Facilitating Secure Internet Infrastructure
1 Facilitating Secure Internet Infrastructure
RIPE NCC

2 About the RIPE NCC
RIPE Network Coordination Centre
Bottom-up, self-regulated, membership association, not-for-profit
Regional Internet Registry
- Allocation of IP addresses and AS numbers
- Reverse DNS
Network Coordination Centre
- Information Services, Coordination activities
Funded entirely by members; fully autonomous
Open, Transparent, Neutral, Impartial
RIPE NCC is not RIPE
Security Forum, April 23,

3 Regional Internet Registries (RIRs)

4 The presenter
Chief Technical Officer
- General IT
- On-line Services: RIPE Database, DNS & K-root, Information Services
- Inter-RIR technical coordination
Not a security expert, but
- Coordinated deployment of DNSSEC at the RIPE NCC
- Active participant in resource certification activities

5 Thanks
Olaf Kolkman and Jaap Akkerhuis from NLnetLabs, Geoff Huston from APNIC, Daniel Karrenberg from RIPE NCC
- For allowing me to steal their slides
RIPE NCC and other RIR teams
- For doing the actual work
The Security Forum
- For inviting me

6 Outline
Security and the Internet
Security and DNS
Security and Routing
Challenges

7 There are many ways to be bad on the Internet
Enlist a bot army and mount multi-gigabit DoS attacks
- Extortion leverage
Port scan for known exploits
- Deploy a bot, spyware or simply annoy people
Spew spam
- Yes, there are still gullible folk out there!
Mount a fake web site attack
- And lure victims
Mount a routing attack
- And bring down an entire service / region / country / global network!

8 Internet Architecture
A Network of Networks
- Little intelligence inside the network
- Most of the intelligence is in the end-systems
- Adding functionality doesn't require network changes
- Adding security doesn't require network changes
Between Networks
- Routing & Addressing
- Domain Name System
- Introducing changes here is more challenging

9 Securing the Internet
Securing the infrastructure
- Cables, routers, power, colos, etc.
Securing the edges
- Servers, PCs, etc.
Securing the between
- The common good

10 Network Infrastructure
Little intelligence
- Little potential for exploitation and abuse
Key business assets for ISPs
- Lots of motivation for security
Clear responsibility
Challenges
- Can be done locally and incrementally
- Not a big problem

11 The end-systems
Hosts, personal computers, servers
- Intelligence here: a versatile abuse toolkit
- Poorly defended: design flaws and lack of expertise
- Increasing bandwidth: effective weapon
- Responsibility: widely dispersed
- Criminal activities: botnets, etc.
Challenges
- Cannot be done centrally
- Little control and responsibility
- Buggy applications
- Growing number

12 The between - the common good
Routing
- Decentralised
Addressing
- Hierarchical
DNS
- Hierarchical, distributed
Challenges
- Responsibility is dispersed
- Cannot be done centrally
- Securing the edges can be done more easily
- Tragedy of the commons

13 Outline
Security and the Internet
Security and DNS
Security and Routing

14 Securing DNS
Why secure DNS?
DNSSEC
Deployment of DNSSEC
Challenges
15 The Problem
DNS data published by the registry is being replaced on its path between the server and the client. This can happen in multiple places in the DNS architecture
- Some places are more vulnerable to attacks than others
- Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities)

16 DNS Architecture
(diagram: Registrars -> Registry DB -> Provisioning -> Primary DNS server -> Secondary DNS server -> DNS Protocol -> Cache server -> Cache server -> Client)

17 DNS Architecture
(diagram: the same path, with the attack points marked: Server compromise, Inter-server communication, Cache Poisoning)

18 Solution: DNSSEC
Sign the data
- Each resource record separately
Secure delegation points
- Sign the keys of the children
Allow building a chain of trust from a Trust Anchor to the actual record
A metaphor:
- Compare DNSSEC to a sealed transparent envelope

19-23 How DNSSEC works
(diagram series: root -> .net -> ripe.net; the trust anchor sits at the root, and each parent's key vouches for the child's, shown as root = .net = ripe.net)

24 DNSSEC protection
(diagram: Registrars, Registrants, Registry DB, Provisioning, DNS Protocol; the envelope is sealed at the registry and the seal is checked at two points on the path to the client)

25 DNSSEC properties
DNSSEC secures the name to address mapping
- Transport and application security are just other layers
DNSSEC provides message authentication and integrity verification through cryptographic signatures
- Authentic DNS source
- No modifications between signing and validation
It does not provide authorisation
It does not provide confidentiality
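The chain of trust from slides 18 to 25 (every record signed, each parent signing a digest of its child's key, a trust anchor at the top, and a broken seal anywhere failing the answer) as an added example in Go; this is not code from the deck or from the RIPE NCC. It assumes Ed25519 keys (DNSSEC algorithm 15) in place of the RSA keys of the day, one key per zone instead of a KSK/ZSK pair, text records instead of wire-format RRsets, and freshly generated keys, so nothing in it is a real key or record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one signed resource record: owner, type, rdata and an RRSIG-like
// signature. The rdata stays in clear: DNSSEC gives authenticity, not secrecy.
type Record struct {
	Owner, Type, Data string
	Sig               []byte
}

// canonical is the signed form; owner names are lower-cased as DNSSEC
// canonical form requires, so a case change in transit does not break the seal.
func (r Record) canonical() []byte {
	return []byte(strings.ToLower(r.Owner) + "|" + r.Type + "|" + r.Data)
}

// Zone is a toy signing zone with one Ed25519 key (DNSSEC algorithm 15).
// Real zones usually split a KSK and a ZSK; one key keeps the example short.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, pub: pub, priv: priv}
}

// Public returns the key a validator would configure as a trust anchor.
func (z *Zone) Public() ed25519.PublicKey { return z.pub }

// Sign publishes a record sealed with this zone's key.
func (z *Zone) Sign(owner, typ, data string) Record {
	r := Record{Owner: owner, Type: typ, Data: data}
	r.Sig = ed25519.Sign(z.priv, r.canonical())
	return r
}

// DNSKEY is the zone's public key at its apex, self-signed.
func (z *Zone) DNSKEY() Record { return z.Sign(z.Name, "DNSKEY", hex.EncodeToString(z.pub)) }

// DS is the secure delegation point: the parent publishes a digest of the
// child's key and signs it with its own key ("sign the keys of the children").
func (z *Zone) DS(child *Zone) Record {
	sum := sha256.Sum256(child.pub)
	return z.Sign(child.Name, "DS", hex.EncodeToString(sum[:]))
}

// Link is one delegation step: the child's DNSKEY and the parent's DS for it.
type Link struct{ DNSKEY, DS Record }

// Validate walks from the trust anchor down the chain and finally checks the
// signature on the target record; a broken seal anywhere fails the whole chain.
func Validate(trustAnchor ed25519.PublicKey, chain []Link, target Record) error {
	parentKey := trustAnchor
	for _, l := range chain {
		if !ed25519.Verify(parentKey, l.DS.canonical(), l.DS.Sig) {
			return fmt.Errorf("DS for %s: not signed by the parent zone", l.DS.Owner)
		}
		childKey, err := hex.DecodeString(l.DNSKEY.Data)
		if err != nil || len(childKey) != ed25519.PublicKeySize || l.DNSKEY.Owner != l.DS.Owner {
			return fmt.Errorf("DNSKEY for %s: malformed key or owner mismatch", l.DNSKEY.Owner)
		}
		sum := sha256.Sum256(childKey)
		if hex.EncodeToString(sum[:]) != l.DS.Data {
			return fmt.Errorf("DS for %s: digest does not match the published DNSKEY", l.DS.Owner)
		}
		if !ed25519.Verify(childKey, l.DNSKEY.canonical(), l.DNSKEY.Sig) {
			return fmt.Errorf("DNSKEY for %s: self-signature does not verify", l.DNSKEY.Owner)
		}
		parentKey = childKey
	}
	if !ed25519.Verify(parentKey, target.canonical(), target.Sig) {
		return fmt.Errorf("RRSIG on %s %s does not verify", target.Owner, target.Type)
	}
	return nil
}

// BuildDemo recreates the root -> net -> ripe.net chain from the slides with
// fresh keys; nothing here is a real key or record, and the answer 192.0.2.1
// is a constructed value from documentation address space.
func BuildDemo() (anchor ed25519.PublicKey, chain []Link, target Record) {
	root, net, ripe := NewZone("."), NewZone("net."), NewZone("ripe.net.")
	chain = []Link{
		{DNSKEY: net.DNSKEY(), DS: root.DS(net)},
		{DNSKEY: ripe.DNSKEY(), DS: net.DS(ripe)},
	}
	return root.Public(), chain, ripe.Sign("www.ripe.net.", "A", "192.0.2.1")
}
```

A zone whose parent is unsigned (the /8 case on slide 29) is validated the same way with its own key passed as the trust anchor and an empty chain.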
26 DNSSEC secondary benefits
DNSSEC provides an independent trust path
- The person administering HTTPS is most probably a different person from the one that does DNSSEC
- The chains of trust are most probably different

27 DNSSEC at the RIPE NCC
Service commitment with the community drawn up in 2005
DNSSEC operations introduced on 1 January 2006
Initially, the NCC signed all forward zones (e.g. ripe.net) and reverse /8 zones (e.g. 193.in-addr.arpa)
The NCC also began si g

28 DNSSEC Setup
(diagram: RIPE database domain objects -> provisioning server -> unsigned zones -> signer -> signed zones -> ns-pri.ripe.net publishes the signed zones)

29 Trust anchors
Because the parent is not signed, each /8 is a trust anchor
Trust anchors of all our signed zones are published at
- BIND-style file which can be easily included
- File is signed with the RIPE NCC PGP key

30 Secure delegation points
Users insert their DS (Delegation Signer) records into the parent zones via the RIPE database
Create domain objects with the appropriate DS attributes

31 Operational impact of DNSSEC
CPU usage on the server doubled - from about 8% to about 16%
Traffic to the server went up by 60%
There was no noticeable increase in memory usage

32 How about the client side?
Set up your caching nameserver to perform validation and the infrastructure behind it is protected
DNSSEC has not yet been pushed to the host or application
Costs are in maintaining trust anchors
- There is no standard to automate against

33 Challenges
New technology; chicken and egg
L9 issues at the top
Zone walking possibility
- Is this really an issue in your environment?
- Solutions are there - NSEC3
Higher security vs increased complexity
Automated key rollover and distribution
34 Outline
Security and the Internet
Security and DNS
Security and Routing

35 Securing Routing
Why secure routing?
Certification: a starting point for routing security
Internet resource certification
Challenges

36 Why secure routing?

37 If I were really bad (and evil) I'd attack the routing system
Through routing I'd attack:
- the DNS system
- isolate critical public servers and resources
- overwhelm the routing system with spurious information
- generate a massive routing overload situation to bring down entire regional routing domains
And see if I could bring the network to a complete chaotic halt

38 What's the base problem here?
Routing is built on mutual trust models of varying quality
Routing auditing is a low value but expensive activity
It's a tragedy of the commons situation:
- Nobody can single-handedly apply rigorous tests on the routing system
- And the lowest common denominator approach is to apply no integrity tests at all
- All trust and no defence

39 So we need routing security like we need clean air and clean water
But what does this need mean?
- Who wants to pay for decent security?
- What are the business drivers for effective security?
- How do you avoid diversions into security pantomimes and functionless veneers?
Can you make decent security and also support better, faster and cheaper networked services?

40 Threats
Corrupting the routers' forwarding tables can result in:
- Misdirecting traffic (subversion, denial of service, third party inspection, passing off)
- Dropping traffic (denial of service, compound attacks)
- Adding false addresses into the routing system (support compound attacks)
- Isolating or removing the router from the network

41 Address and Routing Security
The basic routing payload security questions that need to be answered are:
- Is this a valid address prefix?
- Who injected this address prefix into the network?
- Did they have the necessary credentials to inject this address prefix?
- Is the forwarding path to reach this address prefix an acceptable representation of the network's forwarding state?
Can these questions be answered reliably, cheaply and quickly?

42 A Foundation for Routing Security
The use of authenticatable attestations to allow automated validation of:
- the authenticity of the route object being advertised
- the authenticity of the origin AS
- the binding of the origin AS to the route object
Such attestations are used to provide a cost effective method of validating routing requests
- as compared to today's state of the art, based on techniques of vague trust and random whois data mining

43 Certification: A Starting Point for Routing Security
Certification of the right-of-use of IP addresses and AS numbers as a linked attribute of the Internet's number resource allocation and distribution framework
Adoption of some basic security functions into the Internet's routing domain:
- Injection of reliable, trustable data
- A Resource PKI as the base of validation of network data
- Explicit verifiable mechanisms for integrity of data distribution
- Adoption of some form of certified authorization mechanism to support validation of credentials associated with address and routing information

44 X.509 Extensions for IP Addresses
RFC 3779 defines extensions to the X.509 certificate format for IP addresses & AS numbers
The extension binds a list of IP address blocks and AS numbers to the subject of a certificate
These extensions may be used to convey the issuer's authorization of the subject for exclusive use of the IP addresses and autonomous system identifiers contained in the certificate extension
The extension is defined as a critical extension
- Validation includes the requirement that the Issuer's certificate extension must encompass the resource block described in the extension of the certificate being validated

45 What is being certified
For example: RIPE NCC (the "Issuer") certifies that:
- the certificate Subject whose public key is contained in the certificate is the current controller of a set of IP address and AS resources that are listed in the certificate extension
RIPE NCC does NOT certify the identity of the subject, nor their good (or evil) intentions!
46 Resource Certificates
(diagram: Resource Allocation Hierarchy - AFRINIC, APNIC, ARIN, RIPE NCC, LACNIC at the top; LIR1 and LIR2 below RIPE NCC; ISPs below the LIRs)

47 Resource Certificates
(diagram: the same hierarchy; Issued Certificates match allocation actions)

48 Resource Certificates
(diagram: the same hierarchy, with the certificate RIPE NCC issues to LIR2)
- Issuer: RIPE NCC, Subject: LIR2, Resources: /16, Key Info: <lir2-key-pub>, Signed: <ripencc-key-priv>

49 Resource Certificates
(diagram: as above, plus the certificate LIR2 issues to ISP4)
- Issuer: RIPE NCC, Subject: LIR2, Resources: /16, Key Info: <lir2-key-pub>, Signed: <ripencc-key-priv>
- Issuer: LIR2, Subject: ISP4, Resources: /24, Key Info: <isp4-key-pub>, Signed: <lir2-key-priv>

50 Resource Certificates
(diagram: hierarchy with NIR1 and NIR2 below RIPE NCC, plus the end-entity certificate ISP4 issues to itself)
- Issuer: RIPE NCC, Subject: LIR2, Resources: /16, Key Info: <lir2-key>, Signed: <ripencc-key-priv>
- Issuer: LIR2, Subject: ISP4, Resources: /22, Key Info: <isp4-key>, Signed: <lir2-key-priv>
- Issuer: ISP4, Subject: ISP4-EE, Resources: /24, Key Info: <isp4-ee-key>, Signed: <isp4-key-priv>

51 What could you do with Resource Certificates?
You could sign routing origination authorities or routing requests with your private key, providing an authority for an AS to originate a route for the named prefix. A Relying Party can validate this authority in the RPKI
You could use the private key to sign routing information in an Internet Route Registry
You could attach a digital signature to a protocol element in a routing protocol
You could issue signed derivative certificates for any sub-allocations of resources

52 Signed Objects
(diagram: the allocation hierarchy with its Issued Certificates, and a Route Origination Authority)
- Route Origination Authority: "ISP4 permits AS65000 to originate a route for the prefix /24"
- Attachment: <isp4-ee-cert>
- Signed, ISP4 <isp4-ee-key-priv>

53-55 Signed Object Validation
(diagram: the same Route Origination Authority, with the RIPE NCC Trust Anchor at the top of the hierarchy)
1. Did the matching private key sign this text?
2. Is this certificate valid?
3. Is there a valid certificate path from a Trust Anchor to this certificate?

56 Signed Object Validation: Validation Outcomes
(diagram: the same Route Origination Authority and hierarchy)
1. ISP4 authorized this Authority document
2. /24 is a valid address, derived from an RIPE NCC allocation
3. ISP4 holds a current right-of-use of /24
4. A route object, where AS65000 originates an advertisement for the address prefix /24, has the explicit authority of ISP4, who is the current holder of this address prefix
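The three validation questions on slides 53 to 56 together with the RFC 3779 encompassment rule from slide 44, as an added example in Go that is not part of the deck or of any RIR software. It assumes a plain struct with Ed25519 signatures in place of X.509/CMS, constructed RFC 1918 prefixes standing in for the /16, /24 and AS65000 of the slides, and leaves out validity periods and revocation. CheckOrigin goes one step beyond the slides and classifies a single announcement against the validated ROA (valid, invalid or not-found, the outcomes later standardised in RFC 6811).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
)

// Cert is a toy resource certificate: Prefixes models the RFC 3779 extension, Sig is the issuer's signature over tbs().
type Cert struct {
	Subject  string
	Prefixes []netip.Prefix
	Pub      ed25519.PublicKey
	Sig      []byte
}
func (c Cert) tbs() []byte { return []byte(fmt.Sprintf("%s|%v|%x", c.Subject, c.Prefixes, []byte(c.Pub))) }

// ROA: "ISP4 permits AS65000 to originate a route for the prefix", signed with the EE key.
type ROA struct {
	Prefix      netip.Prefix
	MaxLen, ASN int
	Sig         []byte
}
func (r ROA) tbs() []byte { return []byte(fmt.Sprintf("%s|%d|%d", r.Prefix, r.MaxLen, r.ASN)) }

// covers reports whether prefix p contains the whole of prefix c.
func covers(p, c netip.Prefix) bool { return p.Bits() <= c.Bits() && p.Contains(c.Masked().Addr()) }

// encompasses is the RFC 3779 rule from the slides: every claimed prefix must sit inside one the issuer lists.
func encompasses(issuer Cert, claimed []netip.Prefix) bool {
next:
	for _, c := range claimed {
		for _, p := range issuer.Prefixes {
			if covers(p, c) {
				continue next
			}
		}
		return false
	}
	return true
}

// ValidateROA asks the slides' three questions: did the matching key sign the ROA, is each
// certificate valid (signed by its issuer, inside the issuer's resources), is there a path from the trust anchor.
func ValidateROA(ta Cert, chain []Cert, roa ROA) error {
	issuer := ta
	for _, c := range chain {
		if !ed25519.Verify(issuer.Pub, c.tbs(), c.Sig) {
			return fmt.Errorf("%s: not signed by %s", c.Subject, issuer.Subject)
		}
		if !encompasses(issuer, c.Prefixes) {
			return fmt.Errorf("%s: claims addresses that %s does not hold", c.Subject, issuer.Subject)
		}
		issuer = c
	}
	if !ed25519.Verify(issuer.Pub, roa.tbs(), roa.Sig) { // the last certificate is the EE cert
		return fmt.Errorf("ROA: not signed by the key in %s", issuer.Subject)
	}
	if roa.MaxLen < roa.Prefix.Bits() || !encompasses(issuer, []netip.Prefix{roa.Prefix}) {
		return fmt.Errorf("ROA: prefix %s is outside the resources of %s", roa.Prefix, issuer.Subject)
	}
	return nil
}

// CheckOrigin compares one announcement against validated ROAs; the outcome feeds local policy, it is not a reachability decision.
func CheckOrigin(roas []ROA, announced string, origin int) string {
	p, out := netip.MustParsePrefix(announced), "not-found"
	for _, r := range roas {
		if covers(r.Prefix, p) {
			if r.ASN == origin && p.Bits() <= r.MaxLen {
				return "valid"
			}
			out = "invalid" // covered by a ROA, but wrong origin AS or more specific than MaxLen
		}
	}
	return out
}

// issue creates a certificate for subject over one prefix, signed by issuerPriv.
func issue(issuerPriv ed25519.PrivateKey, subject, prefix string) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := Cert{Subject: subject, Prefixes: []netip.Prefix{netip.MustParsePrefix(prefix)}, Pub: pub}
	c.Sig = ed25519.Sign(issuerPriv, c.tbs())
	return c, priv
}

// BuildDemo recreates the RIPE NCC -> LIR2 -> ISP4 -> ISP4-EE chain from the slides with fresh keys and
// constructed RFC 1918 prefixes, plus a second chain in which LIR2 issues ISP4 more space than LIR2 holds.
func BuildDemo() (ta Cert, chain, overclaim []Cert, roa ROA) {
	taPub, taPriv, _ := ed25519.GenerateKey(rand.Reader)
	ta = Cert{Subject: "RIPE NCC", Prefixes: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}, Pub: taPub}
	lir2, lir2Priv := issue(taPriv, "LIR2", "10.0.0.0/16")
	isp4, isp4Priv := issue(lir2Priv, "ISP4", "10.0.1.0/24")
	ee, eePriv := issue(isp4Priv, "ISP4-EE", "10.0.1.0/24")
	roa = ROA{Prefix: netip.MustParsePrefix("10.0.1.0/24"), MaxLen: 24, ASN: 65000}
	roa.Sig = ed25519.Sign(eePriv, roa.tbs())
	bad, _ := issue(lir2Priv, "ISP4", "10.0.0.0/15") // wider than the /16 LIR2 holds
	return ta, []Cert{lir2, isp4, ee}, []Cert{lir2, bad}, roa
}
```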
57 Intended Objectives
Create an underlying framework for route security measures
Assist ISP business process accuracy with peering and customer configuration tool support
Improve the integrity of published data through the signing and verification capability in the RIPE Database, IRR and similar

58 What this does NOT do
Compete with the S-BGP, soBGP and pgBGP proposals
- It is intended to provide a robust validation framework that supports the operation of such proposals that intend to secure the operation of the BGP protocol
Insert another critical point of vulnerability into the Internet
- No intention of defining a framework of certificate-enforced compliance as a precursor to network reachability
- Interpretation of validation outcomes is a local policy preference outcome

59 Challenges
Critical mass of adoption
- Even basic route filtering is not a common practice
- Little incentive
More complex provisioning system
- Requires modifications and expertise
A long road to secure routing
- RPKI and ROAs only secure origination requests
- S*-BGP - more comprehensive proposals, but much more complex and demanding

60 Summary
Securing the Internet means securing:
- The edge
- The infrastructure
- The between
Securing DNS and routing is challenging and requires a lot of coordination
- Lead by example, share experience
- Take responsibility as a community
- Make it easier
But this will make the Internet a better and safer place
61 Questions?
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationIPv6, Act Now! Daniel Karrenberg, RIPE NCC Chief Scientist
IPv6, Act Now! Daniel Karrenberg, RIPE NCC Chief Scientist Who is talking: Daniel Karrenberg 1980s: helped build Internet in Europe EUnet, Ebone, IXes,... RIPE 1990s: helped build RIPE NCC 1st CEO: 1992-2000
More informationResource Certification. Alex Band, Product Manager DENIC Technical Meeting
Resource Certification Alex Band, Product Manager DENIC Technical Meeting Internet Routing Routing is non-hierarchical, open and free Freedom comes at a price: - You can announce any address block on your
More informationWhois & Data Accuracy Across the RIRs
Whois & Data Accuracy Across the RIRs Terms ISP An Internet Service Provider is allocated address space by an RIR for the purpose of providing connectivity and address space to their downstream customer
More informationResource Certification A Public Key Infrastructure for IP Addresses and AS's
Resource Certification A Public Key Infrastructure for IP Addresses and AS's Geoff Huston, George Michaelson Asia Pacific Network Information Centre {gih, ggm}@apnic.net DRAFT - November 2008 Abstract
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: February 2012
Internet Engineering Task Force (IETF) G. Huston Request for Comments: 6483 G. Michaelson Category: Informational APNIC ISSN: 2070-1721 February 2012 Abstract Validation of Route Origination Using the
More informationRPKI and Internet Routing Security ~ The regional ISP operator view ~
RPKI and Internet Routing Security ~ The regional ISP operator view ~ APNIC 29/APRICOT 2010 NEC BIGLOBE, Ltd. (AS2518) Seiichi Kawamura 1 Agenda Routing practices of the regional ISP today How this may
More information<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency
KISA(KRNIC) UPDATE YOUNGSUN LA (rays@kisa.or.kr) Korea Internet & Security Agency 1 Contents IPv6 Verified NSDs R&D WHOIS User Analysis & Statistics RPKI Testbed 2 IPv6
More informationRIPE NCC Introduction. Jochem de Ruig Chief Financial Officer
RIPE NCC Introduction Chief Financial Officer RIPE NCC Contents Basics what are Internet Number Resources (INR)? The INR world The registration Legal aspects of INR RIPE NCC and Law Enforcement Basics
More informationAn Operational ISP & RIR PKI
An Operational ISP & RIR PKI ARIN / Montreal 2006.04.10 Randy Bush Quicksand Unknown quality of whois data Unknown quality of IRR data No formal
More informationResource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018
Resource PKI NetSec Tutorial NZNOG2018 - Queenstown 24 Jan 2018 1 Fat-finger/Hijacks/Leaks Bharti (AS9498) originates 103.0.0.0/10 Dec 2017 (~ 2 days) No damage more than 8K specific routes! Google brings
More informationFeedback from RIPE NCC Registration Services. Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam
Feedback from RIPE NCC Registration Services Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam Outline ASN32 success, a competitive disadvantage? Last /8 implementation detail Upgrade of /32 IPv6 allocations
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationHD Ratio for IPv4. RIPE 48 May 2004 Amsterdam
HD Ratio for IPv4 RIPE 48 May 2004 Amsterdam 1 Current status APNIC Informational presentation at APNIC 16 Well supported, pending presentation at other RIRs ARIN Similar proposal made at ARIN XIII Not
More informationSCION: Scalability, Control and Isolation On Next-Generation Networks
SCION: Scalability, Control and Isolation On Next-Generation Networks Xin Zhang, Hsu-Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen 1 After years of patching, the Internet is Reliable
More informationLEA Workshop. Champika Wijayatunga & George Kuo, APNIC Wellington, New Zealand 09, May, 2013
LEA Workshop Champika Wijayatunga & George Kuo, APNIC Wellington, New Zealand 09, May, 2013 Agenda Introduction to APNIC Know about APNIC Internet Policy Development How the Internet Policies are developed
More informationIPv6 Addressing Status and Policy Report. Paul Wilson Director General, APNIC
IPv6 Addressing Status and Policy Report Paul Wilson Director General, APNIC Overview Introduction to APNIC Role and responsibilities IPv6 deployment status Allocations, Registration and Routing Asia Pacific
More informationRegistry Vulnerabilities An Overview
Registry Vulnerabilities An Overview Edward Lewis ed.lewis@neustar.biz ccnso Tech Day @ ICANN 46 April 8, 2013 1 Goal of the Presentation» High-level overview of where security matters» Reduce the chances
More informationIn the Domain Name System s language, rcode 0 stands for: no error condition.
12/2017 SIMPLE, FAST, RESILIENT In the Domain Name System s language, rcode 0 stands for: no error condition. If a DNS server answers a query with this result code, the service is running properly. This
More informationA Policy Story - IPv4 Transfer. TWNIC OPM 26, Taipei 14 December 2016 George Kuo, Services Director
A Policy Story - Transfer TWNIC OPM 26, Taipei 14 December 2016 George Kuo, Services Director 1 About APNIC Membership-based, not-for-profit, Regional Internet Registry (RIR) Delegates and registers IP
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More informationAPNIC DNSSEC APNIC DNSSEC. Policy and Practice Statement. DNSSEC Policy and Practice Statement Page 1 of 12
APNIC DNSSEC Policy and Practice Statement DNSSEC Policy and Practice Statement Page 1 of 12 Table of Contents Overview 4 Document name and identification 4 Community and applicability 4 Specification
More informationInternet Kill Switches Demystified
Internet Kill Switches Demystified Benjamin Rothenberger, Daniele E. Asoni, David Barrera, Adrian Perrig EuroSec 17, Belgrade B.Rothenberger 23.04.2017 1 B.Rothenberger 23.04.2017 2 Internet Kill Switches
More informationARIN Update. Mark Kosters CTO
ARIN Update Mark Kosters CTO Agenda What does ARIN do? A short ARIN status report How you can get IP space from us? 2 3 ARIN, a nonprofit member-based organization, supports the operation of the Internet
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationIPv6 Allocation Policy and Procedure. Global IPv6 Summit in China 2007 April 13, 2007 Gerard Ross and Guangliang Pan
IPv6 Allocation Policy and Procedure Global IPv6 Summit in China 2007 April 13, 2007 Gerard Ross and Guangliang Pan 1 Overview Introduction to APNIC Policy development process IPv6 policy and procedures
More informationDNS Security. Wolfgang Nagele DNS Group Manager
DNS Security Wolfgang Nagele DNS Group Manager DNS: the Domain Name System Specified by Paul Mockapetris in 1983 Distributed Hierarchical Database Main purpose: Translate names to IP addresses Since then:
More informationRoot Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS
More informationInter-Domain Routing: BGP
Inter-Domain Routing: BGP Stefano Vissicchio UCL Computer Science CS 3035/GZ01 Agenda We study how to route over the Internet 1. Context The Internet, a network of networks Relationships between ASes 2.
More informationBGP Origin Validation
BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationFIRMS: a Future InteRnet Mapping System
Institute of Computer Science Department of Distributed Systems Prof. Dr.-Ing. P. Tran-Gia FIRMS: a Future InteRnet Mapping System Michael Menth, Matthias Hartmann, Michael Höfling Overview The FIRMS architecture
More informationRIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.
K-root and DNSSEC Wolfgang Nagele RIPE NCC RIPE NCC One of the five Regional Internet Registries Provides IP address and AS number resources to Europe and Middle-East regions DNS related work - Parent
More informationSecuring the Border Gateway Protocol. Dr. Stephen Kent Chief Scientist - Information Security
Securing the Border Gateway Protocol Dr. Stephen Kent Chief Scientist - Information Security Outline BGP Overview BGP Security S-BGP Architecture Deployment Issues for S-BGP Alternative Approaches to BGP
More informationIntroduction to The Internet
Introduction to The Internet ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok Last updated 5 th May 2015 1 Introduction to the Internet p Topologies and Definitions p IP Addressing p
More informationJust give me a button!
Just give me a button! The challenges of routing security RIPE NCC Members organisation founded in 1992 Manages IP and ASN allocations in Europe, Middle East and former Soviet Union - Ensure unique holdership
More informationAPNIC 26 policy update Shifting landscape
APNIC 26 policy update Shifting landscape IPv6 Global Summit, 2 nd September 2008 Taipei, Taiwan Miwa Fujii IPv6 Program Manager APNIC 1 Overview Recap of the Internet policy community RIR and NRO APNIC
More informationDNS Security. Wolfgang Nagele DNS Services Manager
DNS Security Wolfgang Nagele DNS Services Manager DNS: the Domain Name System Specified by Paul Mockapetris in 1983 Distributed Hierarchical Database Main purpose: Translate names to IP addresses Since
More information(DNS, and DNSSEC and DDOS) Geoff Huston APNIC
D* (DNS, and DNSSEC and DDOS) Geoff Huston APNIC How to be bad 2 How to be bad Host and application-based exploits abound And are not going away anytime soon! And there are attacks on the Internet infrastructure
More informationIP Address Management The RIR System & IP policy
IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early address management Evolution of address management Address management today Address policy development IP allocation
More informationIPv6 Allocation and Policy Update. Global IPv6 Summit in China 2007 April 12, 2007 Guangliang Pan
IPv6 Allocation and Policy Update Global IPv6 Summit in China 2007 April 12, 2007 Guangliang Pan 1 Overview IPv6 allocation status update Global IPv6 allocations APNIC allocation and assignment details
More information