The RPKI & Origin Validation
|
|
- Coral Wiggins
- 5 years ago
- Views:
Transcription
1 The RPKI & Origin Validation RIPE / Praha Randy Bush <randy@psg.com> Rob Austein <sra@isc.org> Steve Bellovin <smb@cs.columbia.edu> And a cast of thousands! Well, dozens :) RIPE RPKI 1
2 Routing is Very Fragile How long can we survive on The Web as Random Acts of Kindness, TED Talk by Jonathan Zittrain? RIPE RPKI 2
3 Routing Mistakes Routing errors are significant and have very high customer impact We need to fix this before we are crucified in the WSJ a la Toyota 99% of mis-announcements are accidental originations of someone else s prefix -- Google, UU, IIJ, RIPE RPKI 3
4 Why Origin Validation? Prevent YouTube accident Prevent 7007 accident, UU/Sprint 2 days! Prevents most accidental announcements Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack That requires Path Validation and locking the data plane to the control plane, the next steps, by my children RIPE RPKI 4
5 This is Not New 1986 Bellovin identifies vulnerability 2000 S-BGP X.509 PKI to support Secure BGP - Kent, Lynn, et al NANOG S-BGP Workshop 2006 ARIN & APNIC start work on RPKI. RIPE starts in RPKI Open Testbed and running code in test routers 2009 ISOC discovers problem RIPE RPKI 5
6 The Goal Keep the Internet working!!! Seriously reduce routing damage from mis-configuration, mis-origination Non-Goals Prevent Malicious Attacks Keep RIRs in business by selling X.509 Certificates RIPE RPKI 6
7 Resource Public Key Infrastructure (RPKI) RIPE RPKI 7
8 X.509 Certificate w/ 3779 Ext X.509 Cert CA RFC 3779 Extension Describes IP Resources (Addr & ASN) SIA URI for where this Publishes Owner s Public Key RIPE RPKI 8
9 Being Developed & Deployed by RIRs and Operators RIPE RPKI 9
10 Certificate Hierarchy follows Allocation Hierarchy Cert/ISC Cert/ARIN /16 Public Key SIA Cert/RGnet / / /19 CA CA CA CA Cert/PSGnet Public Key Public Key Public Key Cert/Randy CA Cert/Rob CA / /24 Public Key Public Key RIPE RPKI 10
11 That s Who Owns It but Who May Route It? RIPE RPKI 11
12 Route Origin Authorization (ROA) Owning Cert CA / /16 EE Cert /16 End Entity Cert can not sign certs. can sign other things e.g. ROAs Public Key Public Key ROA /16 This is not a Cert It is a signed blob AS RIPE RPKI 12
13 IANA CA PSGnet /16 Experimental Allocation from ARIN 0/0 Public Key ARIN /8 AS Public Key PSGnet /16 AS 3130 Public Key CA CA Announces 256 /24s EE Cert EE Cert EE Cert EE Cert EE Cert / / / / /24 Public Key Public Key Public Key Public Key Public Key ROA ROA ROA ROA ROA / / / / /24 AS 3130 AS 3130 AS 3130 AS 3130 AS 3130 Too Many EE Certs and ROAs, Yucchhy! RIPE RPKI 13
14 IANA CA 0/0 Public Key ARIN CA /8 Public Key PSGnet CA /16 Public Key EE Cert /16 ROA Aggregation Using Max Length Public Key ROA /16-24 AS RIPE RPKI 14
15 Allocation in Reality My Infrastructure BGP Cust Static (non BGP) Cust Unused RIPE RPKI 15
16 ROA Use My Aggregate ROA Customer ROAs I Generate for Lazy Customer My Infrastructure BGP Cust Static (non BGP) Cust Unused RIPE RPKI 16
17 Running Code And the Three RPKI Protocols RIPE RPKI 17
18 [Hardware] Signing Module RPKI Engine Prototype of Basic Back End LIR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol My Resources ID=Me Biz EE Signing Key Private RPKI Keys ID=Me Public RPKI Keys Up/Down EE Public Keys Certs Issued to DownStreams Internal CA Data My Misc Config Options Issued ROAs Publication Protocol Repo Mgt Resource PKI XML Object Transport & Handler Up / Down Protocol Internal Protocol My RightsToRoute Delegations to Custs Private IR Biz Trust Anchor Internal CA Data Business Key/Cert Management IP Resource Certs ASN Resource Certs RIPE RPKI Route Origin Attestations 18
19 Big, Centralized, & Scary We Don t Do This RPKI DataBase IP Resource Certs ASN Resource Certs Route Origin Attestations RIPE RPKI 19
20 Distributed RPKI DataBase IANA IANA SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust A Player (CA) Publishes All Certificates Which They Generate in Their Own Unique Publication Point Running Code Repository RIPE RPKI 20
21 RCynic Cache Gatherer (cynical rsync) IANA IANA Trust Anchor SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust RCynic Gatherer Validated Cache RIPE RPKI 21
22 Reliability Issue Expensive To Fetch & Unreliable IANA IANA Trust Anchor SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust RCynic Gatherer Validated Cache RIPE RPKI 22
23 Reliability Via Hosted Publication IANA IANA ARIN ARIN APNIC APNIC UUNET UUNET UUcust PSGnet IIJ PSGnet IIJ UUcust Repository with Multiple Publication Points Reducing the Number of Publication Points Makes RCynic More Efficient RIPE RPKI 23
24 A Usage Scenario Resources [OrgID] IR s Database(s) My RightsToRoute Delegations to Custs User Web GUI Internal Protocol Keys for Talking to IR BackEnd ID=Me Public RPKI Keys Up/Down EE Public Keys 98% of an RIR s Users 10% of an RIR s IP Space Internal CA Data My Misc Config Options Publication Protocol Publication Point Mac Front End GUI & Management Certs Issued to DownStreams RPKI Engine RIPE RPKI 24 Issued ROAs Contract Out To Google Up / Down Protocol 2% of an RIR s Users 90% of an RIR s IP Space
25 Origin Validation Cisco IOS and IOS-XR test code have Origin Validation now Work continues daily in test routers Compute load much less than ACLs from IRR data, 10µsec per update! Expect other vendor soon RIPE RPKI 25
26 RPKI -> Router Global RPKI Object Security RCynic The Third Protocol (origin validation only) Transport Security ssh RCynic Gatherer Cache / Server RPKI to Rtr Protocol BGP Decision Process Near/In PoP RIPE RPKI 26
27 Typical Exchange Cache Router <----- Reset Query R requests data Cache Response -----> C confirms request IPvX Prefix > C sends zero or more IPvX Prefix > IPv4 and IPv6 Prefix IPvX Prefix > Payload PDUs End of Data > C sends End of Data and sends new serial ~ ~ Notify > (optional) <----- Serial Query R requests data Cache Response -----> C confirms request IPvX Prefix > C sends zero or more IPvX Prefix > IPv4 and IPv6 Prefix IPvX Prefix > Payload PDUs End of Data > C sends End of Data and sends new serial ~ ~ RIPE RPKI 27
28 IPv4 Prefix Protocol PDU Version Type Color Length= Prefix Max Data Flags Length Length Source RPKI/IRR IPv4 prefix Autonomous System Number ` ' RIPE RPKI 28
29 IPv6 Prefix Protocol PDU Version Type Color Length= Prefix Max Data Flags Length Length Source RPKI/IRR IPv6 prefix Autonomous System Number ` ' RIPE RPKI 29
30 Extremely Large ISP Deployment Global RPKI Asia Cache NoAm Cache Euro Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache Cust Facing Cust Facing Cust Facing Cust Facing Cust Facing High Priority Lower Priority RIPE RPKI 30
31 Configure router bgp 4128 bgp router-id bgp rpki cache refresh-time 600 address-family ipv4 unicast bgp dampening collect-statistics ebgp redistribute static route-policy vb-ebgp-out RIPE RPKI 31
32 Result of Check Valid A matching/covering ROA was found with a matching AS number Invalid A matching or covering ROA was found, but AS number did not match, and there was no valid one Not Found No matching or covering ROA was found RIPE RPKI 32
33 RIPE RPKI 33
34 Policy Override Knobs Disable Validity Check Completely Disable Validity Check for a Peer Disable Validity Check for Prefixes When check is disabled, the result is Not Found, i.e. as if there was no ROA RIPE RPKI 34
35 RIPE RPKI 35
36 Defaults Origin Validation is Enabled if you have configured a cache server peering RPKI Poll Interval is 30 Minutes No Effect on Policy unless you have configured it RIPE RPKI 36
37 An ISP s ROAs # <prefix>/<length>-<maxlength> <asn> <group> # / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN :4860::/ ARIN RIPE RPKI 37
38 Good Dog! RP/0/1/CPU0:r0.dfw#show bgp /24 BGP routing table entry for /24 Versions: Process brib/rib SendTblVer Speaker Last Modified: Oct 2 01:06: for 13:33:12 Paths: (6 available, best #3) Advertised to peers (in unique update groups): Path #1: Received by speaker from ( ) Origin IGP, metric 0, localpref 100, valid, external, \ origin validity state: valid Community: 2914: : : :380 Path #2: Received by speaker RIPE RPKI 38
39 Bad Dog! RP/0/1/CPU0:r0.dfw#sh bgp BGP routing table entry for /20 Versions: Process brib/rib SendTblVer Speaker 0 0 Last Modified: Oct 2 17:38: for 4d22h Paths: (6 available, no best path) Not advertised to any peer Path #1: Received by speaker from ( ) Origin IGP, metric 2, localpref 100, valid, external,\ origin validity state: invalid Community: 2914: : : : RIPE RPKI 39
40 Strange Dog! RP/0/1/CPU0:r0.dfw#sh bgp BGP routing table entry for /16 Versions: Process brib/rib SendTblVer Speaker Last Modified: Oct 2 17:40: for 4d22h Paths: (6 available, best #1) Advertised to peers (in unique update groups): Path #1: Received by speaker from ( ) Origin IGP, metric 68, localpref 100, valid, external, \ origin validity state: not found Community: 2914: : : : RIPE RPKI 40
41 ibgp Hides Validity State p valid invalid p ibgp Full Mesh p unknown which do i choose? why do i choose it? RIPE RPKI 41
42 Unknown Beat Valid! r1.iad#sh ip bg ! BGP routing table entry for /24, version ! Paths: (2 available, best #1, table default)! Not advertised to any peer! ! (metric 1) from ( )! Origin IGP, metric 51, localpref 100, valid, internal, best! Community: 2914: : : :380! ! from ( )! Origin IGP, metric 0, localpref 100, valid, external! Community: 3927:380! Sovc state valid! RIPE RPKI 42
43 MED Beat Valid r1.iad#sh ip bg ! BGP routing table entry for /16, version ! Paths: (2 available, best #1, table default)! Not advertised to any peer! ! (metric 1) from ( )! Origin IGP, metric 105, localpref 100, valid, internal, best! Community: 2914: : : :380! ! from ( )! Origin IGP, metric 653, localpref 100, valid, external! Community: 3927:380! Sovc state valid! RIPE RPKI 43
44 The Solution is to Allow Operator to Test and then Set Local Policy RIPE RPKI 44
45 Secure route-map validity-0!! match rpki-invalid!! drop! route-map validity-1!! match rpki-not-found!! set localpref 50! // valid defaults to 100! RIPE RPKI 45
46 Paranoid route-map validity-0!! match rpki-valid!! set localpref 110! route-map validity-1!! drop! RIPE RPKI 46
47 After AS-Path route-map validity-0! match rpki-unknown!! set metric 50! route-map validity-1! match rpki-invalid!! set metric 25! // valid defaults to 100! RIPE RPKI 47
48 Running Code The Open TestBed Repository until we get IANA to act as the parent Trust Anchor Trust Anchor *ARIN ARIN *APNIC APNIC until we get IANA to act as the parent ISC ISC Google BWC RGnet RGnet JPNIC JPNIC Google runs own RPKI to keep private key private and control own fate, but publishes at ARIN BWC IIJ Cristel IIJ Mesh Mesh Level (3) Level(3) chocolate Cristel runs own RPKI to keep private key private and control own fate, but publishes at IIJ RIPE RPKI * APNIC and ARIN are simulations constructed from public data 48
49 The Big Speedbump RIPE RPKI 49
50 But Who Do We Trust? RIPE RPKI 50
51 RPKI Full Implementation Available as Open Source and there is a mailing list RIPE RPKI 51
52 Work Supported By US Government THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL). ARIN Internet Initiative Japan Cisco, Google, NTT, Equinix RIPE RPKI 52
53 Up / Down Protocol My Resources Simple Parent and Simple Child RPKI Engine Up / Down Protocol RPKI Engine Internal Protocol Internal Protocol IR Back End Childs Resources Registry Back Ends My Resources IR Back End Childs Resources Up / Down Protocol RIPE RPKI 53
54 [Hardware] Signing Module RPKI Engine IR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol My Resources My RightsToRoute ID=Me Biz EE Signing Key(s) Private RPKI Keys ID=Me Public RPKI Keys Up/Down EE Public Keys Certs Issued to DownStreams Internal CA Data My Misc Config Options Issued ROAs XML Object Transport & Handler Up / Down Protocol Internal Protocol Stub Provided to be Hacked Publication Protocol Repo Mgt Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations Private IR Biz Trust Anchor Internal CA Data Business Key/Cert Management RIPE RPKI 54
55 Signing Engine RPKI Engine IR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol Resources [OrgID] RightsToRoute [OrgID] Cust ID Biz EE Signing Key(s) Private RPKI Keys Cust ID Public RPKI Keys Up/Down EE Public Keys Certs Issued to DownStreams Internal CA Data Cust s Preferences Issued ROAs Publication Protocol Repo Mgt Resource PKI XML Object Transport & Handler Up / Down Protocol Internal Protocol Stub Provided to be Hacked Private IR Biz Trust Anchor Internal CA Data Business Key/Cert Management IP Resource Certs ASN Resource Certs Route Origin Attestations RIPE RPKI 55
56 Serial Query Protocol PDU Version Type reserved = zero Length= Serial Number ` ' RIPE RPKI 56
57 End of Data Protocol PDU Version Type reserved = zero Length= Serial Number ` ' RIPE RPKI 57
The RPKI & Origin Validation
The RPKI & Origin Validation NANOG / Denver 2011.06.12 Randy Bush Rob Austein Steve Bellovin Michael Elkins And a cast of thousands!
More informationThe RPKI and BGP Origin Validation
The RPKI and BGP Origin Validation APRICOT / New Delhi 2012.02.27 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2012.02.27
More informationIPv4 Run-Out, Trading, and the RPKI
IPv4 Run-Out, Trading, and the RPKI RIPE 56 / Berlin 2008.05.07 Randy Bush http://rip.psg.com/~randy/080507.ripe-v4-trad-rpki.pdf 2008.05.07 RIPE v4 Trade RPKI 2 Internet Initiative Japan
More informationIPv4 Run-Out, Trading, and the RPKI
IPv4 Run-Out, Trading, and the RPKI MENOG 3 / Salmiya 2008.04.15 Randy Bush http://rip.psg.com/~randy/080415.menog-v4-trad-rpki.pdf 2008.04.15 MENOG v4 Trade RPKI 2 Internet Initiative
More informationRPKI-Based Origin Validation, Routers, & Caches
RPKI-Based Origin Validation, Routers, & Caches RPKIWS / Berlin 2013.07.26 Randy Bush Rob Austein Michael Elkins Matthias Waehlisch
More informationRPKI. Resource Pubic Key Infrastructure
RPKI Resource Pubic Key Infrastructure Purpose of RPKI RPKI replaces IRR or lives side by side? Side by side: different advantages Security, almost real time, simple interface: RPKI Purpose of RPKI Is
More informationBGP Origin Validation
BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationResource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC
Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC Target Audience Knowledge of Internet Routing(specially BGP) Fair idea on Routing Policy No need to know Cryptography Basic knowledge
More informationResource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018
Resource PKI NetSec Tutorial NZNOG2018 - Queenstown 24 Jan 2018 1 Fat-finger/Hijacks/Leaks Bharti (AS9498) originates 103.0.0.0/10 Dec 2017 (~ 2 days) No damage more than 8K specific routes! Google brings
More informationIdealized BGPsec: Formally Verifiable BGP
Idealized BGPsec: Formally Verifiable BGP 2011.04.10 Randy Bush for the Informal BGPsec Design Group 2011.04.10 ARIN BGPsec 1 Informal BGPsec Group chris morrow (google) pradosh mohapatra
More informationSecuring BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho
Securing BGP - RPKI ThaiNOG2018 - Bangkok 21 May 2018 Tashi Phuntsho (tashi@apnic.net) 1 Fat-finger/Hijacks/Leaks Amazon (AS16509) Route53 hijack April2018 AS10279 (enet) announced/originated more specifics
More informationIdealized BGPsec: Formally Verifiable BGP
Idealized BGPsec: Formally Verifiable BGP 2011.05.04 Randy Bush for the Informal BGPsec Design Group 2011.05.04 RIPE BGPsec 1 Informal BGPsec Group chris morrow (google) pradosh mohapatra
More informationRPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:
RPKI Introduction APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By: 1 Content Why do we need RPKI What is RPKI How to deploy RPKI Configuration case Misdirection / Hijacking Incidents
More informationIdealized BGPsec: Formally Verifiable BGP
Idealized BGPsec: Formally Verifiable BGP JaNOG 27.5 / Tokyo 2011.04.14 Randy Bush for the Informal BGPsec Design Group 2011.04.14 JaNOG BGPsec 1 Informal BGPsec Group chris morrow (google)
More informationISP 1 AS 1 Prefix P peer ISP 2 AS 2 Route leak (P) propagates Prefix P update Route update P Route leak (P) to upstream 2 AS 3 Customer BGP Update messages Route update A ISP A Prefix A ISP B B leaks
More informationSecure Routing with RPKI. APNIC44 Security Workshop
Secure Routing with RPKI APNIC44 Security Workshop Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationIntroducción al RPKI (Resource Public Key Infrastructure)
Introducción al RPKI (Resource Public Key Infrastructure) Roque Gagliano rogaglia@cisco.com 4 Septiembre 2013 Quito, Equator 2011 Cisco and/or its affiliates. All rights reserved. 1 Review of problem to
More informationAn Operational ISP & RIR PKI
An Operational ISP & RIR PKI EOF / Istanbul 2006.04.25 Randy Bush Quicksand Unknown quality of whois data Unknown quality of IRR data No formal
More informationRoute Security for Inter-domain Routing
Route Security for Inter-domain Routing Alvaro Retana (aretana@cisco.com) Distinguished Engineer, Cisco Services 3 This could happen to YOUR network 4 This could happen be happening to YOUR network 5 Agenda
More informationRPKI-Based Origin Validation Lab RPKI Lab Creative Commons: Attribution & Share Alike
RPKI-Based Origin Validation Lab 1 Issuing Parties Relying Parties GUI altca Publication Protocol Trust Anchor Resource PKI RCynic Gatherer Pseudo IRR route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin:
More informationDeploying RPKI An Intro to the RPKI Infrastructure
Deploying RPKI An Intro to the RPKI Infrastructure VNIX-NOG 24 November 2016 Hanoi, Vietnam Issue Date: Revision: Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours)
More informationMisdirection / Hijacking Incidents
Security Tutorial @ TWNOG SECURE ROUTING WITH RPKI 1 Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationRPKI Workshop Routing Lab
RPKI Workshop Routing Lab NANOG / Denver 2011.06.12 Randy Bush Michael Elkins Rob Austein Serpil Bayraktar 2011.06.12 RPKI Router Lab
More informationUpdate on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008 Address and Routing Security What we have had for many years is a relatively insecure interdomain routing system
More informationAn Operational ISP & RIR PKI
An Operational ISP & RIR PKI ARIN / Montreal 2006.04.10 Randy Bush Quicksand Unknown quality of whois data Unknown quality of IRR data No formal
More informationRPKI and Internet Routing Security ~ The regional ISP operator view ~
RPKI and Internet Routing Security ~ The regional ISP operator view ~ APNIC 29/APRICOT 2010 NEC BIGLOBE, Ltd. (AS2518) Seiichi Kawamura 1 Agenda Routing practices of the regional ISP today How this may
More informationSecuring Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO
Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN Mark Kosters CTO What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources AS Numbers
More informationResource Public Key Infrastructure
Resource Public Key Infrastructure A pilot for the Internet2 Community to secure the global route table Andrew Gallo The Basics The Internet is a self organizing network of networks. How do you find your
More informationIETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet
IETF81 Secure IDR Rollup TREX Workshop 2011 David Freedman, Claranet Introduction to Secure IDR (SIDR) You are in a darkened room at the IETF. You are surrounded by vendors. A lone operator stands quietly
More informationResource Certification. Alex Band, Product Manager DENIC Technical Meeting
Resource Certification Alex Band, Product Manager DENIC Technical Meeting Internet Routing Routing is non-hierarchical, open and free Freedom comes at a price: - You can announce any address block on your
More informationSecuring Routing: RPKI Overview. Mark Kosters Chief Technology Officer
Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer Why are DNSSEC and RPKI important? Two of the most critical resources DNS Routing Hard to tell when resource is compromised Focus of
More informationOverview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies
Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies Presentation Outline The BGP security problem RPKI overiew Address & AS number allocation system Certificates
More informationRPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager
RPKI deployment at AFRINIC Status Update Alain P. AINA RPKI Project Manager What is Resource Certifcation? Resource Certifcation is a security framework for verifying the association between resource holders
More information32-bit ASNs. Philip Smith. AfNOG rd April 1st May Abuja, Nigeria
32-bit ASNs Philip Smith AfNOG 2007 23rd April 1st May Abuja, Nigeria Autonomous System (AS) AS 100 Collection of networks with same routing policy Single routing protocol Usually under single ownership,
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationLife After IPv4 Depletion
1 Life After IPv4 Depletion Jon Worley Analyst Securing Core Internet Functions Resource Certification, RPKI Mark Kosters Chief Technology Officer 2 Core Internet Functions: Routing & DNS The Internet
More informationAPNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013
APNIC s role in stability and security Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013 Overview Introducing APNIC Working with LEAs The APNIC Whois Database
More informationDecentralized Internet Resource Trust Infrastructure
Decentralized Internet Resource Trust Infrastructure Bingyang Liu, Fei Yang, Marcelo Bagnulo, Zhiwei Yan, and Qiong Sun Huawei UC3M CNNIC China Telecom 1 Critical Internet Trust Infrastructures are Centralized
More informationProblem. BGP is a rumour mill.
Problem BGP is a rumour mill. We want to give it a bit more authorita We think we have a model AusNOG-03 2009 IP ADDRESS AND ASN CERTIFICATION TO IMPROVE ROUTING SECURITY George Michaelson APNIC R&D ggm@apnic.net
More informationInternet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!
Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil! Who is allowed to do what?! BGP (the Internet s inter-domain routing protocol) runs by rumor Participants assert reachability
More informationInternet Engineering Task Force (IETF) BCP: 185 January 2014 Category: Best Current Practice ISSN:
Internet Engineering Task Force (IETF) R. Bush Request for Comments: 7115 Internet Initiative Japan BCP: 185 January 2014 Category: Best Current Practice ISSN: 2070-1721 Abstract Origin Validation Operation
More informationSecurity Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO
Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN CTO Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard to tell if compromised From the user point of
More informationRPKI and Routing Security
Presentation September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) What is the Purpose of
More informationUsing Resource Certificates Progress Report on the Trial of Resource Certification
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC From the RIPE Address Policy Mail List 22 25 Sept 06, address-policy-wg@lists.ripe.net
More informationMadison, Wisconsin 9 September14
1 Madison, Wisconsin 9 September14 2 Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN Engineering 3 Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard
More informationBGP Origin Validation (RPKI)
University of Amsterdam System & Network Engineering BGP Origin Validation (RPKI) July 5, 2013 Authors: Remy de Boer Javy de Koning Supervisors: Jac Kloots
More informationRTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.
RTRlib An Open-Source Library in C for RPKI-based Prefix Origin Validation Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H. Schiller m.waehlisch@fu-berlin.de schmidt@informatik.haw-hamburg.de
More informationSecure Inter-domain Routing with RPKI
Secure Inter-domain Routing with RPKI Srinivas (Sunny) Chendi VNIX-NOG 2018, Da Nang sunny@apnic.net Xin chào và chào buổi sáng 1 3 4 What is the fundamental Problem? An underlying problem in routing
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationBGP Origin AS Validation
The feature helps prevent network administrators from inadvertently advertising routes to networks they do not control. This feature uses a Resource Public Key Infrastructure (RPKI) server to authenticate
More informationBORDER GATEWAY PROTOCOL (BGP) SECURITY. Nurudeen K. Abdulsalam. Supervisor: Dr. Olaf Maennel
ICNS A910002 BORDER GATEWAY PROTOCOL (BGP) SECURITY By Nurudeen K. Abdulsalam Supervisor: Dr. Olaf Maennel A Master's by Course Dissertation Submitted in partial fulfilment of the requirements for the
More informationAdventures in RPKI (non) deployment. Wes George
Adventures in RPKI (non) deployment Wes George wesley.george@twcable.com @wesgeorge Background March 2013 FCC CSRIC III WG 6 report on Secure BGP Accurate Records, better measurements Cautious, staged
More information32-bit ASNs. Philip Smith. MENOG 5, Beirut, 29th October 2009
32-bit ASNs Philip Smith MENOG 5, Beirut, 29th October 2009 Autonomous System (AS) AS 100 Collection of networks with same routing policy Single routing protocol Usually under single ownership, trust and
More informationSecuring Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO
Securing Core Internet Functions Resource Certification, RPKI Mark Kosters ARIN CTO Core Internet Functions: Routing & DNS The Internet relies on two critical resources DNS: Translates domain names to
More informationSecurity Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO
Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN CTO Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard to tell if compromised From the user point of
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationIPv4/IPv6 BGP Routing Workshop. Organized by:
IPv4/IPv6 BGP Routing Workshop Organized by: Agenda Multihoming & BGP path control APNIC multihoming resource policy 2 ISP Hierarchy Default free zone Made of Tier-1 ISPs who have explicit routes to every
More information32-bit ASNs. Philip Smith. Last updated February 2010
32-bit ASNs Philip Smith Last updated February 2010 Autonomous System (AS) AS 100 Collection of networks with same routing policy Single routing protocol Usually under single ownership, trust and administrative
More informationRPKI Trust Anchor. Geoff Huston APNIC
RPKI Trust Anchor Geoff Huston APNIC Public Keys How can you trust a digital signature?? What if you have never met the signer and have no knowledge of them or their keys? One approach is transitive trust
More informationPolicy Proposal Capturing AS Originations In Templates
Policy Proposal 2006-3 Capturing AS Originations In Templates Sandra Murphy sandy@sparta.com, sandy@tislabs.com 11 April 2006 ARIN XVII Montreal, QC, CA 1 Securing Routing Infrastructure Important problem,
More informationUsing Resource Certificates Progress Report on the Trial of Resource Certification
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC Sound Familiar? 4:30 pm Mail: Geoff, mate, I ve been dealing with your phone people and
More informationResource Certification
Resource Certification CISSP, science group manager RIPE NCC robert@ripe.net 1 Contents Motivation for Resource Certification (RPKI) Architecture overview Participating in RPKI Most importantly: use cases
More informationRobust Inter-Domain Routing
Establishing the Technical Basis for Trustworthy Networking Robust Inter-Domain Routing Addressing Systemic Vulnerabilities in BGP Doug Montgomery (dougm@nist.gov) Manager, Internet and Scalable Systems
More informationRoute Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes
1 Types of prefixes in IP core network: Internal Prefixes External prefixes Downstream customers Internet prefixes 2 Internal prefixes originated in IP core network Loopback Transport Connect inter-regional
More informationIntroduction to BGP. ISP Workshops. Last updated 30 October 2013
Introduction to BGP ISP Workshops Last updated 30 October 2013 1 Border Gateway Protocol p A Routing Protocol used to exchange routing information between different networks n Exterior gateway protocol
More informationRPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting
RPKI Deployment Considerations: Problem Analysis and Alternative Solutions draft-lee-sidr-rpki-deployment-01 @IETF 95 SIDR meeting fuyu@cnnic.cn Background RPKI in China CNNIC deploy a platform to provide
More informationRoute Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes
Types of prefixes in IP core network: Internal Prefixes External prefixes Downstream customers Internet prefixes Internal prefixes originated in IP core network Loopback Transport Connect inter-regional
More informationBGP for Internet Service Providers
BGP for Internet Service Providers Philip Smith Seoul KIOW 2002 1 BGP current status RFC1771 is quite old, and no longer reflects current operational practice nor vendor implementations
More informationSome Lessons Learned from Designing the Resource PKI
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007 Address and Routing Security The basic security questions that need to be answered are: Is this a valid
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: February 2012
Internet Engineering Task Force (IETF) G. Huston Request for Comments: 6483 G. Michaelson Category: Informational APNIC ISSN: 2070-1721 February 2012 Abstract Validation of Route Origination Using the
More informationBGP Multihoming ISP/IXP Workshops
BGP Multihoming ISP/IXP 1 Why Multihome? Redundancy One connection to internet means the network is dependent on: Local router (configuration, software, hardware) WAN media (physical failure, carrier failure)
More informationRPKI in practice. Sebastian Wiesinger DE-CIX Technical Meeting June 2017
RPKI in practice Sebastian Wiesinger sebastian.wiesinger@noris.net DE-CIX Technical Meeting June 2017 Generate ROAs Generate ROAs for your prefixes RIPE NCC makes this very easy Available at the LIR portal
More informationIntroduction to BGP. ISP/IXP Workshops
Introduction to BGP ISP/IXP Workshops 1 Border Gateway Protocol A Routing Protocol used to exchange routing information between different networks Exterior gateway protocol Described in RFC4271 RFC4276
More informationAPNIC elearning: BGP Basics. 30 September :00 PM AEST Brisbane (UTC+10) Revision: 2.0
APNIC elearning: BGP Basics 30 September 2015 1:00 PM AEST Brisbane (UTC+10) Issue Date: 07 July 2015 Revision: 2.0 Presenter Nurul Islam (Roman) Senior Training Specialist, APNIC Nurul maintains the APNIC
More informationNetworking 101 ISP/IXP Workshops
Networking 101 ISP/IXP Workshops 1 Network Topology and Definitions Definitions and icons Network topologies PoP topologies Interconnections and IXPs IP Addressing Gluing it all together 2 Topologies and
More informationJust give me a button!
Just give me a button! The challenges of routing security RIPE NCC Members organisation founded in 1992 Manages IP and ASN allocations in Europe, Middle East and former Soviet Union - Ensure unique holdership
More informationBGP Routing Security and Deployment Strategies
Bachelor Informatica Informatica Universiteit van Amsterdam BGP Routing Security and Deployment Strategies Bryan Eikema June 17, 2015 Supervisor(s): Benno Overeinder (NLnet Labs), Stavros Konstantaras
More informationProblem Statement and Considerations for ROA Mergence. 96 SIDR meeting
Problem Statement and Considerations for ROA Mergence draft-yan-sidr-roa-mergence-00 @IETF 96 SIDR meeting fuyu@cnnic.cn Background RFC 6482 1/19 ROA mergence What is the ROA mergence? is a common case
More informationNetwork Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013
Network Working Group G. Huston Internet-Draft G. Michaelson Intended status: Informational APNIC Expires: January 9, 2014 July 8, 2013 Abstract RPKI Validation Reconsidered draft-huston-rpki-validation-00.txt
More informationInternet Engineering Task Force (IETF) ISSN: September The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1
Internet Engineering Task Force (IETF) R. Bush Request for Comments: 8210 Internet Initiative Japan Updates: 6810 R. Austein Category: Standards Track Dragon Research Labs ISSN: 2070-1721 September 2017
More informationBGP Multihoming. ISP/IXP Workshops
BGP Multihoming ISP/IXP Workshops 1 Why Multihome? Redundancy One connection to internet means the network is dependent on: Local router (configuration, software, hardware) WAN media (physical failure,
More informationRouting Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.
Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 * Thanks to Steve Bellovin for slide source material. 1 Routing 101 Network routing exists to provide hosts desirable
More information2016/09/07 08:37 1/5 Internal BGP Lab. Set up Internal BGP (ibgp) within the each Group autonomous system to carry routing information within the AS.
2016/09/07 08:37 1/5 Internal BGP Lab Internal BGP Lab Introduction The purpose of this exercise is to: Set up Internal BGP (ibgp) within the each Group autonomous system to carry routing information within
More informationSecuring BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC
Securing BGP: The current state of RPKI Geoff Huston Chief Scientist, APNIC Incidents What happens when I announce your addresses in BGP? All the traffic that used to go to you will now come to me I can
More informationModule: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Routing Security Professor Patrick McDaniel Spring 2009 1 Routing 101 Network routing exists to provide hosts desirable paths from the source
More information6.829 BGP Recitation. Rob Beverly September 29, Addressing and Assignment
6.829 BGP Recitation Rob Beverly September 29, 2006 Addressing and Assignment 1 Area-Routing Review Why does Internet Scale? Hierarchical Addressing How are addresses assigned? Classfull
More informationMeasuring the Adoption of Route Origin Validation and Filtering
Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias
More information<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency
KISA(KRNIC) UPDATE YOUNGSUN LA (rays@kisa.or.kr) Korea Internet & Security Agency 1 Contents IPv6 Verified NSDs R&D WHOIS User Analysis & Statistics RPKI Testbed 2 IPv6
More informationFacilitating Secure Internet Infrastructure
Facilitating Secure Internet Infrastructure RIPE NCC http://www.ripe.net About the RIPE NCC RIPE Network Coordination Centre Bottom-up, self-regulated, membership association, notfor-profit Regional Internet
More informationAPNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes ARIN XVII Open Policy Meeting George Michaelson Geoff Huston Motivation: Address and Routing Security What we have today is a relatively insecure system
More information9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi
COMP 535 Lecture 6: Routing Security September 3, 2015 Andrew Chi Includes content used with permission by Angelos Keromytis (Columbia), Philip Smith (APNIC), and Steve Kent (BBN) Agenda
More informationCSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca
CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca Based partly on lecture notes by Rob Sherwood, David Mazières, Phil Levis, John Janno? Administrivia Midterm moved up from 3/17 to 3/15 IP
More informationService Provider Multihoming
Service Provider Multihoming ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last
More informationIPv6 Module 6x ibgp and Basic ebgp
IPv6 Module 6x ibgp and Basic ebgp Objective: Using IPv6, simulate four different interconnected ISP backbones using a combination of IS-IS, internal BGP, and external BGP. Topology : Figure 1 BGP AS Numbers
More informationInternet Number Resources
Internet Number Resources 1 Internet Number Resources Key Internet resources IPv6 addresses Autonomous System number IPv4 addresses Internet Fully Qualified Domain Name Internet Number Resources The IP
More informationResource Certification A Public Key Infrastructure for IP Addresses and AS's
Resource Certification A Public Key Infrastructure for IP Addresses and AS's Geoff Huston, George Michaelson Asia Pacific Network Information Centre {gih, ggm}@apnic.net DRAFT - November 2008 Abstract
More informationResource Certification
Resource Certification Guide to Resource Certification in MyAPNIC Registration Guide for MyAPNIC Page 1 of 11 Table of Contents 1 Guide to Resource Certification in MyAPNIC... 3 1.1 Access to Resource
More informationInternet Engineering Task Force (IETF) Updates: 6811 September 2018 Category: Standards Track ISSN:
Internet Engineering Task Force (IETF) R. Bush Request for Comments: 8481 Internet Initiative Japan Updates: 6811 September 2018 Category: Standards Track ISSN: 2070-1721 Abstract Clarifications to BGP
More informationIntroduction. Keith Barker, CCIE #6783. YouTube - Keith6783.
Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -
More informationAPNIC RPKI Report. George Michaelson
APNIC RPKI Report George Michaelson APNIC RPKI Current Activities The RPKI TA Framework APNIC s TA Changes Provisioning Protocol Services The RPKI TA Framework The RPKI TA Framework Managing TAs is an
More information