9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

Size: px

Start display at page:

Download "9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi"

Hortense Hill
5 years ago
Views:

COMP 535 Lecture 6: Routing Security September 3, 2015 Andrew Chi <achi@cs.unc.

Introduction to the Internet Threats to Routing IETF solution RPKI BGPSEC BBN RPKI software BGPSEC (current IETF work) In the News 1997: AS 7007 Internet

1 COMP 535 Lecture 6: Routing Security September 3, 2015 Andrew Chi Includes content used with permission by Angelos Keromytis (Columbia), Philip Smith (APNIC), and Steve Kent (BBN) Agenda Routing Attacks in the News Introduction to the Internet Threats to Routing IETF solution RPKI BGPSEC BBN RPKI software BGPSEC (current IETF work) In the News 1997: AS 7007 Internet routing black hole by MAI (American ISP) 2004 TTNet (Turkish ISP) routes most Internet traffic through Turkey 2008 Pakistan Telecom YouTube incident 2010 China Telecom incident 2013 Iceland/Belarus hijacks 2014 Bitcoin BGP hijacking 1

Introduction to the Internet Topologies and Definitions IP Addressing Internet Hierarchy ( Pecking Order ) Routing in

country, sub-continent, or even globe Each region has points of presence built by the ISP Routers are the infrastructure

Multi-Protocol Label Switching (MPLS), built on top of router infrastructure mainly to provide VPN services Typical PoP

the network core Access routers high port density, connecting the end users to the network Border routers connections to

2 Introduction to the Internet Topologies and Definitions IP Addressing Internet Hierarchy ( Pecking Order ) Routing in the Internet BGP Gluing it all together Topologies and Definitions ISPs build networks covering regions Region can mean country, sub-continent, or even globe Each region has points of presence built by the ISP Routers are the infrastructure Physical circuits run between routers Point of Presence (PoP) is the physical location of ISP s equipment Some ISPs use Multi-Protocol Label Switching (MPLS), built on top of router infrastructure mainly to provide VPN services Typical PoP Design Core routers high speed trunk connections Distribution routers higher port density, aggregating network edge to the network core Access routers high port density, connecting the end users to the network Border routers connections to other providers (focus of this talk) Service routers hosting and servers Some functions might be handled by a single router 2

Peering and Transit Peering Exchanging routing information and traffic Usually for no fee Sometimes called settlement free peering Transit Carrying traffic across a network Usually for a fee N.B.

Public vs Private Interconnect Private 2 ISPs agree (privately) to provision a circuit between border routers Public Internet exchange Point (IXP) A location/facility where several ISPs are present

To save money, reduce latency, improve performance Each of the 6 represents a border router in a different AS Switched interconnect Each provider establishes a peering relationship with other

3 Peering and Transit Peering Exchanging routing information and traffic Usually for no fee Sometimes called settlement free peering Transit Carrying traffic across a network Usually for a fee N.B. BGP peer is a generic protocol term, not to confused with these business-laden terms. Public vs Private Interconnect Private 2 ISPs agree (privately) to provision a circuit between border routers Public Internet exchange Point (IXP) A location/facility where several ISPs are present and connect to each other over a common shared media Why? To save money, reduce latency, improve performance Each of the 6 represents a border router in a different AS Switched interconnect Each provider establishes a peering relationship with other providers at IXP Private Public IP Addressing Internet uses classless routing Concept of IPv4 class A, class B or class C is no more Engineers talk in terms of prefix length, for example the class B is now called /16 All routers must be CIDR capable Classless Inter Domain Routing RFC1812 Router Requirements Longest prefix match IPv6 adoption IANA s free pool of IPv4 has run out; so has APNIC Image Source: ss_inter-domain_routing 3

Where do I get IP addresses? IP address space is a resource shared amongst all Internet users.

to ISPs and Local Internet Registries. Aka Provider Independent (PI) space. Portable.

Pecking Order Global Transit Providers Connect to each other Provide connectivity to Regional Transit

4 Where do I get IP addresses? IP address space is a resource shared amongst all Internet users. 5 Regional Internet Registries delegated allocation responsibility by the IANA RIRs allocate address space to ISPs and Local Internet Registries. Aka Provider Independent (PI) space. Portable. ISPs/LIRs assign address space to end customers or other ISPs. Aka Provider Aggregatable (PA) space. Non-portable. All usable IPv4 address space has been allocated to the RIRs by IANA The time for IPv6 is now Internet Pecking Order Global Transit Providers Connect to each other Provide connectivity to Regional Transit Providers Regional Transit Providers Connect to each other Provide connectivity to Content Providers Provide connectivity to Access Providers Access Providers Connect to each other across IXPs (free peering) Provide access to the end user Internet Pecking Order 4

5 Routing in the Internet Two abstractions: control plane vs. data plane Two types: intra-domain (internal) vs. inter-domain (external) Internal within ISP, company OSPF or IS-IS IS-IS used more in practice; easier for IPv6 transition Both are Dijkstra s algorithm: robust for smaller networks. Each node announces its connectivity, and each node reannounces all information received from peers. Each node learns full map of the network Does not scale External between ISPs, large enterprises: BGP (Border Gateway Protocol) Border Gateway Protocol BGP is classified as a path vector routing protocol (RFC 1322) Entire path, not just metric BGP is the control plane Actual data traffic (forwarding plane) flows in the reverse direction of BGP messages Warning: asymmetric routing! Gluing it together Who runs the Internet? No one (Definitely not ICANN, nor the RIRs, nor the US, ) How does it keep working? Inter-provider business relationships and the need for customer reachability ensures that the Internet by and large functions for the common good Any facilities to help keep it working? Not really. But Engineers keep working together! 5

What about security? History of Routing Security Radia Perlman s dissertation: Network Layer Protocols with Byzantine Robustness, 1988.

6 What about security? History of Routing Security Radia Perlman s dissertation: Network Layer Protocols with Byzantine Robustness, Bellovin s Security Problems in the TCP/IP Protocol Suite (1989) More work starting around 1996 Kent et al., 2000 (S-BGP) Many more, no adoption IETF Secure Inter-Domain Routing WG (2006 present) starting to see real deployment Generic Threats to Routing The Enemy s Goal Hard to detect: neither X nor Y has knowledge of Z s connectivity. 6

7 Generic Threats to Routing Bad guys play games with routing protocols. Traffic is diverted. Enemy can see the traffic. Enemy can easily modify the traffic. Enemy can drop the traffic. Cryptography (SSL/IPsec) can mitigate effects, but not stop them. It s a really hard problem getting routing to work well is hard enough. Security problems are not due to bad code, but are more fundamental: a dishonest participant. Hop-by-hop authentication is insufficient (transitive trust). Generic Threats to Routing Using a Tunnel for Packet Reinjection Achieve MITM from edge routers! Border Gateway Protocol (BGP) X X = 1.2.3/ NOTE: BGP is complicated. This simplified view highlights the path vector aspect, which is relevant to RPKI/BGPSEC. 7

8 BGP Attack False Origin X 2 7 X X = 1.2.3/ Address space hijacking : Autonomous System 1 announces a false advertisement for IP prefix X. In the Pakistan-Youtube case, it announced a more-specific prefix. BGP Attack False Path X X X = 1.2.3/ False path : AS 4 wants to draw traffic from AS 2, and announces shorter path to IP prefix X, without violating. A false path using a combination of loop detection and longest prefix can be used to set up MITM (Kapela-Pilosov got the most recent publicity). IETF Solution: RPKI + BGPSEC RPKI X X = 1.2.3/24 BGPSEC 4 5 The IETF approach splits the problem into two domains: origin validation (address space ownership) and path validation (multi-hop routing updates). Resource PKI: sign the route originations BGPSEC: sign each hop on the AS-path 5 8

Crypto Interlude Historical solution (symmetric key) Alice and Bob must establish the key beforehand.

Key Innovation: Utilize Asymmetry Asymmetries in the real world Breaking a wine glass, cooking an egg

pre-image Physical analogy for public key cryptography: Easy Hard (combo required) Exercise 1:

9 Crypto Interlude Historical solution (symmetric key) Alice and Bob must establish the key beforehand. If n parties, then O(n 2 ) key establishments. Key Innovation: Utilize Asymmetry Asymmetries in the real world Breaking a wine glass, cooking an egg Asymmetries in algorithms Multiplication vs factoring, hashing vs. pre-image Physical analogy for public key cryptography: Easy Hard (combo required) Exercise 1: Asymmetric cryptography Alice and Bob have never met before. How can Alice send a message to Bob that is secure against a passive eavesdropper (Eve)? You can use a combination lock and a chest. 9

10 Exercise 1: Asymmetric cryptography Bob, we need to talk. Here s my combo-lock: B <Message> B Private combo for B: Exercise 2: Digital Signature How do you modify this scheme to accomplish a different goal: digital signature? You may have to modify the primitive as well. What if the attacker is active? Resource Public Key Infrastructure How do we determine ownership of IP address and Autonomous System (AS) numbers? Resource Public Key Infrastructure (RPKI) 10

Resource Public Key Infrastructure Internet Assigned Numbers Authority (IANA) coordinates hierarchical IPv4/IPv6 assignment, through the 5 Regional Internet Registries (RIRs), who then suballocate to

html RPKI Certificate (abbreviated) Field Example/Comment Issuer Name RIR or parent ISP (*) Authority Key Id hash(issuer_pubkey) Subject Name UNC Chapel Hill (*) Subject Key Id hash(subject_pubkey)

11 Resource Public Key Infrastructure Internet Assigned Numbers Authority (IANA) coordinates hierarchical IPv4/IPv6 assignment, through the 5 Regional Internet Registries (RIRs), who then suballocate to ISPs. Resource Public Key Infrastructure Available at APNIC s rsync publication point Credit: Geoff Huston, APNIC RPKI Certificate (abbreviated) Field Example/Comment Issuer Name RIR or parent ISP (*) Authority Key Id hash(issuer_pubkey) Subject Name UNC Chapel Hill (*) Subject Key Id hash(subject_pubkey) Subject PubKey Information NotAfter IPv4 and IPv6 Address blocks (RFC 3779 ext) AS numbers (RFC 3779 ext) Subject Info Access Signature RSA Algorithm ID, 2048 bit RSA pubkey Expiration date / / :0028:3090::/48 None (**) rsync://rpki.unc.edu/s ome/directory/ 0x2f3d4401a89a RPKI certificate An X.509 certificate with RFC 3779 extensions: IP addresses and AS numbers (*) Names in certificates IANA, RIRs, NIRs, and ISPs are NOT naming authorities (unlike DNS registrars) To avoid having them vouch for the right-to-use of names, subject/issuer names are NOT actually meaningful They usually consist of a common name (typically hex) and, if needed, serial number CommonName = F57320B9A926 SerialNumber = (**) AS nums for BGPSEC 11

Route Origination Authorization Field End entity certificate AS Number 36850 Prefixes w/ Maxlength Signature Usage: Comment/Example Embedded certificate that is limited to be a leaf node (no

12 Route Origination Authorization Field End entity certificate AS Number Prefixes w/ Maxlength Signature Usage: Comment/Example Embedded certificate that is limited to be a leaf node (no certificate children) / / :0028:3090::/ xf3a3512ee An ISP receiving a BGP update verifies the origin AS against the ROA. (RFC 6811) ROAs Authorizes an AS (ISP) to originate a route to a set of one or more prefixes CMS signed object envelope containing EE certificate payload (AS# + prefixes) Signature Prefix range Maxlength field (e.g. 19) defines longest prefix allowed to be advertised Example: RPKI in Action Huston, Geoff, and Randy Bush. "Securing BGP with BGPSEC." The Internet Protocol Journal. Vol. 14. No What does a router do with ROAs? RPKI Route Announcement Validity (details in RFC 6811) When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. They can be: VALID The route announcement is covered by at least one ROA INVALID The prefix is announced from an unauthorised AS The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS NOTFOUND The prefix in this announcement is not covered (or only partially covered) by an existing ROA This trichotomy allows gradual deployment. NOTFOUND is equivalent to the current state of BGP routes. 12

13 The RPKI Repository System This repository is unusual in that ALL of the data is signed and verifiable via certificate path validation (unlike LDAP or the DNS) Most repositories used for certificates and CRLs, e.g., LDAP and the DNS, assume searching & selective retrieval of entries The RPKI retrieval model is very different Every ISP will fetch ALL new/changed entries since the last time it checked Most ISPs will access the repository system several times a day This suggests a different repository design 37 Repository System Elements Distributed database of signed objects A publication point for each resource holder Certificates & CRLs Route Origination Authorizations Statements by an address space holder about which ASes are authorized to originate routes to its address space Manifests Statements about what objects belong at each publication point and which version is current Ghostbusters record A pointer to publication point maintainer contact info 38 What s a Manifest? The repository system holds only signed objects, which is good, but tampering is still possible! An older version of a valid object can be put in place of the current version, if that version has not expired A valid entry can be removed from the repository, without detection by a relying party A manifest is a signed object that enumerates all the other signed objects at a publication point It uses a CRL-like validity interval It has the hash of each file as well as the file name Error conditions are tricky! 39 13

receives processed RPKI data (from a server) and validates BGP UPDATE messages with respect to origin AS assertions IANA

14 RPKI Operations Model RPKI Status All 5 RIRs offer production service today Over 4,000 certificates have been issued to resource holders Open source relying party software is available from BBN, Dragon, and RIPE Cisco & Juniper ship code that receives processed RPKI data (from a server) and validates BGP UPDATE messages with respect to origin AS assertions IANA has not yet signed any objects, nor has it issued certificates to the RIRs, so we have 5 trust anchors today 41 Are we safe? 14

15 BGP Attack False Origin X 2 7 X X = 1.2.3/ Address space hijacking : Autonomous System 1 announces a false advertisement for IP prefix X. In the Pakistan-Youtube case, it announced a more-specific prefix. BGP Attack False Path X X X = 1.2.3/ False path : AS 4 wants to draw traffic from AS 2, and announces shorter path to IP prefix X, without violating. A false path using a combination of loop detection and longest prefix can be used to set up MITM (Kapela-Pilosov got the most recent publicity). BGPSEC The Next Step The RPKI prevents configuration errors by an ISP from hijacking address space The RPKI does not protect against attacks on BGP, e.g., bogus routes terminating in a valid origin To protect against attacks, one needs to enable every AS to verify that the route received via a BGP UPDATE message is accurate: each AS along the path received the AS path info from the preceding AS and forwarded it to the next AS BGPSEC is the name given to the protocol that provides this capability 45 15

BGPSEC Basics BGPSEC makes use of a new, optional, transitive attribute, to carry digitally signed route info BGPSEC support is negotiated between routers (potentially on an asymmetric basis), so

16 BGPSEC Basics BGPSEC makes use of a new, optional, transitive attribute, to carry digitally signed route info BGPSEC support is negotiated between routers (potentially on an asymmetric basis), so that a non-bgpsec router will not be burdened by big UPDATE messages BGPSEC data is never sent through non- BGPSEC ASes, so secure paths exist only for contiguous sequences of ASes Incremental deployment is viable 46 How Does BGPSEC Work? Huston, Geoff, and Randy Bush. "Securing BGP with BGPSEC." The Internet Protocol Journal. Vol. 14. No How Does BGPSEC Work? Every BGP router receives a certificate under the RPKI, issued by the AS operator of the router The router for the origin AS generates a path signature attribute that covers the NLRI, its AS#, and the next hop AS# When a router sends a BGPSEC UPDATE, it includes a BGPSEC path signature attribute, that covers the previous signature and the next hop AS# Up receipt, a router verifies the chain of signatures on the AS path info and matches the NLRI and origin AS against ROA data 48 16

17 Additional References IETF Secure Inter-Domain Routing WG docs Routing attacks and RPKI in the news chinese-internet-traffic-fix.html RPKI Deployment Statistics BBN RPSTIR software Hurricane Electric BGP Toolkit BGPSEC Attributes Secure Path Data AS X pcount X AY Y pcount Y AS Z pcount Z Signature Block 1 Algorithm Suite 1 SKI X1 Signature X1 SKI Y1 Signature Y1 SKI Z1 Signature Z1 Signature Block 2 Algorithm Suite 2 SKI X1 Signature X1 SKI Y1 Signature Y1 SKI Z1 Signature Z1 A second signature block is present only during transition to a new signature/hash algorithm suite. The secure path data enumerates the list of ASes traversed by the BGP update. The pcount value accommodates AS pre/post-pending and transparent IXPs. Each signature block contains one signature by each AS along the path, under one algorithm suite. The SKI value identifies the public key of the signer. Each SKI/Signature pair is called a Signature Segment. 50 Input to each Signature Segment The number of the AS to which the data is being sent Target AS Number Signer s ASN Signer s pcount value Signature of previous Signer The AS number and pcount value for the AS that is adding its signature, plus the signature of the previous signer The ID of the algorithm suite used to sign the data Algorithm Suite ID NLRI (prefix & length) The address prefix (and length) advertised for this route The sequence of signature segments in a signature block are cryptographically linked, because of the overlapping scope of the signatures

18 BGPSEC Status Threat document published: RFC 7132 Requirements document published: RFC 7353 Protocol architecture & specification awaiting requirements document approval Algorithm profile and router certificate documents will progress with protocol document NIST has a software implementation Router vendors are working on designs for real implementations 52 RPKI Operations Model A typical ISP will play both roles Certification Authority (Publisher) Each ISP uploads new certificates, CRLs, ROAs, and manifests, to a repository as needed, e.g., daily. Relying Party Each ISP downloads all certificates, CRLs, ROAs, and manifests from all repositories (several times per day). Relying party software (e.g., in a server) verifies these digitally signed objects, and extracts the ROA data. Servers distribute the ROA data to BGP routers, enabling these routers to check the origin AS in BGP UPDATE messages. An ISP could, instead, use the validated ROA data to generate route filters for its routers. 53 BBN RPSTIR System Architecture 18

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies Presentation Outline The BGP security problem RPKI overiew Address & AS number allocation system Certificates