Resource Public Key Infrastructure

Size: px

Start display at page:

Download "Resource Public Key Infrastructure"

Rodger Perkins
5 years ago
Views:

1 Resource Public Key Infrastructure A pilot for the Internet2 Community to secure the global route table Andrew Gallo

2 The Basics The Internet is a self organizing network of networks. How do you find your way around? Over 500k destinations in the current Internet routing table

3 BGP to the Rescue The Border Gateway Protocol (BGP) runs between network operators to share reachability information. Wildly successful and stable Internet protocol: First standardized in 1989 Current version (4) standardized in 1994

4 BGP a protocol built on trust Very few mechanisms in BGP for security MD5 hash for session passwords TTL security ACLs These mechanisms protect the control plane but say nothing about the payload. About the time of BGP standardization, table size 20k routes and < 1500ASNs (source:

5 What about Identity who is who No hierarchical addressing or routing on the Internet backbone Any address can appear at any location Opposite of the predecessor mass communications network PSTN Solved the problem of decoupling location and identity Created the problem table size (different talk) and topology (identity) integrity anyone can claim to be any address at any location

6 How are address blocks assigned? In the old days (according to legend), in Jon Postel s notebook Today, there is the IANA, the RIRs, LIRs, etc

7 If that s how they re assigned, how are they Validated? They aren t. There is nothing in BGP or its operation that prevents anyone from claiming to be any address. There is no relationship between prefix, ASN, organization, etc. Current state- use Internet Routing Registry (IRR) (eg, RADB), whois data, to filter improper advertisements.

8 When Things go Wrong Pakistan claims to be Youtube (2008) Mistake or intentional? CTBC (Brazilian ISP) leaks full table (2008) China Telecom claims 37,000 routes (2010) Bitcoin hijacking (2014) Why does this happen Mistakes Clobber target network (blackhole target s network) Fun and profit (Bitcoin example) Observe, capture, sniff, MITM (more advanced)

9 Hijacking shortest path client ASN64515 ASN64818 ASN64717 ASN64612 ASN64616 ASN64919 legit /16 bad guy /16 - so am I!

10 BGP Hijacking more specific client ASN64515 ASN64818 ASN64717 ASN64612 ASN64616 ASN64919 legit /16 bad guy /24 - I'm more specific!

11 Current State of the Art Rely on filtering (whois data, IRR data, LOAs) Semi-automated and error prone (poor input data) Detect BGP monitoring services BGPMon Cyclpos Thousand Eyes Mitigate Call your upstream Post to NANOG Advertise more specific networks (as done with YouTube)

12 RPKI is the Answer (to some of the issues) Resource Public Key Infrastructure Relatively new technology Cryptographically assures an ASN is authorized to announce prefixes Extension to X.509 to carry IP prefix information Route Origin Authorization(ROA)

13 RPKI structure The IANA is the source of all addresses But rather than being the single root of the trust chain, each of the 5 Regionals hold selfsigned certs for the resources they hold. Two modes of operation- Hosted (RIRs run the PKI infrastructure) Delegated (RIRs issue Resource Certificates to orgs that further sub-delegate IP space)

14 ROA Contents Origin Autonomous System Number Prefix (with optional max mask length) Validity dates When a ROA is created, it has a cryptographically provable chain to the source of authority allowing that IP to be advertised by that ASN. No more outdated, erroneous, or missing whois or IRR data

15 I ve created ROAs for my routes. Now what? Go collect ROAs from the TALs, process them, feed digested data to router for policy processing. RPKI-to-rtr protocol (RFC 6180) No crypto processing in the routers Not with origin validation SIDR (path validation) Hop-by-hop, with crypto processing on the router

16 What it looks like- block diag Tr ust Anchor Locat or s APNIC RIR hosted crypto engine Afrinic router Delegated/customer CA ARIN* validator router LACNIC router RIPE

17 Three Route States Valid Prefix is covered by a valid ROA Unknown No ROA exists for this prefix Invalid Unauthorized announcement Mismatch between authorized ASN and originating ASN, split origin More specific announcement than valid ROA allows

18 What to do with this data With 89% of the table in an unknown state, probably nothing 1 In a fully deployed RPKI environment, do you Reject unknown, invalid routes? Set LOCALPREF low?? Set Community, put in a VRF? Still under operational development Study RFC Source: 12-OCT-2018

19 Checking validation - CLI VALID agallo@foghorn:~$ whois -h whois.bgpmon.net " --roa /22" 0 - Valid ROA Details Origin ASN: AS4901 Not valid Before: :00:00 Not valid After: :00:00 Expires in 3y291d19h14m42 Trust Anchor: rpki.arin.net Prefixes: 2620:118:5000::/ /22 Invalid ***** Wrong origin AS agallo@foghorn:~$ whois -h whois.bgpmon.net " --roa /22" 2 - Not Valid: Invalid Origin ASN, expected 4901

20 So, we ve solved everything, right? RPKI provides origin validation only See SIDR working group for path validation Still some work to be done on RPKI Secure transport of the RPKI data Operational best practices And, the best part

21 RPKI introduces vulnerabilities TALs become valuable targets Wasn t the decentralized design of the Internet a reaction to the PSTN (either explicitly or implicitly) How do I trust the prefixes the TALs are using are properly originated? Bootstrap problem of using the network itself to validate its own topology (Gödel strikes the Internet?) Currently, rsync is used to collect ROAs, is there a better way? This is changing to RRPD Also, doesn t prevent Improper advertisement with correct ASN Reasoning behind not using max mask length in ROA loose ROA

22 About 10% of the table Chicken-and-egg problem but not like IPv6 Europe is kicking our butts! Slow adoption

23 Don t Speak BGP? You re not off the hook Using hosted applications (what the kids call The Cloud) look at the Bitcoin hijacking case Your space can still be hijacked or clobbered by a fat finger, so: Ask your providers about RPKI plans Demand your resources be protected Not if, but when will the be protected

24 Hosted RPKI with ARIN Overview Generate Key pair Step 1 Step 2 Submit Certificate Request Submit ROA Request Step 3

25 Hosted RPKI with ARIN Basic workflow: Initial (one-time) Request hosted RPKI with ARIN, provide public key that matches the private key that will be used to sign requests This is NOT the keypair used to create the ROA, just to authenticate communication between you and ARIN This take about 24 hours for ARIN to enable RPKI for your resources. Once enabled, everything is self-service.

Hosted RPKI with ARIN Step 1: Key generation See https://www.arin.

26 Hosted RPKI with ARIN Step 1: Key generation See Generate key Extract Public Key

27 Hosted RPKI with ARIN Step 2: Requested Hosted RPKI Log into ARIN Online, Ask ARIN Create ticket for Create Hosted Resource Certificate Include public key created in previous step Wait. During this time ARIN is configuring the RPKI infrastructure to allow you to create ROAs

28 Hosted RPKI with ARIN Step 3: Create ROA (web) Log into ARIN online, navigate to the Org owning the resource Log into ARIN online Left menu, click Search In View Your Associated Networks Click on a Net Handle

29 Click on Actions and select Manage RPKI Hosted RPKI with ARIN Step 4: Create ROA (web) Click on Create ROA

30 Hosted RPKI with ARIN Step 5: Create ROA (web) Fill in Information This is the private key that was created in step 1

31 Hosted RPKI with ARIN Step 5: Manual ROA request (alternate method) There is an option to create the signed request via CLI, and paste the data in this form, in the Signed tab. See Using OpenSSL at

32 Hosted RPKI with ARIN Step 6: Create ROA (web) Last step review Once submitted, a ticket is automatically created Can be viewed under Tickets Usually takes a minute or two to create ROA May take 24 hours to be available via TAL

33 ARIN OT&E Operational Test and Evaluation environment Environment for testing various ARIN services Monthly refresh of data from production See wiki for details setting up RPKI access in the OT&E

34 ARIN OT&E Key Differences All ROAs in the OT&E are signed using a key at: The keypair used in the OT&E for signing requests is public:

35 Route Validation Second half of RPKI: Collect ROAs from Trust Anchors Cryptographic processing Feed digested route list to router Three common validators RIPE s Validator* Dragon Research Labs: rcynic Validator Raytheon BBN RPSTIR Project (current??)

36 Route Validation Validator Demo RIPE Validator Java, requires JRE 8 ARIN Trust Anchor Locator (TAL) must be manually added (We can hold the discussion about the legal ramifications of RPKI for another time!)

37 Junos Configuration Two areas to configure Validation session (connection to the validating cache) Under routing-options validation Import policy to trigger database lookup Under policy-options policy-statement

38 Junos Configuration Validation Session Basic configuration to establish session with validator There are other options (time outs, etc)

39 Junos Configuration Policy This is a simple policy to trigger validation database lookup Policy is open to operational need Accept? Reject? LocalPref? Send to VRF?

40 Junos Operation Show commands Useful show commands show route validation-state State Description Means invalid Invalid route validation state unknown Unknown route validation state No ROA found Mismatch in ASN/prefix mapping; more specific not covered by valid ROA valid Valid route validation state Matching ROA found unverified Unverified route validation state *Junos specific; no policy triggers database lookup show validation session

41 Barriers to Adoption Lack of familiarity Hopefully we ve at least started to address that today RPKI doesn t address a high risk problem Low priority Legal No (L)RSA with ARIN RPA

42 THANK YOU Contact info Andrew Gallo Pilot Wiki

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC Target Audience Knowledge of Internet Routing(specially BGP) Fair idea on Routing Policy No need to know Cryptography Basic knowledge