French Internet Resilience Observatory François Contat, Guillaume - - PowerPoint PPT Presentation



slide-1
SLIDE 1

French Internet Resilience Observatory

François Contat, Guillaume Valadon

Agence nationale de la sécurité des systèmes d'information http://www.ssi.gouv.fr/en

RIPE 67 - October 15th, 2013

ANSSI - http://www.ssi.gouv.fr/observatoire 1/31

slide-2
SLIDE 2

The observatory in a nutshell

Prior issues

  • the Internet is misunderstood;
  • network incident analyses are rarely France-oriented;
  • the usage of best current practices is unknown.

Some of our objectives

  • study the French Internet in detail;
  • develop technical interactions with the networking community;
  • publish anonymized results;
  • publish recommendations and best practices.


slide-3
SLIDE 3

Internet resilience?

«Resilience is the ability to respond to a major crisis and to quickly restore a normal service.»

The French White Paper on defence and national security, 2008

The Internet is often considered as a regular industry. Its resilience is mainly studied through:

  • the dependency on electricity;
  • the location of physical infrastructures.

The observatory aims to study the Internet resilience from a technical point of view.


slide-4
SLIDE 4

Who?

The observatory is under the supervision of the ANSSI. Created on July 7th 2009, the ANSSI is the national authority for the defence and the security of information systems:

  • in French, ANSSI, Agence nationale de la sécurité des systèmes d'information;

  • in English, French Network and Information Security Agency.

Main missions are:

  • prevention;
  • defence of information systems.

One of its priorities is the Internet resilience. http://www.ssi.gouv.fr/en/


slide-5
SLIDE 5

Who else?


Afnic

The French Registry for the .fr zone as well as overseas territories. http://www.afnic.fr/en/ Afnic has been co-leading the project since the beginning.

French network actors

ISPs, IXP, transit providers…


slide-6
SLIDE 6

What can be observed?

Two main possible directions:

  • services (HTTPS usage, mail…);
  • Internet structure (routing, name services).

Today, the observatory is focusing solely on the Internet structure through BGP and DNS.


slide-7
SLIDE 7

How to observe?

Several technical indicators were defined:

  • 7 indicators for BGP (route objects, hijacks, RPKI…);
  • 5 indicators for DNS (topological distribution, DNSSEC…).

In the report, each indicator contains:

  1. a description;
  2. a methodology and its limitations;
  3. an analysis.


slide-8
SLIDE 8

Border Gateway Protocol

slide-9
SLIDE 9

Data and indicators

RIS project - BGP updates

Data: AS origin, prefix, AS_PATH…

Indicators: hijack classification, connectivity, IPv6, BCP…

RIPE-NCC Whois database

Data: route, route6, aut-num…

Indicators: hijack classification, connectivity, IPv6, BCP…


slide-10
SLIDE 10

Identifying the French Internet

Existing databases are not adequate: some ASes are missing.

Finding French ASes

  • more than 40,000 ASes in the Internet;
  • automatically identify French ASes using an unsupervised learning algorithm.

Results

  • 1270 French ASes;
  • compared to existing public databases (Cymru, RIPE):
      • 9 ASes missing in our database;
      • 40 and 70 more ASes.


slide-11
SLIDE 11

Connectivity

Motivations

  • are French ASes well connected to each other?
  • are there Single Points Of Failure (SPOFs)?

Methodology

  • build a representative graph of the French Internet:
      • use AS_PATH seen by the RIS collectors;
      • extract the subgraph of French ASes.
  • identify the critical ASes (SPOF) for the French Internet:
      • highlight ASes whose loss can lead to a loss of connectivity.
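
The methodology above, as an added Python example that is not the observatory's own code: it builds the AS graph from AS_PATHs, keeps the subgraph of a chosen AS set, and reports articulation points. Treating a SPOF as an articulation point is an assumption, and the AS numbers and paths are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: AS_PATHs as a collector would see them (documentation
# ASNs from RFC 5398). FRENCH_ASES stands in for the identified French AS set.
SAMPLE_PATHS = [
    [64500, 64496, 64497],
    [64500, 64496, 64498],
    [64500, 64497, 64498],
    [64500, 64499, 64496],
    [64500, 64499, 64501],
    [64500, 64496, 64496, 64502],  # AS prepending repeats an ASN
    [64500, 64510, 64497],         # 64510 is outside the studied set
]
FRENCH_ASES = {64496, 64497, 64498, 64499, 64501, 64502}


def build_graph(paths, keep):
    """Undirected AS graph from consecutive AS_PATH hops, restricted to `keep`."""
    graph = defaultdict(set)
    for path in paths:
        for left, right in zip(path, path[1:]):
            if left != right and left in keep and right in keep:
                graph[left].add(right)
                graph[right].add(left)
    return graph


def critical_ases(graph):
    """Articulation points: ASes whose removal splits the graph (iterative DFS)."""
    disc, low, critical = {}, {}, set()
    for root in list(graph):
        if root in disc:
            continue
        disc[root] = low[root] = len(disc)
        root_children = 0
        stack = [(root, None, iter(graph[root]))]
        while stack:
            node, parent, neighbours = stack[-1]
            for nxt in neighbours:
                if nxt not in disc:            # tree edge: descend into nxt
                    disc[nxt] = low[nxt] = len(disc)
                    if node == root:
                        root_children += 1
                    stack.append((nxt, node, iter(graph[nxt])))
                    break
                if nxt != parent:              # back edge to an ancestor
                    low[node] = min(low[node], disc[nxt])
            else:                              # neighbours exhausted: backtrack
                stack.pop()
                if parent is not None:
                    low[parent] = min(low[parent], low[node])
                    if parent != root and low[node] >= disc[parent]:
                        critical.add(parent)
        if root_children > 1:
            critical.add(root)
    return critical
```

On the sample, `critical_ases(build_graph(SAMPLE_PATHS, FRENCH_ASES))` returns the two ASes that single-homed neighbours depend on; a graph built from one collector's view can miss links, so a reported SPOF may have redundancy that the collector does not see.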


slide-12
SLIDE 12

Connectivity

IPv4

[Figure: graph of the French Internet. Blue: French ASes. Red: ASes whose loss leads to a loss of connectivity.]

There are few ASes whose loss can significantly impact the French Internet.


slide-14
SLIDE 14

Prefix conflicts

[Figure: AS1, AS2, AS3 and AS4 exchanging BGP announcements for 192.0.2.0/24; labels: "192.0.2.0/24 AS2 AS1" and "192.0.2.0/24 AS4".]

  • prefix announcements between ASes: routes are exchanged;
  • both ASes announce the same prefix: hijack?
  • could be anycast, DDoS protection, customer…

This conflict must be named differently: event.


slide-18
SLIDE 18

How can we classify an announcement as valid?

[Figure: AS1, AS2, AS3 and AS4 exchanging BGP announcements for 192.0.2.0/24; labels: "192.0.2.0/24 AS2 AS1" and "192.0.2.0/24 AS4".]

In this example, we look for the prefix 192.0.2.0/24 in the whois database:

    $ whois -T route 192.0.2.0/24
    descr:   Route object example
    route:   192.0.2.0/24
    origin:  AS4
    mnt-by:  AS1-MNT


slide-22
SLIDE 22

Classifying events

[Figure: bar chart of the number of events (axis from 400 to 3600), split into valid, connected and abnormal events; bar labels: 29 %, 48 %, 23 %.]

Valid: a route object exists for the AS including the prefix.

Connected: one of the ASes provides transit to the other.

Abnormal: it might be a prefix hijack.

After analysis, 7 abnormal events seem to be real hijacks.
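
The three categories defined above, as an added Python example that is not the observatory's own code: it parses route objects in the `whois -T route` format and labels each origin change on a prefix. The update list, the extra AS numbers and the use of AS_PATH adjacency as a stand-in for a transit relationship are assumptions made for this example.

```python
import ipaddress

# Constructed sample: route objects in the format printed by `whois -T route`.
WHOIS_TEXT = """\
route:   192.0.2.0/24
descr:   Route object example
origin:  AS4
mnt-by:  AS1-MNT

route:   198.51.100.0/24
origin:  AS64496
"""
# Constructed sample: (prefix, AS_PATH) in arrival order; the origin AS is last.
UPDATES = [
    ("192.0.2.0/24", ["AS2", "AS1"]),
    ("192.0.2.0/24", ["AS3", "AS4"]),
    ("198.51.100.0/24", ["AS2", "AS64496"]),
    ("198.51.100.0/24", ["AS3", "AS64496", "AS64497"]),
    ("203.0.113.0/24", ["AS2", "AS64498"]),
    ("203.0.113.0/24", ["AS3", "AS64499"]),
]


def parse_route_objects(text):
    """Return [(network, origin)] from blank-line separated RPSL objects."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, value = line.partition(":")
            current.setdefault(key.strip().lower(), value.strip())
            continue
        route = current.get("route") or current.get("route6")
        if route and "origin" in current:
            objects.append((ipaddress.ip_network(route), current["origin"].upper()))
        current = {}
    return objects


def has_route_object(objects, prefix, origin):
    net = ipaddress.ip_network(prefix)
    return any(asn == origin and route.version == net.version
               and net.subnet_of(route) for route, asn in objects)


def classify_events(updates, objects):
    """Label each origin change on a prefix as valid, connected or abnormal."""
    adjacent = {frozenset(hop) for _, path in updates for hop in zip(path, path[1:])}
    first_origin, events = {}, []
    for prefix, path in updates:
        origin = path[-1]
        incumbent = first_origin.setdefault(prefix, origin)
        if origin == incumbent:
            continue
        if has_route_object(objects, prefix, origin):
            label = "valid"
        elif frozenset((incumbent, origin)) in adjacent:
            label = "connected"   # assumption: AS_PATH adjacency stands for transit
        else:
            label = "abnormal"    # candidate hijack, needs manual analysis
        events.append((prefix, incumbent, origin, label))
    return events
```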


slide-24
SLIDE 24

Cross-check routing table and whois database

[Figure: cross-check between the RIS LINX routing table and the Whois database.]

  • 4289 French prefixes (RIS LINX);
  • 3771 French route objects (Whois database).

Prefix filtering

  • uncovered prefixes: 660;
  • prefixes covered: 3629;
  • 15% of French prefixes could be blackholed.

Whois consistency

  • unused route objects: 1183;
  • matched route objects: 2588;
  • 31% of route objects are unused in 2012.

  • prefixes announced with BGP should be covered by route objects;
  • preliminary step to RPKI.
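
The cross-check above, as an added Python example that is not the observatory's own code: it compares announced prefixes with route objects in both directions. The data set is constructed, the rule that a route object covers an equal or more specific prefix with the same origin is an assumption, and the split of uncovered prefixes into origin mismatch and no object is an addition.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs).
ANNOUNCED = [                      # (prefix, origin AS) seen in the routing table
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/25", 64497),    # more specific of a declared /24
    ("198.51.100.128/25", 64499),  # declared space, different origin
    ("203.0.113.0/24", 64498),     # no route object at all
]
ROUTE_OBJECTS = [                  # (route, origin) declared in the whois database
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("192.0.2.0/25", 64496),       # declared but never announced
]


def covers(route, prefix):
    """True when `prefix` is equal to or more specific than `route`."""
    return route.version == prefix.version and prefix.subnet_of(route)


def cross_check(announced, route_objects):
    ann = [(ipaddress.ip_network(p), asn) for p, asn in announced]
    objs = [(ipaddress.ip_network(r), asn) for r, asn in route_objects]
    report = {"covered": [], "origin_mismatch": [], "no_object": [],
              "matched": [], "unused": []}
    # Prefix filtering view: is each announcement backed by a route object?
    for prefix, asn in ann:
        origins = [o for route, o in objs if covers(route, prefix)]
        if asn in origins:
            report["covered"].append(str(prefix))
        elif origins:
            report["origin_mismatch"].append(str(prefix))
        else:
            report["no_object"].append(str(prefix))
    # Whois consistency view: is each route object used by an announcement?
    for route, asn in objs:
        used = any(a == asn and covers(route, p) for p, a in ann)
        report["matched" if used else "unused"].append(str(route))
    uncovered = len(report["origin_mismatch"]) + len(report["no_object"])
    report["uncovered_pct"] = round(100 * uncovered / (len(ann) or 1), 1)
    report["unused_pct"] = round(100 * len(report["unused"]) / (len(objs) or 1), 1)
    return report
```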


slide-30
SLIDE 30

Domain Name System

slide-31
SLIDE 31

Data & tools

The DNSWitness platform is used to collect data.

Active measurements

Data: .fr domains retrieved from the whole .fr zone.

Tool: DNSdelve.

Indicators: number of DNS servers, IPv6 services, DNSSEC…

Passive measurements

Data: requests received by Afnic authoritative servers.

Tool: DNSmezzo.

Indicators: Kaminsky attack, IPv6 queries…


slide-32
SLIDE 32

Distribution of authoritative DNS servers

[Figure: bar chart, x axis "Number of servers per .fr domain" (1, 2, 3, 4, 5, 6+), y axis from 0 % to 60 %; bar labels in extraction order: 0.3, 30, 7, 49.3, 2, 11.4.]

A high number of servers per zone increases the resilience.

There are enough servers per .fr domain.


slide-34
SLIDE 34

Distribution of ASes per DNS zone

[Figure: bar chart, x axis "Number of ASes per .fr domain" (1, 2, 3, 4, 5), y axis from 0 % to 100 %; bar labels in extraction order: 81.9, 12.6, 3.9, 0.9, 0.6.]

A high number of ASes per zone increases resilience.

Most domains are located in one AS.


slide-36
SLIDE 36

DNSSEC deployment in .fr domains

DNSSEC prevents DNS cache poisoning.

Deployment history

  • .fr zone signed and published: September 14th, 2010;
  • .fr zone has accepted signed delegations since April 2011.

All .fr domains could be signed.

Deployment in practice

  • only 1.5% of the whole .fr zone is signed;
  • thanks to a single French DNS registrar.

DNSSEC is not widely deployed.


slide-38
SLIDE 38

IPv6 deployment of servers within .fr domains

[Figure: bar chart for DNS, Mail and Web, y axis from 0 % to 60 %, series 2010, 2011 and 2012; bar labels in extraction order: 6.4, 0.9, 0.3, 41.0, 1.6, 2.2, 59.7, 10.6, 4.2.]

  • DNS: NS record points to a name with a AAAA record;
  • mail: MX record points to a name with a AAAA record;
  • web: www.zone.fr has a AAAA record.

Insufficient IPv6 deployment besides DNS servers.


slide-40
SLIDE 40

IPv6 deployment of DNS cache and clients

[Figure: two bar charts with y axes from 0 % to 80 %, series 2011 and 2012. "Transport": IPv6 transport. "Requests": AAAA/IPv6, A/IPv4, Other. Bar labels in extraction order: 7, 11, 11, 72, 17, 13, 64, 23.]

Data received by Afnic servers is now analyzed based on:

  • transport: IP version preferred by DNS caches;
  • requests: IP version preferred by clients.

Most traffic and queries are still related to IPv4.


slide-43
SLIDE 43

Conclusion & recommendations

« For BGP & DNS, the French Internet status is acceptable. However, there is no evidence that it will be true in the future. »

2012 report

Recommendations

  1. declare route objects, and keep declarations up-to-date, in order to ease filtering and hijack detection;
  2. deploy IPv6 to anticipate problems;
  3. apply BGP best current practices;
  4. distribute authoritative DNS servers across several ASes.


slide-44
SLIDE 44

Future work

Tools

  • scale to handle 40k ASes;
  • reduce indicator limitations;
  • use more than one BGP collector from RIS.

The next report

  • will be published mid-2014;
  • indicators will be enhanced;
  • items will be written in English.


slide-45
SLIDE 45

Questions?

Published material (French only)

  • 2011 report;
  • 2012 report;
  • BGP configuration best practices.
