from the consent of the routed
play

From the Consent of the Routed: Improving the Transparency of the - PowerPoint PPT Presentation

Jul 01, 2023 •379 likes •660 views

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

  1. From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014

  2. Overview Motivation: The RPKI* (2011 to present) secures interdomain routing, … but creates a new danger of misbehaving authorities. Route is reachable during … Drop RPKI invalid routes? BGP attack RPKI misbehavior X Yes RPKI X No We propose changes to the RPKI to detect misbehavior. • We have a window of opportunity to influence RPKI design. • Changes being still being made to RPKI specification. • Concurrent to our work, IETF is drafting misbehavior defenses * RPKI = Resource Public Key Infrastructure [RFC 6480]

  3. Outline 1. Background. 1. Interdomain routing is not secure: BGP Prefix hijacks. 2. How the RPKI is designed to prevent these attacks. 3. Misbehaving RPKI authorities and takedowns. 2. Our proposed changes.

  4. The RPKI is designed to prevent prefix hijacks.

  5. The Indosat prefix hijack incident from 03/04/2014 AS 71 15.195.160.0/20 Indosat AS 4761 AS 4761 HP 15.195.160.0/20 AS 71 1600 prefixes were hijacked. Source: http://portal.bgpmon.net/data/indosat-us.txt

  6. What is the fundamental vulnerability? Problem: Route origin announcements are not authenticated. Solution: The RPKI authenticates route origins. AS 71 15.195.160.0/20 Indosat AS 4761 AS 4761 HP 15.195.160.0/20 AS 71 ROA AS 71 RPKI 15.195.160.0/20 (Route Origin Authorization)

  7. The structure of the RPKI RIPE (Réseaux IP Européens) RIPE’s Publication point RC: 79.132.96.0/19 Resource Cert (RC) DARS manifest DARS Publication Point ROA: Dartel LTD ROA: DARS AS 51813 AS 43782 manifest 79.132.96.0/24 79.132.96.0/19 Route Origin Authorization (ROA) Deployment Status of the RPKI: • Today: ROAs cover about 4% of interdomain routes. • Goal: Cover all routes!

  8. How relying parties sync to the RPKI Relying Party DARS Publication Point Alice RPKI Prefix, AS Router filename – hash 25c.cert – 61F… AS 4761 8e1.roa – 3E5 … 0fa.roa – 71A… 15.195.160.0/20 Status of the RPKI today: • Today, few routers discard “RPKI invalid” routes Indosat AS 4761

  9. Misbehaving RPKI authorities. • Prior to the RPKI, authorities could allocate IPs but not revoke them. • But RPKI authorities can revoke allocations! • Creates a risk that the RPKI can be used for unilateral takedowns. – Law enforcement? Business disputes? Extortion? – The RPKI designed to secure routing, not enable takedowns. – [Mueller- Kuerbis’11, Mueller -Schmidt- Kuerbis’13, Amante’12, FCC’13,…] • States seem to want the ability to takedown IP prefixes… – Dutch court ordered RIPE to takedown prefixes (Nov’11) – US court issued a writ of attachment on Iran’s IP prefixes (June’14) – IP allocation does not reflect jurisdiction. # of RIPE ROAs by country (from our model RPKI)

  10. An RPKI takedown? RIPE (Réseaux IP Européens) RIPE’s Publication point RC: 79.132.96.0/19 DARS DARS Publication Point ROA: Dartel LTD ROA: DARS Dec 19 2013 AS 51813 AS 43782 79.132.96.0/24 79.132.96.0/19 Is this legitimate AS 51813 behavior, a ( Dartel LTD ) 79.132.96.0/24 takedown, or a business dispute? We can’t tell ! AS51813

  11. Proposed changes to the RPKI • Design Goals: – Transparency: Relying parties audit the RPKI & alarm on problems. – Consent : RCs can indicate their consent to be revoked. Alarms are raised for revocations without consent. – Consistency : Relying parties have the same view of the RPKI. • Our Threat Model: – Similar to the threat model used in certificate transparency [RFC 6962] Alice – Relying parties are honest – Everyone else (including RPKI authorities) is untrusted RPKI

  12. How consent works. RIPE (Réseaux IP Européens) RIPE’s Publication point RC: 79.132.96.0/19 DARS DARS Publication Point RC: 79.132.96.0/24 ROA: DARS Dartel LTD AS 43782 79.132.96.0/19 Dartel LTD Publication Point ROA: Dartel LTD AS 51813 79.132.96.0/24 If an authority wants to revoke IP prefixes from a child RC, it needs consent from that child & its impacted* descendant RCs. *Descendants aren’t always impacted by changes to the parent; ask me why later!

  13. How consent works. RIPE (Réseaux IP Européens) RIPE’s Publication point RC: 79.132.96.0/19 DARS DARS Publication Point RC: 79.132.96.0/24 ROA: DARS Dartel LTD Dartel consents! AS 43782 .dead 79.132.96.0/19 Dartel LTD Publication Point ROA: Dartel LTD AS 51813 79.132.96.0/24 If an authority wants to revoke IP prefixes from a child RC, it needs consent from that child & its impacted* descendant RCs. *Descendants aren’t always impacted by changes to the parent; ask me why later!

  14. What about alarms between syncs? Afternoon Night Morning Morning RC RC RC ROA ROA ROA ROA Alice syncs in the morning & misses violations Alice between syncs! Why does Alice need to catch alarms between syncs? 1) So relying parties can audit the RPKI 2) So we can have consistency (explained later)

  15. Catching alarms between syncs. RC RC ROA ROA Alice Alice How Alice checks a publication point: 1. Sync to the publication point 2. Use hints file to reconstruct intermediate manifests 3. Verify the hash chain & signature of the latest manifest 4. Alarm if a consent violation is detected.

  16. Catching alarms between syncs. RC RC Hints File (contains diffs) ROA ROA Alice Alice How Alice checks a publication point: 1. Sync to the publication point 2. Use hints file to reconstruct intermediate manifests 3. Verify the hash chain & signature of the latest manifest 4. Alarm if a consent violation is detected.

  17. Catching alarms between syncs. RC RC RC ROA ROA ROA ROA Alice Alice How Alice checks a publication point: 1. Sync to the publication point 2. Use hints file to reconstruct intermediate manifests 3. Verify the hash chain & signature of the latest manifest 4. Alarm if a consent violation is detected.

  18. Catching alarms between syncs. RC RC RC Hash Hash Hash ROA ROA ROA ROA Alice Alice How Alice checks a publication point: 1. Sync to the publication point 2. Use hints file to reconstruct intermediate manifests 3. Verify the hash chain & signature of the latest manifest 4. Alarm if a consent violation is detected.

  19. Catching alarms between syncs. .dead RC RC RC Hash Hash Hash ROA ROA ROA ROA Alice Alice How Alice checks a publication point: 1. Sync to the publication point 2. Use hints file to reconstruct intermediate manifests Theorem: Valid Remains Valid. 3. Verify the hash chain & signature of the latest manifest Once a relying party has seen a valid RC, 4. Alarm if a consent violation is detected. that RC remains valid until it consents to be deleted/modified.

  20. How many parties need to consent? • RIPE How many ASes need to be involved (Réseaux IP Européens) when an RC is revoked? RC: 79.132.96.0/19 2 DARS • Production RPKI • average 1.5 ASes / leaf RC RC: 79.132.96.0/24 ROA: DARS Dartel LTD AS 43782 • Model fully-deployed RPKI 79.132.96.0/19 • average 1.6 ASes / leaf RC • 99.3% need <10 ASes / leaf RC ROA: Dartel LTD • AS 51813 0.02% need >100 ASes / leaf RC 79.132.96.0/24 Results: production RPKI 1000 500 # RCs 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16+ # of ASes involved in revoking a leaf RC

  21. How many parties need to consent? • RIPE How many ASes need to be involved (Réseaux IP Européens) when an RC is revoked? RC: 79.132.96.0/19 2 DARS • Production RPKI • average 1.5 ASes / leaf RC RC: 79.132.96.0/24 ROA: DARS Dartel LTD AS 43782 • Model fully-deployed RPKI 79.132.96.0/19 • average 1.6 ASes / leaf RC • 99.3% need <10 ASes / leaf RC ROA: Dartel LTD • AS 51813 0.02% need >100 ASes / leaf RC 79.132.96.0/24 “With great power comes great responsibility” - Voltaire, Spiderman

  22. Proposed changes to the RPKI • Design Goals: – Transparency: Relying parties audit the RPKI through alarms. – Consent : If an authority wants to revoke IP prefixes from a child RC, it needs consent from the child RC & its impacted descendant RCs. – Consistency : Relying parties have the same view of the RPKI.

  23. Mirror world attacks. Relying parties RPKI Alice Bob Mirror world attack: RPKI Authority presents one view to a relying parties and a different view to others.

  24. Detecting mirror worlds using manifest hash chains Night Afternoon Morning Alice Night Bob Hash( ) Bob sends a hash of his latest manifest & Alice finds it in her hashchain. Theorem: No mirror worlds. If the consistency check passes, relying parties saw the same valid objects.

  25. The challenge of asynchronous validity changes. RIPE DARS DARS’ new publication point.

  26. Summary. Motivation: RPKI secures interdomain routing, but creates a new danger of misbehaving authorities. • Our proposed changes: • Consent through .dead objects. • Consistency through via hints files, hash-chained manifests, & checks between relying parties. • Our changes are practical and effective: • We extend existing mechanisms within the RPKI. • Consent requires minimal work for ASes (see paper for details). • Window of opportunity to influence RPKI design: • Changes being still being made to RPKI specification. • Concurrent to our work, IETF is drafting misbehavior defenses [draft-kent-sidr-suspenders-01].

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Informed Consent R Jane McKay Informed Consent Consent why and when do we need it ?

Informed Consent R Jane McKay Informed Consent Consent why and when do we need it ?

Informed Consent R Jane McKay Informed Consent Consent why and when do we need it ? Patient Autonomy All individuals have right to determine what is done to them Treatment is much broader than surgery involves IM

471 views • 32 slides
Scaling Up OpenStack Networking with Routed Networks Carl Baldwin, Neutron Developer, IBM Cloud

Scaling Up OpenStack Networking with Routed Networks Carl Baldwin, Neutron Developer, IBM Cloud

Scaling Up OpenStack Networking with Routed Networks Carl Baldwin, Neutron Developer, IBM Cloud @CarlNBaldwin Miguel Lavalle, Neutron Development Lead, IBM Linux Technology Center Agenda Why Routed Networks Layer 2 and layer-3

397 views • 27 slides
Informed Consent in Research consent has been firmly established in clinical practice and

Informed Consent in Research consent has been firmly established in clinical practice and

2014/9/18 Requirement of Informed Consent In Japan, like many other countries, the doctrine of informed Informed Consent in Research consent has been firmly established in clinical practice and research. in Japan: A Case for Broad Consent In the

533 views • 6 slides
MDF Recovery: Recycled MDF technologies for routed and laminated applications. Dr Graham

MDF Recovery: Recycled MDF technologies for routed and laminated applications. Dr Graham

MDF Recovery: Recycled MDF technologies for routed and laminated applications. Dr Graham Ormondroyd Dr Rob Elias Dr Simon Curling BioComposites Centre Bangor UK COST FP1303 28 th February 1st March 2017 Sofia, Bulgaria The technology

329 views • 3 slides
Axon: A Flexible Substrate for Source-routed Ethernet

Axon: A Flexible Substrate for Source-routed Ethernet

Axon: A Flexible Substrate for Source-routed Ethernet Jeffrey Shafer Brent Stephens Michael Foss

423 views • 38 slides
Power Power Efficiency Efficiency of of Wavelength Wavelength- -Routed Routed Optical

Power Power Efficiency Efficiency of of Wavelength Wavelength- -Routed Routed Optical

Power Power Efficiency Efficiency of of Wavelength Wavelength- -Routed Routed Optical Optical NoC NoC Topologies Topologies for Global for Global Connectivity of 3D Multi- Connectivity of 3D Multi -Core Processors Core Processors Luca

345 views • 31 slides
Presentation Outline Consent a Key Principle in PHIPA General Consent Provisions of

Presentation Outline Consent a Key Principle in PHIPA General Consent Provisions of

Consent Requirements Under the Personal Health Information Protection Act Debra Grant Debra Grant Office of the Information and Privacy Commissioner of Ontario EHIL Webinar May 11, 2011 Presentation Outline Consent a Key Principle in

520 views • 14 slides
Informed Consent in Research in Japan: A Case for Broad Consent Addendum: I regret I could not

Informed Consent in Research in Japan: A Case for Broad Consent Addendum: I regret I could not

Informed Consent in Research in Japan: A Case for Broad Consent Addendum: I regret I could not give adequate explanations in response to the questions posed after my presentation in Bali Convention Center on August 22, 2014. Supplemental slides

241 views • 21 slides
CONSENT PROCESS SPECIAL POPULATIONS CONSENT Com m on Rule ANPRM Current provisions of the

CONSENT PROCESS SPECIAL POPULATIONS CONSENT Com m on Rule ANPRM Current provisions of the

S E S S I O N 3 CONSENT PROCESS SPECIAL POPULATIONS CONSENT Com m on Rule ANPRM Current provisions of the The regulations would be revised to provide greater specificity Common Rule provide only about how consent forms should

218 views • 3 slides
Tamarind Hearing presentation Applications for marine consent and marine discharge consent under

Tamarind Hearing presentation Applications for marine consent and marine discharge consent under

Tamarind Hearing presentation Applications for marine consent and marine discharge consent under the EEZ-CS Act (2012) Before the EPA Board of Inquiry, 8 th November 2018 Lyndon DeVantier, PhD Opposed. Cumulative Effects Assessments for

424 views • 23 slides
Re-allocation at consent expiry September 2017 What the RMA says about existing infrastructure

Re-allocation at consent expiry September 2017 What the RMA says about existing infrastructure

Re-allocation at consent expiry September 2017 What the RMA says about existing infrastructure When considering an application [for renewal of resource consent] a consent authority must have regard to the value of the investment of the

169 views • 4 slides
The Development Consent Process The Role of Local Authorities / GLA The Development Consent

The Development Consent Process The Role of Local Authorities / GLA The Development Consent

The Development Consent Process The Role of Local Authorities / GLA The Development Consent Process DEVELOPER PI NS SofS Decision Acceptance Pre-application Exam ination Pre-examination Recom m endation 1 Year + 1 Year Thames Tideway

432 views • 14 slides
LeGare Consent Decree For 2017-2018 What is LeGare? The LeGare Consent Decree (1995) Each

LeGare Consent Decree For 2017-2018 What is LeGare? The LeGare Consent Decree (1995) Each

LeGare Consent Decree For 2017-2018 What is LeGare? The LeGare Consent Decree (1995) Each student with a disability or English Language Learner (ELL) has an equal opportunity to attend a criteria based high school and or programs that are

587 views • 21 slides
LeGare Consent Decree For 2017-2018 What is LeGare? The LeGare Consent Decree (1995) Each

LeGare Consent Decree For 2017-2018 What is LeGare? The LeGare Consent Decree (1995) Each

LeGare Consent Decree For 2017-2018 What is LeGare? The LeGare Consent Decree (1995) Each student with a disability or English Language Learner (ELL) has an equal opportunity to attend a criteria based high school and or programs that are

703 views • 20 slides
PSION: Combining Logical Topology and Physical Layout Optimization for Wavelength-Routed ONoCs

PSION: Combining Logical Topology and Physical Layout Optimization for Wavelength-Routed ONoCs

PSION: Combining Logical Topology and Physical Layout Optimization for Wavelength-Routed ONoCs Alexandre Truppel + , Tsun-Ming Tseng + , Davide Bertozzi * , Jos Carlos Alves # , Ulf Schlichtmann + + Technical University of Munich, Germany *

472 views • 29 slides
K-periodically routed graphs Julien Boucaron Anthony Coadou EPI Aoste Basics Motivation

K-periodically routed graphs Julien Boucaron Anthony Coadou EPI Aoste Basics Motivation

K-periodically routed graphs Julien Boucaron Anthony Coadou EPI Aoste Basics Motivation Introducing control in data-flow process networks while ensuring strong desirable properties such as determinism , decidable safety and liveness .

331 views • 30 slides
Minimizing MAXLIVE For Spill-Free Register Allocation Shashi Deepa Arcot, Henry Gordon Dietz,

Minimizing MAXLIVE For Spill-Free Register Allocation Shashi Deepa Arcot, Henry Gordon Dietz,

Minimizing MAXLIVE For Spill-Free Register Allocation Shashi Deepa Arcot, Henry Gordon Dietz, &amp; Sarojini Priyadarshini Rajachidambaram University of Kentucky Electrical &amp; Computer Engineering Register Allocation Is Critical Memory

458 views • 28 slides
Parsimony Small Parsimony and Search Algorithms Genome 559: Introduction to Statistical and

Parsimony Small Parsimony and Search Algorithms Genome 559: Introduction to Statistical and

Parsimony Small Parsimony and Search Algorithms Genome 559: Introduction to Statistical and Computational Genomics Elhanan Borenstein A quick review The parsimony principle: Find the tree that requires the fewest evolutionary changes!

508 views • 24 slides
Modeling and Infering a Spatio-temporal Dynamic For Apple Scab in Orchards R. Senoussi * , C.

Modeling and Infering a Spatio-temporal Dynamic For Apple Scab in Orchards R. Senoussi * , C.

Modeling and Infering a Spatio-temporal Dynamic For Apple Scab in Orchards R. Senoussi * , C. Gros ** , L. Parisi ** Inra, * Centre dAvignon, * * Gotheron Avignon May 2012 motivation Goal: To describe and statistically infer

373 views • 19 slides
Learning to Generate Fast Signal Processing Implementations Bryan Singer Joint work with Manuela

Learning to Generate Fast Signal Processing Implementations Bryan Singer Joint work with Manuela

Learning to Generate Fast Signal Processing Implementations Bryan Singer Joint work with Manuela Veloso Shorter version to be presented at ICML-2001 Overview Background and Motivation Key Signal Processing Observations Predicting

814 views • 53 slides
FINANCIAL AID 101 PRESENTER: CHERYL SUSZYNSKI LEAF ADVISOR csuszynski@leaf-ohio.org AGENDA

FINANCIAL AID 101 PRESENTER: CHERYL SUSZYNSKI LEAF ADVISOR csuszynski@leaf-ohio.org AGENDA

FUNDING YOUR COLLEGE EDUCATION: FINANCIAL AID 101 PRESENTER: CHERYL SUSZYNSKI LEAF ADVISOR csuszynski@leaf-ohio.org AGENDA What is Financial Aid? How do colleges award Financial Aid? What is the Financial Aid application process

400 views • 29 slides
priorityQueue-ADTLPO.li Stores a collection of pairs ( item , priority ) are from - Priorities

priorityQueue-ADTLPO.li Stores a collection of pairs ( item , priority ) are from - Priorities

Priority Queue ! Heaps priorityQueue-ADTLPO.li Stores a collection of pairs ( item , priority ) are from - Priorities ordered set some ( For simplicity , we use priorities &quot; ) &quot; highest priority from with 0 , 1,2 , 0 . . . - Main

747 views • 38 slides
e-Science Introduction Eric Yen e-Science Workshop, March 2011 Outline Workshop Overview

e-Science Introduction Eric Yen e-Science Workshop, March 2011 Outline Workshop Overview

e-Science Introduction Eric Yen e-Science Workshop, March 2011 Outline Workshop Overview E-Science Basics Landscape of e-Science Application Development Concept Security Infrastructure Exemplar Applications 2 e-Science

648 views • 63 slides
Snabb: Open Source Meets Dataplane RIPE77, October 2018, Amsterdam Andy Wingo | wingo@igalia.com

Snabb: Open Source Meets Dataplane RIPE77, October 2018, Amsterdam Andy Wingo | wingo@igalia.com

Snabb: Open Source Meets Dataplane RIPE77, October 2018, Amsterdam Andy Wingo | wingo@igalia.com | @andywingo this Why? The problem solved by Snabb talk How? Snabb from the ground up What? Whats in the box Who? Snabb in the wild why?

582 views • 28 slides

More recommend