maxlength considered harmful to the rpki
play

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , - PowerPoint PPT Presentation

Dec 08, 2022 •394 likes •741 views

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston University Outline Background How does BGP work? How does RPKI work? What is the maxLength? How maxLength causes problems

  1. MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston University

  2. Outline Background ❖ How does BGP work? ➢ How does RPKI work? ➢ What is the “maxLength”? ➢ How maxLength causes problems ❖ How to fix the problems caused by maxLength ❖

  3. Border Gateway Protocol (BGP) Path: AS 111 168.122.0.0/16 AS 111 AS 222 168.122.0.0/16

  4. Problem: Subprefix Hijack Path: AS 111 168.122.0.0/16 AS 111 AS 222 AS 666 168.122.0.0/16

  5. Problem: Subprefix Hijack Path: AS 666 168.122.0.0/24 Path: AS 111 168.122.0.0/16 AS 111 AS 222 AS 666 168.122.0.0/16

  6. Problem: Subprefix Hijack BGP routers perform a longest-prefix match Path: AS 666 168.122.0.0/24 Path: AS 111 168.122.0.0/16 /24 destinations AS 111 AS 222 AS 666 168.122.0.0/16

  7. Solution: RPKI ROA: AS 111 RPKI 168.122.0.0/16 AS 111 AS 222 168.122.0.0/16

  8. Solution: RPKI ROA: AS 111 RPKI RPKI 168.122.0.0/16 ✓ Path: AS 111 168.122.0.0/16 RPKI VALID AS 111 AS 222 168.122.0.0/16

  9. Solution: RPKI ROA: AS 111 RPKI 168.122.0.0/16 Path: AS 666 ✓ Path: AS 111 168.122.0.0/24 168.122.0.0/16 RPKI VALID AS 111 AS 222 AS 666 168.122.0.0/16

  10. Solution: RPKI ROA: AS 111 RPKI AS 666 fails to attract traffic! 168.122.0.0/16 ✘ Path: AS 666 ✓ Path: AS 111 168.122.0.0/24 RPKI INVALID 168.122.0.0/16 RPKI VALID AS 111 AS 222 AS 666 168.122.0.0/16

  11. MaxLength in RPKI Path: AS 111 168.122.0.0/17 Path: AS 111 168.122.128.0/17 . . . . AS 111 Path: AS 111 168.122.0.0/16 168.122.255.0/24

  12. MaxLength in RPKI ROA: AS 111 Path: AS 111 168.122.0.0/17 168.122.0.0/17 ROA: AS 111 Path: AS 111 168.122.128.0/17 168.122.128.0/17 . . . . . . . . AS 111 ROA: AS 111 Path: AS 111 168.122.255.0/24 168.122.0.0/16 168.122.255.0/24

  13. MaxLength in RPKI ROA: AS 111 Path: AS 111 168.122.0.0/17 168.122.0.0/17 ROA: AS 111 Path: AS 111 168.122.128.0/17 168.122.128.0/17 ROA: AS 111 168.122.0.0/16 . . . . . . . . to maxLength 24 AS 111 AS 111 ROA: AS 111 Path: AS 111 168.122.255.0/24 168.122.0.0/16 168.122.255.0/24

  14. Outline Background ❖ How does BGP work? ➢ How does RPKI work? ➢ What is the “maxLength”? ➢ How maxLength causes problems ❖ Forged-Origin Subprefix Hijack ➢ How to fix the problems caused by maxLength ❖

  15. Forged-Origin Subprefix Hijack ROA: AS 111 RPKI 168.122.0.0/16 to maxLength 24 ✓ Path: AS 111 168.122.0.0/16 RPKI VALID AS 111 AS 222 168.122.0.0/16

  16. Forged-Origin Subprefix Hijack ROA: AS 111 RPKI 168.122.0.0/16 to maxLength 24 Path: AS 666, AS111 ✓ Path: AS 111 168.122.0.0/24 168.122.0.0/16 RPKI VALID AS 111 AS 222 AS 666 168.122.0.0/16

  17. Forged-Origin Subprefix Hijack ROA: AS 111 RPKI 168.122.0.0/16 to maxLength 24 ✓ Path: AS 666, AS111 ✓ Path: AS 111 168.122.0.0/24 RPKI VALID 168.122.0.0/16 RPKI VALID AS 111 AS 222 AS 666 168.122.0.0/16

  18. Forged-Origin Subprefix Hijack ROA: AS 111 RPKI 168.122.0.0/16 AS 666 is the ONLY path to the subprefix! to maxLength 24 ✓ Path: AS 666, AS111 ✓ Path: AS 111 168.122.0.0/24 RPKI VALID 168.122.0.0/16 RPKI VALID AS 111 AS 222 AS 666 168.122.0.0/16

  19. Maxlength almost always creates vulnerabilities! ➢ In June 2017: ▪ 12% of the prefixes in ROAs have a maxLength > prefix length. ▪ 84% of these are vulnerable to forged-origin subprefix hijacks!

  20. Outline Background ❖ How does BGP work? ➢ How does RPKI work? ➢ What is the “maxLength”? ➢ How maxLength causes problems ❖ How to fix the problems caused by maxLength ❖

  21. Minimal ROAs stop forged origin subprefix hijacks A ROA is minimal when it includes only those prefixes that the AS announces in BGP, and no other prefixes. Minimal ROA Path: AS 111 168.122.0.0/16 ROA: AS 111 Path: AS 111 168.122.0.0/16 168.122.0.0/17 168.122.0.0/17 168.122.128.0/17 Path: AS 111 168.122.0.0/18 168.122.128.0/17 Path: AS 111 168.122.0.0/18 AS 111

  22. Minimal ROAs stop forged origin subprefix hijacks ROA: AS 111 RPKI 168.122.0.0/16 168.122.0.0/17 168.122.128.0/17 168.122.0.0/18 Path: AS 111 168.122.0.0/16 Path: AS 111 168.122.0.0/17 Path: AS 111 168.122.128.0/17 Path: AS 111 168.122.0.0/18 AS 222 AS 111

  23. Minimal ROAs stop forged origin subprefix hijacks ROA: AS 111 RPKI 168.122.0.0/16 168.122.0.0/17 168.122.128.0/17 168.122.0.0/18 Path: AS 666, AS111 Path: AS 111 168.122.0.0/16 168.122.0.0/24 Path: AS 111 168.122.0.0/17 Path: AS 111 168.122.128.0/17 Path: AS 111 168.122.0.0/18 AS 222 AS 666 AS 111

  24. Minimal ROAs stop forged origin subprefix hijacks ROA: AS 111 RPKI 168.122.0.0/16 168.122.0.0/17 168.122.128.0/17 168.122.0.0/18 ✘ Path: AS 666, AS111 Path: AS 111 168.122.0.0/16 168.122.0.0/24 RPKI INVALID Path: AS 111 168.122.0.0/17 Path: AS 111 168.122.128.0/17 Path: AS 111 168.122.0.0/18 AS 222 AS 666 AS 111

  25. How minimal ROAs affect filtering rules Non-minimal ROA ROA: AS 111 168.122.0.0/16 to maxLength 24 Path: AS 111 168.122.0.0/16 Path: AS 111 insecure ✘ 168.122.0.0/17 Path: AS 111 168.122.128.0/17 Path: AS 111 168.122.0.0/18 AS 111

  26. How minimal ROAs affect filtering rules Non-minimal ROA ROA: AS 111 168.122.0.0/16 to maxLength 24 Path: AS 111 168.122.0.0/16 Path: AS 111 insecure ✘ 168.122.0.0/17 Path: AS 111 1 filtering rule 168.122.128.0/17 Path: AS 111 168.122.0.0/18 (AS 111, 168.122.0.0, len: 16, maxlen: 24) AS 111

  27. How minimal ROAs affect filtering rules Non-minimal Minimal ROA ROA (no maxlen!) ROA: AS 111 ROA: AS 111 168.122.0.0/16 168.122.0.0/16 168.122.0.0/17 to maxLength 24 168.122.128.0/17 Path: AS 111 168.122.0.0/18 168.122.0.0/16 Path: AS 111 insecure ✘ 168.122.0.0/17 secure! Path: AS 111 1 filtering rule 4 filtering rules 168.122.128.0/17 Path: AS 111 168.122.0.0/18 AS 111

  28. How minimal ROAs affect filtering rules Non-minimal Minimal ROA Minimal ROA ROA (no maxlen!) (compressed!) ROA: AS 111 ROA: AS 111 ROA: AS 111 168.122.0.0/16 168.122.0.0/16 168.122.0.0/16 168.122.0.0/17 to maxLength 17 to maxLength 24 168.122.128.0/17 Path: AS 111 168.122.0.0/18 168.122.0.0/18 168.122.0.0/16 Path: AS 111 insecure ✘ secure! 168.122.0.0/17 secure! Path: AS 111 2 filtering rules 1 filtering rule 4 filtering rules 168.122.128.0/17 Path: AS 111 168.122.0.0/18 Our compress_roas software converts a minimal ROA (no maxlen) to a compressed minimal ROA! AS 111

  29. How minimal ROAs affect RPKI-validating routers more prefixes in ROAs More filtering rules

  30. How minimal ROAs affect RPKI-validating routers more prefixes in ROAs More filtering rules

  31. How minimal ROAs affect RPKI-validating routers more prefixes in ROAs Insecure case! Every IPv4 prefix has More maxLength = 32 & filtering is vulnerable to forged rules origin sub-prefix hijack!

  32. How minimal ROAs affect RPKI-validating routers more prefixes in ROAs secure! More uses our filtering compress_roas rules software!

  33. Summary ➢ Operators (and RPKI configuration interfaces) should ○ be cautious when using maxLength attribute ○ use minimal ROAs whenever possible ○ follow our recommendations in IETF draft-yossigi-rpkimaxlen ➢ In an RPKI full deployment scenario: ○ maxLength does reduce overhead at routers ○ but our compression tool gives comparable results

  34. Summary ➢ Operators (and RPKI configuration interfaces) should ○ be cautious when using maxLength attribute ○ use minimal ROAs whenever possible ○ follow our recommendations in IETF draft-yossigi-rpkimaxlen ➢ In an RPKI full deployment scenario: ○ maxLength does reduce overhead at routers ○ but our compression tool gives comparable results Thanks!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

rsync considered inefficient and harmful ggm@apnic.net bje@apnic.net

rsync considered inefficient and harmful ggm@apnic.net bje@apnic.net

rsync considered inefficient and harmful ggm@apnic.net bje@apnic.net 1 RPKI uses rsync RPKI uses rsync as its data publica>on protocol for wider

681 views • 47 slides
Cloning Considered Harmful Considered Harmful Cory Kapser and Michael W. Godfrey David R.

Cloning Considered Harmful Considered Harmful Cory Kapser and Michael W. Godfrey David R.

Cloning Considered Harmful Considered Harmful Cory Kapser and Michael W. Godfrey David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, Canada A Commonly Cited Belief Cloning considered harmful

881 views • 30 slides
QjackCtl Considered Harmful QjackCtl Considered Harmful rncbc a.k.a. a.k.a. Rui Nuno Capela Rui

QjackCtl Considered Harmful QjackCtl Considered Harmful rncbc a.k.a. a.k.a. Rui Nuno Capela Rui

LAC2018 @ c-base Berlin LAC2018 @ c-base Berlin QjackCtl Considered Harmful QjackCtl Considered Harmful rncbc a.k.a. a.k.a. Rui Nuno Capela Rui Nuno Capela rncbc rncbc.org rncbc.org June 2018 June 2018 (1) 2003-2004 Dawn of Qstuff* Dawn of

131 views • 11 slides
Ad Hoc Synchroniza/on Considered Harmful Weiwei Xiong, Soyoen

Ad Hoc Synchroniza/on Considered Harmful Weiwei Xiong, Soyoen

Ad Hoc Synchroniza/on Considered Harmful Weiwei Xiong, Soyoen Park, Jiaqi Zhang, Yuanyuan Zhou and Zhiqiang Ma UC San Diego University of

530 views • 39 slides
DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS resolvers abstract complexity and offer the possibility of improved performance and better scalability . Why are they harmful? 3 Resolvers Are Vulnerable

618 views • 34 slides
In-Flight IPv6 Extension Header Insertion Considered Harmful

In-Flight IPv6 Extension Header Insertion Considered Harmful

In-Flight IPv6 Extension Header Insertion Considered Harmful draft-smith-6man-in-flight-eh-insertion-harmful IETF-106 Mark Smith markzzzsmith@gmail.com Naveen Kottapalli naveen.sarma@gmail.com Ron Bonica rbonica@juniper.net Fernando Gont

506 views • 34 slides
Semantically Far Inspirations Considered Harmful? Accounting For Cognitive States In

Semantically Far Inspirations Considered Harmful? Accounting For Cognitive States In

Semantically Far Inspirations Considered Harmful? Accounting For Cognitive States In Collaborative Ideation Joel Chan 1 , Pao Siangliulue 2 , Denisa Qori McDonald 3 , Ruixue Liu 3 , Reza Moradinezhad 3 , Safa Aman 3 , Erin T. Solovey 3 ,

468 views • 44 slides
MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm

MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm

MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm Fingerprint of data easy to synthesize (push here), hard to fake (grow this) Known since 1997 it was theoretically not so hard to create

573 views • 35 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Can Some Programming Languages Be Considered Harmful? S.Janssens U.P.Schultz V.Zaytsev

Can Some Programming Languages Be Considered Harmful? S.Janssens U.P.Schultz V.Zaytsev

CHESE @ PLATEAU @ SPLASH 2017 Can Some Programming Languages Be Considered Harmful? S.Janssens U.P.Schultz V.Zaytsev Meet the ones responsible: Edsger W. Dijkstra Sabine Janssens Ulrik Pagh Schultz Vadim Zaytsev Computing pioneer

301 views • 12 slides
Penetra'on Tes'ng Considered Harmful (haroon@thinkst.com) Who i am..

Penetra'on Tes'ng Considered Harmful (haroon@thinkst.com) Who i am..

Penetra'on Tes'ng Considered Harmful (haroon@thinkst.com) Who i am.. (& Why this talk?) haroon@thinkst.com Some Tools Some Papers Some Books So ? Some

1.38k views • 137 slides
DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined somewhere else (another file in our project, a library, etc) In compiler-speak, we want symbols with external linkage I only really care

563 views • 39 slides
Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security

Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security

Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security F. Fischer * , K. Bttinger * , H.Xiao * , C. Stransky , Y. Acar , M. Backes , S. Fahl * Fraunhofer AISEC CISPA, Saarland

739 views • 44 slides
SFS: Random Write Considered Harmful in Solid State Drives Changwoo Min 1, 2 , Kangnyeon Kim 1 ,

SFS: Random Write Considered Harmful in Solid State Drives Changwoo Min 1, 2 , Kangnyeon Kim 1 ,

SFS: Random Write Considered Harmful in Solid State Drives Changwoo Min 1, 2 , Kangnyeon Kim 1 , Hyunjin Cho 2 , Sang-Won Lee 1 , Young Ik Eom 1 1 Sungkyunkwan University, Korea 2 Samsung Electronics, Korea Outline Background Design

367 views • 34 slides
Semaphores considered Edsger s perspective harmful During system conception it transpired

Semaphores considered Edsger s perspective harmful During system conception it transpired

Semaphores considered Edsger s perspective harmful During system conception it transpired that we used the semaphores in Semaphores are low-level primitives. Small two completely different ways. The difference is so marked that,

328 views • 19 slides
Sequential consistency considered harmful Viktor Vafeiadis Max Planck Institute for Software

Sequential consistency considered harmful Viktor Vafeiadis Max Planck Institute for Software

Sequential consistency considered harmful Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 7 November 2017 The standard WMC talk . . . Sequential consistency (SC) CPU CPU Interleaving semantics read write

514 views • 15 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
Simulating Routing Schemes on Large- Scale Topologies Luc Hogie (INRIA, Fr), Dimitri

Simulating Routing Schemes on Large- Scale Topologies Luc Hogie (INRIA, Fr), Dimitri

Simulating Routing Schemes on Large- Scale Topologies Luc Hogie (INRIA, Fr), Dimitri Papadimitriou (A-L Bell Labs, Be), Issam Tahiri (INRIA, Fr), Frederic Majorczyk (Univ.Bordeaux/LaBRI, Fr) IEEE PADS Workshop Atlanta Georgia Tech. May

741 views • 28 slides
Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University

Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University

Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University Nijmegen, SIDN 21 March 2016, ICT.Open Agenda 1. Research question 2. Domain Name System 3. Methodology & Results 4. Conclusion 5. Time for asking

525 views • 38 slides
Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott

Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott

Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott Wakelin 4/27/2004 1 Road Map Road Map Project Goals and Overview Project Status Network Infrastructure ISP Topology ISP

554 views • 30 slides
How Netflix directs 1/3rd of Haley Tucker QCon San Francisco Mohit Vora Nov 16, 2015 Playback

How Netflix directs 1/3rd of Haley Tucker QCon San Francisco Mohit Vora Nov 16, 2015 Playback

How Netflix directs 1/3rd of Haley Tucker QCon San Francisco Mohit Vora Nov 16, 2015 Playback Overview DATA PLANE NETFLIX STREAM DEVICE (CDN) CONTROL PLANE Project 366 #59; 280212 Days Gone By..., CC BY-SA, Pete 2012, Flickr VIDEO

1.26k views • 112 slides
Classification of BGP anomalies using decision trees and fuzzy rough sets Article October 2014

Classification of BGP anomalies using decision trees and fuzzy rough sets Article October 2014

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/288205491 Classification of BGP anomalies using decision trees and fuzzy rough sets Article October 2014 DOI: 10.1109/SMC.2014.6974096

549 views • 7 slides
OpenDaylight: An Open Source SDN for Your OpenStack Cloud Stephan Baucke, Ericsson Kyle Mestery,

OpenDaylight: An Open Source SDN for Your OpenStack Cloud Stephan Baucke, Ericsson Kyle Mestery,

OpenDaylight: An Open Source SDN for Your OpenStack Cloud Stephan Baucke, Ericsson Kyle Mestery, Cisco Anees Shaikh, IBM Chris Wright, Red Hat Nov 6, 2013 www.opendaylight.org Where is this talk going? OpenDaylight overview What is

571 views • 20 slides
Bootstrapping evolvability for inter-domain routing Raja Sambasivan , David Tran-Lam, Aditya

Bootstrapping evolvability for inter-domain routing Raja Sambasivan , David Tran-Lam, Aditya

Bootstrapping evolvability for inter-domain routing Raja Sambasivan , David Tran-Lam, Aditya Akella, Peter Steenkiste Inter-domain routing is stagnant Many proposed fi xes/replacements for BGP E.g., LISP [RFC 6830], S-BGP [SAC00], Wiser,

350 views • 23 slides

More recommend