protecting routing w ith rpki
play

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN - PowerPoint PPT Presentation

Aug 19, 2023 •362 likes •889 views

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

  1. Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN

  2. Agenda •Operational routing •RPKI Statistics challenges •IRR Status •Do we have a •Research solution? Opportunities •Using ARIN’s RPKI components @ TeamARIN 1

  3. Core Internet Functions: Routing & DNS •The Internet relies on two critical resources • DNS: Translates domain names to IP addresses and IP addresses to domain names • Routing: Tells us how to get to an IP address •These critical resources are not secure •DNSSEC and RPKI secure these critical resources @ TeamARIN 2

  4. Operational Routing Challenges @ TeamARIN 3

  5. Focus on Interconnections •Started out as informal arrangements to route address blocks •Address reachability based on ISP to ISP “trust” •Moved into contracts •Moved from a small set of “trustable” ISPs into a worldwide group – some have questionable business practices @ TeamARIN 4

  6. Focus on Interconnections (cont’d) •Technology was incomplete at best to deal with automation to filter •Misconfigurations/nefarious events on these interconnections have occurred to affect significant parts of the Internet •IAB Statement on Routing – Routing is based on rumors @ TeamARIN 5

  7. Case Study: YouTube • Pakistan Telecom was ordered to block YouTube • Naturally, they originated their own route for YouTube’s IP address block • YouTube’s traffic was temporarily diverted to Pakistan • This incident could have been prevented with widespread adoption of RPKI @ TeamARIN 6

  8. Case Study: Turk Telekom •Turkish President ordered censorship of Twitter •Turk Telekom’s DNS servers were configured to return false IP addresses • So people started using Google’s DNS (8.8.8.8) •Turk Telekom hijacked Google’s IP addresses in BGP •Could have been prevented with RPKI @ TeamARIN 7

  9. Many More Examples • Late 2013 & early 2014, Dell Secure Works noticed /24 announcements being hijacked • Many networks routed to a small network in Canada • Intercepted communications between between Bitcoin miners and Bitcoin data pools • In April, 2017, AS12389 (PJSC Rostelecom) announced 37 new routes • These 37 prefixes belonged to various financial institutions and credit card processors (Visa International, MasterCard Technologies LLC, etc.) @ TeamARIN 8

  10. Many More Examples • In April, 2018, Amazon’s Route 53 DNS infrastructure service hijacked • Used both BGP and DNS within their attack • Traffic to the cryptocurrency website MyEtherWallet.com was redirected to a server hosted in Russia • Served up a phishing site to collect private keys to accounts • In June, 2019, Cloudflare, Amazon, Akamai, etc. sent through AS396531 (a steel plant) • Route Optimizer to blame • Upstream (Verizon) did not filter the “optimized” routes @ TeamARIN 9

  11. Do w e have a solution? @ TeamARIN 10

  12. Ways that are used today • Existing Technologies dealing with Routes with the ISP of origin: • IRR registries • LOAs • or just “Seems legit” • Monitoring BGP Announcements • BGPmon, Qrator, Thousand Eyes, etc • Do we have an alternative? @ TeamARIN 11

  13. Enter RPKI •Resource Public Key Infrastructure •Cryptographically certifies network resources • AS Numbers • IP Addresses •Also certifies route announcements • Route Origin Authorizations (ROAs) allow you to authorize your block to be routed @ TeamARIN 12

  14. RPKI Basics •All of ARIN’s RPKI data is publicly available in a repository •RFC 3779 certificates show who has each resource •ROAs show which AS numbers are authorized to announce blocks •CRLs show revoked records •Manifests list all data from each organization @ TeamARIN 13

  15. Hierarchy of Resource Certificates ICANN 0.0.0.0/0 0::/0 RIPE ARIN LACNIC AFRINIC APNIC 128.0.0.0/8 192.0.0.0/8 NCC Other Small ISP Regional ISP 192.78.12.0/24 128.177.0.0/16 Some Small ISP 128.177.46.0/20 @ TeamARIN 14

  16. Route Origin Authorizations ICANN 0.0.0.0/0 0::/0 RIPE ARIN LACNIC AFRINIC APNIC 128.0.0.0/8 192.0.0.0/8 NCC Regional ISP Other Small ISP 192.78.12.0/24 128.177.0.0/16 128.177.0.0/16 192.78.12.0/24 AS17025 AS2000 Some Small ISP 128.177.46.0/20 128.177.46.0/20 AS53659 @ TeamARIN 15

  17. Current Practices RIPE ARIN LACNIC AFRINIC APNIC 128.0.0.0/8 192.0.0.0/8 NCC 128.177.46.0/20 AS53659 Other Small ISP Regional ISP 128.177.0.0/16 192.78.12.0/24 128.177.0.0/16 192.78.12.0/24 AS17025 AS2000 @ TeamARIN 16

  18. Using a RPKI Repository (Theory) • Pull down these files using a manifest-validating mechanism • Validate the ROAs contained in the repository • Communicate with the router to mark routes: • Valid • Invalid • Unknown • Ultimately, the ISP uses local policy on how to route to use this information. @ TeamARIN 17

  19. What does RPKI Protect • Protects unauthorized origination attacks • Stops ISPs to announce routes with a direct AS path to the upstream • What it does not stop today • AS padding • Man-in-the-middle route attacks • RPKI is envisioned to use future technologies to stop these in-path attacks • First attempt failed – too complex • Second attempt underway using a variant of Secure Origin BGP – ASPA @ TeamARIN 18

  20. Steps to use RPKI •Provision your networks tying your networks to your origin AS •Fetch and configure a validator •Look at the results •Configure your validator to feed these results to your edge routers •Filter them based on validation rules @ TeamARIN 19

  21. Using ARIN’s RPKI System @ TeamARIN 20

  22. Using ARIN’s RPKI Repository •Provisioning RPKI •Using RPKI @ TeamARIN 21

  23. Provisioning Your Routes in RPKI •Determine if you want to allow ARIN to host your Certificate Authority (CA), or if you want ARIN to delegate to your Certificate Authority •Sign up with ARIN Online •Create Resource Certificates and ROAs @ TeamARIN 22

  24. Hosted vs. Delegated RPKI •Hosted • ARIN has done all of the heavy lifting for you • Think “point click ship” • Available via web site or RESTful interface •Delegated using Up/Down Protocol • A whole lot more work • Might make sense for very large networks @ TeamARIN 23

  25. Hosted RPKI - ARIN Online •Pros • Easy-to-use web interface • ARIN-managed (buying/deploying HSMs, etc. is expensive and time consuming) •Cons • Downstream customers can’t use RPKI • Large networks would probably need to use the RESTful interface to avoid tedious management • We hold your private key @ TeamARIN 24

  26. Delegated RPKI w ith Up/Dow n •Pros • Allows you to keep your private key • Follows the IETF up/down protocol • Allows downstream customers to use RPKI •Cons • Extremely hard to set up • Requires operating your own RPKI environment • High cost of time and effort @ TeamARIN 25

  27. Delegated w ith Up/Dow n •You have to do all the ROA creation •Need to set up a Certificate Authority •Have a highly available repository •Create a CPS @ TeamARIN 26

  28. Using ARIN’s RPKI Repository 1. Get the RIPE NCC RPKI Validator @ TeamARIN 27

  29. Using ARIN’s RPKI Repository 2. Get the ARIN TAL • https://www.arin.net/resources/rpki/tal.html 3. Visually validate @ TeamARIN 28

  30. Using ARIN’s RPKI Repository 4. Plug the validator into your routing policy engine: • Directly to the router via RTR protocol • Configuration recipes for Junos OS, Cisco IOS, Nokia SR OS at: • https://www.ripe.net/manage-ips-and-asns/resource- management/certification/router-configuration • Software Solutions • BIRD • OpenBGPD • FRROUTING • GOBGP • VyOS • You’re now a part of the RPKI ecosystem! @ TeamARIN 29

  31. Using ARIN’s RPKI Repository – Other Validators • RIPE is not the the only validator (and this is not an exhaustive list) • Dragon Research • rpki.net • NLNET Routinator • https://github.com/NLnetLabs/routinator • OpenBSD rpki-client and GoRTR • https://github.com/openbsd/src/tree/master/usr.sbin/rpki-client • RIPSTR • https://github.com/bgpsecurity/rpstir • The FORT Project • https://fortproject.net • RPKI validation services • Cloudflare Validates and you get the results • https://github.com/cloudflare/gortr @ TeamARIN 30

  32. RPKI Statistics @ TeamARIN 31

  33. RPKI Usage Oct Apr Oct 2013 Apr 2014 Oct 2014 Apr 2015 Oct 2015 Apr 2016 Oct 2016 Apr 2017 Oct 2017 Apr 2018 Sep 2018 Apr 2019 Sep 2019 2012 2013 591 793 Certified Orgs 47 68 108 153 187 220 250 268 292 328 361 434 19 60 106 162 239 308 338 370 414 470 538 604 1013 4519 5454 ROAs Covered 5816 7514 30 82 147 258 332 430 482 528 577 640 741 825 1953 Resources Up/Down 0 0 0 1 2 1 2 2 2 1 1 1 1 Delegated @ TeamARIN 32

  34. RPKI vs The Routing Table: Global Global: Validation Snapshot of Unique P/O Pairs 831,319 Unique IPv4 Prefix/ Origin Pairs Not-Found 84% Valid 15% Invalid 1% @ TeamARIN 33

  35. RPKI vs The Routing Table: RIPE RIPE: Validation Snapshot of Unique P/O Pairs 217,406 Unique IPv4 Prefix/ Origin Pairs Valid 27% Not-Found 72% Invalid 1% @ TeamARIN 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman Route-Hijacking:

687 views • 36 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Distributed Privacy-Protecting Routing in DTN: Concealing the Information Indispensable in

Distributed Privacy-Protecting Routing in DTN: Concealing the Information Indispensable in

Distributed Privacy-Protecting Routing in DTN: Concealing the Information Indispensable in Routing * Kang Chen 1 and Haiying Shen 2 1 Dept. of ECE, Southern Illinois University, IL, USA 2 Dept. of CS, University of Virginia, VA, USA * Majority

260 views • 23 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

BFOC13. Boston University Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon Goldberg Leonid Reyzin Princeton University Boston University How Secure is Internet Routing Today? (1) I am

375 views • 14 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein

663 views • 32 slides
Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
Communication Systems Cryptography University of Freiburg Computer Science Computer Networks

Communication Systems Cryptography University of Freiburg Computer Science Computer Networks

Communication Systems Cryptography University of Freiburg Computer Science Computer Networks and Telematics Prof. Christian Schindelhauer Organization I. Data and voice communication in IP networks II. Security issues in

479 views • 18 slides
Public Key Infrastructure Chester Rebeiro IIT Madras Recollect Diffie-Hellman Key Exchange

Public Key Infrastructure Chester Rebeiro IIT Madras Recollect Diffie-Hellman Key Exchange

Public Key Infrastructure Chester Rebeiro IIT Madras Recollect Diffie-Hellman Key Exchange Key Establishment : Alice and Bob want to use a block cipher for encryption. How do they agree upon the secret key Alice and Bob agree upon a

972 views • 56 slides
In Root we Trust Pavan Chander Lisa Bui OWASP Toronto: Feb 20, 2019 Who are we? Pavan Chander

In Root we Trust Pavan Chander Lisa Bui OWASP Toronto: Feb 20, 2019 Who are we? Pavan Chander

In Root we Trust Pavan Chander Lisa Bui OWASP Toronto: Feb 20, 2019 Who are we? Pavan Chander Lisa Bui pchander@deloitte.ca libui@deloitte.ca Pavan is a Manager with Deloittes Lisa is a consultant in Deloittes Risk Cyber Risk

385 views • 21 slides
JALIEN THE NEW ALICE HIGH-PERFORMANCE AND HIGH-SCALABILITY GRID FRAMEWORK

JALIEN THE NEW ALICE HIGH-PERFORMANCE AND HIGH-SCALABILITY GRID FRAMEWORK

A Large Ion Collider Experiment JALIEN THE NEW ALICE HIGH-PERFORMANCE AND HIGH-SCALABILITY GRID FRAMEWORK Miguel.Martinez.Pedreira@cern.ch | Track 3: Distributed Computing | 12/07/2018 A Large Ion Collider Experiment COMPUTING CHALLENGE

501 views • 11 slides
RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with

RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with

https://res212.telecom-paristech.fr TP01v2 2018/05/22 RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with creating and managing cryptographic certificates for use in your application, for the Web

851 views • 16 slides
SPS State of Technology Presented by: Christopher Perry CACI May 30 June 1, 2017 Hyatt

SPS State of Technology Presented by: Christopher Perry CACI May 30 June 1, 2017 Hyatt

DEFENSE PROCUREMENT AND ACQUISITION POLICY PROCURE-TO-PAY TRAINING SYMPOSIUM SPS State of Technology Presented by: Christopher Perry CACI May 30 June 1, 2017 Hyatt Regency Orlando FL 1 Agenda Software Component Architecture

590 views • 19 slides
Electronic Mail Security Slide 1 Characteristics File transfer, except... sender, receiver

Electronic Mail Security Slide 1 Characteristics File transfer, except... sender, receiver

email 1 Electronic Mail Security Slide 1 Characteristics File transfer, except... sender, receiver may not be present at the same time diversity (character sets, headers, ...) not a transparent channel (8 bit data, CRLF) often

699 views • 16 slides
CYBERSECURITY: ARE YOU PREPARED FOR WHATS NEXT? January 23, 2018 1 Com Combat ating Cyb g

CYBERSECURITY: ARE YOU PREPARED FOR WHATS NEXT? January 23, 2018 1 Com Combat ating Cyb g

CYBERSECURITY: ARE YOU PREPARED FOR WHATS NEXT? January 23, 2018 1 Com Combat ating Cyb g Cyber Thr r Threat ats Cyber Security Seminar January 23, 2018 Dan Desko Eric Wright 1 Eric W Eric Wright ight Technology Advisors

726 views • 56 slides

More recommend