disco sidestepping rpki s deployment barriers
play

DISCO: Sidestepping RPKIs Deployment Barriers Tomas Hlavacek 1 Italo - PowerPoint PPT Presentation

Oct 15, 2022 •182 likes •540 views

DISCO: Sidestepping RPKIs Deployment Barriers Tomas Hlavacek 1 Italo Cunha 23 Yossi Gilad 4 Amir Herzberg 5 Ethan Katz-Bassett 3 Michael Schapira 4 Haya Shulman 1 1 Fraunhofer SIT 2 Universidade Federal de Minas Gerais 3 Columbia University 4

  1. DISCO: Sidestepping RPKI’s Deployment Barriers Tomas Hlavacek 1 Italo Cunha 23 Yossi Gilad 4 Amir Herzberg 5 Ethan Katz-Bassett 3 Michael Schapira 4 Haya Shulman 1 1 Fraunhofer SIT 2 Universidade Federal de Minas Gerais 3 Columbia University 4 Hebrew University of Jerusalem 5 University of Connecticut

  2. The Border Gateway Protocol (BGP) ◮ The Internet is composed of many Autonomous Systems (ASes) ◮ Aka ISPs or Domains ◮ Inter-AS routing uses BGP ◮ Example: AS 10 announces it has prefix 1.2.0.0/16 to AS 2 Inter-AS routing with BGP: AS 10 announces prefix 1.2.0.0/16 to AS 2.

  3. The Border Gateway Protocol (BGP) ◮ The Internet is composed of many Autonomous Systems (ASes) ◮ Aka ISPs or Domains ◮ Inter-AS routing uses BGP ◮ Example: AS 10 announces it has prefix 1.2.0.0/16 to Inter-AS routing with BGP: AS 10 AS 2 announces prefix 1.2.0.0/16 to AS 2, ◮ AS 2 forwards to AS 3 who forwards to AS 3.

  4. The Border Gateway Protocol (BGP) ◮ The Internet is composed of many Autonomous Systems (ASes) ◮ Aka ISPs or Domains ◮ Inter-AS routing uses BGP ◮ Example: AS 10 announces it has prefix 1.2.0.0/16 to AS 2 Inter-AS routing with BGP: AS 10 ◮ AS 2 forwards to AS 3 announces prefix 1.2.0.0/16 to AS 2, who forwards to AS 3. Now AS 3 sends ◮ AS 3 routes to 1.2/16 via traffic to 1.2/16 (via AS 2). AS 2

  5. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Example of prefix hijack: AS 666 claims to host 1.2.0.0/16. AS 666 announces prefix 1.2.0.0/16 to AS 3.

  6. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... AS 666 announces prefix 1.2.0.0/16 to AS 3. AS 3 sends traffic to 666 (e.g., shorter path)

  7. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Defenses? ad-hod, proprietary (expensive), weak

  8. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Defenses? ad-hod, proprietary (expensive), weak ◮ BGPsec (RFCs published in 2017) ◮ Ambitious: prevent all route manipulations

  9. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Defenses? ad-hod, proprietary (expensive), weak ◮ BGPsec (RFCs published in 2017) ◮ Ambitious: prevent all route manipulations ◮ But deployment is hard/unlikely ◮ And: builds on RPKI... ◮ RPKI (RFCs published in 2012) ◮ (only) prevent prefix hijacks ◮ Our focus

  10. RPKI: Resource Public Key Infrastructure ◮ Routing Certificate (RC): binds IP prefix π to public key pk ◮ Route Origin Authorization (ROA): binds (prefix,origin) pair ◮ Max-Length : most-specific subprefix allowed ◮ Signed by public key pk (certified for π ) ◮ Route Origin Validation (ROV): validate origin in BGP announcements ◮ Deployed by BGP routers ◮ Discard announcement with ‘invalid’ (prefix,origin) pair (differ from ROA)

  11. RPKI: Resource Public Key Infrastructure ◮ Routing Certificate (RC): binds IP prefix π to public key pk ◮ Route Origin Authorization (ROA): binds (prefix,origin) pair ◮ Max-Length : most-specific subprefix allowed ◮ Signed by public key pk (certified for π ) ◮ Route Origin Validation (ROV): validate origin in BGP announcements ◮ Deployed by BGP routers ◮ Discard announcement with ‘invalid’ (prefix,origin) pair (differ from ROA) ◮ 18.5% of (prefix,origin) pairs are ‘valid’, 0.8% ‘invalid’ [NIST] ◮ Others (81.7%): no ROA ◮ Concern: most ‘invalid’ due to ‘wrong’ ROA, not to hijack ◮ Limited security benefits - esp. for partial adoption ◮ ⇒ Slow adoption

  12. Research on Deploying RPKI ◮ RPKI ecosystem and deployment: Wahlisch*CCR12, Iamartino*PAM15, Wahlisch*HotNet15, Gilad*NDSS17, Gilad*HotNts18, Reuters*CCR18, Hlavacek*DSN18, Chung*IMC19, Testart*PAM20 ◮ RPKI security concerns, extensions: ◮ Misbehaving authority: Cooper*HotNts13, Heilman*SigCom14 ◮ ‘Path-end’ extension: Cohen*SigComm16 ◮ Max-Length considered harmful: Gilad*CoNext17

  13. Research on Deploying RPKI ◮ RPKI ecosystem and deployment: Wahlisch*CCR12, Iamartino*PAM15, Wahlisch*HotNet15, Gilad*NDSS17, Gilad*HotNts18, Reuters*CCR18, Hlavacek*DSN18, Chung*IMC19, Testart*PAM20 ◮ RPKI security concerns, extensions: ◮ Misbehaving authority: Cooper*HotNts13, Heilman*SigCom14 ◮ ‘Path-end’ extension: Cohen*SigComm16 ◮ Max-Length considered harmful: Gilad*CoNext17 ◮ This work ( DISCO ): ◮ Complementary, automated Routing Certification mechanism ◮ Goal: easy-to-issue and correct ROAs, RCs

  14. Pitfalls with RPKI Issuing of RCs, ROAs ◮ Routing Certificates (RCs): ◮ Manual application by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Room for errors, e.g., forgotten/wrong prefix, origin-AS ◮ No (immediate) feedback on errors ◮ Validation: manual - based on records of assignment, transfer ◮ Route Origin Authorizations (ROAs): ◮ Manual issuing by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Large space for errors ◮ Forgotten prefix/originAS/subprefix, wrong/missing Max-Length,. . . ◮ No validation, no (immediate) feedback on errors

  15. Pitfalls with RPKI Issuing of RCs, ROAs ◮ Routing Certificates (RCs): ◮ Manual application by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Room for errors, e.g., forgotten/wrong prefix, origin-AS ◮ No (immediate) feedback on errors ◮ Validation: manual - based on records of assignment, transfer ◮ Route Origin Authorizations (ROAs): ◮ Manual issuing by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Large space for errors ◮ Forgotten prefix/originAS/subprefix, wrong/missing Max-Length,. . . ◮ No validation, no (immediate) feedback on errors ◮ Like Waltz: great - if done well... But few do it (right)! ◮ Let’s DISCO: easier, and: ‘fool-proof’

  16. DISCO Decentralized Infrastructure for Securing & Certifying Origins ◮ Automated to reduce errors, ease adoption ◮ Let’s focus on issuing of Route Certificate (RC) ◮ ROAs: later ◮ DISCO -agent distributes (prefix π , pk) via BGP ◮ Registrar-agents (1) validate, (2) certify and send to repositories ◮ Details: next DISCO : automated issuing of RC for prefix π . DISCO registrars validate the ( π , pk) pair sent by agent.

  17. DISCO Decentralized Infrastructure for Securing & Certifying Origins ◮ Automated to reduce errors, ease adoption ◮ Let’s focus on issuing of Route Certificate (RC) ◮ ROAs: later ◮ DISCO -agent distributes (prefix π , pk) via BGP ◮ Registrar-agents (1) validate, (2) certify and send to repositories ◮ Details: next DISCO : automated issuing of RC for ◮ DISCO RCs complement prefix π . DISCO registrars validate the RPKI RCs ( π , pk) pair sent by agent. ◮ Conflict handling TBD

  18. DISCO : (1) automated validation of (pk, π ) to issue RC ◮ DISCO -agent announces prefix π , via iBGP, as optional transitive attribute ◮ RFC: should relay such attributes ◮ Experiments: relayed by almost all ASes DISCO : automated issuing of RCs. DISCO Registrars validate the ( π , pk) pair sent by agent. Agent encodes pk in transitive attribute.

  19. DISCO : (1) automated validation of (pk, π ) to issue RC ◮ DISCO -agent announces prefix π , via iBGP, as optional transitive attribute ◮ RFC: should relay such attributes ◮ Experiments: relayed by almost all ASes ◮ Registrars validate same pk received from (most) announcements of π DISCO : automated issuing of RCs. DISCO Registrars validate the ( π , pk) ◮ Same or different origin AS pair sent by agent. Agent encodes pk in transitive attribute.

  20. DISCO : (1) automated validation of (pk, π ) to issue RC ◮ DISCO -agent announces prefix π , via iBGP, as optional transitive attribute ◮ RFC: should relay such attributes ◮ Experiments: relayed by almost all ASes ◮ Registrars validate same pk received from (most) announcements of π DISCO : automated issuing of RCs. DISCO Registrars validate the ( π , pk) ◮ Same or different origin AS pair sent by agent. Agent encodes pk in ◮ Works for ≥ 97% of prefixes transitive attribute. ◮ N/A for un-announced prefixes, multi-home ( < 1%)

  21. DISCO : (2) automated issuing, distributing RC (after validation) ◮ Each DISCO registrar R i has a share of threshold signing-key s i ◮ Registrar R i uses share s i to partially-sign (pk, π ) pair, and sends to repository DISCO : automated issuing of RCs. Registrar R i validates the ( π , pk) pair, then partially-signs it and sends to repositories. Repositories combine partial-signatures to create RC for π .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6 Deployment WG Chair Takashi Arano (Intec NetCore, Inc.) IPv6 Deployment Guideline solves barriers for deployment I cant see IPv6s

319 views • 7 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
NOTICE OF PROPOSED RULEMAKING . Accelerating Wireless Broadband Deployment by Removing Barriers

NOTICE OF PROPOSED RULEMAKING . Accelerating Wireless Broadband Deployment by Removing Barriers

NOTICE OF PROPOSED RULEMAKING . Accelerating Wireless Broadband Deployment by Removing Barriers to Infrastructure Investment . WT Docket No. 1779 Jeffrey Steinberg, Deputy Chief Jill Springer, Acting Federal Preservation Officer

514 views • 22 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
Unlocking Barriers to Large Scale Deployment of Mini-Grids in Nigeria Upscaling Mini grid for

Unlocking Barriers to Large Scale Deployment of Mini-Grids in Nigeria Upscaling Mini grid for

Unlocking Barriers to Large Scale Deployment of Mini-Grids in Nigeria Upscaling Mini grid for least cost and timely access to electricity Action Leaning Event Abuja 4 th - 8 th December INTRODUCTION 3 ACHIEVING THE RURAL ELECTRIFICATION AGENCY

400 views • 20 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein

663 views • 32 slides
Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder

Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder

Effects of RPKI Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder Guillaume Pierre NLnetLabs VU Amsterdam benno@nlnetlabs.nl gpierre@cs.vu.nl VU Amsterdam 12 July 2011 Outline BGP Routing

402 views • 26 slides
Modeling Islamist Extremist Communications on Social Media using Religion, Ideology and Hate

Modeling Islamist Extremist Communications on Social Media using Religion, Ideology and Hate

Modeling Islamist Extremist Communications on Social Media using Religion, Ideology and Hate Contexts Ugur Kursuncu, PhD University of South Carolina @UgurKursuncu Ugur Kursuncu, Manas Gaur, Carlos Castillo, Amanuel Alambo, Krishnaprasad

660 views • 26 slides
Lazy Spilling for a Time-Predictable Stack Cache: Implementation and Analysis Sahar Abbaspour,

Lazy Spilling for a Time-Predictable Stack Cache: Implementation and Analysis Sahar Abbaspour,

Lazy Spilling for a Time-Predictable Stack Cache: Implementation and Analysis Sahar Abbaspour, Alexander Jordan Florian Brandner Embedded Systems Engineering Sect. Unit e dInformatique et dIng. des Syst` emes Technical University of

805 views • 80 slides
Photon BackTracker in LArSoft J. Stock, J Reichenbacher. South Dakota School of Mines and

Photon BackTracker in LArSoft J. Stock, J Reichenbacher. South Dakota School of Mines and

Photon BackTracker in LArSoft J. Stock, J Reichenbacher. South Dakota School of Mines and Technology. December 14, 2016. Photon Detector Sim/Reco Meeting./SNB-LowEnergy Meeting Why do we need Photon Backtracking? Position Studies. The

677 views • 14 slides
PostgreSQL, pgAdmin, and JOINs PDBM 7.37.3.1.5 Dr. Chris Mayfield Department of Computer

PostgreSQL, pgAdmin, and JOINs PDBM 7.37.3.1.5 Dr. Chris Mayfield Department of Computer

PostgreSQL, pgAdmin, and JOINs PDBM 7.37.3.1.5 Dr. Chris Mayfield Department of Computer Science James Madison University Feb 06, 2020 What is PostgreSQL? PostgreSQL is a powerful, open source object-relational database system. . .

768 views • 18 slides
A RELOAD Usage for Distributed Conference Control (DisCo) Update draft-knauf-p2psip-disco-02

A RELOAD Usage for Distributed Conference Control (DisCo) Update draft-knauf-p2psip-disco-02

A RELOAD Usage for Distributed Conference Control (DisCo) Update draft-knauf-p2psip-disco-02 Alexander Knauf, Gabriel Hege Thomas Schmidt, Matthias Whlisch alexander.knauf@haw-hamburg.de, hege@fhtw-berlin.de,

251 views • 14 slides
Presented by Jonathan Walpole (based on a slide set from Vidhya Sivasankaran) Outline Goal

Presented by Jonathan Walpole (based on a slide set from Vidhya Sivasankaran) Outline Goal

Disco : Running commodity operating systems on scalable multiprocessors Edouard et al. Presented by Jonathan Walpole (based on a slide set from Vidhya Sivasankaran) Outline Goal Problems &amp; Solution Virtual Machine Monitors(VMM)

585 views • 25 slides
MULTIPROCESSORS AND HETEROGENEOUS ARCHITECTURES Hakim Weatherspoon CS6410 Slides borrowed

MULTIPROCESSORS AND HETEROGENEOUS ARCHITECTURES Hakim Weatherspoon CS6410 Slides borrowed

1 MULTIPROCESSORS AND HETEROGENEOUS ARCHITECTURES Hakim Weatherspoon CS6410 Slides borrowed liberally from past presentations from Deniz Altinbuken, Ana Smith, Jonathan Chang Overview Systems for heterogeneous multiprocessor architectures

751 views • 52 slides
Modern systems: multicore issues By Paul Grubbs Portions of this talk were taken from Deniz

Modern systems: multicore issues By Paul Grubbs Portions of this talk were taken from Deniz

Modern systems: multicore issues By Paul Grubbs Portions of this talk were taken from Deniz Altinbukens talk on Disco in 2009: http://www.cs.cornell.edu/courses/cs6410/2009fa/lectures/09-multiprocessors.ppt What papers will we be discussing?

404 views • 26 slides

More recommend