internet resource certification rpki building a more
play

Internet Resource Certification (RPKI) Building a More Secure - PowerPoint PPT Presentation

Sep 09, 2022 •460 likes •788 views

Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week Carlos Mar2nez Cagnazzo carlos @ lacnic.net A9acks on rou;ng: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC

  1. Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week Carlos Mar2nez Cagnazzo carlos @ lacnic.net

  2. A9acks on rou;ng: IP hijacks

  3. How Internet number resources are managed IANA ARIN LACNIC APNIC RIPE NCC AfriNIC ISP #1 ISP NIC.br NIC.MX LIRs/ISPs LIRs/ISPs End users ISP mx

  4. How Internet number resources are managed (ii) • What do we mean by resources – IPv4 Addresses – IPv6 Addresses – Autonomous System Numbers • Both 16 and 32 bits • Founda;onal document: RFC 2050 – “ IP Registry Alloca1on Guidelines ” • Each RIR is the authorita(ve source on the rela;onship between users/holders and resources – Each RIR operates a registry database

  5. Rou;ng in the Internet ASN 20 announces 10.1.0.0/16 ASN 2 ASN 3 ASN1 ASN 20 ASN 10 The 10.1.0.016 prefix propagates across ASs (via BGP ASN 10 receives sessions) the prefix A9ributes: 10.1.0.0/16 10.1.0.0/16 AS_PATH ASN1 ASN3 ASN20

  6. Rou;ng in the Internet (ii) • BGP chooses routes using a decision algorithm and the ASN 2 values of the available ASN 3 ASN1 ASN 20 a=ributes ASN 10 • AS_PATH is a list of the autonomous systems a given UPDATE has traversed In this case ASN 20 is – The first entry is the AS the "origin-as" for origina;ng the route ("origin- 10.1/16 as")

  7. Who has the "right" to use resources? • When an ISP obtains resources from its RIR (IPv6/IPv4/ ASN): – The ISP has to no;fy its upstream ASNs which prefixes are going to be announced via BGP – This is usually done via e-mail, web forms or by upda;ng an IRR ( Internet Rou1ng Registry) • Upstreams verify ( or at least they should ) the right of use for the announced resources – RIR WHOIS Text-based and not really suitable for automa;c usage – IRR WHOIS Non-signed informa;on, li9le addi;onal tools provided for verifica;on of usage rights except for names, phone numbers and email POCs • This verifica;on process is some;mes not as thorough as it should be

  8. Checking usage rights for a resource • Network administrators – Local checks in rou;ng infrastructure • Require previous step (registering the route object with an IRR) – Router protec;on – Rou;ng protocol integrity • Peer authen;ca;on • Filtering known-invalid routes – RFC 1918 prefix filtering – Bogon filtering • In the end the integrity of the rou;ng system depends on ad-hoc trust rela(onships between peers

  9. Route Hijacking • When an en;ty par;cipa;ng in Internet rou;ng announces a prefix without authoriza;on we face a route hijack • It can be either malicious or due to opera;onal mistakes • Some well-known cases: – Pakistan Telecom vs. You Tube (2008) – China Telecom (2010) – Google in Eastern Europe (various ASs, 2010) – Some ocurrences in our region (January/February 2011)

  10. Route Hijacking (ii) AS 6057 announces 200.40/16 AS 15358 AS 8158 gets announces 200.40.0.0/16 200.40/24 AS 8158 gets and 200.40.0.0/16 200.40.235.0/24 200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057 200.40.235.0/24 AS_PATH ASN1 ASN3 ASN6057

  11. Route Hijacking (iii) • RIPE NCC Video – h9p://www.youtube.com/watch?v=IzLPKuAOe50

  12. Resource PKI • Resource Public Key Infraestructure – Goal: create a system that allows the cer;fica;on of usage rights for Internet numbering resources – High-level overview • Use of X.509 v3 cer;ficates • Apply RFC 3779 extensions to these cer;ficates. These extensions allow Internet resources (IPv4/IPv6/ASNs) fields within cer;ficates • A way to automa;cally validate the origin-as of a BGP UPDATE – Standardiza;on Ac;vi;es • IETF SIDR working group – Implementa;on Ac;vi;es • RIRs

  13. Resource PKI (ii) • Automated origin valida(on for route announcements • The en;ty with usage rights for a resource signs the origin-as field of a PKI object • The following procedures are applied to validate RPKI cer;ficates and rou;ng informa;on objects: – The cryptographic validity of the RPKI cer;ficate chain (just like any other PKI) – The CIDR inclusion proper;es of IP addresses • In this way it becomes more difficult for a third party to inject invalid data into the rou;ng system

  14. Resource PKI (iii) RPKI Management System Cache Repository

  15. Resource PKI (iv) • All RPKI signed objects are listed in public repositories • Aqer verifica;on, these objects can be used to configure filtering in routers • Valida;on Process – Signed objects have references to the cer;ficate used to sign them – Each cer;ficate has a pointer to an upper level cer;ficate – The resources listed in a cer;ficate MUST be valid subsets of the resources listed in its parent's cer;ficate – In this way a trust chain can be traced to a "trust anchor" both cryptographically as well as in CIDR terms

  16. RPKI Structure RTA is the self- signed cer;ficate LACNIC RTA in the hierarchy LACNIC resources Signature chain LACNIC Produc;on <<INHERITED>> ISP #2 ISP #1 ISP #2 Resources ISP #1 Resources End User CA ROA ROA #1 End En;ty cert. End En;ty cert. (EU #1 Resources) ROA ROA End En;ty cert. End En;ty cert.

  17. RPKI Structure (ii) • CAs – Cer;ficate-signing en;ty (CA bit = 1) • ISPs can use this cer;ficate to sign their client's cer;ficates • Cer;ficate Repository – The repository contains cer;ficates, CRLs, ROAs and manifests – Accesible via “rsync” • Management Interface – Web interface for those who prefer "hosted" mode

  18. RPKI Management for Users • "Hosted" mode – LACNIC emits the resource cer;ficate for an organiza;on and guards both private and public keys • Cer;ficates are emi9ed when requested by LACNIC member organiza;ons – Users can manage their RPKI objects using a user-friendly web interface provided by LACNIC • "Delegated" mode – An organiza;on creates its own resource cer;ficate – This cer;ficate is submi9ed to LACNIC for signing. LACNIC returns the signed cer;ficate. • "Up-down" protocol

  19. Services provided by the RPKI CA • Emiung child resource cer;ficates when changes to the registry database occur or when solicited by a resource holder • Child cer;ficate revoca;on when solicited by a resource holder • CRL periodic update • Publishing child cer;ficates, trust anchor and auxiliary objects in a public repository (rsync)

  20. Resource Cer;ficate

  21. ROAs • ROAs: Rou;ng Origin Authoriza;on – ROAs contain data on the allowed origin-as for a set of prefixes – ROAs are signed using the cer;ficates generated by the RPKI – Signed ROAs are copied to the repository

  22. ROAs (ii) • A simplified ROA contains the following informa;on: • These ROAs states that: – "The prefix 200.40.0.0/17 will be originated by ASN 6057 and could be de-aggregated up to /20" "This statement is valid star1ng on Jan 2, 2011 un1l Jan 1, 2012" • Other ROA content – ROAs contain cryptographic material that allows valida(on of the ROAs content

  23. ROAs (iii) • Contents of a ROA – An end-en;ty cer;ficate with resources – A list of "route origin a9esta;ons" ROA End En;ty 200.40.0.0/20-24 -> AS 100 172.17.0.0/16-19 -> AS 100 Cer;ficate 200/8 172.17/16

  24. ROAs (iii) - Valida;on • In order to validate a ROA three steps have to be performed – Crypto valida;on of the public keys and signatures included in the EE cer;ficates inside each ROA – CIDR inclusion checking of resources listed in the EE cer;ficate – CIDR inclusion checking of resources in the route origin a9esta;ons. These resources have to be included in the resources listed in the EE cer;ficate

  25. RPKI in Ac;on UPDATE Routers assign a "validity status" to the route included in an UPDATE Cache periodically updates the router with a list of validated prefixes

  26. RPKI in Ac;on (ii) • The valida;on process is split in two parts – Crypto and CIDR valida;on of ROAs and cer;ficates • Performed by the valida;n cache – Valida;on of routes in BGP UPDATEs • Performed by the BGP speakers in the network • A special protocol called RTR is being worked on by the IETF for Router - Cache communica;on

  27. RPKI in Ac;on (iii) • Cache – Repository content is downloaded via RSYNC – Cer;ficates and ROAs are validated • Cryptographically (signature chain) • Correct CIDR resource inclusion • In the routers – A database of prefix <-> origin-as rela;onships is built

  28. BGP interac;on • Routers build a database with the informa;on they receive from the caches • This table contains – Prefix – Min length – Max length – Origin-AS • By applying a set of rules a validity status is assigned to each UPDATE prefix

  29. BGP interac;on (ii) VALID IP prefix/[min_len – max_len] Origin AS UPDATE 200.0.0.0/9 172.16.0.0 / [16-20] 10 ORIGIN-AS 20 200.0.0.0/[8-21] 20 • If the "UPDATE pfx" is not covered by any entry in the DB -> " not found" • If the "UPDATE pfx" is covered by at least one entry in the DB, and the origin-AS matches the ASNs in the DB -> " valid " • If the origin-AS does NOT match -> " invalid "

  30. CASA DE INTERNET DE LATINOAMÉRICA Y EL CARIBE twi9er.com/LACNIC facebook.com/ LACNIC youtube.com/user/lacnicstaff gplusme.at/LACNIC

  31. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ?

What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ?

Resource Certification What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ? Resource Certification is is a security framework for verifying the association between resource holders and their

569 views • 20 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec

BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec

Advanced Network Security BGP Joeri de Ruiter Agenda BGP recap BGP security RPKI / ROA BGPsec Startng (almost) from scratch 2 Autonomous systems (AS) Internet is divided into Autonomous Systems (AS) Controlled by

815 views • 39 slides
Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings Definition of an Energy Performance Scale Jana Bendalov BUILDING TESTING AND RESEARCH INSTITUTE / Slovakia 09 January 2012 1 Context

609 views • 19 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Certificate Policy &amp; Certification Practices Statement Internet Drafts Steve Kent BBN

Certificate Policy &amp; Certification Practices Statement Internet Drafts Steve Kent BBN

Certificate Policy &amp; Certification Practices Statement Internet Drafts Steve Kent BBN Technologies Context RFC 3647 (Informational) provides an outline and explanatory text for defining A certificate policy (CP) A certification

349 views • 11 slides
Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

BFOC13. Boston University Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon Goldberg Leonid Reyzin Princeton University Boston University How Secure is Internet Routing Today? (1) I am

375 views • 14 slides
BGP FlowSpec extensions for Routing Policy Distribution(RPD) draft-li-idr-flowspec-rpd-01

BGP FlowSpec extensions for Routing Policy Distribution(RPD) draft-li-idr-flowspec-rpd-01

BGP FlowSpec extensions for Routing Policy Distribution(RPD) draft-li-idr-flowspec-rpd-01 Zhenbin Li(lizhenbin@huawei.com) Liang Ou(oul@gsta.com) Yujia Luo(luoyuj@gsta.com) Sujian Lu(jasonlu@tencent.com) Shunwan

575 views • 13 slides
A Back-end System for an Autonomous Parking and Charging System for Electric Vehicles Julian

A Back-end System for an Autonomous Parking and Charging System for Electric Vehicles Julian

Institute of Operating Systems and Computer Networks A Back-end System for an Autonomous Parking and Charging System for Electric Vehicles Julian Timpner, Lars Wolf IEVC 2012 Motivation Software Architecture Conclusion V-Charge Project

462 views • 25 slides
Perturbations on autonomous and non-autonomous systems Francisco Balibrea balibrea@um.es

Perturbations on autonomous and non-autonomous systems Francisco Balibrea balibrea@um.es

Perturbations on autonomous and non-autonomous systems Francisco Balibrea balibrea@um.es Departamento de Matem aticas Universidad de Murcia (Spain) ICDEA, Barcelona. July 2012 Two introductory examples x n +1 = ax n where a &gt; 0 x n +1 =

584 views • 39 slides
PNT in smart cities are we ready for autonomous driving? Dorota A. Grejner-Brzezinska

PNT in smart cities are we ready for autonomous driving? Dorota A. Grejner-Brzezinska

PNT in smart cities are we ready for autonomous driving? Dorota A. Grejner-Brzezinska Satellite Positioning and Inertial Navigation (SPIN) Lab IGNSS 2018, February 5-9 , Sydney, Australia Content Smart and connected communities/smart

913 views • 42 slides
LACNIC LACNIC Regional Registry at your services Regional Registry at your services

LACNIC LACNIC Regional Registry at your services Regional Registry at your services

LACNIC LACNIC Regional Registry at your services Regional Registry at your services Sergio Rojas. Sergio Rojas. sergio@lacnic.net sergio@lacnic.net How the Internet work? Is a network of connected devices The

617 views • 16 slides
BGP AS / ISP Security Ranking Raphal Vinot raphael.vinot@gmail.com Conostix Workshop Hack.lu

BGP AS / ISP Security Ranking Raphal Vinot raphael.vinot@gmail.com Conostix Workshop Hack.lu

BGP AS / ISP Security Ranking Raphal Vinot raphael.vinot@gmail.com Conostix Workshop Hack.lu 2010 Raphal Vinot (Conostix) BGP AS / ISP Security Ranking Hack.lu 2010 1 / 33 Table of contents Introduction 1 Basics terms Resources

771 views • 33 slides
Verification of Robotics and Autonomous Deep Learning Verification Systems Safety Definition

Verification of Robotics and Autonomous Deep Learning Verification Systems Safety Definition

Verification of Robotics and Autonomous Systems Xiaowei Huang Challenges Verification of Robotics and Autonomous Deep Learning Verification Systems Safety Definition Challenges Approaches Experimental Results Verification in Xiaowei

1.21k views • 99 slides
IP Int nter ernet networ orking king 1 Internetworking Arbitrary collection of physical

IP Int nter ernet networ orking king 1 Internetworking Arbitrary collection of physical

CMPE 252A: Computer Networks Set 9a : IP Int nter ernet networ orking king 1 Internetworking Arbitrary collection of physical networks interconnected to provide an end-to-end (host-to- host) packet delivery service. Networks

412 views • 13 slides

More recommend