Facilitating Secure Internet Infrastructure

Size: px

Start display at page:

Download "Facilitating Secure Internet Infrastructure"

Buddy Payne
5 years ago
Views:

1 Facilitating Secure Internet Infrastructure RIPE NCC

2 About the RIPE NCC RIPE Network Coordination Centre Bottom-up, self-regulated, membership association, notfor-profit Regional Internet Registry - Allocation of IP addresses and AS numbers - Reverse DNS Network Coordination Centre - Information Services, Coordination activities Funded entirely by members; fully autonomous Open Transparent Neutral Impartial RIPE NCC is not RIPE Security Forum, April 23,

Regional Internet Registries (RIRs) 1997 1992 2002 2005

3 Regional Internet Registries (RIRs) Security Forum, April 23,

4 The presenter Chief Technical Officer - General IT - On-line Services RIPE Database DNS & K-root Information Services - Inter-RIR technical coordination Not a security expert, but - Coordinated deployment of DNSSEC at the RIPE NCC - Active participant in resource certification activities Security Forum, April 23,

5 Thanks Olaf Kolkman and Jaap Akkerhuis from NLNetLabs Geoff Huston from APNIC Daniel Karrenberg from RIPE NCC - For allowing me to steal their slides RIPE NCC and other RIR teams - For doing the actual work The Security Forum - For inviting me Security Forum, April 23,

6 Outline Security and the Internet Security and DNS Security and Routing Challenges Security Forum, April 23,

7 There are many ways to be bad on the Internet Enlist a Bot army and mount multi-gigabit DOS attacks - Extortion leverage Port Scan for known exploits - Deploy a bot, spyware or simply annoy people Spew spam - Yes, there are still gullible folk out there! Mount a fake web site attack - And lure victims Mount a routing attack - And bring down an entire service / region / country / global network! Security Forum, April 23,

8 Internet Architecture A Network of Networks - Little intelligence inside the network - Most of the intelligence is in the end-systems Adding functionality doesn t require network changes Adding security doesn t require network changes Between Networks - Routing & Addressing - Domain Name System - Introducing changes here is more challenging Security Forum, April 23,

9 Securing the Internet Securing the Infrastructure - Cables, routers, power, colo s, etc. Securing the edges - Servers, PCs, etc. Securing the between - The common good Security Forum, April 23,

10 Network Infrastructure Little intelligence - Little potential for exploitation and abuse Key business assets for ISPs - Lots of motivation for security Clear responsibility Challenges - Can be done locally and incrementally - Not a big problem Security Forum, April 23,

11 The end-systems Hosts, personal computers, servers - Intelligence here: a versatile abuse toolkit - Poorly defended: design flaws and lack of expertise - Increasing bandwidth: effective weapon - Responsibility: widely dispersed - Criminal activities: botnets, etc. Challenges - Cannot be done centrally - Little control and responsibility - Buggy applications - Growing number Security Forum, April 23,

12 Routing The between - the common good - Decentralised - Addressing - hierarchical DNS - Hierarchical, distributed Challenges - Responsibility is dispersed - Cannot be done centrally - Securing edges can be done easier - Tragedy of the commons RIPE Network Coordination Centre Security Forum, April 23,

13 Outline Security and the Internet Security and DNS Security and Routing Security Forum, April 23,

14 Securing DNS Why to secure DNS? DNSSEC Deployment of DNSSEC Challenges Security Forum, April 23,

15 The Problem DNS data published by the registry is being replaced on its path between the server and the client. This can happen in multiple places in the DNS architecture - Some places are more vulnerable to attacks then others - Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities) Security Forum, April 23,

16 Registrars DNS Architecture RIPE Network Coordination Centre Secondary DNS server Cache server Registry DB Provisioning Primary DNS server DNS Protocol Cache server Client Security Forum, April 23,

17 Registrars DNS Architecture RIPE Network Coordination Centre Server compromise Inter-server communication Cache Poisoning Registry DB Provisioning DNS Protocol Security Forum, April 23,

18 Solution: DNSSEC Sign the data - Each resource record separately Secure delegation points - Sign the keys of the children Allow building a chain of trust from a Trust Anchor to the actual record A Metaphor: - Compare DNSSEC to a sealed transparent envelope Security Forum, April 23,

19 How DNSSEC works root.net.net Security Forum, April 23,

20 How DNSSEC works root.net.net ripe.net Security Forum, April 23,

21 Trust anchor How DNSSEC works root= root.net.net = ripe.net Security Forum, April 23,

22 Trust anchor How DNSSEC works root= root.net.net = ripe.net.net ripe.net ripe.net = Security Forum, April 23,

23 Trust anchor How DNSSEC works root= root.net.net = ripe.net ripe.net = ripe.net Security Forum, April 23,

24 Registrars Registrants DNSSEC protection RIPE Network Coordination Centre envelope sealed Seal checked Registry DB Provisioning DNS Protocol Seal checked Security Forum, April 23,

25 DNSSEC properties DNSSEC secures the name to address mapping - Transport and Application security are just other layers DNSSEC provides message authentication and integrity verification through cryptographic signatures - Authentic DNS source - No modifications between signing and validation It does not provide authorisation It does not provide confidentiality Security Forum, April 23,

26 DNSSEC secondary benefits DNSSEC provides an independent trust path - The person administering https is most probably a different from person from the one that does DNSSEC - The chains of trust are most probably different Security Forum, April 23,

27 DNSSEC at the RIPE NCC Servi c e commitment with the community drawn up in 2005 DNSSEC operations introduced on 1 January 2006 Initially, the NCC signed all forward zones (eg. ( 193.in-addr.arpa ripe.net) and reverse /8 zones (eg. The NCC also began si g Security Forum, April 23,

28 DNSSEC Setup signer unsigned zones signed zones RIPE database Domain objects provisioning server ns-pri.ripe.net publish signed zones Security Forum, April 23,

29 Trust anchors Because the parent is not signed each /8 is a trust anchor Trust anchors of all our signed zones are published at BIND-style file which can be easily included File is signed with the RIPE NCC PGP key Security Forum, April 23,

30 Secure delegation points Users insert their DS (delegated signer) records into parents zones via the RIPE database Create domain objects with the appropriate DS attributes Security Forum, April 23,

31 Operational impact of DNSSEC RIPE Network Coordination Centre CPU usage on the server doubled - from about 8% to about 16% Traffic to the server went up by 60% There was no noticeable increase in memory usage Security Forum, April 23,

32 How about the client side Set up your caching nameserver to perform validation and the infrastructure behind it is protected DNSSEC has not yet been pushed to the host or application Costs are in maintaining trust anchors - There is no standard to automate against Security Forum, April 23,

33 Challenges New technology; chicken and egg L9 issues at the top Zone walking possibility - Is this really an issue in your environment? - Solutions are there - NSEC3 Higher security vs increased complexity Automated key rollover and distribution Security Forum, April 23,

34 Outline Security and the Internet Security and DNS Security and Routing Security Forum, April 23,

35 Securing Routing Why to secure Routing Certification: A starting point for routing security Internet resource certification Challenges Security Forum, April 23,

36 Why to secure routing?

37 If I were really bad (and evil) I d attack the routing system Through routing I d attack: - the DNS system - isolate critical public servers and resources - overwhelm the routing system with spurious information - generate a massive routing overload situation to bring down entire regional routing domains And see if I could bring the network to a complete chaotic halt Security Forum, April 23,

38 What s the base problem here? RIPE Network Coordination Centre Routing is built on mutual trust models of varying quality Routing auditing is a low value but expensive activity It s a tragedy of the commons situation: - Nobody can single-handedly apply rigorous tests on the routing system - And the lowest common denominator approach is to apply no integrity tests at all - All trust and no defence Security Forum, April 23,

39 So we need routing security like we need clean air and clean water But what does this need mean? - Who wants to pay for decent security? - What s the business drivers for effective security? - How do you avoid diversions into security pantomimes and functionless veneers? Can you make decent security and also support better, faster and cheaper networked services? Security Forum, April 23,

40 Threats Corrupting the routers forwarding tables can result in: - Misdirecting traffic (subversion, denial of service, third party inspection, passing off) - Dropping traffic (denial of service, compound attacks) - Adding false addresses into the routing system (support compound attacks) - Isolating or removing the router from the network Security Forum, April 23,

41 Address and Routing Security The basic routing payload security questions that need to be answered are: - Is this a valid address prefix? - Who injected this address prefix into the network? - Did they have the necessary credentials to inject this address prefix? - Is the forwarding path to reach this address prefix an acceptable representation of the network s forwarding state? Can these questions be answered reliably, cheaply and quickly? Security Forum, April 23,

42 A Foundation for Routing Security RIPE Network Coordination Centre The use of authenticatable attestations to allow automated validation of: - the authenticity of the route object being advertised - authenticity of the origin AS - the binding of the origin AS to the route object Such attestations used to provide a cost effective method of validating routing requests - as compared to the today s state of the art based on techniques of vague trust and random whois data mining Security Forum, April 23,

43 Certification: A Starting Point for Routing Security Certification of the Right-of-Use of IP Addresses and AS numbers as a linked attribute of the Internet s number resource allocation and distribution framework Adoption of some basic security functions into the Internet s routing domain: Injection of reliable trustable data A Resource PKI as the base of validation of network data Explicit verifiable mechanisms for integrity of data distribution Adoption of some form of certified authorization mechanism to support validation of credentials associated with address and routing information Security Forum, April 23,

44 X.509 Extensions for IP Addresses RIPE Network Coordination Centre RFC3779 defines extension to the X.509 certificate format for IP addresses & AS number The extension binds a list of IP address blocks and AS numbers to the subject of a certificate These extensions may be used to convey the issuer s authorization of the subject for exclusive use of the IP addresses and autonomous system identifiers contained in the certificate extension The extension is defined as a critical extension - Validation includes the requirement that the Issuer s certificate extension must encompass the resource block described in the extension of the certificated being validated Security Forum, April 23,

45 What is being Certified For example: RIPE NCC (the Issuer ) certifies that: the certificate Subject whose public key is contained in the certificate is the current controller of a set of IP address and AS resources that are listed in the certificate extension RIPE NCC does NOT certify the identity of the subject, nor their good (or evil) intentions! Security Forum, April 23,

46 Resource Certificates Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC LIR1 LIR2 ISP ISP ISP ISP ISP ISP ISP

47 Resource Certificates Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issued Certificates match allocation actions LIR LIR ISP ISP ISP ISP ISP ISP ISP

48 Resource Certificates Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issuer: RIPE NCC Subject: LIR2 Resources: /16 Key Info: <lir2-key-pub> LIR1 LIR2 Signed: <ripencc-key-priv> Issued Certificates ISP ISP ISP ISP4 ISP ISP ISP

49 Resource Certificates Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issuer: RIPE NCC Subject: LIR2 Resources: /16 Key Info: <lir2-key-pub> LIR1 LIR2 Signed: <ripencc-key-priv> Issuer: LIR2 Subject: ISP4 Resources: /24 Key Info: <isp4-key-pub> Signed: <lir2-key-priv> ISP ISP ISP ISP4 ISP ISP ISP Issued Certificates

50 Resource Certificates Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issuer: RIPE NCC Subject: LIR2 Resources: /16 Key Info: <lir2-key> Signed: <ripencc-key-priv> NIR1 NIR2 Issuer: LIR2 Subject: ISP4 Resources: Issuer: ISP /22 Key Subject: Info: <isp4-key> ISP4-EE Signed: ISP ISP Resources: <lir2-key-priv> /24 ISP ISP4 ISP ISP ISP Key Info: <isp4-ee-key> Signed: <isp4-key-priv> Issued Certificates

51 What could you do with Resource Certificates? RIPE Network Coordination Centre You could sign routing origination authorities or routing requests with your private key, providing an authority for an AS to originate a route for the named prefix. A Relying Party can validate this authority in the RPKI You could use the private key to sign routing information in an Internet Route Registry You could attach a digital signature to a protocol element in a routing protocol You could issue signed derivative certificates for any suballocations of resources Security Forum, April 23,

52 Signed Objects Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv>

Signed Object Validation Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate

53 Signed Object Validation Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, 1. Did the matching private key sign ISP4 <isp4-ee-key-priv> this text?

54 Signed Object Validation Resource Allocation Hierarchy AFRINIC APNIC ARIN RIPE NCC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv> 2. Is this certificate valid?

55 Signed Object Validation Resource Allocation Hierarchy RIPE NCC Trust Anchor AFRINIC APNIC ARIN RIPE NCC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv> 3. Is there a valid certificate path from a Trust Anchor to this certificate?

Signed Object Validation Resource Allocation Hierarchy Validation RIPE NCC Outcomes Trust Anchor AFRINIC APNIC ARIN 1. ISP4 RIPE authorized NCC this LACNIC Authority document 2. 192.2.200.

56 Signed Object Validation Resource Allocation Hierarchy Validation RIPE NCC Outcomes Trust Anchor AFRINIC APNIC ARIN 1. ISP4 RIPE authorized NCC this LACNIC Authority document /24 is a Issued valid Certificates address, derived from an RIPE NCC Route Origination Authority LIR1 allocation LIR2 ISP4 permits AS65000 to 3. ISP4 holds a current right-of-use of originate a route for the prefix / /24 4. A route object, where AS65000 originates an advertisement for the Attachment: <isp4-ee-cert> address prefix /24, has ISP ISP the ISP explicit ISP4 authority ISP ISP of ISP4, who is Signed, the current holder of this address ISP4 <isp4-ee-key-priv> prefix

57 Intended Objectives Create underlying framework for route security measures Assist ISP business process accuracy with Peering and Customer Configuration tool support Improve the integrity of published data through the signing and verification capability in the RIPE Database, IRR and similar Security Forum, April 23,

58 What this does NOT do Compete with sbgp, sobgp, pgbgp, proposals - It is intended to provide a robust validation framework that supports the operation of such proposals that intend to secure the operation of the BGP protocol Insert another critical point of vulnerability into the Internet - No intention of defining a framework of certificate-enforced compliance as a precursor to network reachability - Interpretation of validation outcomes is a local policy preference outcome Security Forum, April 23,

59 Challenges Critical mass of adoption - Even basic route filtering is not a common practice - Little incentive More complex provisioning system - Requires modifications and expertise A long road to secure routing - RPKI and ROAs only secure origination requests - S*-BGP - more comprehensive proposals, but much more complex and demanding Security Forum, April 23,

60 Summary Securing the Internet means securing: - The edge - The infrastructure - The between Securing DNS and routing is challenging and requires a lot of coordination - Lead by example, share experience - Take responsibility as a community - Make it easier But this will make the Internet a better and safer place Security Forum, April 23,

61 Questions?

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008 Address and Routing Security What we have had for many years is a relatively insecure interdomain routing system