 7.1. Introduction Why need security mechanisms in DS? Share of resources

364 views • 24 slides
Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to

Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to

Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to data security. - Security requirements. - Types of security threats. - Security risks. - Technologies and security solutions. Introduction

411 views • 37 slides
Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics WWW HTTP: Hyper Text Transfer Protocol HTTP Security HTML Protocol HTML Security

1.09k views • 74 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security Landscape Meraki Security Demo Security Landscape The Growing Importance of Security MALWARE HAS RISEN BY MORE THAN 10X IN THE LAST YEAR 70% M ALW AR E

604 views • 35 slides
Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction to access control Policy matrix Specification Design Implementation Operation and Maintenance Security in the Course Lectures

784 views • 40 slides
Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack surface Recent vulnerabilities Security response Defensive technologies Next steps Introduction Security nerd, recovering

790 views • 39 slides
Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

CSS441 Introduction Concepts Architecture Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

678 views • 23 slides
Abstraction by the rule of 10 Guy Davidson Meeting C++ 15/11/2019 @hatcat01 1 Good evening

Abstraction by the rule of 10 Guy Davidson Meeting C++ 15/11/2019 @hatcat01 1 Good evening

Abstraction by the rule of 10 Guy Davidson Meeting C++ 15/11/2019 @hatcat01 1 Good evening Guy @hatcat01 2 How many dots on this slide? @hatcat01 3 How many dots on this slide? @hatcat01 4 How many dots on this slide? @hatcat01 5

673 views • 43 slides
Graphics Primer Lecture 2 January 14, 2020 Introduction Computer Graphics vs. Visualization

Graphics Primer Lecture 2 January 14, 2020 Introduction Computer Graphics vs. Visualization

CS530 - Spring 2020 Introduction to Scientific Visualization Graphics Primer Lecture 2 January 14, 2020 Introduction Computer Graphics vs. Visualization Visualization methods transform data into primitives that are rendered using CG

719 views • 60 slides
Introduction to Geometric Modeling CS 395: Advanced Computer Graphics Amy Gooch 02.14.2003

Introduction to Geometric Modeling CS 395: Advanced Computer Graphics Amy Gooch 02.14.2003

Introduction to Geometric Modeling CS 395: Advanced Computer Graphics Amy Gooch 02.14.2003 Representation of Objects Raw Data Solids Point Cloud Voxels Range Image Polygon Soup High-level structures CSG

689 views • 17 slides
Du calcul de courbes dextrme de courbure sur une surface au calcul de la topologie de

Du calcul de courbes dextrme de courbure sur une surface au calcul de la topologie de

Differential Geometry Problem General Algebraic Problem Du calcul de courbes dextrme de courbure sur une surface au calcul de la topologie de courbes algbriques en gnral. Marc Pouget 1 1 LORIA, INRIA Nancy - Grand Est, VEGAS

599 views • 28 slides
How to represent real numbers In decimal scientific notation sign fraction base

How to represent real numbers In decimal scientific notation sign fraction base

How to represent real numbers In decimal scientific notation sign fraction base (i.e., 10) to some power Most of the time, usual representation 1 digit at left of decimal point Example: - 0.1234 x 10 6 A number is

379 views • 13 slides
Floa=ng-Point Numbers 2 Schedule Today Homework #2

Floa=ng-Point Numbers 2 Schedule Today Homework #2

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Floa=ng-Point Numbers 2 Schedule Today Homework #2

639 views • 27 slides
Floa=ng-Point Numbers 2 Schedule Today Finish up

Floa=ng-Point Numbers 2 Schedule Today Finish up

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Floa=ng-Point Numbers 2 Schedule Today Finish up

714 views • 32 slides
ADMIN Course paper topics due Fri Feb 24 via plain text email SI232 Set #10: More

ADMIN Course paper topics due Fri Feb 24 via plain text email SI232 Set #10: More

ADMIN Course paper topics due Fri Feb 24 via plain text email SI232 Set #10: More Computer Arithmetic (Chapter 3) 1 2 Exercise #1 Exercise #2 Do the following assuming 6 bit, twos complement numbers. Do the following

416 views • 5 slides

More recommend