secure routing with rpki status challenges and the smart
play

Secure Routing with RPKI: Status, Challenges and the Smart-Validator - PowerPoint PPT Presentation

Jul 14, 2023 •320 likes •687 views

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman Route-Hijacking:

  1. Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman

  2. Route-Hijacking: Real-Life Example A"ack Goals: Eavesdropping Spam/phishing Malware distribu2on Censorship - Many proposed/deployed defenses, over many years… - Challenge & focus : deployable yet effecBve defenses Denial of service Traffic Analysis

  3. Pre%ix Hijacking: prefer shorter route 1 1.2.0.0/16 1.2.0.0/16 Route: 22-333 Route: 666 22 666 1.2.0.0/16 333 Route: 333 BGP Data flow Inter-domain announcement to 1.2.0.0/16 link 3 ….

  4. Subpre>ix Hijacking: always prefer longest matching pre%ix 1 1.2.0.0/16 1.2.3.0/24 Route: 333 Route: 6-666 333 6 666 BGP Data flow Inter-domain announcement to 1.2.3.0/24 link 4 ….

  5. Idea: prevent hijacks using Route Origin Validation (ROV) How?? Route Origin 1.2.0.0/16 1.2.0.0/16 1 ValidaBon (ROV) Route: 22-333 Route: 666 22 666 333 BGP Ann. Data flow Domain 1 uses the (longer but correct) route 22-333, since 5 only domain 333 is authorized origin for prefix 1.2.0.0/16

  6. How to do Route Origin Validation (ROV) ??

  7. How to do Route Origin Validation (ROV) ?? Naïvely: keep a list of valid (authorized) origin ASes for each prefix Online check: consult DBs, e.g., Internet Rou2ng Registries (IRRs) Offline: digitally-signed Route Origin AuthorizaBon (ROA)

  8. Route Origin Validation (ROV) prevents Pre%ix and Subpre%ix Hijacks ROA: 1.2.0.0/16 Origin 333 Route Origin 1.2.0.0/16 1.2.0.0/16 1 ValidaBon (ROV) Route: 22-333 Route: 666 22 666 333 BGP Ann. Data flow Domain 1 uses the (longer but correct) route 22-333, since 8 only domain 333 is authorized origin for prefix 1.2.0.0/16

  9. RPKI: Resource Public Key Infrastructure • IETF standard [RFC 6480]; main goal: prevent (sub)prefix hijacks (false origin domain) • Allows signing Route Origin AuthorizaBons (ROAs) : Prefix: 1.2.0.0/16 Origin: 333 Max-length: 20 • Facilitates Route Origin ValidaBon (ROV): • Drop BGP announcements where origin AS conflicts with ROA • I.e.: Origin AS is not 333 Or: more specific than /20

  10. RPKI Deployment: Agenda • RPKI: What and Why [done] • State of Deployment • ROA adop2on: trends • Wrong ROA: causes and damages • ROV adop2on status, challenges • Impact of par2al ROV adop2on • Improving deployment: The Smart Validator • Phase I • Demo • Phase II • Conclusions

  11. ROA Adoption History Drop BGP announcements è lose (good?) traffic … So, how many domains do Route Origin Validation? Announced without ROA: 647,192 (93%) Valid ROAs: 43,796 (6.3%) Wrong ROAs: 5,015 (0.7%) About 10% wrong ROAs!! Consistently!!

  12. Wrong ROAs?? • Requires both authoriza2ons (ROAs) and valida2on (ROV) • Risk: ROV with Wrong ROA è drop legit-yet-invalid announcements • Does wrong-ROAs happen? – Typical, real-life example: Legend: RIPE Resource 194.2.0.0/15 Cer2ficate Domain 3215 Orange (France telecom) Wrong ROA 194.2.0.0/15 Legit-yet-Invalid BGP Announcement 194.2.35.0/24 194.3.118.0/24 Domain 1272 (Danone) 194.2.155.0/24 Domain 34444 (Eutelsat) Domain 8361 (Ubisor)

  13. Measuring Adoption of Route Origin Validation - Challenge: no direct way to measure the adop2on of ROV è no published measurements - Idea: use Route-View-project’s BGP-collectors – and wrong ROAs! - Observa2on: if collector receives invalid announcement è En2re route does not enforce ROV ! ROA: 1.2.0.0/16 Domain 333 1.2.0.0/16 1 A Route: C-A-1 1.2.0.0/16 Collector B C 2 1.2.0.0/16 D Route: F-E-D-2 1.2.0.0/16 E Collector F 13 13

  14. Measuring Adoption of Route Origin Validation - Challenge: no direct way to measure the adop2on of ROV è no published measurements - Observa2on : if collector receives invalid announcement è En2re route does not enforce ROV ! At least 80 of 100 largest domains do not enforce ROV ! Can we meaure more precisely? ROA: 1.2.0.0/16 1 A More precise results: very very few domains Domain 333 1.2.0.0/16 enforce ROV (skipping details – ask me) B C Collector 2 D 1.2.0.0/16 E Collector F 14 14

  15. Better ROV Measurements… • Dependency on exis2ng wrong ROAs may be misleading • More reliable: publish correct/wrong ROAs (same origin) • Three different controlled experiments, mul2ple 2mes: • Use RouteView Collectors (as before) • Use Trace-route to RIPE atlas probes • Use `echo’ from servers (ICMP ping or TCP SYN/ACK) • Experiments s2ll ongoing • Ini2al results: only handful of domains enforce ROV • None of the 100 largest domains (cf. <20) • Similar results apparently from measurements by Randy Bush and others (didn’t yet see details) • What’s the impact of par2al-deployment of ROV?

  16. Partial Adoption of ROV: Collateral damage • Domains not doing ROV might cause ROV-enforcing domains to fall vic2m to prefix hijacking • Control-Plane vs. Data-Plane Mismatch: domain discards invalid announcement, yet data flows to awacker To: 1.1.1.0/24 666 Domain 2 adver2ses both route: 2-666 Domain 3 enforces ROV: valid and invalid routes discards invalid subprefix route 2 3 ROA: 1.1.0.0/16 Domain 2 uses invalid route Origin 1 To: 1.1.0.0/16 for subprefix è traffic to route: 2-1 1.1.1.0/24 s2ll hijacked! 16 1

  17. Partial Adoption of ROV: Collateral bene%it Adopters protect domains behind them by discarding invalid announcements ROA: 1.1.0.0/16 Domain 1 To: 1.1.1.0/24 Domain 3 is only 666 route: 666 offered valid routes 2 3 To: 1.1.0.0/16 route: 2-1 Origin 1 Drawback: less incen2ve to deploy (`free-riders’)

  18. Security in Partial ROV Adoption: Simulation Framework • Use Internet domain topology of CAIDA ROA: 1.1.0.0/16 Origin: A • Pick vic2m & awacker • Vic2m’s prefix has a ROA A • Pick domains doing ROV B • Find domains sending to vic2m C vs. domains sending to awacker D E F G H I J Empirically-derived topology from CAIDA. Includes inferred K peering links [Giotsas et al., L SIGCOMM’13] 18

  19. Security with Partial ROV Adoption • Subprefix-hijack success rate for adop2on by x largest domains • Compare: 100% vs. 25% adop2on by other domains • Significant benefit - but only if almost all large domains adopt – and most other domains adopt too • We are very far from this! Subprefix hijack success rate

  20. RPKI Deployment: Agenda • RPKI: What and Why • State of Deployment • ROA adop2on: trends • Wrong ROA: causes and damages • ROV adop2on status, challenges • Impact of par2al ROV adop2on • Improving deployment: The Smart Validator • Phase I • Demo • Phase II • Conclusions

  21. Fixing ROAs and ROV deployment • Improve deployment of ROAs • ROAlert.org: idenBfy wrong ROAs • email alerts when sysadmin-email located: 40% fixed! • è Should be deployed `officially’ • Smart validator (h"ps://github.com/SmartValidator/SmartValidator ) • Encourage, improve adop2on of Route Origin Valida2on (ROV) • Free, open source; extends RIPE’s RPKI validator • Phase I: `easy and safe deployment’ – Do No Harm • Fix Conflic2ng-ROAs [conflic2ng with long-lived BGP announcments] • Ready, experiments beginning – join us ! • Phase II: improved security, incen2ves • In development, will be based on new version of RIPE validator

  22. Idea: Hijacks are Short Lived Possible Hijacks duraBon [Days] from 08-2016 -> 06-2017 60% [BGPStream.com] 50% è Allowing long-lived (>3weeks) 40% BGP announcements, even if conflic2ng with ROA, would s2ll 30% catch most hijacks! 20% 10% 0% 1 Day 1 Week 2 Weeks 3 Weeks 4 Weeks 1-2 months 2 months+ Serie1 60,90% 8,84% 28,46% 0,56% 0,38% 0,44% 0,42%

  23. Smart-Validator: Phase I • Easy and safe to deploy: `plug and play’ • Do No Harm • Recommend Mode (default): • Observes ROAs and BGP announcements • Recommend BGP announcement filters • Operator manually applies BGP announcement filters • `What-if’ measurements: impact of safe-deployment modes • Safe-deployment modes • Ignore mode : ignore conflic2ng-ROAs • Extend mode: add auto-ROAs to cancel conflicts • Experiments: Cisco, LinkedIn, … You?? • Based on RIPE’s validator; free, open source

  24. Smart-Validator: Architecture Data warehouse Dashboard The engine Data resources

  25. Smart Validator Dashboard Examples Recommend mode Extend safe-deployment mode

  26. Demo ( github.com/SmartValidator/SmartValidator )

  27. Smart-Validator: Phase II • Extend phase I with new ROV features: • ROV++ : • Prefer ROV++ compliant providers • When learning of awack… or always/usually • Reduces risk of collateral-damage • An incenBve to deploy • Path-end validaBon: easy, strong extension to RPKI • Prevent `origin hijacking’ by extending ROA to iden2fy neighbor AS • SigComm16 paper shows: surprisingly effec2ve!!

  28. Beyond BGP: Routing Against DoS • BGP is limited to single fixed route • Easier to congest – e.g., in Denial-of-Service (DoS) • BGP isn’t conges2on-sensi2ve • Route does not depend on conges2on, delays, loss • Slow response to link failure • IP provides only best-effort service • No quality guarantees (max delay, max loss rate) • Quality-of-Service (QoS) extensions: only within domain • è Secure Accountable Inter-domain Forwarding • On going project – talk to me…

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

BFOC13. Boston University Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon Goldberg Leonid Reyzin Princeton University Boston University How Secure is Internet Routing Today? (1) I am

375 views • 14 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of conventional routing schemes Proactive wireless routing Hierarchical routing Reactive (on demand) wireless routing Geographic routing

893 views • 60 slides
Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week

Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week

Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week Carlos Mar2nez Cagnazzo carlos @ lacnic.net A9acks on rou;ng: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC

788 views • 31 slides
Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos &amp; Zygmunt J. Haas

Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos &amp; Zygmunt J. Haas

Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos &amp; Zygmunt J. Haas Presented by Leland Smith CS 6204, Spring 2005 1 Overview What are MANETs? Motivation Secure Routing Protocol Protocol Description

560 views • 15 slides
Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size

Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size

Geoff Huston APNIC Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size - Nov Data assembled from Route Views data. Each colour represents a time series for a single AS. The major point here is

686 views • 45 slides
Smart City Mission Status Report Contents Introduction Smart city initiative

Smart City Mission Status Report Contents Introduction Smart city initiative

Smart City Mission Status Report Contents Introduction Smart city initiative Strategies, Selection Process, Implementation of Smart cities, Mission Monitoring and Financing of Smart Cities Current Status Selected

355 views • 22 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
UPM DAY 1: SMART GRIDS TABLE 1: TECHNOLOGICAL CHALLENGES RELATED WITH SMART GRIDS DEVELOPMENT

UPM DAY 1: SMART GRIDS TABLE 1: TECHNOLOGICAL CHALLENGES RELATED WITH SMART GRIDS DEVELOPMENT

Guillermo del Campo UPM DAY 1: SMART GRIDS TABLE 1: TECHNOLOGICAL CHALLENGES RELATED WITH SMART GRIDS DEVELOPMENT INTERNATIONAL SUMMER SCHOOL SMART GRIDS AND SMART CITIES Barcelona, 6-8 June 2017 Context Dramatic growth of energy

618 views • 16 slides
EE 6882 Statistical Methods for Video Indexing and Analysis Fall 2004 Prof. Shih-Fu Chang

EE 6882 Statistical Methods for Video Indexing and Analysis Fall 2004 Prof. Shih-Fu Chang

EE 6882 Statistical Methods for Video Indexing and Analysis Fall 2004 Prof. Shih-Fu Chang http://www.ee.columbia.edu/~sfchang Lecture 1 - part B (9/7/04) 1 Run-through of a simple image search system Color, Texture, distance metrics, and

859 views • 39 slides
Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016 Chad Holliday Chairman Royal Dutch Shell plc Royal Dutch Shell | May 24, 2016 Definitions &amp; The New Lens Scenarios are part of an ongoing

197 views • 19 slides
Atmospheric Infrared Sounder (AIRS) Atmospheric Infrared Sounder (AIRS) Project Status Project

Atmospheric Infrared Sounder (AIRS) Atmospheric Infrared Sounder (AIRS) Project Status Project

National Aeronautics and National Aeronautics and Space Administration Space Administration Jet Propulsion Laboratory Jet Propulsion Laboratory California Institute of Technology California Institute of Technology Pasadena, California

539 views • 27 slides
IETF Technical Plenary Session Monday, 21 July 2014 Toronto, Canada Transcript provided by

IETF Technical Plenary Session Monday, 21 July 2014 Toronto, Canada Transcript provided by

IETF Technical Plenary Session Monday, 21 July 2014 Toronto, Canada Transcript provided by Brewer &amp; Darrenougue Corrections provided by Cindy Morgan and Andrew Sullivan --BEGIN TRANSCRIPT-- &gt;&gt; RUSS HOUSLEY: We're going to start the

628 views • 37 slides
3D-Printed Detectors and Detector Integration modern manufacturing technologies and

3D-Printed Detectors and Detector Integration modern manufacturing technologies and

3D-Printed Detectors and Detector Integration modern manufacturing technologies and functional materials in detector system design ATLAS and CMS Endcap Design and Engineering Challenges Christian J. Schmidt 13.06.2018 Christian J.

346 views • 23 slides
CROSS-CORRELATION IN THE HIGH-Z SKY FEDERICO BIANCHINI THE QUEST FOR Energy Density Dark

CROSS-CORRELATION IN THE HIGH-Z SKY FEDERICO BIANCHINI THE QUEST FOR Energy Density Dark

CROSS-CORRELATION IN THE HIGH-Z SKY FEDERICO BIANCHINI THE QUEST FOR Energy Density Dark Energy is z 1 z Learn about the Dark Energy/Gravity sector 2 THE QUEST FOR Energy Density Dark Energy is TOMOGRAPHY z 1 z Learn

824 views • 43 slides
Space McGill COMP 765 Sept 7 th , 2017 * The topology of quantum worm- holes will be left for

Space McGill COMP 765 Sept 7 th , 2017 * The topology of quantum worm- holes will be left for

Representing and Modeling Space McGill COMP 765 Sept 7 th , 2017 * The topology of quantum worm- holes will be left for self-study. Goals today Introduce models of a robots movements in space Introduce models to represent the space

900 views • 67 slides
Tools for Physicists: Statistics Wolfgang Gradl Peter Weidenkaff Institut fr Kernphysik

Tools for Physicists: Statistics Wolfgang Gradl Peter Weidenkaff Institut fr Kernphysik

Tools for Physicists: Statistics Wolfgang Gradl Peter Weidenkaff Institut fr Kernphysik Summer semester 2019 The scientific method: how we create knowledge Tools for physicists: Statistics 2 | SoSe 2019 | Theory / model

1.66k views • 131 slides

More recommend