IPv6 Routing Protocol Security

Size: px

Start display at page:

Download "IPv6 Routing Protocol Security"

Carol Doyle
6 years ago
Views:

1 IPv6 Routig Protocol Security ITU/APNIC/PacNOG21 IPv6 Workshop 4 th 8 th December 2017 Nuku alofa These materials are licesed uder the Creative Commos Attributio-NoCommercial 4.0 Iteratioal licese ( Last updated 31 st October

2 Ackowledgemets p This material origiated from the Cisco ISP/IXP Workshop Programme developed by Philip Smith & Barry Greee p Use of these materials is ecouraged as log as the source is fully ackowledged ad this otice remais i place p Bug fixes ad improvemets are welcomed Please workshop (at) bgp4all.com Philip Smith 2

3 Dealig with Threats Agaist Routig & Routig Protocols p Routig Protocol Security applies equally to IPv4 ad IPv6 Router Cotrol Plae Routig Protocol Neighbour Autheticatio BGP Protocol Security Remotely Triggered Black Hole Filterig Route Origi Validatio 3

4 Router Cotrol Plae 4

5 Router Security Cosideratios p Esure limited access to routers & switches across the backboe Addressig for device cotrol plae access comes from dedicated address block p Do t mix customer delegated ad backboe ifrastructure addressig Filter at etwork edge ad o device to oly allow NOC access to cotrol plae p Easier with IPv6 tha with IPv4 (ifrastructure addressig ca come out of oe /48)

6 Router Security Cosideratios p Segmet backboe to simplify route distributio p Desig etworks so outages do t affect etire etwork but oly portios of it Tue IGP parameters for fast recovergece Use techiques such as Bi-Directioal Forwardig Detectio

7 Router Security Cosideratios p Cotrol router access Watch for iteral attacks o these systems Use differet passwords for stadard ad cofiguratio access to router ad moitorig system root access. Never have role accouts p Oe accout per user, cetrally cotrolled p Scaig craze for all kids of ports this will be ever edig battle Tur off uused features ad remove ueeded cofiguratio

Routig Cotrol Plae p p p p p MD-5 autheticatio Some deploy at customer s request Route filters limit what routes are believed from a valid peer Packet filters limit which systems ca appear as a valid

8 Routig Cotrol Plae p p p p p MD-5 autheticatio Some deploy at customer s request Route filters limit what routes are believed from a valid peer Packet filters limit which systems ca appear as a valid peer Limitig propagatio of ivalid routig iformatio Prefix filters AS-PATH filters (tred is leaig towards this) Route dampig (latest cosesus is that it causes more harm tha good) Not yet possible to validate whether legitimate peer has authority to sed routig update

9 Cotrol Plae (Routig) Filters p Filter traffic destied TO your core routers p Develop list of required protocols that are sourced from outside your AS ad access core routers Example: ebgp peerig, GRE, IPSec, etc. Use classificatio filters as required p Idetify core address block(s) This is the protected address space Summarizatio is critical for simpler ad shorter filter lists

10 Neighbour Autheticatio 10

11 Why Use Neighbour Autheticatio p Neighbour Autheticatio equates to data origi autheticatio ad data itegrity Otherwise uauthorised routers ca potetially compromise the etwork! p I BGP, require TCP resets to be autheticated so malicious perso ca t radomly sed TCP resets p I cases where routig iformatio traverses shared etworks, someoe might be able to alter a packet or sed a duplicate packet p Routig protocols were ot iitially created with security i mid..this eeds to chage.

12 Sample MD-5 Auth Cofiguratio (OSPFv2) iterface Loopback0 ip address ip ospf 10 area 0! iterface Serial2 ip address ip ospf 10 area 0 ip ospf message-digest-key 1 md5 mk6! router ospf 10 area 0 autheticatio message-digest iterface Loopback0 ip address ip ospf 10 area 0! iterface Serial1/0 ip address ip ospf 10 area 0 ip ospf message-digest-key 1 md5 mk6! router ospf 10 area 0 autheticatio message-digest

13 Sample OSPFv3 IPSec Cofiguratio iterface Loopback0 ipv6 address 2001:DB8::1/128 ipv6 ospf 100 area 0 iterface FastEtheret0/0 descriptio Area 0 backboe iterface ipv6 address 2001:DB8:2000::1/64 ipv6 ospf 100 area 0 iterface FastEtheret0/1 descriptio Area 1 iterface ipv6 address 2001:DB8:1000::2/64 ipv6 ospf 100 area 1 ipv6 ospf autheticatio ipsec spi 257 sha C1E A5D A D0C06015B564D400F0E C0C ipv6 router ospf 100 router-id log-adjacecy-chages detail passive-iterface Loopback0 timers spf 0 1 timers pacig flood 15 area 0 rage 2001:DB8::/64 area 0 rage 2001:DB8:2000::/64 area 1 rage 2001:DB8:1000::/64 area 0 ecryptio ipsec spi 256 esp aes-cbc F711C1E A5D557B7A A0B00075D50 4B420D0C E0E53520D D5D A195E4E C5B sha B5B565F701D1F E A D0C07005A574C42

14 Example for IS-IS p Note that eighbour autheticatio for IS-IS is IP protocol idepedet: key-chai isis-as42 key 1 key-strig as42-pass! router isis as42 autheticatio mode md5 level-2 autheticatio key-chai isis-as42 level-2! address-family ipv6 multi-topology! 14

15 BGP Security Techiques p BGP prefix filterig p BGP Commuity Filterig p MD5 Keys o the ebgp ad ibgp Peers p Max Prefix Limits p Max AS Path Legth p Prefer Customer Routes over Peer Routes (RFC 1998) p GTSM (i.e. TTL Hack) p Remote Trigger Black Hole (RTBH) Filterig

16 BGP Prefix Filterig p p Cofigurig BGP peerig without usig filters meas: All best paths o the local router are passed to the eighbour All routes aouced by the eighbour are received by the local router Ca have disastrous cosequeces Good practice is to esure that each ebgp eighbour has iboud ad outboud filter applied: router bgp eighbor remote-as eighbor prefix-list as64510-i i eighbor prefix-list as64510-out out 16

17 BGP Prefix Filterig p If ecessary to receive prefixes from ay provider, care is required. Do t accept default (uless you eed it) Do t accept your ow prefixes p Special use prefixes for IPv4 ad IPv6: p For IPv4: Do t accept prefixes loger tha /24 (?) p p For IPv6: /24 was the historical class C Do t accept prefixes loger tha /48 (?) p /48 is the desig miimum delegated to a site 17

18 BGP Prefix Filterig p Check Team Cymru s list of bogos p For IPv4 also cosult: (BCP171) p For IPv6 also cosult: p Bogo Route Server: Supplies a BGP feed (IPv4 ad/or IPv6) of address blocks which should ot appear i the BGP table 18

19 Receivig IPv4 Prefixes router bgp 100 etwork mask eighbor remote-as 101 eighbor prefix-list i-filter i! ip prefix-list i-filter dey /0 ip prefix-list i-filter dey /8 le 32 ip prefix-list i-filter dey /8 le 32 ip prefix-list i-filter dey /10 le 32 ip prefix-list i-filter dey /19 le 32 ip prefix-list i-filter dey /8 le 32 ip prefix-list i-filter dey /16 le 32 ip prefix-list i-filter dey /12 le 32 ip prefix-list i-filter dey /24 le 32 ip prefix-list i-filter dey /24 le 32 ip prefix-list i-filter dey /24 le 32 ip prefix-list i-filter dey /16 le 32 ip prefix-list i-filter dey /15 le 32 ip prefix-list i-filter dey /24 le 32 ip prefix-list i-filter dey /24 le 32! Default! RFC1122 local host! RFC1918! RFC6598 shared address! Local prefix! Loopback! Auto-cofig! RFC1918! RFC6598 IETF protocol! TEST1! RFC7526 6to4 deprecated! RFC1918! Bechmarkig! TEST2! TEST3! Multicast & Experimetal ip prefix-list i-filter dey /3 le 32 ip prefix-list i-filter dey /0 ge 25! Prefixes >/24 ip prefix-list i-filter permit /0 le 32 19

20 Receivig IPv6 Prefixes router bgp 100 etwork 2020:3030::/32 eighbor 2020:3030::1 remote-as 101 eighbor 2020:3030::1 prefix-list v6i-filter i! ipv6 prefix-list v6i-filter permit 64:ff9b::/96! RFC6052 v4v6tras ipv6 prefix-list v6i-filter dey 2001::/23 le 128! RFC2928 IETF protocol ipv6 prefix-list v6i-filter dey 2001:2::/48 le 128! Bechmarkig ipv6 prefix-list v6i-filter dey 2001:10::/28 le 128! ORCHID ipv6 prefix-list v6i-filter dey 2001:db8::/32 le 128! Documetatio Prefix ipv6 prefix-list v6i-filter dey 2002::/16 le 128! Dey all 6to4 ipv6 prefix-list v6i-filter dey 2020:3030::/32 le 128! Local Prefix ipv6 prefix-list v6i-filter dey 3ffe::/16 le 128! Old 6boe ipv6 prefix-list v6i-filter permit 2000::/3 le 48! Global Uicast ipv6 prefix-list v6i-filter dey ::/0 le 128 Note: These filters block Teredo (serious security risk) ad 6to4 (deprecated by RFC7526) 20

21 Receivig Prefixes p Payig attetio to prefixes received from customers, peers ad trasit providers assists with: The itegrity of the local etwork The itegrity of the Iteret p Resposibility of all Network Operators to be good Iteret citizes 21

22 BGP Commuity Filterig p Network operators use BGP Commuities for: Iteral policies Policies for their customers Policies towards their upstream providers p Policies are aimed at esurig routig system itegrity withi etworks ad betwee etworks p BGP Commuity refereces: Specificatio (RFC1997) ad Example Use (RFC1998) 22

23 MD5 keys o BGP peerigs p Use passwords o all BGP sessios Not beig paraoid, VERY ecessary It s a secret shared betwee you ad your peer If arrivig packets do t have the correct MD5 hash, they are igored Helps defeat miscreats who wish to attack BGP sessios p Powerful prevetative tool, especially whe combied with filters ad GTSM router bgp 100 address-family ipv6 eighbor 2001:db8::1 remote-as 200 eighbor 2001:db8::1 descriptio Peerig with AS200 eighbor 2001:db8::1 password !

24 BGP Maximum Prefix Trackig p p Allow cofiguratio of the maximum umber of prefixes a BGP router will receive from a peer Two level cotrol: Warig threshold: log warig message Maximum: tear dow the BGP peerig, maual itervetio required to restart eighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warig-oly] p Optioal keywords: restart will restart the BGP sessio after N miutes <threshold> sets the warig level (default 75%) warig-oly oly seds warigs

25 Limitig AS Path Legth p Some BGP implemetatios have problems with log AS_PATHS Memory corruptio Memory fragmetatio p Eve usig AS_PATH prepeds, it is ot ormal to see more tha 20 ASes i a typical AS_PATH i the Iteret today The Iteret is aroud 5 ASes deep o average Largest AS_PATH is usually ASNs eighbor x.x.x.x maxas-limit 15

26 Limitig AS Path Legth p Some aoucemets have ridiculous legths of AS-paths: *> 3FFE:1600::/ i This example is a error i oe IPv6 implemetatio *>i i p This example shows 100 prepeds (for o obvious reaso) If your implemetatio supports it, limit the maximum AS-path legth you will accept

27 Customer routes vs Peer routes p Commo for ed orgaisatios to have more tha oe upstream provider p Routes heard from the customer have to be preferred over the same routes heard from a peer This is doe by icreasig BGP local preferece for customer routes Provides a degree of protectio for its customer routes 27

28 GTSM: The BGP TTL hack p Implemet RFC5082 o BGP peerigs (Geeralised TTL Security Mechaism) Neighbour sets TTL to 255 Local router expects TTL of icomig BGP packets to be 254 No oe apart from directly attached devices ca sed BGP packets which arrive with TTL of 254, so ay possible attack by a remote miscreat is dropped due to TTL mismatch ISP AS 100 TTL 254 Attacker R1 R2 TTL 253 TTL 254

29 BGP TTL hack p TTL Hack: Both eighbours must agree to use the feature TTL check is much easier to perform tha MD5 (Called BTSH BGP TTL Security Hack) p Provides security for BGP sessios I additio to packet filters of course MD5 should still be used for messages which slip through the TTL hack See for more details

30 Remotely Triggered Black Hole Filterig p A simple techique whereby the Network Operator ca use their etire backboe to block mischievous traffic to a specific address withi their etwork or their customers etwork p Chris Morrow s presetatio at NANOG 30 i 2004 describig the techique: p Deployed ad supported by may of the world s largest etwork operators 30

31 RTBH How it works p Network Operator deploys: RTBH support across their etire backboe p Simply a ull route for a specific ext-hop address p (Router Null iterfaces simply discard packets set to them egligible overhead i moder hardware) A trigger router (usually i the NOC) p Talks ibgp with the rest of the backboe (typically as a cliet to routereflectors i the core) p Used to trigger a blackhole route activity for ay address uder attack, as requested by a customer 31

32 RTBH Backboe Cofiguratio p Network Operator sets up a ull route for the 100::1 address o all the backboe routers which participate i BGP ipv6 route 100::1/128 ull p 100::1 is part of 100::/64, the Discard Prefix, oe of the reserved IPv6 address blocks listed i the IANA registry It is ot used or routed o the public Iteret 32

33 RTBH Trigger Router (1) p Create a route-map to catch routes which eed to be blackholed Static routes ca be tagged i Cisco IOS we will tag routes to be blackholed with the value of 66 Set origi to be ibgp Set local-preferece to be 150 p higher tha ay other local-preferece set i the backboe Set commuity to be o-export ad iteral marker commuity (ASN:666) p Do t wat prefix to leak outside the AS Set ext-hop to (IPv4) or 100::1 (IPv6) 33

34 RTBH Trigger Router (2) p The whole route-map: route-map v6blackhole-trigger permit 10 descriptio Look for Route 66 match tag 66 set local-preferece 200 set origi igp set commuity o-export 100:666 set ip ext-hop 100::1! route-map v6blackhole-trigger dey 20 descriptio Nothig else gets through 34

35 RTBH Trigger Router (3) p The itroduce the route-map ito the BGP cofiguratio NB: the ibgp o the trigger router caot use ext-hop-self Cisco IOS over writes the route-map origiated ext-hop with ext-hop-self router bgp 100 address-family ipv6 redistribute static route-map v6blackhole-trigger eighbor 2001:dbd::2 remote-as 100 eighbor 2001:dbd::2 descriptio ibgp with RR1 eighbor 2001:dbd::2 update-source Loopback 0 eighbor 2001:dbd::2 sed-commuity eighbor 2001:dbd::3 remote-as 100 eighbor 2001:dbd::3 descriptio ibgp with RR2 eighbor 2001:dbd::3 update-source Loopback 0 eighbor 2001:dbd::3 sed-commuity! 35

36 RTBH Trigger Router (4) p To implemet the trigger, simply ull route whatever address or address block eeds to be blackholed With Tag 66 ipv6 route 2001:db8:f::e0/128 ull0 tag 66 Ad this esures that (for example) 2001:db8:f::e0/128 is aouced to the etire backboe with ext-hop 100::1 set 36

37 RTBH Ed Result p Prefixes which eed to be ull routed will come from the trigger router ad look like this i the BGP table: *>i 2001:DB8:F::E0/ :: i p Routig etry for 2001:db8:f::e0 is this: cr1>sh ipv6 route 2001:db8:f::e0 Routig etry for 2001:DB8:F::E0/128 Kow via "bgp 100", distace 200, metric 0, type iteral Route cout is 1/1, share cout 0 Routig paths: 100::1 MPLS label: olabel Last updated 00:00:03 ago 37

38 RTBH Ed Result p Routig etry for 100::1 is this: cr1>sh ipv6 route 100::1 Routig etry for 100::1/128 Kow via "static", distace 1, metric 0 Route cout is 1/1, share cout 0 Routig paths: directly coected via Null0 Last updated 00:05:21 ago p Traffic to 2001:db8:f::e0 is set to ull iterface 38

39 Audit ad Validate Your Routig Ifrastructures p Are appropriate paths used? Check routig tables Verify cofiguratios p Is router compromised? Check access logs

40 Routig Security Coclusios p Curret routig protocols do ot have adequate security cotrols p Mitigate risks by usig a combiatio of techiques to limit access ad autheticate data p Be vigilat i auditig ad moitorig your etwork ifrastructure p Cosider MD5 autheticatio p Always filter routig updates.especially be careful of redistributio

41 But Wait There s More p RPKI Resource Public Key Ifrastructure, the Certificate Ifrastructure to Support the other Pieces We eed to be able to authoritatively prove who ows a IP prefix ad what AS(s) may aouce it Prefix owership follows the allocatio hierarchy (IANA, RIRs, ISPs, etc) Origi Validatio p Usig the RPKI to detect ad prevet mis-origiatios of someoe else s prefixes (early 2012) AS-Path Validatio AKA BGPsec p Prevet Attacks o BGP (future work)

42 BGP Why Origi Validatio? p Prevet YouTube accidet & Far Worse p Prevets most accidetal aoucemets p Does ot prevet malicious path attacks p That requires Path Validatio ad lockig the data plae to the cotrol plae, the third step, BGPsec

43 What is RPKI? p Resource Public Key Ifrastructure (RPKI) p A robust security framework for verifyig the associatio betwee resource holder ad their Iteret resources p Created to address the issues i RFC 4593 Geeric Threats to Routig Protocols p Helps to secure Iteret routig by validatig routes Proof that prefix aoucemets are comig from the legitimate holder of the resource RFC 6480 A Ifrastructure to Support Secure Iteret Routig (Feb 2012) 43

44 Beefits of RPKI - Routig p Prevets route hijackig A prefix origiated by a AS without authorizatio Reaso: malicious itet p Prevets mis-origiatio A prefix that is mistakely origiated by a AS which does ot ow it Also route leakage Reaso: cofiguratio mistake / fat figer 44

45 BGP Security (BGPsec) p Extesio to BGP that provides improved security for BGP routig p Beig worked o by the SIDR Workig Group at IETF p Implemeted via a ew optioal o-trasitive BGP attribute that cotais a digital sigature p Two compoets: BGP Prefix Origi Validatio (usig RPKI) BGP Path Validatio 45

46 Issuig Party p Iteret Registries (RIR, NIR, Large LIRs) p Acts as a Certificate Authority ad issues certificates for customers p Provides a web iterface to issue ROAs for customer prefixes p Publishes the ROA records APNIC RPKI Egie publicatio Repository rpki.apic.et MyAPNIC GUI Courtesy of APNIC: 46

47 Relyig Party (RP) IANA Repo APNIC Repo LIR Repo LIR Repo RIPE Repo rpki.ripe.et RP Cache (gather) Validated Cache RPKI-Rtr Protocol Software which gathers data from CAs Also called RP cache or validator Courtesy of APNIC: 47

48 RPKI Compoets Trust Achor rpki.ripe.et MyAPNIC GUI APNIC RPKI Egie publicatio Trust Achor rpki.apic.et RP CACHE RPKI-Rtr Protocol Trust Achor ca0.rpki.et Courtesy of APNIC: 48

49 Route Origi Authorizatio (ROA) p A digital object that cotais a list of address prefixes ad oe AS umber p It is a authority created by a prefix holder to authorize a AS Number to origiate oe or more specific route advertisemets p Publish a ROA usig MyAPNIC 49

50 Router Origi Validatio p Router must support RPKI p Checks a RP cache / validator p Validatio returs 3 states: Valid = whe authorizatio is foud for prefix X Ivalid = whe authorizatio is foud for prefix X but ot from ASN Y Ukow = whe o authorizatio data is foud p Vedor support: Cisco IOS available i release 15.2 Cisco IOS/XR available i release Juiper available i release 12.2 Nokia available i release R12.0R4 Huawei ewly available release TBA 50

Build a RP Cache p Dowload ad istall from http://rpki.

51 Build a RP Cache p Dowload ad istall from Istructios here: p The RP cache has a web iterface 51

52 Cofigure Router to Use Cache p Poit router to the local RPKI cache Server listes o port Cisco IOS example: router bgp bgp rpki server tcp port refresh 60 52

53 Some commads p show ip bgp rpki servers Provide coectio status to the RPKI server p show ip bgp rpki table Shows the VRPs (validated ROA payloads) p show ip bgp Shows the BGP table with status idicatio ext to the prefix 53

54 Check Server lg-01-jb.za>sh ip bgp rpki servers BGP SOVC eighbor is /43779 coected to port Flags 64, Refresh time is 300, Serial umber is IQ has 0 messages, OutQ has 0 messages, formatted msg 493 Sessio IO flags 3, Sessio flags 4008 Neighbor Statistics: Prefixes Coectio attempts: Coectio failures: 351 Errors set: 35 Errors received: 0 Coectio state is ESTAB, I/O status: 1, uread iput bytes: 0 Coectio is ECN Disabled Miium icomig TTL 0, Outgoig TTL 255 Local host: , Local port: Foreig host: , Foreig port: Coectio tableid (VRF): 0 Courtesy of SEACOM: 54

55 RPKI Table (IPv4) BGP sovc etwork etries usig bytes of memory BGP sovc record etries usig bytes of memory Network Maxle Origi-AS Source Neighbor / / / / / / / / / / / / / / / / / / / / / / / / / / / / Courtesy of SEACOM: 55

56 RPKI Table (IPv6) 3115 BGP sovc etwork etries usig bytes of memory 3249 BGP sovc record etries usig bytes of memory Network Maxle Origi-AS Source Neighbor 2001:240::/ C0F:FEB0:B:1::2/ :348::/ C0F:FEB0:B:1::2/ :500:4::/ C0F:FEB0:B:1::2/ :500:13::/ C0F:FEB0:B:1::2/ :500:30::/ C0F:FEB0:B:1::2/ :500:31::/ C0F:FEB0:B:1::2/ :500:F0::/ C0F:FEB0:B:1::2/ :504:32::/ C0F:FEB0:B:1::2/ :608::/ C0F:FEB0:B:1::2/ :610::/ C0F:FEB0:B:1::2/ :610:240::/ C0F:FEB0:B:1::2/ :620::/ C0F:FEB0:B:1::2/ :620::/ C0F:FEB0:B:1::2/ :630::/ C0F:FEB0:B:1::2/ Courtesy of SEACOM: 56

57 BGP Table (IPv4) RPKI validatio codes: V valid, I ivalid, N Not foud Network Metric LocPrf Path N*> / i N*> / i... V*> / i N*> / i N*> / i... V*> / i N*> / i N*> / {38266} i... I* / i I* / i I* / i I* / i... Courtesy of SEACOM: 57

58 BGP Table (IPv6) RPKI validatio codes: V valid, I ivalid, N Not foud Network Metric LocPrf Path N*> 2001::/ i N* 2001:4:112::/ i... V*> 2001:240::/ i N*> 2001:250::/ N*> 2001:250::/ i... V*> 2001:348::/ i N*> 2001:350::/ i N*> 2001:358::/ i... I* 2001:1218:101::/ i I* 2001:1218:104::/ i N* 2001:1221::/ i N*> 2001:1228::/ i... Courtesy of SEACOM: 58

59 RPKI BGP State: Valid BGP routig table etry for 2001:240::/32, versio Paths: (2 available, best #2, table default) Not advertised to ay peer Refresh Epoch C0F:FEB0:11:2::1 (FE80::2A8A:1C00:1560:5BC0) from 2C0F:FEB0:11:2::1 ( ) Origi IGP, metric 0, localpref 100, valid, exteral, best Commuity: 37100: : : :22060 path 0828B828 RPKI State valid rx pathid: 0, tx pathid: 0x0 Courtesy of SEACOM: 59

60 RPKI BGP State: Ivalid BGP routig table etry for 2001:1218:101::/48, versio Paths: (2 available, o best path) Not advertised to ay peer Refresh Epoch C0F:FEB0:B:3::1 (FE80::86B5:9C00:15F5:7C00) from 2C0F:FEB0:B:3::1 ( ) Origi IGP, metric 0, localpref 100, valid, exteral Commuity: 37100: :12 path 0DA7D4FC RPKI State ivalid rx pathid: 0, tx pathid: 0 Courtesy of SEACOM: 60

61 RPKI BGP State: Not Foud BGP routig table etry for 2001:200::/32, versio Paths: (2 available, best #2, table default) Not advertised to ay peer Refresh Epoch C0F:FEB0:11:2::1 (FE80::2A8A:1C00:1560:5BC0) from 2C0F:FEB0:11:2::1 ( ) Origi IGP, metric 0, localpref 100, valid, exteral, best Commuity: 37100: :13 path 19D90E68 RPKI State ot foud rx pathid: 0, tx pathid: 0x0 Courtesy of SEACOM: 61

62 Usig RPKI p Network operators ca make decisios based o RPKI state: Ivalid discard the prefix Not foud let it through (maybe low local preferece) Valid let it through (high local preferece) p Some operators eve cosiderig makig ot foud a discard evet But the Iteret IPv4 BGP table would shrik to about 20k prefixes ad the IPv6 BGP table would shrik to about 3k prefixes! 62

63 RPKI Summary p All AS operators should cosider deployig p A importat step to securig the routig system Origi validatio p Does t secure the path, but that s the ext hurdle to cross p With origi validatio, the opportuities for malicious or accidetal mis-origiatio disappear 63

64 Routig Security p Implemet the recommedatios i 1. Prevet propagatio of icorrect routig iformatio p Filter BGP peers, i & out! 2. Prevet traffic with spoofed source addresses p BCP38 Uicast Reverse Path Forwardig 3. Facilitate commuicatio betwee etwork operators p NOC to NOC Commuicatio 4. Facilitate validatio of routig iformatio p Route Origi Authorisatio usig RPKI 64

65 Summary p Secure routig protocols OSPF, IS-IS, BGP p Secure access to the cotrol plae p Deploy RPKI p Filterig helps everyoe PLEASE deploy ati-spoofig filters PLEASE filter all BGP eighbours

66 IPv6 Routig Protocol Security ITU/APNIC/PacNOG21 IPv6 Workshop 4 th 8 th December 2017 Nuku alofa 66

BGP Origin Validation

BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated