improving bgp routing security
play

Improving BGP routing security Job Job S Snijders NTT / / AS AS - PowerPoint PPT Presentation

Nov 28, 2022 •455 likes •906 views

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net http tps:// //tw twitter.com/ om/Job JobSnijders Why are we doing any of this routing security? Creating EBGP routing filters based on

  1. Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net http tps:// //tw twitter.com/ om/Job JobSnijders

  2. Why are we doing any of this “routing security”? • Creating EBGP routing filters based on public data, forces malicious actors to leave a trail in IRR, WHOIS or other data sources: auditability • Bugs happen ! – your router may suddenly ignore parts of your configuration, you’ll then rely on your EBGP peer’s filters • Everyone makes mistakes – a typo is easily made! 2

  3. Alright – everybody aboard? 3

  4. IRR vs RPKI – they look alike… right?! 4

  5. A RPKI ROA in the wild for 2001:67c:208c::/48 Origin ASN …. Prefix……... 5

  6. A photo of an IRR route6 object job@vurt ~$ whois -h whois.ripe.net -- '-T route6 2001:67c:208c::/48' | grep -v % …. Prefix route6: 2001:67c:208c::/48 descr: NL-SNIJDERS-IT ………..… Origin ASN origin: AS15562 mnt-by: SNIJDERS-MNT created: 2015-08-31T14:16:27Z last-modified: 2015-08-31T14:16:27Z source: RIPE 6

  7. IRR vs RPKI – Tomato tomato? Or is it... 7

  8. The gist of it, IRR vs RPKI: IRR route object: ● An IRR route object only say something about the object itself, but not about other existence / absence of other routing information ● Route objects are not necessarily created by the resource holder ● Doesn’t tell us anything about BGP UPDATEs that don’t match the IRR object ● Unsuitable for filtering your upstream providers RPKI ROAs: ● RPKI is the first publication database available through all five RIRs ● ROAs are created by the resource holder, by definition ● RPKI ROAs are statements that supersede any other sources of routing information (LOAs, IRR route objects, emails) ● RFC 6811 is the game changer – “BGP Origin Validation” requires RPKI as input ● ROAs can be used on any type of EBGP session (transit/peering/customers) for filters!!!! 8

  9. OK – peering… where does that come into play ? A photo of the Internet http://as2914.net/ 9

  10. Isn’t RPKI Origin validation useless without BGPSEC? Isn’t RPKI Origin validation useless without…. path validation? 10

  11. Traditionally understood benefits of peering Scenario through transit, AS_PATH is 2 hops: XXX_15169 Intermediate ccTLD Google Provider operator AS 15169 AS XXX Scenario with direct peering: AS_PATH is 1 hop: _15169$ ● No dependency on the intermediate provider (simpler operations) ● Simplified capacity management ccTLD Google ● Good latency operator AS 15169 ● Spreading out DDoS absorption ● Etc etc 11

  12. The internet keeps growing 2019, Source: https://bgp.potaroo.net/as6447/ 12

  13. Also, the internet keeps connecting directly 4 2012 Source: https://labs.ripe.net/Members/mirjam/update-on-as-path-lengths-over-time 13

  14. Hijack / misconfiguration scenario 185.25.28.0/23 Intermediate Google Operator Intermediate providers AS 15169 providers Intermediate providers 185.25.28.0/24 Attacker Paths from AS ccTLDASN perspective: AS 15562 185.25.28.0/23 ccTLDASN_XXX_15169 185.25.28.0/23 ccTLDASN_YYY_15169 185.25.28.0/24 ccTLDASN_ZZZ_15562 (wins) 14

  15. Hijack / misconfiguration scenario – direct peering 185.25.28.0/23 Google Operator AS 15169 185.25.28.0/24 Attacker Paths from AS ccTLDASN perspective: AS 15562 185.25.28.0/23 ccTLDASN_15169 185.25.28.0/24 ccTLDASN_15562 (wins) 15

  16. Enter… a RPKI ROA Prefix: 185.25.28.0/23 Prefix description: Google Country code: CH Origin AS: 15169 Origin AS Name: GOOGLE - Google LLC, US RPKI status: ROA validation successful MaxLength: 23 First seen: 2016-01-08 Last seen: 2019-02-26 Seen by #peers: 40 16

  17. Hijack / misconfiguration scenario – RPKI ROA operator applying “invalid == reject” 185.25.28.0/ 23 Google Operator AS 15169 185.25.28.0/ 24 Attacker Paths from AS ccTLDASN perspective: AS 15562 185.25.28.0/23 ccTLDASN_15169 (wins) 185.25.28.0/24 ccTLDASN_15562 (rejected, wrong prefix length) 17

  18. Change of tactics: announce same prefix Operator applying “invalid == reject” 185.25.28.0/ 23 Google Operator AS 15169 185.25.28.0/ 23 Attacker Paths from AS ccTLDASN perspective: AS 15562 185.25.28.0/23 ccTLDASN_15169 (wins) 185.25.28.0/23 ccTLDASN_15562 (rejected, wrong Origin ASN) 18

  19. Change of tactics: spoof origin: NOT EFFECTIVE! Operator applying “invalid == reject” 185.25.28.0/ 23 Google Operator AS 15169 Attacker AS 15562 185.25.28.0/ 23 Paths from AS ccTLDASN perspective: 185.25.28.0/23 ccTLDASN_15169 (wins) Spoofed Google 185.25.28.0/23 ccTLDASN_15562_15169 (not shortest AS_PATH) AS 15169 19

  20. Summary for Network Operators like you and me ● RPKI based BGP Origin Validation protects you against other people’s misconfigurations, Origin Validation blocks out more- specifics (whether malicious or not). ● Shortest AS_PATH is now a security feature: keep peering ● Create ROAs for your own prefixes to help others help you ● Apply “Invalid = Reject” policies on your routers ● Ask your vendors (both ISPs and IXPs) to perform Origin Validation Direct peering, combined with RPKI, is extremely strong!!11oneleven! 20

  21. The path towards Origin Validation deployment It is quite simple. DEPLOY. NOW. RPKI based BGP Origin Validation, With “Invalid == reject” routing polices 21

  22. RIPE Labs RPKI checker tool https://ripe.net/s/rpki-test 22

  23. RIPE Labs RPKI checker tool https://ripe.net/s/rpki-test 23

  24. Industry trends ● Who is doing this? ● RIPE’s 2018-06 policy ● IRRd 4 developments 24

  25. Deployment update • YYCIX • AMSIO • Cloudfmare • BIT • AMS-IX • Coloclue • Telia Carrier • Telenor • DE-CIX • FCIX • Tata India • Atom86 • NAP Africa • KPN • Noris Network • Netnod • Workonline • Fusix Networks • France-IX • Seacomm • XS4ALL • INEX • AT&T • IETF meetjngs • Nordunet • RIPE meetjngs • INX • Many others...

  26. RIPE NWI-5 proposal & implementation: RIPE vs RIPE-NONAUTH • RIPE NCC’s IRR previously allowed anyone to register any non-RIPE-managed space if it had not yet been registered. *THIS IS DANGEROUS* Steps taken: • Cannot register non-RIPE-managed space any more • All non-RIPE space moved to separate “RIPE-NONAUTH” database More info: htups://www.ripe.net/manage-ips-and-asns/db/impact-analysis-for-nwi-5-implementatjon

  27. Applying Origin Validation to the IRR ● RPKI ROAs can be used for BGP Origin Validation ● But, what about applying the RFC 6811 “Origin Validation Procedure” to IRR data? ● Perhaps, we should consider unvalidated IRR data objects as if they are BGP announcements! 27

  28. RIPE 2018-06 policy: Using RPKI to clean up the IRR 28

  29. Applying Origin Validation to the IRR ● RPKI ROAs can be used for BGP Origin Validation ● But, what about applying the RFC 6811 “Origin Validation Procedure” to IRR data? ● Perhaps, we should consider unvalidated IRR data objects as if they are BGP announcements! 29

  30. An example route: 129.250.15.0/24 origin: AS60068 descr: AS60068 route object descr: this is a test of hijack possibilities with current state of RIPE/RADB security setup - this records covers IP address used for rr.ntt.net service descr: please note this is just a demonstrative object, with no real harmful intention mnt-by: DATACAMP-MNT created: 2018-02-10T16:57:07Z last-modified: 2018-09-04T19:07:32Z source: RIPE-NONAUTH 30

  31. The previous slide is in conflict with this ROA! $ whois -h whois.bgpmon.net 129.250.15.0/24 % This is the BGPmon.net whois Service % You can use this whois gateway to retrieve information % about an IP adress or prefix % We support both IPv4 and IPv6 address. % % For more information visit: % https://portal.bgpmon.net/bgpmonapi.php Prefix: 129.250.0.0/16 Prefix description: NTT Communications backbone Country code: US Origin AS: 2914 Origin AS Name: NTT-COMMUNICATIONS-2914 - NTT America, Inc., US RPKI status: ROA validation successful First seen: 2019-02-23 Last seen: 2019-05-22 Seen by #peers: 71 31

  32. RIPE-NONAUTH IRR cleanup “2018-06” Formal proposal: Apply the Origin Validation procedure to IRR objects in the RIPE- NONAUTH IRR database. The PDP applies here. This proposal remove wrong LACNIC, APNIC, ARIN, AFRINIC route registrations from RIPE-NONAUTH – If and only if there are RPKI ROAs covering the space Implications: - proposal does not apply to RIPE-managed space or legacy space - There is no efgect if you cannot (or will not) create RPKI ROAs for your space → THIS PROPOSAL MAY AFFECT AFRICAN IP SPACE IN RIPE-NONAUTH!!!!!!! <<-- 32

  33. RIPE-NONAUTH IRR cleanup Changes between version 1.0 and 2.0: ● Introduced a 7 day hold period ● Notifications should be send to the IRR route object holder (if RIPE NCC can). htups://www.ripe.net/partjcipate/policies/proposals/2018-06 Test tool: htups://github.com/job/ripe-proposal-2018-06 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia University January 18, 2007 1 / 9 What is Routing Security? Bad guys play games with routing protocols. What is Routing Security? How is it

95 views • 9 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

253 views • 10 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

3/28/19 Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell at me if I dont notice?) Profs Peter Steenkiste &amp; Justine Sherry &amp; (Guest Lecturer) Sannan Slides almost entirely copied from

288 views • 18 slides
Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste

Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste

Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste &amp; Justine Sherry Your Feedback I like to think of Dr. Weiss as my teaching teacher They require students to go over algorithms weve

1.3k views • 79 slides
TRAM: Improving Fine-grained Communication Performance with Topological Routing and Aggregation

TRAM: Improving Fine-grained Communication Performance with Topological Routing and Aggregation

TRAM: Improving Fine-grained Communication Performance with Topological Routing and Aggregation of Messages Presented by Lukasz Wesolowski 11th Annual Charm++ Workshop 1 April 15 - 16, 2013 T opological R outing and A ggregation M odule

906 views • 35 slides
Routing Security Security Solutions CSE598K/CSE545 - Advanced Network Security Prof. McDaniel -

Routing Security Security Solutions CSE598K/CSE545 - Advanced Network Security Prof. McDaniel -

312 views • 16 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 prerequisite All about Routing Header extension Security implications Solutions and workaround IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org / philippe.biondi(at)eads.net arno(at)natisbad.org /

896 views • 61 slides
Improving performance for Improving performance for security enabled web security enabled web

Improving performance for Improving performance for security enabled web security enabled web

Improving performance for Improving performance for security enabled web security enabled web services services - Dr. Colm higeartaigh - Dr. Colm higeartaigh Agenda Introduction to Apache CXF WS-Security in CXF 3.0.0

490 views • 44 slides
Faculty of Applied Security Sremska Kamenica SERBIA IMPROVING ACADEMIC AND PROFESSIONAL

Faculty of Applied Security Sremska Kamenica SERBIA IMPROVING ACADEMIC AND PROFESSIONAL

Improving Academic and Professional Education Capacity in Serbia in the Area of Safety &amp; Security (by Means of Strategic Partnership with the EU) - IMPRESS EDUCONS UNIVERSITY Faculty of Applied Security Sremska Kamenica SERBIA IMPROVING

543 views • 11 slides
Internet The value of Internet is in global reachability Reachability comes from

Internet The value of Internet is in global reachability Reachability comes from

Lic.(Tech.) Marko Luoma (1/28) Lic.(Tech.) Marko Luoma (2/28) Internet The value of Internet is in global reachability Reachability comes from co-operative peering efforts Customer peering (Customer-Provider-Customer relationship)

336 views • 7 slides
Cryptography Markus Kuhn Computer Laboratory, University of Cambridge

Cryptography Markus Kuhn Computer Laboratory, University of Cambridge

Cryptography Markus Kuhn Computer Laboratory, University of Cambridge https://www.cl.cam.ac.uk/teaching/1920/Crypto/ These notes are merely provided as an aid for following the lectures. They are no substitute for attending the course. Lent

1.47k views • 115 slides
ISPs, Backbones and Peering 14-740: Fundamentals of Computer Networks Bill Nace Material from

ISPs, Backbones and Peering 14-740: Fundamentals of Computer Networks Bill Nace Material from

ISPs, Backbones and Peering 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer Networking: A Top Down Approach, 6 th edition. J.F. Kurose and K.W. Ross Administrivia Norton2010 Paper Review for today Lab0 is

648 views • 37 slides
Direct finiteness of CV p ( G ) and PF p ( G ) Yemon Choi University of Saskatchewan

Direct finiteness of CV p ( G ) and PF p ( G ) Yemon Choi University of Saskatchewan

Direct finiteness of CV p ( G ) and PF p ( G ) Yemon Choi University of Saskatchewan International Conference on Abstract Harmonic Analysis Granada, 23rd May 2013 0 / 12 Directly finite algebras Definition A unital algebra A is directly

1.08k views • 22 slides
Tolls for heterogeneous selfish users in multicommodity networks and generalized congestion games

Tolls for heterogeneous selfish users in multicommodity networks and generalized congestion games

Tolls for heterogeneous selfish users in multicommodity networks and generalized congestion games Lisa Fleischer Kamal Jain Mohammad Mahdian July 30, 2004 Abstract 1 Introduction We prove the existence of tolls to induce multicommod- We

321 views • 10 slides
Ps trst r Prsss

Ps trst r Prsss

Ps trst r Prsss t P r

894 views • 70 slides
SEQUENCES AND THEIR APPLICA TION TO CRYPTOGRAPHY Ivan Landjev New Bulga rian Universit

SEQUENCES AND THEIR APPLICA TION TO CRYPTOGRAPHY Ivan Landjev New Bulga rian Universit

SEQUENCES AND THEIR APPLICA TION TO CRYPTOGRAPHY Ivan Landjev New Bulga rian Universit y Summer Sho ol Design and Seurit y of Cryptographi, F untions, Algo rithms and Devies, Alb ena, 30.06.05.07.2013

948 views • 52 slides
Reading data from a file INF1100 Lectures, Chapter 6: A file is a sequence of characters (text)

Reading data from a file INF1100 Lectures, Chapter 6: A file is a sequence of characters (text)

5mm. Reading data from a file INF1100 Lectures, Chapter 6: A file is a sequence of characters (text) Files, Strings, and Dictionaries We can read text in the file into strings in a program This is a common way for a program to get input data

459 views • 13 slides

More recommend