MaxLength Considered Harmful to the RPKI
Yossi Gilad, Omar Sagga, Sharon Goldberg
Boston University
Outline
❖ Background
  ➢ How does BGP work?
  ➢ How does RPKI work?
  ➢ What is the “maxLength”?
❖ How maxLength causes problems
❖ How to fix the problems caused by maxLength
Border Gateway Protocol (BGP)
AS 111
168.122.0.0/16
AS 222
Path: AS 111 168.122.0.0/16
Problem: Subprefix Hijack
AS 111
168.122.0.0/16
AS 222
Path: AS 111 168.122.0.0/16
AS 666
BGP routers perform a longest-prefix match
Path: AS 666 168.122.0.0/24
/24 destinations
Solution: RPKI
AS 111
168.122.0.0/16
Path: AS 111 168.122.0.0/16
✓
RPKI VALID
AS 666
AS 666 fails to attract traffic!
ROA: AS 111 168.122.0.0/16
RPKI
Path: AS 666 168.122.0.0/24
✘
RPKI INVALID
AS 222
MaxLength in RPKI
AS 111
168.122.0.0/16
Path: AS 111 168.122.0.0/17
Path: AS 111 168.122.128.0/17
Path: AS 111 168.122.255.0/24
. . . .
ROA: AS 111 168.122.0.0/17
ROA: AS 111 168.122.128.0/17
ROA: AS 111 168.122.255.0/24
. . . .
ROA: AS 111 168.122.0.0/16 to maxLength 24
Outline
❖ Background
  ➢ How does BGP work?
  ➢ How does RPKI work?
  ➢ What is the “maxLength”?
❖ How maxLength causes problems
  ➢ Forged-Origin Subprefix Hijack
❖ How to fix the problems caused by maxLength
Forged-Origin Subprefix Hijack
AS 111
168.122.0.0/16
AS 222
Path: AS 111 168.122.0.0/16
✓
RPKI VALID
AS 666
AS 666 is the ONLY path to the subprefix!
ROA: AS 111 168.122.0.0/16 to maxLength 24
RPKI
Path: AS 666, AS 111 168.122.0.0/24
✓
RPKI VALID
➢ In June 2017:
  ▪ 12% of the prefixes in ROAs have a maxLength > prefix length.
  ▪ 84% of these are vulnerable to forged-origin subprefix hijacks!
MaxLength almost always creates vulnerabilities!
Minimal ROAs stop forged origin subprefix hijacks
A ROA is minimal when it includes only those prefixes that the AS announces in BGP, and no other prefixes.
Minimal ROA
ROA: AS 111 168.122.0.0/16 168.122.0.0/17 168.122.128.0/17 168.122.0.0/18
AS 111
Path: AS 111 168.122.0.0/16
Path: AS 111 168.122.0.0/17
Path: AS 111 168.122.128.0/17
Path: AS 111 168.122.0.0/18
Minimal ROAs stop forged origin subprefix hijacks
AS 111 AS 222 AS 666
Path: AS 111 168.122.0.0/16
Path: AS 111 168.122.0.0/17
Path: AS 111 168.122.128.0/17
Path: AS 111 168.122.0.0/18
RPKI
ROA: AS 111 168.122.0.0/16 168.122.0.0/17 168.122.128.0/17 168.122.0.0/18
Path: AS 666, AS 111 168.122.0.0/24
✘
RPKI INVALID
How minimal ROAs affect filtering rules
AS 111
Path: AS 111 168.122.0.0/16
Path: AS 111 168.122.0.0/17
Path: AS 111 168.122.128.0/17
Path: AS 111 168.122.0.0/18
Non-minimal ROA
ROA: AS 111 168.122.0.0/16 to maxLength 24
1 filtering rule: (AS 111, 168.122.0.0, len: 16, maxlen: 24)
insecure ✘
Minimal ROA (no maxlen!)
ROA: AS 111 168.122.0.0/16 168.122.0.0/17 168.122.128.0/17 168.122.0.0/18
4 filtering rules
secure!
Minimal ROA (compressed!)
ROA: AS 111 168.122.0.0/16 to maxLength 17 168.122.0.0/18
2 filtering rules
secure!
Our compress_roas software converts a minimal ROA (no maxlen) to a compressed minimal ROA!
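The validation outcomes on the slides above and the minimal-to-compressed conversion, as an added Python example that is not part of the original presentation and is not the authors' compress_roas software. `validate` follows the RFC 6811 origin-validation rule; `compress` is one simple folding strategy assumed here for illustration, and all function and constant names are hypothetical.

```python
import ipaddress

def validate(route, origin_as, vrps):
    """RFC 6811 origin validation over (asn, prefix, maxlen) rules."""
    route = ipaddress.ip_network(route)
    covered = False
    for asn, prefix, maxlen in vrps:
        net = ipaddress.ip_network(prefix)
        if route.version == net.version and route.subnet_of(net):
            covered = True  # some ROA speaks for this address space
            if asn == origin_as and route.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "not-found"

def authorized(net, rules):
    """True if a rule already in the list permits this prefix."""
    return any(net.version == ipaddress.ip_network(p).version
               and net.subnet_of(ipaddress.ip_network(p))
               and net.prefixlen <= m for _, p, m in rules)

def compress(asn, announced):
    """Fold a minimal prefix list into maxLength rules that permit the
    same set of prefixes and nothing more (assumed strategy, see lead-in)."""
    nets = {ipaddress.ip_network(p) for p in announced}
    rules = []
    for net in sorted(nets, key=lambda n: (n.version, n.prefixlen, int(n.network_address))):
        if authorized(net, rules):
            continue
        maxlen = net.prefixlen
        # Raise maxLength only while every subprefix at the next length is announced.
        while (maxlen < net.max_prefixlen
               and all(s in nets for s in net.subnets(new_prefix=maxlen + 1))):
            maxlen += 1
        rules.append((asn, str(net), maxlen))
    return rules

# Constructed from the slide example: what AS 111 really announces in BGP.
ANNOUNCED = ["168.122.0.0/16", "168.122.0.0/17", "168.122.128.0/17", "168.122.0.0/18"]
LOOSE = [(111, "168.122.0.0/16", 24)]                          # non-minimal ROA
MINIMAL = [(111, p, int(p.split("/")[1])) for p in ANNOUNCED]  # no maxlen
COMPRESSED = compress(111, ANNOUNCED)

if __name__ == "__main__":
    hijack = ("168.122.0.0/24", 111)  # path "AS 666, AS 111": origin is AS 111
    for name, vrps in [("loose", LOOSE), ("minimal", MINIMAL), ("compressed", COMPRESSED)]:
        print(name, len(vrps), "rule(s):", validate(*hijack, vrps))
```

The forged-origin /24 validates only against the maxLength 24 rule; the four-rule minimal set and its two-rule compressed form both reject it while still accepting every prefix AS 111 announces.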
How minimal ROAs affect RPKI-validating routers
more prefixes in ROAs More filtering rules
Insecure case! Every IPv4 prefix has maxLength = 32 & is vulnerable to forged-origin sub-prefix hijack!