The RPKI & Origin Validation

Size: px

Start display at page:

Download "The RPKI & Origin Validation"

Coral Wiggins
5 years ago
Views:

1 The RPKI & Origin Validation RIPE / Praha Randy Bush <randy@psg.com> Rob Austein <sra@isc.org> Steve Bellovin <smb@cs.columbia.edu> And a cast of thousands! Well, dozens :) RIPE RPKI 1

2 Routing is Very Fragile How long can we survive on The Web as Random Acts of Kindness, TED Talk by Jonathan Zittrain? RIPE RPKI 2

3 Routing Mistakes Routing errors are significant and have very high customer impact We need to fix this before we are crucified in the WSJ a la Toyota 99% of mis-announcements are accidental originations of someone else s prefix -- Google, UU, IIJ, RIPE RPKI 3

4 Why Origin Validation? Prevent YouTube accident Prevent 7007 accident, UU/Sprint 2 days! Prevents most accidental announcements Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack That requires Path Validation and locking the data plane to the control plane, the next steps, by my children RIPE RPKI 4

5 This is Not New 1986 Bellovin identifies vulnerability 2000 S-BGP X.509 PKI to support Secure BGP - Kent, Lynn, et al NANOG S-BGP Workshop 2006 ARIN & APNIC start work on RPKI. RIPE starts in RPKI Open Testbed and running code in test routers 2009 ISOC discovers problem RIPE RPKI 5

6 The Goal Keep the Internet working!!! Seriously reduce routing damage from mis-configuration, mis-origination Non-Goals Prevent Malicious Attacks Keep RIRs in business by selling X.509 Certificates RIPE RPKI 6

7 Resource Public Key Infrastructure (RPKI) RIPE RPKI 7

8 X.509 Certificate w/ 3779 Ext X.509 Cert CA RFC 3779 Extension Describes IP Resources (Addr & ASN) SIA URI for where this Publishes Owner s Public Key RIPE RPKI 8

9 Being Developed & Deployed by RIRs and Operators RIPE RPKI 9

10 Certificate Hierarchy follows Allocation Hierarchy Cert/ISC Cert/ARIN /16 Public Key SIA Cert/RGnet / / /19 CA CA CA CA Cert/PSGnet Public Key Public Key Public Key Cert/Randy CA Cert/Rob CA / /24 Public Key Public Key RIPE RPKI 10

11 That s Who Owns It but Who May Route It? RIPE RPKI 11

12 Route Origin Authorization (ROA) Owning Cert CA / /16 EE Cert /16 End Entity Cert can not sign certs. can sign other things e.g. ROAs Public Key Public Key ROA /16 This is not a Cert It is a signed blob AS RIPE RPKI 12

13 IANA CA PSGnet /16 Experimental Allocation from ARIN 0/0 Public Key ARIN /8 AS Public Key PSGnet /16 AS 3130 Public Key CA CA Announces 256 /24s EE Cert EE Cert EE Cert EE Cert EE Cert / / / / /24 Public Key Public Key Public Key Public Key Public Key ROA ROA ROA ROA ROA / / / / /24 AS 3130 AS 3130 AS 3130 AS 3130 AS 3130 Too Many EE Certs and ROAs, Yucchhy! RIPE RPKI 13

14 IANA CA 0/0 Public Key ARIN CA /8 Public Key PSGnet CA /16 Public Key EE Cert /16 ROA Aggregation Using Max Length Public Key ROA /16-24 AS RIPE RPKI 14

15 Allocation in Reality My Infrastructure BGP Cust Static (non BGP) Cust Unused RIPE RPKI 15

16 ROA Use My Aggregate ROA Customer ROAs I Generate for Lazy Customer My Infrastructure BGP Cust Static (non BGP) Cust Unused RIPE RPKI 16

17 Running Code And the Three RPKI Protocols RIPE RPKI 17

[Hardware] Signing Module RPKI Engine Prototype of Basic Back End LIR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol My Resources ID=Me Biz EE Signing

18 [Hardware] Signing Module RPKI Engine Prototype of Basic Back End LIR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol My Resources ID=Me Biz EE Signing Key Private RPKI Keys ID=Me Public RPKI Keys Up/Down EE Public Keys Certs Issued to DownStreams Internal CA Data My Misc Config Options Issued ROAs Publication Protocol Repo Mgt Resource PKI XML Object Transport & Handler Up / Down Protocol Internal Protocol My RightsToRoute Delegations to Custs Private IR Biz Trust Anchor Internal CA Data Business Key/Cert Management IP Resource Certs ASN Resource Certs RIPE RPKI Route Origin Attestations 18

19 Big, Centralized, & Scary We Don t Do This RPKI DataBase IP Resource Certs ASN Resource Certs Route Origin Attestations RIPE RPKI 19

20 Distributed RPKI DataBase IANA IANA SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust A Player (CA) Publishes All Certificates Which They Generate in Their Own Unique Publication Point Running Code Repository RIPE RPKI 20

21 RCynic Cache Gatherer (cynical rsync) IANA IANA Trust Anchor SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust RCynic Gatherer Validated Cache RIPE RPKI 21

22 Reliability Issue Expensive To Fetch & Unreliable IANA IANA Trust Anchor SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust RCynic Gatherer Validated Cache RIPE RPKI 22

23 Reliability Via Hosted Publication IANA IANA ARIN ARIN APNIC APNIC UUNET UUNET UUcust PSGnet IIJ PSGnet IIJ UUcust Repository with Multiple Publication Points Reducing the Number of Publication Points Makes RCynic More Efficient RIPE RPKI 23

A Usage Scenario Resources [OrgID] IR s Database(s) My RightsToRoute Delegations to Custs User Web GUI Internal Protocol Keys for Talking to IR BackEnd ID=Me Public RPKI Keys Up/Down EE Public Keys

24 A Usage Scenario Resources [OrgID] IR s Database(s) My RightsToRoute Delegations to Custs User Web GUI Internal Protocol Keys for Talking to IR BackEnd ID=Me Public RPKI Keys Up/Down EE Public Keys 98% of an RIR s Users 10% of an RIR s IP Space Internal CA Data My Misc Config Options Publication Protocol Publication Point Mac Front End GUI & Management Certs Issued to DownStreams RPKI Engine RIPE RPKI 24 Issued ROAs Contract Out To Google Up / Down Protocol 2% of an RIR s Users 90% of an RIR s IP Space

25 Origin Validation Cisco IOS and IOS-XR test code have Origin Validation now Work continues daily in test routers Compute load much less than ACLs from IRR data, 10µsec per update! Expect other vendor soon RIPE RPKI 25

26 RPKI -> Router Global RPKI Object Security RCynic The Third Protocol (origin validation only) Transport Security ssh RCynic Gatherer Cache / Server RPKI to Rtr Protocol BGP Decision Process Near/In PoP RIPE RPKI 26

27 Typical Exchange Cache Router <----- Reset Query R requests data Cache Response -----> C confirms request IPvX Prefix > C sends zero or more IPvX Prefix > IPv4 and IPv6 Prefix IPvX Prefix > Payload PDUs End of Data > C sends End of Data and sends new serial ~ ~ Notify > (optional) <----- Serial Query R requests data Cache Response -----> C confirms request IPvX Prefix > C sends zero or more IPvX Prefix > IPv4 and IPv6 Prefix IPvX Prefix > Payload PDUs End of Data > C sends End of Data and sends new serial ~ ~ RIPE RPKI 27

28 IPv4 Prefix Protocol PDU Version Type Color Length= Prefix Max Data Flags Length Length Source RPKI/IRR IPv4 prefix Autonomous System Number ` ' RIPE RPKI 28

29 IPv6 Prefix Protocol PDU Version Type Color Length= Prefix Max Data Flags Length Length Source RPKI/IRR IPv6 prefix Autonomous System Number ` ' RIPE RPKI 29

30 Extremely Large ISP Deployment Global RPKI Asia Cache NoAm Cache Euro Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache Cust Facing Cust Facing Cust Facing Cust Facing Cust Facing High Priority Lower Priority RIPE RPKI 30

31 Configure router bgp 4128 bgp router-id bgp rpki cache refresh-time 600 address-family ipv4 unicast bgp dampening collect-statistics ebgp redistribute static route-policy vb-ebgp-out RIPE RPKI 31

32 Result of Check Valid A matching/covering ROA was found with a matching AS number Invalid A matching or covering ROA was found, but AS number did not match, and there was no valid one Not Found No matching or covering ROA was found RIPE RPKI 32

33 RIPE RPKI 33

34 Policy Override Knobs Disable Validity Check Completely Disable Validity Check for a Peer Disable Validity Check for Prefixes When check is disabled, the result is Not Found, i.e. as if there was no ROA RIPE RPKI 34

35 RIPE RPKI 35

36 Defaults Origin Validation is Enabled if you have configured a cache server peering RPKI Poll Interval is 30 Minutes No Effect on Policy unless you have configured it RIPE RPKI 36

37 An ISP s ROAs # <prefix>/<length>-<maxlength> <asn> <group> # / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN / ARIN :4860::/ ARIN RIPE RPKI 37

38 Good Dog! RP/0/1/CPU0:r0.dfw#show bgp /24 BGP routing table entry for /24 Versions: Process brib/rib SendTblVer Speaker Last Modified: Oct 2 01:06: for 13:33:12 Paths: (6 available, best #3) Advertised to peers (in unique update groups): Path #1: Received by speaker from ( ) Origin IGP, metric 0, localpref 100, valid, external, \ origin validity state: valid Community: 2914: : : :380 Path #2: Received by speaker RIPE RPKI 38

39 Bad Dog! RP/0/1/CPU0:r0.dfw#sh bgp BGP routing table entry for /20 Versions: Process brib/rib SendTblVer Speaker 0 0 Last Modified: Oct 2 17:38: for 4d22h Paths: (6 available, no best path) Not advertised to any peer Path #1: Received by speaker from ( ) Origin IGP, metric 2, localpref 100, valid, external,\ origin validity state: invalid Community: 2914: : : : RIPE RPKI 39

40 Strange Dog! RP/0/1/CPU0:r0.dfw#sh bgp BGP routing table entry for /16 Versions: Process brib/rib SendTblVer Speaker Last Modified: Oct 2 17:40: for 4d22h Paths: (6 available, best #1) Advertised to peers (in unique update groups): Path #1: Received by speaker from ( ) Origin IGP, metric 68, localpref 100, valid, external, \ origin validity state: not found Community: 2914: : : : RIPE RPKI 40

41 ibgp Hides Validity State p valid invalid p ibgp Full Mesh p unknown which do i choose? why do i choose it? RIPE RPKI 41

42 Unknown Beat Valid! r1.iad#sh ip bg ! BGP routing table entry for /24, version ! Paths: (2 available, best #1, table default)! Not advertised to any peer! ! (metric 1) from ( )! Origin IGP, metric 51, localpref 100, valid, internal, best! Community: 2914: : : :380! ! from ( )! Origin IGP, metric 0, localpref 100, valid, external! Community: 3927:380! Sovc state valid! RIPE RPKI 42

43 MED Beat Valid r1.iad#sh ip bg ! BGP routing table entry for /16, version ! Paths: (2 available, best #1, table default)! Not advertised to any peer! ! (metric 1) from ( )! Origin IGP, metric 105, localpref 100, valid, internal, best! Community: 2914: : : :380! ! from ( )! Origin IGP, metric 653, localpref 100, valid, external! Community: 3927:380! Sovc state valid! RIPE RPKI 43

44 The Solution is to Allow Operator to Test and then Set Local Policy RIPE RPKI 44

45 Secure route-map validity-0!! match rpki-invalid!! drop! route-map validity-1!! match rpki-not-found!! set localpref 50! // valid defaults to 100! RIPE RPKI 45

46 Paranoid route-map validity-0!! match rpki-valid!! set localpref 110! route-map validity-1!! drop! RIPE RPKI 46

47 After AS-Path route-map validity-0! match rpki-unknown!! set metric 50! route-map validity-1! match rpki-invalid!! set metric 25! // valid defaults to 100! RIPE RPKI 47

Running Code The Open TestBed Repository until we get IANA to act as the parent Trust Anchor Trust Anchor *ARIN ARIN *APNIC APNIC until we get IANA to act as the parent ISC ISC Google BWC RGnet RGnet

48 Running Code The Open TestBed Repository until we get IANA to act as the parent Trust Anchor Trust Anchor *ARIN ARIN *APNIC APNIC until we get IANA to act as the parent ISC ISC Google BWC RGnet RGnet JPNIC JPNIC Google runs own RPKI to keep private key private and control own fate, but publishes at ARIN BWC IIJ Cristel IIJ Mesh Mesh Level (3) Level(3) chocolate Cristel runs own RPKI to keep private key private and control own fate, but publishes at IIJ RIPE RPKI * APNIC and ARIN are simulations constructed from public data 48

49 The Big Speedbump RIPE RPKI 49

50 But Who Do We Trust? RIPE RPKI 50

51 RPKI Full Implementation Available as Open Source and there is a mailing list RIPE RPKI 51

52 Work Supported By US Government THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL). ARIN Internet Initiative Japan Cisco, Google, NTT, Equinix RIPE RPKI 52

53 Up / Down Protocol My Resources Simple Parent and Simple Child RPKI Engine Up / Down Protocol RPKI Engine Internal Protocol Internal Protocol IR Back End Childs Resources Registry Back Ends My Resources IR Back End Childs Resources Up / Down Protocol RIPE RPKI 53

54 [Hardware] Signing Module RPKI Engine IR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol My Resources My RightsToRoute ID=Me Biz EE Signing Key(s) Private RPKI Keys ID=Me Public RPKI Keys Up/Down EE Public Keys Certs Issued to DownStreams Internal CA Data My Misc Config Options Issued ROAs XML Object Transport & Handler Up / Down Protocol Internal Protocol Stub Provided to be Hacked Publication Protocol Repo Mgt Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations Private IR Biz Trust Anchor Internal CA Data Business Key/Cert Management RIPE RPKI 54

55 Signing Engine RPKI Engine IR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol Resources [OrgID] RightsToRoute [OrgID] Cust ID Biz EE Signing Key(s) Private RPKI Keys Cust ID Public RPKI Keys Up/Down EE Public Keys Certs Issued to DownStreams Internal CA Data Cust s Preferences Issued ROAs Publication Protocol Repo Mgt Resource PKI XML Object Transport & Handler Up / Down Protocol Internal Protocol Stub Provided to be Hacked Private IR Biz Trust Anchor Internal CA Data Business Key/Cert Management IP Resource Certs ASN Resource Certs Route Origin Attestations RIPE RPKI 55

56 Serial Query Protocol PDU Version Type reserved = zero Length= Serial Number ` ' RIPE RPKI 56

57 End of Data Protocol PDU Version Type reserved = zero Length= Serial Number ` ' RIPE RPKI 57

The RPKI & Origin Validation

The RPKI & Origin Validation NANOG / Denver 2011.06.12 Randy Bush Rob Austein Steve Bellovin Michael Elkins And a cast of thousands!