Measuring the Adoption of Route Origin Validation and Filtering
|
|
- Geoffrey Mitchell
- 5 years ago
- Views:
Transcription
1 Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch PEERING The BGP Testbed
2 The BGP Problem AS D P AS B P P AS C AS A 2
3 The BGP Problem AS D P AS B P P AS C Attacker Legitimate Origin AS A 3
4 and the (partial) solution: RPKI AS D P AS B P P AS C AS A 4
5 and the (partial) solution: RPKI AS D P AS B P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A 5
6 and the (partial) solution: RPKI AS D P AS B P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A 6
7 and the (partial) solution: RPKI AS D P AS B P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A 7
8 ROA and ROV Route Origin Authorization (ROA) Prefix owner authorizes AS to legitimately announce the prefix 8
9 ROA and ROV Route Origin Authorization (ROA) Prefix owner authorizes AS to legitimately announce the prefix Route Origin Validation (ROV) BGP router validates received routes using ROA information 9
10 Research Problem Goal: Are any ASes using ROV-based filtering policies? 10
11 Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy 11
12 Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy Challenge: Private router configurations must be inferred. 12
13 Route Collectors & Vantage Points Vantage Point (VP) BGP Router that exports BGP Updates to a Route Collector AS B P P Route Collector (RC) AS A Route Collector BGP Router that dumps received BGP Updates 13
14 Measuring ROV: Approaches Description Property 14
15 Measuring ROV: Approaches Uncontrolled Description Analyzing existing BGP data and ROAs, trying to infer who is filtering Property Needs Existing Data Fast 15
16 Measuring ROV: Approaches Description Uncontrolled Analyzing existing BGP data and ROAs, trying to infer who is filtering Controlled Actively inject routes and dynamically create ROAs Analyze resulting data to infer who is filtering Property Needs Existing Data Fast Needs own AS & Prefixes Slow 16
17 Controlled Experiments Goal: Find AS that filter invalid routes 17
18 Controlled Experiments Goal: Find AS that filter invalid routes BGP Announce prefixes P A (Anchor) and P E (Experiment) Same RIR DB route object Same prefix length Announced at the same time Announced to same peers Announced from same origin AS 18
19 Controlled Experiments Goal: Find AS that filter invalid routes BGP Announce prefixes P A (Anchor) and P E (Experiment) RPKI Issue ROAs for both prefixes Same RIR DB route object Same prefix length Announced at the same time Announced to same peers Announced from same origin AS P A announcement is always valid. Periodically change ROA for P E : Flips announcement from valid to invalid to valid daily. 19
20 Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly AS A P A P E AS47065 PEERING* Vantage Point * 20
21 Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly AS A P A P E AS47065 PEERING* Vantage Point * 21
22 Controlled Experiments Observation 1: Vantage point exports no route for P E AS A P A AS47065 PEERING* Vantage Point * 22
23 Controlled Experiments Observation 1: Vantage point exports no route for P E AS A P A AS47065 PEERING* Vantage Point Conclusion: Vantage point is using ROV-based filtering * 23
24 Controlled Experiments Observation 2: Vantage point exports alternate route for P E AS A P A AS47065 PEERING* Vantage Point P E AS X P E * 24
25 Controlled Experiments Observation 2: Vantage point exports alternate route for P E AS A Vantage Point P E P A AS X P E Conclusion: Vantage point is using ROV-based filtering selectively. AS47065 PEERING* * 25
26 Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly AS A P A P E AS X P A P E AS47065 PEERING* Vantage Point * 26
27 Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly AS A P A P E AS X P A P E AS47065 PEERING* Vantage Point * 27
28 Controlled Experiments Observation 1: Vantage point exports no route for P E AS A P A AS X P A AS47065 PEERING* Vantage Point * 28
29 Controlled Experiments Observation 2: Vantage point exports different route for P E AS A P A AS X P A AS47065 PEERING* Vantage Point P E AS Y P E * 29
30 Controlled Experiments Problem Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS? 30
31 Controlled Experiments Problem Solution Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS? Establishing direct peering with vantage point AS or Check if intermediate ASes have vantage points 31
32 Controlled Experiments Results Before October 20 th 2017: - Three AS drop invalid routes October 20 th 2017: - AMS-IX Route Server changes ROV based filtering to opt-out ASes drop invalid routes Caveat: Technically, using Route Server filtering isn t deploying ROV! 32
33 ROV Deployment Monitor Idea Give the networking community means to assess state of deployment Launched rov.rpki.net 33
34 ROV Deployment Monitor Implements our measurement methodology. Table with AS that have deployed ROV. Updated daily. 34
35 ROV Deployment Monitor Details show vantage points of AS 35
36 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E 36
37 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid 37
38 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! 38
39 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! Note: False negatives are possible because of default routes! 39
40 Conclusion 40
41 Conclusion Controlled experiments are crucial to measuring adoption of ROVbased filtering policies 41
42 Conclusion Controlled experiments are crucial to measuring adoption of ROVbased filtering policies There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX 42
43 Conclusion Controlled experiments are crucial to measuring adoption of ROVbased filtering policies There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX IXP offering ROV at Route Servers can boost deployment 43
44 Conclusion Please peer with PEERING* and Route Collectors! Questions? * ROV Deployment Monitor: rov.rpki.net More details about methodology: ACM CCR 48(1) 44
45 Reference Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch, Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering, ACM SIGCOMM Computer Communication Review, Vol. 48, No. 1, pp , Jan
46 Backup 46
47 Uncontrolled Experiments Limited Control Limited Visibility Reproducibility Don t know origin AS policy Can t distinguish between ROVfiltering and other filtering Incomplete data can lead to misclassification No 47
48 Controlled: Advantages Limited Control Limited Visibility Reproducibility Control origin AS policy, can announce own routes Can distinguish ROV-filtering by changing route RPKI state Less of an issue: Only care about our routes Yes 48
49 Uncontrolled Experiments AS B P 2 P 2 AS E Vantage Point P 1 AS C P 1 AS A 49
50 Uncontrolled Experiments Does AS C filter P 2 because it s announcement is invalid? AS B P 2 P 2 AS E Vantage Point E P 1 AS C P 1 AS A 50
51 Uncontrolled Experiments AS D Vantage Point D AS B P 1 P 2 P 2 Probably not! AS C P 1 AS A 51
52 Research Problem Goal: Measure the adoption of ROV-based filtering policies ROA ROV Local Policy Which AS is allowed to announce an IP prefix Router operation to validate BGP Updates based on ROA data Decide handling of invalid BGP routes (Drop?) (De-preference?) Public Repository Private Configuration Challenge: Private policies must be inferred from measurements 52
Measuring Adoption of RPKI Route Origin Validation and Filtering
PEERING The BGP Testbed Measuring Adoption of RPKI Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas
More informationTowards A Longitudinal Study of Adoption of RPKI-Based Route Filtering
1 Towards A Longitudinal Study of Adoption of RPKI-Based Route Filtering Ethan Katz-Bassett (University of Southern California) with: Andreas Reuter and Matthias Wahlisch (Freie Universität Berlin), Brandon
More informationMeasuring RPKI Route Origin Validation in the Wild
Master Thesis Measuring RPKI Route Origin Validation in the Wild Andreas Reuter Matr. 4569130 Supervisor: Prof. Dr. Matthias Wählisch Institute of Computer Science, Freie Universität Berlin, Germany January
More informationTowards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering
Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering Andreas Reuter Freie Universitaet Berlin andreas.reuter@fuberlin.de Ethan Katz-Bassett USC / Columbia University
More informationRTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.
RTRlib An Open-Source Library in C for RPKI-based Prefix Origin Validation Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H. Schiller m.waehlisch@fu-berlin.de schmidt@informatik.haw-hamburg.de
More informationRPKI MIRO & RTRlib. Andreas Reuter, Matthias Wählisch Freie Universität Berlin
RPKI MIRO & RTRlib RIPE 74, Budapest Andreas Reuter, Matthias Wählisch Freie Universität Berlin {andreas.reuter,m.waehlisch}@fu-berlin.de Thomas Schmidt HAW Hamburg t.schmidt@haw-hamburg.de RPKI Overview
More informationImpactful Routing Research with the PEERING Testbed
1 Impactful Routing Research with the PEERING Testbed Combining intradomain emulation with real BGP connectivity Ethan Katz-Bassett (University of Southern California) with: Brandon Schlinker and Kyriakos
More informationSecuring the Internet at the Exchange Point Fernando M. V. Ramos
Securing the Internet at the Exchange Point Fernando M. V. Ramos 18.09.2017 Securing the Internet at the Exchange Point Fernando M. V. Ramos 18.09.2017 There are vulnerabilities in the Internet architecture
More informationThe Transition to BGP Security Is the Juice Worth the Squeeze?
The Transition to BGP Security Is the Juice Worth the Squeeze? RPKI Sharon Goldberg Boston University November 2013 Work with Kyle Brogle (Stanford), Danny Cooper (BU), Ethan Heilman (BU), Robert Lychev
More informationBGP Origin Validation (RPKI)
University of Amsterdam System & Network Engineering BGP Origin Validation (RPKI) July 5, 2013 Authors: Remy de Boer Javy de Koning Supervisors: Jac Kloots
More informationSecuring BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC
Securing BGP: The current state of RPKI Geoff Huston Chief Scientist, APNIC Incidents What happens when I announce your addresses in BGP? All the traffic that used to go to you will now come to me I can
More informationJumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira
Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira Prefix hijacking Victim Path: 111 AS X AS 111 Boston University BGP Ad. AS 666 Data flow 2 Prefix
More informationPEERING: An AS for Us
1 : An AS for Us Ethan Katz-Bassett (University of Southern California) with: Brandon Schlinker and Kyriakos Zarifis (USC) Italo Cunha (UFMG Brazil) Nick Feamster (Georgia Tech) Supported By: : An AS for
More informationProblem Statement and Considerations for ROA Mergence. 96 SIDR meeting
Problem Statement and Considerations for ROA Mergence draft-yan-sidr-roa-mergence-00 @IETF 96 SIDR meeting fuyu@cnnic.cn Background RFC 6482 1/19 ROA mergence What is the ROA mergence? is a common case
More informationActive BGP Measurement with BGP-Mux. Ethan Katz-Bassett (USC) with testbed and some slides hijacked from Nick Feamster and Valas Valancius
Active BGP Measurement with BGP-Mux Ethan Katz-Bassett (USC) with testbed and some slides hijacked from Nick Feamster and Valas Valancius 2 Before I Start Georgia Tech system, I am just an enthusiastic
More informationRIPE Labs Operator Tools, Ideas, Analysis
RIPE Labs Operator Tools, Ideas, Analysis AMS-IX Meeting, Amsterdam, 16 Nov. 2011 Mirjam Kühne, RIPE NCC A Bit of History RIPE NCC started as the coordination centre for the RIPE community - RIPE Database,
More informationImplementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer
Implementation of RPKI and IRR filtering on the AMS-IX platform Stavros Konstantaras NOC Engineer RIPE EDUCA 2018 Agenda AMS-IX Route Servers Architecture Features Filtering IRRdb RPKI BGP Communities
More informationSome Thoughts on Integrity in Routing
Some Thoughts on Integrity in Routing Geoff Huston Chief Scientist, APNIC What we want We want the routing system to advertise the correct reachability information for legitimately connected prefixes at
More informationReal-time Blackhole Analysis with Hubble
Real-time Blackhole Analysis with Hubble Ethan Katz-Bassett, Harsha V. Madhyastha, John P. John, Arvind Krishnamurthy, Thomas Anderson University of Washington NANOG 40, June 2007 1 Global Reachability
More informationUpdate from the RIPE NCC
Update from the RIPE NCC INEX Meeting, Dublin, 14 December 2011 Mirjam Kühne, RIPE NCC Outline RIPE Labs - Background, Purpose, Content, Participation IPv6 Activities and Statistics RIPE Atlas RIPEstat
More informationRPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting
RPKI Deployment Considerations: Problem Analysis and Alternative Solutions draft-lee-sidr-rpki-deployment-01 @IETF 95 SIDR meeting fuyu@cnnic.cn Background RPKI in China CNNIC deploy a platform to provide
More informationPERISCOPE: Standardizing and Orchestrating Looking Glass Querying
PERISCOPE: Standardizing and Orchestrating Looking Glass Querying Vasileios Giotsas UCSD/CAIDA vgiotsas@caida.org NANOG 68, October 17-19 2016, Dallas, TX Purpose of this Talk Inform the operational community
More informationHow Complete and Accurate is the Internet Routing Registry (IRR)?
How Complete and Accurate is the Internet Routing Registry (IRR)? Dec 5 th 2011 4th CAIDA-WIDE-CASFI Joint Measurement Workshop Akmal Khan, Hyun-chul Kim, Ted "Taekyoung" Kwon Seoul National University
More informationStudying Black Holes on the Internet with Hubble
Studying Black Holes on the Internet with Hubble Ethan Katz-Bassett, Harsha V. Madhyastha, John P. John, Arvind Krishnamurthy, David Wetherall, Thomas Anderson University of Washington RIPE, May 2008 This
More informationBGP Origin Validation
BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationDeploying RPKI An Intro to the RPKI Infrastructure
Deploying RPKI An Intro to the RPKI Infrastructure VNIX-NOG 24 November 2016 Hanoi, Vietnam Issue Date: Revision: Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours)
More informationAS Connectedness Based on Multiple Vantage Points and the Resulting Topologies
AS Connectedness Based on Multiple Vantage Points and the Resulting Topologies Steven Fisher University of Nevada, Reno CS 765 Steven Fisher (UNR) CS 765 CS 765 1 / 28 Table of Contents 1 Introduction
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationResource Certification. Alex Band, Product Manager DENIC Technical Meeting
Resource Certification Alex Band, Product Manager DENIC Technical Meeting Internet Routing Routing is non-hierarchical, open and free Freedom comes at a price: - You can announce any address block on your
More informationSecure Routing with RPKI. APNIC44 Security Workshop
Secure Routing with RPKI APNIC44 Security Workshop Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationRPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:
RPKI Introduction APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By: 1 Content Why do we need RPKI What is RPKI How to deploy RPKI Configuration case Misdirection / Hijacking Incidents
More informationBGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs
BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs aa@qrator.net Malicious Hijacks/Leaks FISHING SITES HIJACK OF HTTPS CERTIFICATES SPAM/BOTNET ACTIVITY DOS ATTACKS BGP Hijack Factory
More informationIntroduction to BGP. ISP Workshops. Last updated 30 October 2013
Introduction to BGP ISP Workshops Last updated 30 October 2013 1 Border Gateway Protocol p A Routing Protocol used to exchange routing information between different networks n Exterior gateway protocol
More informationDailyCatch: A Provider-centric View of Anycast Behaviour
DailyCatch: A Provider-centric View of Anycast Behaviour Stephen McQuistin University of Glasgow Sree Priyanka Uppu Marcel Flores Verizon Digital Media Services What is IP anycast? 2 What is IP anycast?
More informationInternet Engineering Task Force (IETF) BCP: 185 January 2014 Category: Best Current Practice ISSN:
Internet Engineering Task Force (IETF) R. Bush Request for Comments: 7115 Internet Initiative Japan BCP: 185 January 2014 Category: Best Current Practice ISSN: 2070-1721 Abstract Origin Validation Operation
More informationLIFEGUARD: Practical Repair of Persistent Route Failures
LIFEGUARD: Practical Repair of Persistent Route Failures Ethan Katz-Bassett (USC) Colin Scott, David Choffnes, Italo Cunha, Valas Valancius, Nick Feamster, Harsha Madhyastha, Tom Anderson, Arvind Krishnamurthy
More informationMeasuring and Modeling the Adoption of IPv6
Measuring and Modeling the Adoption of IPv6 Amogh Dhamdhere, Matthew Luckie, Bradley Huffaker, kc claffy (CAIDA/UCSD) Ahmed Elmokashfi (Simula Research) Emile Aben (RIPE NCC) presented at TIP2013, 14 Jan
More informationOverview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies
Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies Presentation Outline The BGP security problem RPKI overiew Address & AS number allocation system Certificates
More informationSecuring Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO
Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN Mark Kosters CTO What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources AS Numbers
More informationBGP Routing Table Report
BGP Routing Table Report View of the routing table between 2006-2016 Objective Analyse changes in global routing table between 2006 to 2016 Analysis is along: 1.Top 5 well connected ASNs 2.Growth of ASNs
More informationMisdirection / Hijacking Incidents
Security Tutorial @ TWNOG SECURE ROUTING WITH RPKI 1 Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationDetecting Peering Infrastructure Outages
Detecting Peering Infrastructure Outages ENOG14, Minsk Vasileios Giotsas, Christoph Dietzel, Georgios Smaragdakis, Anja Feldmann, Arthur Berger, Emile Aben # TU Berlin CAIDA DE-CIX MIT Akamai # RIPE NCC
More informationThe Impact of Router Outages on the AS-Level Internet
The Impact of Router Outages on the AS-Level Internet Matthew Luckie* - University of Waikato Robert Beverly - Naval Postgraduate School *work started while at CAIDA, UC San Diego SIGCOMM 2017, August
More informationISP 1 AS 1 Prefix P peer ISP 2 AS 2 Route leak (P) propagates Prefix P update Route update P Route leak (P) to upstream 2 AS 3 Customer BGP Update messages Route update A ISP A Prefix A ISP B B leaks
More informationRPKI. Resource Pubic Key Infrastructure
RPKI Resource Pubic Key Infrastructure Purpose of RPKI RPKI replaces IRR or lives side by side? Side by side: different advantages Security, almost real time, simple interface: RPKI Purpose of RPKI Is
More informationTTM AS-level Traceroutes
TTM AS-level Traceroutes Matching IPs to ASes René Wilhelm New Projects Group RIPE NCC 1 Motivation TTM performs frequent traceroutes to find closest IP route for delay measurements
More informationBGP Routing Security and Deployment Strategies
Bachelor Informatica Informatica Universiteit van Amsterdam BGP Routing Security and Deployment Strategies Bryan Eikema June 17, 2015 Supervisor(s): Benno Overeinder (NLnet Labs), Stavros Konstantaras
More informationMAPPING PEERING INTERCONNECTIONS TO A FACILITY
MAPPING PEERING INTERCONNECTIONS TO A FACILITY Vasileios Giotsas 1 Georgios Smaragdakis 2 Bradley Huffaker 1 Matthew Luckie 3 kc claffy 1 vgiotsas@caida.org WIE 2015 1 UCSD/CAIDA 2 MIT/TU Berlin 3 University
More informationThe RPKI and BGP Origin Validation
The RPKI and BGP Origin Validation APRICOT / New Delhi 2012.02.27 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2012.02.27
More informationSibyl A Practical Internet Route Oracle
Sibyl A Practical Internet Route Oracle Ítalo Cunha1, Pietro Marchetta2, Matt Calder3, Yi-Ching Chiu3 Brandon Schlinker3, Bruno Machado1, Antonio Pescapè2 Vasileios Giotsas4, Harsha Madhyastha5, Ethan
More informationReverse Traceroute. NSDI, April 2010 This work partially supported by Cisco, Google, NSF
Reverse Traceroute Ethan Katz-Bassett, Harsha V. Madhyastha, Vijay K. Adhikari, Colin Scott, Justine Sherry, Peter van Wesep, Arvind Krishnamurthy, Thomas Anderson NSDI, April 2010 This work partially
More informationRPKI Workshop Routing Lab
RPKI Workshop Routing Lab NANOG / Denver 2011.06.12 Randy Bush Michael Elkins Rob Austein Serpil Bayraktar 2011.06.12 RPKI Router Lab
More informationSoftware Systems for Surveying Spoofing Susceptibility
Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ NANOG68, October 18th 2016 www.caida.o
More informationUnderstanding BGP Miscounfiguration
Understanding Archana P Student of Department of Electrical & Computer Engineering Missouri University of Science and Technology appgqb@mst.edu 16 Feb 2017 Introduction Background Misconfiguration Outline
More informationIPv4 Run-Out, Trading, and the RPKI
IPv4 Run-Out, Trading, and the RPKI MENOG 3 / Salmiya 2008.04.15 Randy Bush http://rip.psg.com/~randy/080415.menog-v4-trad-rpki.pdf 2008.04.15 MENOG v4 Trade RPKI 2 Internet Initiative
More informationThe RPKI & Origin Validation
The RPKI & Origin Validation RIPE / Praha 2010.05.03 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2010.05.03 RIPE RPKI
More informationAS-CRED: Reputation Service for Trustworthy Inter-domain Routing
AS-CRED: Reputation Service for Trustworthy Inter-domain Routing Krishna Venkatasubramanian Computer and Information Science University of Pennsylvania ONR MURI N00014-07-1-0907 Review Meeting June 10,
More informationModule 10 An IPv6 Internet Exchange Point
ISP/IXP Networking Workshop Lab Module 10 An IPv6 Internet Exchange Point Objective: To investigate methods for connecting to an Internet Exchange Point. Prerequisites: Modules 1 to 4, and the Exchange
More informationLessons learned running an RPKI service
Lessons learned running an RPKI service Alex Band Product Manager @alexander_band NANOG 63, San Antonio, Texas RPKI: Ultra Quick Intro 2 RIR becomes a Certificate Authority - Puts IPs and ASNs on a digital
More informationIllegitimate Source IP Addresses At Internet Exchange Points
Illegitimate Source IP Addresses At Internet Exchange Points @ DENOG8, Darmstadt Franziska Lichtblau, Florian Streibelt, Philipp Richter, Anja Feldmann 23.11.2016 Internet Network Architectures, TU Berlin
More informationBGP Routing Table Report
BGP Routing Table Report View of the routing table between 2006-2016 Objective Analyse changes in global routing table between 2006 to 2016 Analysis is along: 1. Top 5 well connected ASNs 2. Growth of
More informationIPv4 Run-Out, Trading, and the RPKI
IPv4 Run-Out, Trading, and the RPKI RIPE 56 / Berlin 2008.05.07 Randy Bush http://rip.psg.com/~randy/080507.ripe-v4-trad-rpki.pdf 2008.05.07 RIPE v4 Trade RPKI 2 Internet Initiative Japan
More informationMANRS How to behave on the internet
MANRS How to behave on the internet Massimiliano Stucchi TOP-IX Meeting January 2017 BGP BGP is based on trust - No built-in validation - Chain of trust is hard to establish - Data scattered over different
More informationVerifying Wide-Area Routing Configuration
Verifying Wide-Area Routing Configuration Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory {feamster,hari}@csail.mit.edu http://nms.lcs.mit.edu/bgp/ BGP
More informationRouting Is At Risk. Let's Secure It Together. Andrei Robachevsky 1
Routing Is At Risk. Let's Secure It Together Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 100 80 60 Hijack Leak 40 20 0 1/1/17 2/1/17 3/1/17 4/1/17
More informationRPKI and Routing Security
Presentation September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) What is the Purpose of
More informationSecuring Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO
Securing Core Internet Functions Resource Certification, RPKI Mark Kosters ARIN CTO Core Internet Functions: Routing & DNS The Internet relies on two critical resources DNS: Translates domain names to
More informationSoftware Systems for Surveying Spoofing Susceptibility
Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ AusNOG 2016, September 2nd 2016 www.caida.o
More informationhttps://spoofer.caida.org/
Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ DDoS PI meeting, March 9 2017 www.caida.o
More informationIntroducción al RPKI (Resource Public Key Infrastructure)
Introducción al RPKI (Resource Public Key Infrastructure) Roque Gagliano rogaglia@cisco.com 4 Septiembre 2013 Quito, Equator 2011 Cisco and/or its affiliates. All rights reserved. 1 Review of problem to
More informationThe Remote Peering Jedi A portal in the remote peering ecosystem
The Remote Peering Jedi A portal in the remote peering ecosystem Vasileios Giotsas, UCSD/CAIDA, vgiotsas@caida.org Petros Gigis, ICS-FORTH/UOC, gkigkis@ics. forth. gr Alexandros Milolidakis, ICS-FORTH/UOC,
More informationRouting Is At Risk. Let's Secure It Together. Andrei Robachevsky 1
Routing Is At Risk. Let's Secure It Together Andrei Robachevsky robachevsky@isoc.org 1 No Day Without an Incident 120 6 month of suspicious activity 100 80 60 Hijack Leak 40 20 0 1/1/17 2/1/17 3/1/17 4/1/17
More informationBROAD AND LOAD-AWARE ANYCAST MAPPING WITH VERFPLOETER
BROAD AND LOAD-AWARE ANYCAST MAPPING WITH VERFPLOETER WOUTER B. DE VRIES, RICARDO DE O. SCHMIDT, WES HARDAKER, JOHN HEIDEMANN, PIETER-TJERK DE BOER AND AIKO PRAS London - November 3, 2017 INTRODUCTION
More informationMAPPING PEERING INTERCONNECTIONS TO A FACILITY
MAPPING PEERING INTERCONNECTIONS TO A FACILITY Vasileios Giotsas 1 Georgios Smaragdakis 2 Bradley Huffaker 1 Matthew Luckie 3 kc claffy 1 vgiotsas@caida.org CoNEXT 2015 1 UCSD/CAIDA 2 MIT/TU Berlin 3 University
More informationExamination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491
Examination IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Date: October 21st 2008 10:00 13:00 a) No help material is allowed You
More informationLife After IPv4 Depletion
1 Life After IPv4 Depletion Jon Worley Analyst Securing Core Internet Functions Resource Certification, RPKI Mark Kosters Chief Technology Officer 2 Core Internet Functions: Routing & DNS The Internet
More informationSome Lessons Learned from Designing the Resource PKI
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007 Address and Routing Security The basic security questions that need to be answered are: Is this a valid
More informationUnderstanding the Reachability of IPv6 Limited Visibility Prefixes
Understanding the Reachability of IPv6 Limited Visibility Prefixes Andra Lutu 1,2, Marcelo Bagnulo 2, Cristel Pelsser 3, and Olaf Maennel 4 1 Institute IMDEA Networks, Spain 2 University Carlos III of
More informationInterdomain Routing and Connectivity
Interdomain Routing and Connectivity Brighten Godfrey CS 538 February 28 2018 slides 2010-2018 by Brighten Godfrey unless otherwise noted Routing Choosing paths along which messages will travel from source
More informationSecuring Routing: RPKI Overview. Mark Kosters Chief Technology Officer
Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer Why are DNSSEC and RPKI important? Two of the most critical resources DNS Routing Hard to tell when resource is compromised Focus of
More informationTechnical update part 2. Arnaud Fenioux France-IX GM-2016
Technical update part 2 Arnaud Fenioux France-IX GM-2016 Oxidized It's a RANCID replacement! Written in ruby to backup equipment s configuration into a git repository Lots of Vendor OS supported Web interface
More informationMeasuring IPv6 Adoption in Africa
Measuring IPv6 Adoption in Africa Ioana Livadariu, Ahmed Elmokashfi, Amogh Dhamdhere Simula Research Laboratory, Norway, CAIDA, UCSD Abstract. With the current IPv4 scarcity problem, deploying IPv6 is
More informationTowards root cause analysis of BGP routing dynamics. Matthew Caesar, Lakshmi Subramanian, Randy H. Katz
Towards root cause analysis of BGP routing dynamics Matthew Caesar, Lakshmi Subramanian, Randy H. Katz mccaesar@cs.berkeley.edu Motivation Interdomain routing suffers from many problems Instability Slow
More information<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency
KISA(KRNIC) UPDATE YOUNGSUN LA (rays@kisa.or.kr) Korea Internet & Security Agency 1 Contents IPv6 Verified NSDs R&D WHOIS User Analysis & Statistics RPKI Testbed 2 IPv6
More informationRobust Inter-Domain Routing
Establishing the Technical Basis for Trustworthy Networking Robust Inter-Domain Routing Addressing Systemic Vulnerabilities in BGP Doug Montgomery (dougm@nist.gov) Manager, Internet and Scalable Systems
More informationAPNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013
APNIC s role in stability and security Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013 Overview Introducing APNIC Working with LEAs The APNIC Whois Database
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: February 2012
Internet Engineering Task Force (IETF) G. Huston Request for Comments: 6483 G. Michaelson Category: Informational APNIC ISSN: 2070-1721 February 2012 Abstract Validation of Route Origination Using the
More informationResource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018
Resource PKI NetSec Tutorial NZNOG2018 - Queenstown 24 Jan 2018 1 Fat-finger/Hijacks/Leaks Bharti (AS9498) originates 103.0.0.0/10 Dec 2017 (~ 2 days) No damage more than 8K specific routes! Google brings
More informationRPKI and Internet Routing Security ~ The regional ISP operator view ~
RPKI and Internet Routing Security ~ The regional ISP operator view ~ APNIC 29/APRICOT 2010 NEC BIGLOBE, Ltd. (AS2518) Seiichi Kawamura 1 Agenda Routing practices of the regional ISP today How this may
More information9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi
COMP 535 Lecture 6: Routing Security September 3, 2015 Andrew Chi Includes content used with permission by Angelos Keromytis (Columbia), Philip Smith (APNIC), and Steve Kent (BBN) Agenda
More informationUpdate on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008 Address and Routing Security What we have had for many years is a relatively insecure interdomain routing system
More informationDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen Lennart van Gijtenbeek Supervisor: Stavros Konstantaras (AMS-IX) SNE: Research Project II 03-07-2018 Introduction Distributed Denial of Service
More informationResource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC
Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC Target Audience Knowledge of Internet Routing(specially BGP) Fair idea on Routing Policy No need to know Cryptography Basic knowledge
More informationQuantifying Violations of Destination-based Forwarding on the Internet
Quantifying Violations of Destination-based Forwarding on the Internet Tobias Flach, Ethan Katz-Bassett, and Ramesh Govindan University of Southern California November 14, 2012 Destination-based Routing
More informationRPKI and Origin Valida9on Deployment in Ecuador IETF 88 Vancouver
So#a Silva Berenguer sofia @ lacnic.net RPKI and Origin Valida9on Deployment in Ecuador IETF 88 Vancouver Some facts about me I prac:ce kung fu I went to a military high- school - > I know how to shoot
More informationSENSS: Software-defined Security Service
SENSS: Software-defined Security Service Minlan Yu University of Southern California Joint work with Abdulla Alwabel, Ying Zhang, Jelena Mirkovic 1 Growing DDoS Attacks Average monthly size of DDoS attacks
More informationMethods for Detection and Mitigation of BGP Route Leaks
Methods for Detection and Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-00 (Route leak definition: draft-ietf-grow-route-leak-problem-definition) K. Sriram, D. Montgomery, and
More informationMANRS Mutually Agreed Norms for Routing Security
27 March 2018 MANRS Mutually Agreed Norms for Routing Security Kevin Meynell meynell@isoc.org Presentation title Client name Internet Society 1992 2016 1 The Problem A Routing Security Overview 2 The Basics:
More informationMANRS. Mutually Agreed Norms for Routing Security. Jan Žorž
MANRS Mutually Agreed Norms for Routing Security Jan Žorž The Problem A Routing Security Overview 2 No Day Without an Incident http://bgpstream.com/ 3 Routing Incidents Cause Real World
More informationA Measurement Study of BGP Misconfiguration
A Measurement Study of BGP Misconfiguration Ratul Mahajan, David Wetherall, and Tom Anderson University of Washington Motivation Routing protocols are robust against failures Meaning fail-stop link and
More information