9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi
|
|
- Hortense Hill
- 5 years ago
- Views:
Transcription
1 COMP 535 Lecture 6: Routing Security September 3, 2015 Andrew Chi Includes content used with permission by Angelos Keromytis (Columbia), Philip Smith (APNIC), and Steve Kent (BBN) Agenda Routing Attacks in the News Introduction to the Internet Threats to Routing IETF solution RPKI BGPSEC BBN RPKI software BGPSEC (current IETF work) In the News 1997: AS 7007 Internet routing black hole by MAI (American ISP) 2004 TTNet (Turkish ISP) routes most Internet traffic through Turkey 2008 Pakistan Telecom YouTube incident 2010 China Telecom incident 2013 Iceland/Belarus hijacks 2014 Bitcoin BGP hijacking 1
2 Introduction to the Internet Topologies and Definitions IP Addressing Internet Hierarchy ( Pecking Order ) Routing in the Internet BGP Gluing it all together Topologies and Definitions ISPs build networks covering regions Region can mean country, sub-continent, or even globe Each region has points of presence built by the ISP Routers are the infrastructure Physical circuits run between routers Point of Presence (PoP) is the physical location of ISP s equipment Some ISPs use Multi-Protocol Label Switching (MPLS), built on top of router infrastructure mainly to provide VPN services Typical PoP Design Core routers high speed trunk connections Distribution routers higher port density, aggregating network edge to the network core Access routers high port density, connecting the end users to the network Border routers connections to other providers (focus of this talk) Service routers hosting and servers Some functions might be handled by a single router 2
3 Peering and Transit Peering Exchanging routing information and traffic Usually for no fee Sometimes called settlement free peering Transit Carrying traffic across a network Usually for a fee N.B. BGP peer is a generic protocol term, not to confused with these business-laden terms. Public vs Private Interconnect Private 2 ISPs agree (privately) to provision a circuit between border routers Public Internet exchange Point (IXP) A location/facility where several ISPs are present and connect to each other over a common shared media Why? To save money, reduce latency, improve performance Each of the 6 represents a border router in a different AS Switched interconnect Each provider establishes a peering relationship with other providers at IXP Private Public IP Addressing Internet uses classless routing Concept of IPv4 class A, class B or class C is no more Engineers talk in terms of prefix length, for example the class B is now called /16 All routers must be CIDR capable Classless Inter Domain Routing RFC1812 Router Requirements Longest prefix match IPv6 adoption IANA s free pool of IPv4 has run out; so has APNIC Image Source: ss_inter-domain_routing 3
4 Where do I get IP addresses? IP address space is a resource shared amongst all Internet users. 5 Regional Internet Registries delegated allocation responsibility by the IANA RIRs allocate address space to ISPs and Local Internet Registries. Aka Provider Independent (PI) space. Portable. ISPs/LIRs assign address space to end customers or other ISPs. Aka Provider Aggregatable (PA) space. Non-portable. All usable IPv4 address space has been allocated to the RIRs by IANA The time for IPv6 is now Internet Pecking Order Global Transit Providers Connect to each other Provide connectivity to Regional Transit Providers Regional Transit Providers Connect to each other Provide connectivity to Content Providers Provide connectivity to Access Providers Access Providers Connect to each other across IXPs (free peering) Provide access to the end user Internet Pecking Order 4
5 Routing in the Internet Two abstractions: control plane vs. data plane Two types: intra-domain (internal) vs. inter-domain (external) Internal within ISP, company OSPF or IS-IS IS-IS used more in practice; easier for IPv6 transition Both are Dijkstra s algorithm: robust for smaller networks. Each node announces its connectivity, and each node reannounces all information received from peers. Each node learns full map of the network Does not scale External between ISPs, large enterprises: BGP (Border Gateway Protocol) Border Gateway Protocol BGP is classified as a path vector routing protocol (RFC 1322) Entire path, not just metric BGP is the control plane Actual data traffic (forwarding plane) flows in the reverse direction of BGP messages Warning: asymmetric routing! Gluing it together Who runs the Internet? No one (Definitely not ICANN, nor the RIRs, nor the US, ) How does it keep working? Inter-provider business relationships and the need for customer reachability ensures that the Internet by and large functions for the common good Any facilities to help keep it working? Not really. But Engineers keep working together! 5
6 What about security? History of Routing Security Radia Perlman s dissertation: Network Layer Protocols with Byzantine Robustness, Bellovin s Security Problems in the TCP/IP Protocol Suite (1989) More work starting around 1996 Kent et al., 2000 (S-BGP) Many more, no adoption IETF Secure Inter-Domain Routing WG (2006 present) starting to see real deployment Generic Threats to Routing The Enemy s Goal Hard to detect: neither X nor Y has knowledge of Z s connectivity. 6
7 Generic Threats to Routing Bad guys play games with routing protocols. Traffic is diverted. Enemy can see the traffic. Enemy can easily modify the traffic. Enemy can drop the traffic. Cryptography (SSL/IPsec) can mitigate effects, but not stop them. It s a really hard problem getting routing to work well is hard enough. Security problems are not due to bad code, but are more fundamental: a dishonest participant. Hop-by-hop authentication is insufficient (transitive trust). Generic Threats to Routing Using a Tunnel for Packet Reinjection Achieve MITM from edge routers! Border Gateway Protocol (BGP) X X = 1.2.3/ NOTE: BGP is complicated. This simplified view highlights the path vector aspect, which is relevant to RPKI/BGPSEC. 7
8 BGP Attack False Origin X 2 7 X X = 1.2.3/ Address space hijacking : Autonomous System 1 announces a false advertisement for IP prefix X. In the Pakistan-Youtube case, it announced a more-specific prefix. BGP Attack False Path X X X = 1.2.3/ False path : AS 4 wants to draw traffic from AS 2, and announces shorter path to IP prefix X, without violating. A false path using a combination of loop detection and longest prefix can be used to set up MITM (Kapela-Pilosov got the most recent publicity). IETF Solution: RPKI + BGPSEC RPKI X X = 1.2.3/24 BGPSEC 4 5 The IETF approach splits the problem into two domains: origin validation (address space ownership) and path validation (multi-hop routing updates). Resource PKI: sign the route originations BGPSEC: sign each hop on the AS-path 5 8
9 Crypto Interlude Historical solution (symmetric key) Alice and Bob must establish the key beforehand. If n parties, then O(n 2 ) key establishments. Key Innovation: Utilize Asymmetry Asymmetries in the real world Breaking a wine glass, cooking an egg Asymmetries in algorithms Multiplication vs factoring, hashing vs. pre-image Physical analogy for public key cryptography: Easy Hard (combo required) Exercise 1: Asymmetric cryptography Alice and Bob have never met before. How can Alice send a message to Bob that is secure against a passive eavesdropper (Eve)? You can use a combination lock and a chest. 9
10 Exercise 1: Asymmetric cryptography Bob, we need to talk. Here s my combo-lock: B <Message> B Private combo for B: Exercise 2: Digital Signature How do you modify this scheme to accomplish a different goal: digital signature? You may have to modify the primitive as well. What if the attacker is active? Resource Public Key Infrastructure How do we determine ownership of IP address and Autonomous System (AS) numbers? Resource Public Key Infrastructure (RPKI) 10
11 Resource Public Key Infrastructure Internet Assigned Numbers Authority (IANA) coordinates hierarchical IPv4/IPv6 assignment, through the 5 Regional Internet Registries (RIRs), who then suballocate to ISPs. Resource Public Key Infrastructure Available at APNIC s rsync publication point Credit: Geoff Huston, APNIC RPKI Certificate (abbreviated) Field Example/Comment Issuer Name RIR or parent ISP (*) Authority Key Id hash(issuer_pubkey) Subject Name UNC Chapel Hill (*) Subject Key Id hash(subject_pubkey) Subject PubKey Information NotAfter IPv4 and IPv6 Address blocks (RFC 3779 ext) AS numbers (RFC 3779 ext) Subject Info Access Signature RSA Algorithm ID, 2048 bit RSA pubkey Expiration date / / :0028:3090::/48 None (**) rsync://rpki.unc.edu/s ome/directory/ 0x2f3d4401a89a RPKI certificate An X.509 certificate with RFC 3779 extensions: IP addresses and AS numbers (*) Names in certificates IANA, RIRs, NIRs, and ISPs are NOT naming authorities (unlike DNS registrars) To avoid having them vouch for the right-to-use of names, subject/issuer names are NOT actually meaningful They usually consist of a common name (typically hex) and, if needed, serial number CommonName = F57320B9A926 SerialNumber = (**) AS nums for BGPSEC 11
12 Route Origination Authorization Field End entity certificate AS Number Prefixes w/ Maxlength Signature Usage: Comment/Example Embedded certificate that is limited to be a leaf node (no certificate children) / / :0028:3090::/ xf3a3512ee An ISP receiving a BGP update verifies the origin AS against the ROA. (RFC 6811) ROAs Authorizes an AS (ISP) to originate a route to a set of one or more prefixes CMS signed object envelope containing EE certificate payload (AS# + prefixes) Signature Prefix range Maxlength field (e.g. 19) defines longest prefix allowed to be advertised Example: RPKI in Action Huston, Geoff, and Randy Bush. "Securing BGP with BGPSEC." The Internet Protocol Journal. Vol. 14. No What does a router do with ROAs? RPKI Route Announcement Validity (details in RFC 6811) When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. They can be: VALID The route announcement is covered by at least one ROA INVALID The prefix is announced from an unauthorised AS The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS NOTFOUND The prefix in this announcement is not covered (or only partially covered) by an existing ROA This trichotomy allows gradual deployment. NOTFOUND is equivalent to the current state of BGP routes. 12
13 The RPKI Repository System This repository is unusual in that ALL of the data is signed and verifiable via certificate path validation (unlike LDAP or the DNS) Most repositories used for certificates and CRLs, e.g., LDAP and the DNS, assume searching & selective retrieval of entries The RPKI retrieval model is very different Every ISP will fetch ALL new/changed entries since the last time it checked Most ISPs will access the repository system several times a day This suggests a different repository design 37 Repository System Elements Distributed database of signed objects A publication point for each resource holder Certificates & CRLs Route Origination Authorizations Statements by an address space holder about which ASes are authorized to originate routes to its address space Manifests Statements about what objects belong at each publication point and which version is current Ghostbusters record A pointer to publication point maintainer contact info 38 What s a Manifest? The repository system holds only signed objects, which is good, but tampering is still possible! An older version of a valid object can be put in place of the current version, if that version has not expired A valid entry can be removed from the repository, without detection by a relying party A manifest is a signed object that enumerates all the other signed objects at a publication point It uses a CRL-like validity interval It has the hash of each file as well as the file name Error conditions are tricky! 39 13
14 RPKI Operations Model RPKI Status All 5 RIRs offer production service today Over 4,000 certificates have been issued to resource holders Open source relying party software is available from BBN, Dragon, and RIPE Cisco & Juniper ship code that receives processed RPKI data (from a server) and validates BGP UPDATE messages with respect to origin AS assertions IANA has not yet signed any objects, nor has it issued certificates to the RIRs, so we have 5 trust anchors today 41 Are we safe? 14
15 BGP Attack False Origin X 2 7 X X = 1.2.3/ Address space hijacking : Autonomous System 1 announces a false advertisement for IP prefix X. In the Pakistan-Youtube case, it announced a more-specific prefix. BGP Attack False Path X X X = 1.2.3/ False path : AS 4 wants to draw traffic from AS 2, and announces shorter path to IP prefix X, without violating. A false path using a combination of loop detection and longest prefix can be used to set up MITM (Kapela-Pilosov got the most recent publicity). BGPSEC The Next Step The RPKI prevents configuration errors by an ISP from hijacking address space The RPKI does not protect against attacks on BGP, e.g., bogus routes terminating in a valid origin To protect against attacks, one needs to enable every AS to verify that the route received via a BGP UPDATE message is accurate: each AS along the path received the AS path info from the preceding AS and forwarded it to the next AS BGPSEC is the name given to the protocol that provides this capability 45 15
16 BGPSEC Basics BGPSEC makes use of a new, optional, transitive attribute, to carry digitally signed route info BGPSEC support is negotiated between routers (potentially on an asymmetric basis), so that a non-bgpsec router will not be burdened by big UPDATE messages BGPSEC data is never sent through non- BGPSEC ASes, so secure paths exist only for contiguous sequences of ASes Incremental deployment is viable 46 How Does BGPSEC Work? Huston, Geoff, and Randy Bush. "Securing BGP with BGPSEC." The Internet Protocol Journal. Vol. 14. No How Does BGPSEC Work? Every BGP router receives a certificate under the RPKI, issued by the AS operator of the router The router for the origin AS generates a path signature attribute that covers the NLRI, its AS#, and the next hop AS# When a router sends a BGPSEC UPDATE, it includes a BGPSEC path signature attribute, that covers the previous signature and the next hop AS# Up receipt, a router verifies the chain of signatures on the AS path info and matches the NLRI and origin AS against ROA data 48 16
17 Additional References IETF Secure Inter-Domain Routing WG docs Routing attacks and RPKI in the news chinese-internet-traffic-fix.html RPKI Deployment Statistics BBN RPSTIR software Hurricane Electric BGP Toolkit BGPSEC Attributes Secure Path Data AS X pcount X AY Y pcount Y AS Z pcount Z Signature Block 1 Algorithm Suite 1 SKI X1 Signature X1 SKI Y1 Signature Y1 SKI Z1 Signature Z1 Signature Block 2 Algorithm Suite 2 SKI X1 Signature X1 SKI Y1 Signature Y1 SKI Z1 Signature Z1 A second signature block is present only during transition to a new signature/hash algorithm suite. The secure path data enumerates the list of ASes traversed by the BGP update. The pcount value accommodates AS pre/post-pending and transparent IXPs. Each signature block contains one signature by each AS along the path, under one algorithm suite. The SKI value identifies the public key of the signer. Each SKI/Signature pair is called a Signature Segment. 50 Input to each Signature Segment The number of the AS to which the data is being sent Target AS Number Signer s ASN Signer s pcount value Signature of previous Signer The AS number and pcount value for the AS that is adding its signature, plus the signature of the previous signer The ID of the algorithm suite used to sign the data Algorithm Suite ID NLRI (prefix & length) The address prefix (and length) advertised for this route The sequence of signature segments in a signature block are cryptographically linked, because of the overlapping scope of the signatures
18 BGPSEC Status Threat document published: RFC 7132 Requirements document published: RFC 7353 Protocol architecture & specification awaiting requirements document approval Algorithm profile and router certificate documents will progress with protocol document NIST has a software implementation Router vendors are working on designs for real implementations 52 RPKI Operations Model A typical ISP will play both roles Certification Authority (Publisher) Each ISP uploads new certificates, CRLs, ROAs, and manifests, to a repository as needed, e.g., daily. Relying Party Each ISP downloads all certificates, CRLs, ROAs, and manifests from all repositories (several times per day). Relying party software (e.g., in a server) verifies these digitally signed objects, and extracts the ROA data. Servers distribute the ROA data to BGP routers, enabling these routers to check the origin AS in BGP UPDATE messages. An ISP could, instead, use the validated ROA data to generate route filters for its routers. 53 BBN RPSTIR System Architecture 18
Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies
Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies Presentation Outline The BGP security problem RPKI overiew Address & AS number allocation system Certificates
More informationIntroduction to The Internet
Introduction to The Internet ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok Last updated 5 th May 2015 1 Introduction to the Internet p Topologies and Definitions p IP Addressing p
More informationIntroduction to The Internet
Introduction to The Internet ITU/APNIC/MOIC IPv6 Workshop 19 th 21 st June 2017 Thimphu These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationNetworking 101 ISP/IXP Workshops
Networking 101 ISP/IXP Workshops 1 Network Topology and Definitions Definitions and icons Network topologies PoP topologies Interconnections and IXPs IP Addressing Gluing it all together 2 Topologies and
More informationIntroducción al RPKI (Resource Public Key Infrastructure)
Introducción al RPKI (Resource Public Key Infrastructure) Roque Gagliano rogaglia@cisco.com 4 Septiembre 2013 Quito, Equator 2011 Cisco and/or its affiliates. All rights reserved. 1 Review of problem to
More informationIntroduction to Networking. Topologies and Definitions. Network Topology and Definitions. Some Icons. Network Topologies. Network Topologies
Network Topology and Definitions Definitions and icons Network topologies PoP topologies Introduction to Networking Interconnections and s ISP/ IP Addressing Gluing it all together 1 2 Some Icons Router
More informationISP 1 AS 1 Prefix P peer ISP 2 AS 2 Route leak (P) propagates Prefix P update Route update P Route leak (P) to upstream 2 AS 3 Customer BGP Update messages Route update A ISP A Prefix A ISP B B leaks
More informationThe RPKI and BGP Origin Validation
The RPKI and BGP Origin Validation APRICOT / New Delhi 2012.02.27 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2012.02.27
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: February 2012
Internet Engineering Task Force (IETF) G. Huston Request for Comments: 6483 G. Michaelson Category: Informational APNIC ISSN: 2070-1721 February 2012 Abstract Validation of Route Origination Using the
More informationResource Public Key Infrastructure
Resource Public Key Infrastructure A pilot for the Internet2 Community to secure the global route table Andrew Gallo The Basics The Internet is a self organizing network of networks. How do you find your
More informationBGP Origin Validation
BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationNetwork Security - ISA 656 Routing Security
Network Security - ISA 656 Angelos Stavrou December 4, 2007 What is? What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? Bad guys play games
More informationUpdate on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008 Address and Routing Security What we have had for many years is a relatively insecure interdomain routing system
More informationSome Lessons Learned from Designing the Resource PKI
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007 Address and Routing Security The basic security questions that need to be answered are: Is this a valid
More informationRouting Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.
Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 * Thanks to Steve Bellovin for slide source material. 1 Routing 101 Network routing exists to provide hosts desirable
More informationSecure Routing with RPKI. APNIC44 Security Workshop
Secure Routing with RPKI APNIC44 Security Workshop Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationNetwork Security - ISA 656 Routing Security
What is? Network Security - ISA 656 Angelos Stavrou What is Routing Security? History of Routing Security Why So Little Work? How is it Different? Bad guys play games with routing protocols. Traffic is
More informationSecuring BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC
Securing BGP: The current state of RPKI Geoff Huston Chief Scientist, APNIC Incidents What happens when I announce your addresses in BGP? All the traffic that used to go to you will now come to me I can
More informationLife After IPv4 Depletion
1 Life After IPv4 Depletion Jon Worley Analyst Securing Core Internet Functions Resource Certification, RPKI Mark Kosters Chief Technology Officer 2 Core Internet Functions: Routing & DNS The Internet
More informationProblem. BGP is a rumour mill.
Problem BGP is a rumour mill. We want to give it a bit more authorita We think we have a model AusNOG-03 2009 IP ADDRESS AND ASN CERTIFICATION TO IMPROVE ROUTING SECURITY George Michaelson APNIC R&D ggm@apnic.net
More informationSteven M. Bellovin AT&T Labs Research Florham Park, NJ 07932
Steven M. Bellovin! " $#"##%& '( ) * 973-360-8656 AT&T Labs Research Florham Park, NJ 07932 Steven M. Bellovin June 13, 2003 1 What is? Bad guys play games with routing protocols. Traffic is diverted.
More informationInternet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!
Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil! Who is allowed to do what?! BGP (the Internet s inter-domain routing protocol) runs by rumor Participants assert reachability
More informationRPKI. Resource Pubic Key Infrastructure
RPKI Resource Pubic Key Infrastructure Purpose of RPKI RPKI replaces IRR or lives side by side? Side by side: different advantages Security, almost real time, simple interface: RPKI Purpose of RPKI Is
More informationMisdirection / Hijacking Incidents
Security Tutorial @ TWNOG SECURE ROUTING WITH RPKI 1 Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationRobust Inter-Domain Routing
Establishing the Technical Basis for Trustworthy Networking Robust Inter-Domain Routing Addressing Systemic Vulnerabilities in BGP Doug Montgomery (dougm@nist.gov) Manager, Internet and Scalable Systems
More informationDeploying RPKI An Intro to the RPKI Infrastructure
Deploying RPKI An Intro to the RPKI Infrastructure VNIX-NOG 24 November 2016 Hanoi, Vietnam Issue Date: Revision: Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours)
More informationSecuring Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO
Securing Core Internet Functions Resource Certification, RPKI Mark Kosters ARIN CTO Core Internet Functions: Routing & DNS The Internet relies on two critical resources DNS: Translates domain names to
More informationDecentralized Internet Resource Trust Infrastructure
Decentralized Internet Resource Trust Infrastructure Bingyang Liu, Fei Yang, Marcelo Bagnulo, Zhiwei Yan, and Qiong Sun Huawei UC3M CNNIC China Telecom 1 Critical Internet Trust Infrastructures are Centralized
More informationModule: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Routing Security Professor Patrick McDaniel Spring 2009 1 Routing 101 Network routing exists to provide hosts desirable paths from the source
More informationSome Thoughts on Integrity in Routing
Some Thoughts on Integrity in Routing Geoff Huston Chief Scientist, APNIC What we want We want the routing system to advertise the correct reachability information for legitimately connected prefixes at
More informationRPKI and Internet Routing Security ~ The regional ISP operator view ~
RPKI and Internet Routing Security ~ The regional ISP operator view ~ APNIC 29/APRICOT 2010 NEC BIGLOBE, Ltd. (AS2518) Seiichi Kawamura 1 Agenda Routing practices of the regional ISP today How this may
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationResource Certification. Alex Band, Product Manager DENIC Technical Meeting
Resource Certification Alex Band, Product Manager DENIC Technical Meeting Internet Routing Routing is non-hierarchical, open and free Freedom comes at a price: - You can announce any address block on your
More informationResource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC
Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC Target Audience Knowledge of Internet Routing(specially BGP) Fair idea on Routing Policy No need to know Cryptography Basic knowledge
More informationSecuring BGP. Geoff Huston November 2007
Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture
More informationInternetworking: Global Internet and MPLS. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
Internetworking: Global Internet and MPLS Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 10/19/2016 CSCI 445 Fall 2016 1 Acknowledgements Some pictures
More informationRoute Security for Inter-domain Routing
Route Security for Inter-domain Routing Alvaro Retana (aretana@cisco.com) Distinguished Engineer, Cisco Services 3 This could happen to YOUR network 4 This could happen be happening to YOUR network 5 Agenda
More informationSecuring the Internet at the Exchange Point Fernando M. V. Ramos
Securing the Internet at the Exchange Point Fernando M. V. Ramos 18.09.2017 Securing the Internet at the Exchange Point Fernando M. V. Ramos 18.09.2017 There are vulnerabilities in the Internet architecture
More informationIETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet
IETF81 Secure IDR Rollup TREX Workshop 2011 David Freedman, Claranet Introduction to Secure IDR (SIDR) You are in a darkened room at the IETF. You are surrounded by vendors. A lone operator stands quietly
More informationRPKI Trust Anchor. Geoff Huston APNIC
RPKI Trust Anchor Geoff Huston APNIC Public Keys How can you trust a digital signature?? What if you have never met the signer and have no knowledge of them or their keys? One approach is transitive trust
More informationInternet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015
Network Working Group M. Lepinski, Ed. Internet-Draft BBN Intended status: Standards Track July 4, 2014 Expires: January 5, 2015 Abstract BGPSEC Protocol Specification draft-ietf-sidr-bgpsec-protocol-09
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationInterdomain routing CSCI 466: Networks Keith Vertanen Fall 2011
Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing
More informationAPNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013
APNIC s role in stability and security Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013 Overview Introducing APNIC Working with LEAs The APNIC Whois Database
More informationFacilitating Secure Internet Infrastructure
Facilitating Secure Internet Infrastructure RIPE NCC http://www.ripe.net About the RIPE NCC RIPE Network Coordination Centre Bottom-up, self-regulated, membership association, notfor-profit Regional Internet
More informationRPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:
RPKI Introduction APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By: 1 Content Why do we need RPKI What is RPKI How to deploy RPKI Configuration case Misdirection / Hijacking Incidents
More informationInternet Engineering Task Force (IETF) Category: Informational. D. Ward Cisco Systems August 2014
Internet Engineering Task Force (IETF) Request for Comments: 7353 Category: Informational ISSN: 2070-1721 S. Bellovin Columbia University R. Bush Internet Initiative Japan D. Ward Cisco Systems August
More informationThe RPKI & Origin Validation
The RPKI & Origin Validation RIPE / Praha 2010.05.03 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2010.05.03 RIPE RPKI
More informationRPKI and Routing Security
Presentation September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) What is the Purpose of
More informationVendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo
Vendor: Alcatel-Lucent Exam Code: 4A0-102 Exam Name: Alcatel-Lucent Border Gateway Protocol Version: Demo QUESTION 1 Upon the successful establishment of a TCP session between peers, what type of BGP message
More informationThe RPKI & Origin Validation
The RPKI & Origin Validation NANOG / Denver 2011.06.12 Randy Bush Rob Austein Steve Bellovin Michael Elkins And a cast of thousands!
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: September 2017
Internet Engineering Task Force (IETF) Request for Comments: 8211 Category: Informational ISSN: 2070-1721 S. Kent BBN Technologies D. Ma ZDNS September 2017 Adverse Actions by a Certification Authority
More informationBGP Routing Security and Deployment Strategies
Bachelor Informatica Informatica Universiteit van Amsterdam BGP Routing Security and Deployment Strategies Bryan Eikema June 17, 2015 Supervisor(s): Benno Overeinder (NLnet Labs), Stavros Konstantaras
More informationIntroduction. Keith Barker, CCIE #6783. YouTube - Keith6783.
Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. BBN September 2017
Internet Engineering Task Force (IETF) Request for Comments: 8209 Updates: 6487 Category: Standards Track ISSN: 2070-1721 M. Reynolds IPSw S. Turner sn3rd S. Kent BBN September 2017 Abstract A Profile
More informationPKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006
PKI-An Operational Perspective NANOG 38 ARIN XVIII October 10, 2006 Briefing Contents PKI Usage Benefits Constituency Acceptance Specific Discussion of Requirements Certificate Policy Certificate Policy
More informationResource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018
Resource PKI NetSec Tutorial NZNOG2018 - Queenstown 24 Jan 2018 1 Fat-finger/Hijacks/Leaks Bharti (AS9498) originates 103.0.0.0/10 Dec 2017 (~ 2 days) No damage more than 8K specific routes! Google brings
More informationThe Transition to BGP Security Is the Juice Worth the Squeeze?
The Transition to BGP Security Is the Juice Worth the Squeeze? RPKI Sharon Goldberg Boston University November 2013 Work with Kyle Brogle (Stanford), Danny Cooper (BU), Ethan Heilman (BU), Robert Lychev
More informationAuto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes? Geoff Huston APNIC @RIPE 50 May 2005 1 Address Hijacking Is the unauthorized use of an address prefix as an advertised route object on the Internet It s not a bogon the
More informationIP Addressing & Interdomain Routing. Next Topic
IP Addressing & Interdomain Routing Next Topic IP Addressing Hierarchy (prefixes, class A, B, C, subnets) Interdomain routing Application Presentation Session Transport Network Data Link Physical Scalability
More informationRPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager
RPKI deployment at AFRINIC Status Update Alain P. AINA RPKI Project Manager What is Resource Certifcation? Resource Certifcation is a security framework for verifying the association between resource holders
More informationSecuring Routing: RPKI Overview. Mark Kosters Chief Technology Officer
Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer Why are DNSSEC and RPKI important? Two of the most critical resources DNS Routing Hard to tell when resource is compromised Focus of
More informationIntroduction to IP Routing. Geoff Huston
Introduction to IP Routing Geoff Huston Routing How do packets get from A to B in the Internet? A Internet B Connectionless Forwarding Each router (switch) makes a LOCAL decision to forward the packet
More informationSecuring Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO
Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN Mark Kosters CTO What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources AS Numbers
More informationCNT Computer and Network Security: BGP Security
CNT 5410 - Computer and Network Security: BGP Security Professor Kevin Butler Fall 2015 Internet inter-as routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means
More informationLink State Routing & Inter-Domain Routing
Link State Routing & Inter-Domain Routing CS640, 2015-02-26 Announcements Assignment #2 is due Tuesday Overview Link state routing Internet structure Border Gateway Protocol (BGP) Path vector routing Inter
More informationSupporting Internet Growth and Evolution: The Transition to IPv6
2010/TEL41/DSG/WKSP2/004 Agenda Item: Panel Discussion 1 Supporting Internet Growth and Evolution: The Transition to IPv6 Submitted by: APNIC Workshop for IPv6: Transforming the Internet Chinese Taipei
More informationCSCD 433/533 Network Programming Fall Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing
CSCD 433/533 Network Programming Fall 2012 Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing 1 Topics Interdomain Routing BGP Interdomain Routing Benefits vs. Link State Routing
More informationIntroduction to BGP. ISP Workshops. Last updated 30 October 2013
Introduction to BGP ISP Workshops Last updated 30 October 2013 1 Border Gateway Protocol p A Routing Protocol used to exchange routing information between different networks n Exterior gateway protocol
More informationBGP Origin Validation (RPKI)
University of Amsterdam System & Network Engineering BGP Origin Validation (RPKI) July 5, 2013 Authors: Remy de Boer Javy de Koning Supervisors: Jac Kloots
More informationIdealized BGPsec: Formally Verifiable BGP
Idealized BGPsec: Formally Verifiable BGP JaNOG 27.5 / Tokyo 2011.04.14 Randy Bush for the Informal BGPsec Design Group 2011.04.14 JaNOG BGPsec 1 Informal BGPsec Group chris morrow (google)
More informationJust give me a button!
Just give me a button! The challenges of routing security RIPE NCC Members organisation founded in 1992 Manages IP and ASN allocations in Europe, Middle East and former Soviet Union - Ensure unique holdership
More informationAPNIC elearning: BGP Basics. 30 September :00 PM AEST Brisbane (UTC+10) Revision: 2.0
APNIC elearning: BGP Basics 30 September 2015 1:00 PM AEST Brisbane (UTC+10) Issue Date: 07 July 2015 Revision: 2.0 Presenter Nurul Islam (Roman) Senior Training Specialist, APNIC Nurul maintains the APNIC
More informationSecuring the Border Gateway Protocol. Dr. Stephen Kent Chief Scientist - Information Security
Securing the Border Gateway Protocol Dr. Stephen Kent Chief Scientist - Information Security Outline BGP Overview BGP Security S-BGP Architecture Deployment Issues for S-BGP Alternative Approaches to BGP
More informationCSC458 Lecture 6. Administrivia. Inter-domain Routing IP Addressing. Midterm will Cover Following Topics (2) Midterm will Cover Following Topics
CSC458 Lecture 6 Inter-domain Routing IP Addressing Administrivia Homework: #2 due today #3 out today, due in two weeks (same date as midterm) No lecture next week Reading Week Midterm in two weeks 60
More informationIntroduction to BGP. ISP/IXP Workshops
Introduction to BGP ISP/IXP Workshops 1 Border Gateway Protocol A Routing Protocol used to exchange routing information between different networks Exterior gateway protocol Described in RFC4271 RFC4276
More informationBGP Anomaly Detection. Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage.
BGP Anomaly Detection Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage balmusawi@swin.edu.au Centre for Advanced Internet Architectures (CAIA) Swinburne University
More informationUsing Resource Certificates Progress Report on the Trial of Resource Certification
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC From the RIPE Address Policy Mail List 22 25 Sept 06, address-policy-wg@lists.ripe.net
More informationAPNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston Motivation: Address and Routing Security What we have today is a relatively insecure system that is
More informationSecuring Routing Information
Securing Routing Information Findings from an Internet Society Roundtable September 2009 Internet Society Galerie Jean-Malbuisson, 15 CH-1204 Geneva Switzerland Tel: +41 22 807 1444 Fax: +41 22 807 1445
More informationInternet Engineering Task Force (IETF) BCP: 185 January 2014 Category: Best Current Practice ISSN:
Internet Engineering Task Force (IETF) R. Bush Request for Comments: 7115 Internet Initiative Japan BCP: 185 January 2014 Category: Best Current Practice ISSN: 2070-1721 Abstract Origin Validation Operation
More informationCSE 461 Interdomain routing. David Wetherall
CSE 461 Interdomain routing David Wetherall djw@cs.washington.edu Interdomain routing Focus: Routing across internetworks made up of different parties Route scaling Application Route policy Transport The
More informationAPNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes ARIN XVII Open Policy Meeting George Michaelson Geoff Huston Motivation: Address and Routing Security What we have today is a relatively insecure system
More informationinternet technologies and standards
Institute of Telecommunications Warsaw University of Technology internet technologies and standards Piotr Gajowniczek BGP (Border Gateway Protocol) structure of the Internet Tier 1 ISP Tier 1 ISP Google
More informationNetwork Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013
Network Working Group G. Huston Internet-Draft G. Michaelson Intended status: Informational APNIC Expires: January 9, 2014 July 8, 2013 Abstract RPKI Validation Reconsidered draft-huston-rpki-validation-00.txt
More informationRouting Basics. ISP Workshops
Routing Basics ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated 26
More informationJumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira
Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira Prefix hijacking Victim Path: 111 AS X AS 111 Boston University BGP Ad. AS 666 Data flow 2 Prefix
More informationUsing Resource Certificates Progress Report on the Trial of Resource Certification
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC Sound Familiar? 4:30 pm Mail: Geoff, mate, I ve been dealing with your phone people and
More informationBGP security. 19 april 2018 Copenhagen
BGP security 19 april 2018 Copenhagen Agenda 14:30 Welcome and registration 15:00 Presentation 17:00 Questions 17:30 Beer & Burgers & 2 Who are we? Lucas Senior network engineer @ NL-ix in ISP business
More informationIPv4 Run-Out, Trading, and the RPKI
IPv4 Run-Out, Trading, and the RPKI RIPE 56 / Berlin 2008.05.07 Randy Bush http://rip.psg.com/~randy/080507.ripe-v4-trad-rpki.pdf 2008.05.07 RIPE v4 Trade RPKI 2 Internet Initiative Japan
More informationEECS 122, Lecture 17. The Distributed Update Algorithm (DUAL) Optimization Criteria. DUAL Data Structures. Selecting Among Neighbors.
EECS 122, Lecture 17 Kevin Fall kfall@cs.berkeley.edu edu The Distributed Update Algorithm (DUAL) J.J. Garcia-Luna Luna-Aceves [SIGCOMM 89] Aims at removing transient loops in both DV and LS routing protocols
More informationInter-domain Routing. Outline. Border Gateway Protocol
Inter-domain Routing Outline Border Gateway Protocol Internet Structure Original idea CS 640 2 Internet Structure Today CS 640 3 Route Propagation in the Internet Autonomous System (AS) corresponds to
More informationSupporting Internet Growth and Evolution: The Transition to IPv6
Supporting Internet Growth and Evolution: The Transition to IPv6 Bali IPv6 Summit, Bali 9 June 2010 Sanjaya Services Director, APNIC 1 Overview Recap About APNIC Reality check: where are we now? Transition
More informationResource Certification
Resource Certification CISSP, science group manager RIPE NCC robert@ripe.net 1 Contents Motivation for Resource Certification (RPKI) Architecture overview Participating in RPKI Most importantly: use cases
More informationMeasuring RPKI Route Origin Validation in the Wild
Master Thesis Measuring RPKI Route Origin Validation in the Wild Andreas Reuter Matr. 4569130 Supervisor: Prof. Dr. Matthias Wählisch Institute of Computer Science, Freie Universität Berlin, Germany January
More informationAPNIC elearning: Internet Registry Policies. Revision:
APNIC elearning: Internet Registry Policies Issue Date: 01/04/2015 Revision: Overview Allocation and Assignment Portable and Non-Portable Addresses IRM Objectives and Goals APNIC Policy Environment APNIC
More informationCS 457 Networking and the Internet. The Global Internet (Then) The Global Internet (And Now) 10/4/16. Fall 2016
CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of the Internet in 1990 The Global Internet (And Now) A simple multi-provider Internet 1 The Global Internet Some
More informationNetwork Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012
Network Security: Routing security Aapo Kalliola T-110.5241 Network security Aalto University, Nov-Dec 2012 Outline 1. Structure of internet 2. Routing basics 3. Security issues 4. Attack 5. Solutions
More informationMultihoming. Copy Rights
Multihoming or provider independent addressing (possible usage) János Mohácsi NIIF/HUNGARNET Copy Rights This slide set is the ownership of the 6DISS project via its partners The Powerpoint version of
More information