BGPSec Interoperability Test QuaggaSRx and BIRD bgpsec IETF 97

SLIDE 1

Trustworthy Networking Program

BGPSec Interoperability Test QuaggaSRx and BIRD bgpsec

IETF 97

Seoul, South Korea

  • Nov. 17, 2016

Oliver Borchert (oliver.borchert@nist.gov), National Institute of Standards and Technology

SLIDE 2

Tested Systems:

QuaggaSRx, BGPSEC-IO* (https://bgpsrx.antd.nist.gov)

BIRD bgpsec (https://bgpsrx.antd.nist.gov)

*BGPSEC Traffic Generator

SLIDE 3

Topology Scenario S1

[Figure: topology diagram. Nodes: AS10 QuaggaSRx, AS20 BIRD bgpsec, AS50 QuaggaSRx, AS30 BIRD bgpsec, AS40 QuaggaSRx, AS100 BGPSEC-IO. Prefix labels, shown twice: 10.10.0.0/16, 10.10.1.0/24, 10.10.2.0/24.]

ROAs: 10.10.0.0/16-24, AS10

AS100 attempts to hijack the traffic of AS10

SLIDE 4

Starting AS 10, 20, 30, 40, 50

SLIDE 5

Starting AS 10, 20, 30, 40, 50

SLIDE 6

Switching to AS40

SLIDE 7

Switching to AS40

SLIDE 8

Adding Traffic using BGPSEC-IO

SLIDE 9

Adding Traffic using BGPSEC-IO

SLIDE 10

Adding Traffic using BGPSEC-IO

[Figure labels: BGPSEC Path Validation, RPKI Origin Validation]

SLIDE 11

Result

  • The Prefix Hijack was unsuccessful:

– Announced prefixes passed path validation

– Announcement failed RPKI origin validation

  • Policy is prefer valid

– no switch to shorter invalid route

SLIDE 12

Topology Scenario S2

[Figure: topology diagram. Nodes: AS10 QuaggaSRx, AS20 BIRD bgpsec, AS50 QuaggaSRx, AS30 BIRD bgpsec, AS40 QuaggaSRx, AS100 BGPSEC-IO, with an additional AS10 label following AS100 BGPSEC-IO. Prefix labels, shown twice: 10.10.0.0/16, 10.10.1.0/24, 10.10.2.0/24.]

ROAs: 10.10.0.0/16-24, AS10

AS100 attempts to hijack the traffic of AS10 by pre-pending AS10

SLIDE 13

Restarting Traffic using BGPSEC-IO

SLIDE 14

Restarting Traffic using BGPSEC-IO

SLIDE 15

Restarting Traffic using BGPSEC-IO

[Figure labels: BGPSEC Path Validation, RPKI Origin Validation]

SLIDE 16

Result

  • The Prefix Hijack was unsuccessful:

– Announced prefixes failed path validation

– Announcement passed RPKI origin validation

  • Policy is prefer valid

– no switch to shorter invalid route
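
The results of scenarios S1 and S2, as an added example that is not from the original slides: RFC 6811 route origin validation against the ROA shown on the slides, followed by a simplified prefer-valid route selection. The AS paths and the `Route` and `best_route` names are constructed for illustration, and the BGPsec path validation result is passed in as a flag because signature checking is not modeled here.

```python
import ipaddress
from dataclasses import dataclass

# ROA from the slides: 10.10.0.0/16, max length 24, origin AS10
ROAS = [(ipaddress.ip_network("10.10.0.0/16"), 24, 10)]

def origin_validation(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, roa_as in roas:
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this prefix
            if net.prefixlen <= max_len and origin_as == roa_as and roa_as != 0:
                return "valid"
    return "invalid" if covered else "notfound"

@dataclass
class Route:
    prefix: str
    as_path: list      # leftmost = neighbor, rightmost = origin AS
    path_valid: bool   # assumed input: outcome of BGPsec path validation

    @property
    def fully_valid(self):
        origin = self.as_path[-1]
        return self.path_valid and origin_validation(self.prefix, origin) == "valid"

def best_route(routes):
    """Simplified prefer-valid policy: validity outranks AS path length."""
    return min(routes, key=lambda r: (not r.fully_valid, len(r.as_path)))

# Constructed sample routes for 10.10.1.0/24 (paths are illustrative only).
LEGIT = Route("10.10.1.0/24", [30, 20, 10], path_valid=True)
# S1: AS100 originates the prefix itself; its own signatures verify,
# but the origin AS does not match the ROA.
HIJACK_S1 = Route("10.10.1.0/24", [100], path_valid=True)
# S2: AS100 pre-pends AS10, so the origin matches the ROA, but AS100
# cannot produce AS10's signature, so path validation fails.
HIJACK_S2 = Route("10.10.1.0/24", [100, 10], path_valid=False)

if __name__ == "__main__":
    for name, hijack in (("S1", HIJACK_S1), ("S2", HIJACK_S2)):
        chosen = best_route([hijack, LEGIT])
        print(name, "origin:", origin_validation(hijack.prefix, hijack.as_path[-1]),
              "path valid:", hijack.path_valid, "selected path:", chosen.as_path)
```
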

SLIDE 17

Questions?

oliver.borchert@nist.gov

National Institute of Standards and Technology