Attacks on routing: IP hijacks
- Sherman Walton
3 How Internet number resources are managed. [Diagram of the allocation hierarchy:] IANA → RIRs (ARIN, LACNIC, APNIC, RIPE NCC, AfriNIC) → LIRs/ISPs (e.g. NIC.br, NIC.MX, ISP #1, ISP mx) → end users.
4 How Internet number resources are managed (ii). What do we mean by resources: IPv4 addresses, IPv6 addresses and Autonomous System Numbers (both 16 and 32 bits). Foundational document: RFC 2050, "IP Registry Allocation Guidelines". Each RIR is the authoritative source on the relationship between users/holders and resources, and each RIR operates a registry database.
5 Routing in the Internet. [Diagram:] ASN 20 announces a /16; ASN 10 receives the prefix /16. The prefix propagates across ASs (via BGP sessions). Attributes carried with the /16: AS_PATH ASN1 ASN3 ASN20.
6 Routing in the Internet (ii). BGP chooses routes using a decision algorithm and the values of the available attributes. AS_PATH is the list of autonomous systems a given UPDATE has traversed; the AS that originates the route (the "origin-as") is the first one added to the path, so it appears last in the displayed AS_PATH. In this case ASN 20 is the origin-as for 10.1/16.
7 Who has the "right" to use resources? When an ISP obtains resources from its RIR (IPv6/IPv4/ASN), the ISP has to notify its upstream ASNs which prefixes are going to be announced via BGP. This is usually done via e-mail, web forms or by updating an IRR (Internet Routing Registry). Upstreams verify (or at least they should) the right of use for the announced resources, using: RIR WHOIS (text-based and not really suitable for automatic usage); IRR WHOIS (non-signed information, with little additional tooling for verifying usage rights beyond names, phone numbers and POCs). This verification process is sometimes not as thorough as it should be.
8 Checking usage rights for a resource. Network administrators: local checks in the routing infrastructure, which require the previous step (registering the route object with an IRR). Router protection: routing protocol integrity, peer authentication. Filtering known-invalid routes: RFC 1918 prefix filtering, bogon filtering. In the end the integrity of the routing system depends on ad-hoc trust relationships between peers.
9 Route Hijacking. When an entity participating in Internet routing announces a prefix without authorization we face a route hijack. It can be either malicious or due to operational mistakes. Some well-known cases: Pakistan Telecom vs. YouTube (2008); China Telecom (2010); Google in Eastern Europe (various ASs, 2010); some occurrences in our region (January/February 2011).
10 Route Hijacking (ii). [Diagram; the prefix values were lost in transcription:] AS 6057 announces a /16. A more-specific /24 of the same block is also announced. AS 8158 receives both routes: the /16 with AS_PATH ASN1 ASN3 ASN… and the /24 with AS_PATH ASN1 ASN3 ASN6057.
11 Route Hijacking (iii). RIPE NCC video: http:// (link truncated in transcription).
12 Resource PKI (Resource Public Key Infrastructure). Goal: create a system that allows the certification of usage rights for Internet numbering resources. High-level overview: use X.509 v3 certificates; apply the RFC 3779 extensions to these certificates, which allow Internet resources (IPv4/IPv6/ASNs) to be carried as fields within the certificates; provide a way to automatically validate the origin-as of a BGP UPDATE. Standardization activities: IETF SIDR working group. Implementation activities: the RIRs.
13 Resource PKI (ii). Automated origin validation for route announcements: the entity with usage rights for a resource signs the origin-as field of a PKI object. The following procedures are applied to validate RPKI certificates and routing information objects: the cryptographic validity of the RPKI certificate chain (just like any other PKI), and the CIDR inclusion properties of the IP addresses. In this way it becomes more difficult for a third party to inject invalid data into the routing system.
14 Resource PKI (iii). [Diagram of the components: RPKI Management System, Cache, Repository.]
15 Resource PKI (iv). All RPKI signed objects are listed in public repositories. After verification, these objects can be used to configure filtering in routers. Validation process: signed objects carry references to the certificate used to sign them; each certificate has a pointer to an upper-level certificate; the resources listed in a certificate MUST be valid subsets of the resources listed in its parent's certificate. In this way a trust chain can be traced to a "trust anchor", both cryptographically and in CIDR terms.
16 X.509 v3 certificates with RFC 3779 extensions. X.509 digital certificates: subject, validity period, public key and other fields. With extensions: RFC 3779 defines extensions that allow Internet resources to be represented as certificate fields, i.e. the list of IPv4 prefixes, IPv6 prefixes and ASNs assigned to an organization. Implemented in OpenSSL 1.0c onwards; it has to be specifically enabled when running "./configure". [Diagram of the certificate fields: Version, Serial Number, Signature Algorithm, Issuer, Subject, Subject Public Key, Extensions, Subject Information Authority (SIA), Authority Information Access (AIA), Addr: (value lost in transcription), Asid: 65535.]
17 Certificates with RFC 3779 extensions. "IP Delegation" section, special value: "INHERITED". "AS Delegation" section, special value: "INHERITED". Validation process: it involves the validation of the resources themselves, not only the signatures. [Same certificate field diagram as the previous slide.]
18 RPKI Structure. The RTA is the self-signed certificate at the top of the hierarchy. [Diagram of the signature chain: LACNIC RTA (LACNIC resources) → LACNIC Production (<<INHERITED>>) → ISP #1 (ISP #1 resources), ISP #2 (ISP #2 resources) and End User CA #1 (EU #1 resources) → ROA end-entity certificates under each of them.]
19 RPKI Structure (ii). CAs: a certificate-signing entity (CA bit = 1); ISPs can use this certificate to sign their clients' certificates. Certificate repository: contains certificates, CRLs, ROAs and manifests; accessible via rsync. Management interface: a web interface for those who prefer "hosted" mode.
20 RPKI Management for Users. "Hosted" mode: LACNIC issues the resource certificate for an organization and guards both the private and the public key; certificates are issued when requested by LACNIC member organizations; users manage their RPKI objects through a user-friendly web interface provided by LACNIC. "Delegated" mode: an organization creates its own resource certificate; this certificate is submitted to LACNIC for signing and LACNIC returns the signed certificate (the "up-down" protocol).
21 Services provided by the RPKI CA. Issuing child resource certificates when changes to the registry database occur or when solicited by a resource holder. Revoking child certificates when solicited by a resource holder. Periodic CRL update. Publishing child certificates, the trust anchor and auxiliary objects in a public repository (rsync).
22 Resource Certificate. [Slide content not transcribed.]
23 ROAs: Routing Origin Authorization. ROAs contain data on the allowed origin-as for a set of prefixes. ROAs are signed using the certificates generated by the RPKI. Signed ROAs are copied to the repository.
24 ROAs (ii). A simplified ROA contains the following information [table lost in transcription]. These ROAs state that: "The prefix /17 will be originated by ASN 6057 and could be de-aggregated up to /20"; "This statement is valid starting on Jan 2, 2011 until Jan 1, 2012". Other ROA content: ROAs contain cryptographic material that allows validation of the ROA's content.
25 ROAs (iii). Contents of a ROA: an end-entity certificate with resources, and a list of "route origin attestations". [Diagram: ROA end-entity certificate with resources 200/…; attestations of the form "prefix → AS …" and "prefix → AS 100"; the prefix values were lost in transcription.]
26 ROAs (iii) - Validation. In order to validate a ROA three steps have to be performed: crypto validation of the public keys and signatures included in the EE certificate inside each ROA; CIDR inclusion checking of the resources listed in the EE certificate against its parent; and CIDR inclusion checking of the resources in the route origin attestations, which have to be included in the resources listed in the EE certificate.
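The two CIDR-inclusion rules from slides 15 and 26 (a certificate's resources must be a subset of its parent's, and a ROA's attestations must be a subset of its EE certificate's resources), worked through in code. This is an added example, not code from the slides or from LACNIC's system: it models only the resource-inclusion checks and leaves signature verification out, the INHERITED handling follows the special value shown on slide 17, and every certificate name, prefix and AS number in the sample chain is constructed.

```python
"""Added example (not from the slides): CIDR-inclusion checks for an RPKI
certificate chain and for a ROA's route origin attestations. Only resource
inclusion is modelled; signature checking is out of scope here. All
certificates, prefixes and AS numbers below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple, Union

INHERITED = "INHERITED"            # RFC 3779 special value (slide 17)
ASRange = Tuple[int, int]          # inclusive (first, last) AS number range


@dataclass
class ResourceCert:
    name: str
    prefixes: Union[str, List[str]]        # CIDR strings, or INHERITED
    as_ranges: Union[str, List[ASRange]]   # (first, last) pairs, or INHERITED


def prefix_within(child: str, parent_nets) -> bool:
    """True when some parent prefix of the same address family contains child."""
    c = ip_network(child)
    return any(c.version == p.version and c.subnet_of(p) for p in parent_nets)


def as_within(rng: ASRange, parent_ranges) -> bool:
    lo, hi = rng
    return any(plo <= lo and hi <= phi for plo, phi in parent_ranges)


def validate_chain(chain: List[ResourceCert]) -> List[str]:
    """chain[0] is the self-signed trust anchor (the RTA of slide 18); every
    later certificate must hold a subset of its parent's resources, and
    INHERITED means 'the same resources as the parent'. Returns the list of
    violations found; an empty list means the chain passes the CIDR check."""
    errors: List[str] = []
    ta = chain[0]
    if INHERITED in (ta.prefixes, ta.as_ranges):
        return [f"{ta.name}: a trust anchor cannot inherit resources"]
    eff_nets = [ip_network(p) for p in ta.prefixes]   # parent's effective resources
    eff_as = list(ta.as_ranges)
    for parent, cert in zip(chain, chain[1:]):
        if cert.prefixes != INHERITED:
            for p in cert.prefixes:
                if not prefix_within(p, eff_nets):
                    errors.append(f"{cert.name}: prefix {p} is not within {parent.name}")
            eff_nets = [ip_network(p) for p in cert.prefixes]
        if cert.as_ranges != INHERITED:
            for r in cert.as_ranges:
                if not as_within(r, eff_as):
                    errors.append(f"{cert.name}: AS range {r} is not within {parent.name}")
            eff_as = list(cert.as_ranges)
    return errors


def validate_roa(ee_cert: ResourceCert,
                 attestations: List[Tuple[str, Optional[int]]]) -> List[str]:
    """Slide 26, step 3: each attested prefix must lie within the EE
    certificate's IP resources, and maxLength (when given) may be neither
    shorter than the prefix itself nor longer than the address size."""
    if ee_cert.prefixes == INHERITED:
        return [f"{ee_cert.name}: an EE certificate must list its IP resources explicitly"]
    ee_nets = [ip_network(p) for p in ee_cert.prefixes]
    errors: List[str] = []
    for prefix, max_len in attestations:
        net = ip_network(prefix)
        if not prefix_within(prefix, ee_nets):
            errors.append(f"attestation {prefix} is not within {ee_cert.name}")
        if max_len is not None and not net.prefixlen <= max_len <= net.max_prefixlen:
            errors.append(f"attestation {prefix}: maxLength {max_len} out of range")
    return errors


# Constructed chain modelled on slide 18: RTA -> production CA -> ISP -> ROA EE cert.
GOOD_CHAIN = [
    ResourceCert("LACNIC RTA", ["200.0.0.0/8", "2001:1200::/23"], [(27648, 28671)]),
    ResourceCert("LACNIC Production", INHERITED, INHERITED),
    ResourceCert("ISP #1", ["200.0.0.0/17", "2001:13c7::/32"], [(28000, 28001)]),
    ResourceCert("ROA EE cert", ["200.0.0.0/23", "2001:13c7:7001::/48"], []),
]
# A child that claims space and an AS its parent never held (two violations).
BAD_CHAIN = GOOD_CHAIN[:2] + [ResourceCert("ISP #2", ["201.0.0.0/16"], [(65000, 65000)])]

if __name__ == "__main__":
    print(validate_chain(GOOD_CHAIN))   # []
    print(validate_chain(BAD_CHAIN))    # two violations for ISP #2
    print(validate_roa(GOOD_CHAIN[3], [("200.0.0.0/23", 24), ("200.0.128.0/17", None)]))
```

The chain walk keeps the parent's effective resources as it descends, which is what makes INHERITED work: "LACNIC Production" contributes nothing of its own, so "ISP #1" is checked against the RTA's resources. The ROA check deliberately reports a maxLength shorter than the prefix as an error, since such an attestation could never match any announcement.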
27 RPKI in Action. [Diagram: UPDATE → router ← cache.] Routers assign a "validity status" to the route included in an UPDATE. The cache periodically updates the router with the list of validated prefixes.
28 RPKI in Action (ii). The validation process is split in two parts: crypto and CIDR validation of ROAs and certificates, performed by the validation cache; and validation of the routes in BGP UPDATEs, performed by the BGP speakers in the network. A special protocol called RTR is being worked on by the IETF for router-cache communication.
29 RPKI in Action (iii). In the cache: repository content is downloaded via rsync; certificates and ROAs are validated cryptographically (signature chain) and for correct CIDR resource inclusion. In the routers: a database of prefix <-> origin-as relationships is built.
30 BGP interaction. Routers build a database with the information they receive from the caches. This table contains: prefix, min length, max length, origin-AS. By applying a set of rules a validity status is assigned to each UPDATE prefix.
31 BGP interaction (ii). Example: UPDATE …/9 with ORIGIN-AS 20 → VALID. Database rows are of the form "IP prefix/[min_len max_len], origin AS": …/[16-20]; …/[8-21], 20 (prefix values lost in transcription). Rules: if the UPDATE prefix is not covered by any entry in the DB → "not found"; if the UPDATE prefix is covered by at least one entry in the DB and the origin-AS matches the ASN in the DB → "valid"; if it is covered but the origin-AS does NOT match → "invalid".
32 Tools. Validators: RIPE NCC validator, http://labs.ripe.net/members/agowland/ripe-ncc-validator-for-resource-certification/view; rcynic, http://subvert-rpki.hactrn.net/rcynic/. Visualization and statistics: built on the output of the validators.
33 Validation: RIPE Labs.
34 Validation (ii). Example: top-down validation of the LACNIC repository, exporting the validated prefixes to a CSV.
Step 1: download the LACNIC RTA (the URL was lost in transcription):
wget --output-document=./trust-anchors/ta-lacnic.cer
Step 2: run the validation:
./ripencc-rpki-validator/bin/certification-validator --top-down -o validator/ -t ./trust-anchors/ta-lacnic.cer -r lacnic-roas.csv
35 Validation (iii). Validated ROAs and prefixes (lacnic-roas.csv); the prefix and timestamp values were lost in transcription:
URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af /utt-n3nq91lgzh0jvwppn-KirQ4.roa",AS28000, /23,24, :00:00, :00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af /utt-n3nq91lgzh0jvwppn-KirQ4.roa",AS28000,2001:13c7:7001::/48,48, :00:00, :00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af /nfnv84a_ga8zpecmr4jx1qe557o.roa",as28001, /22,24, :00:00, :00:00
"rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6-a246-af /nfnv84a_ga8zpecmr4jx1qe557o.roa",as28001,2001:13c7:7002::/48,48, :00:00, :00:00
36 Source: Visualizing RPKI, http:// heatmaps/latest/ (host lost in transcription). Hilbert maps colored according to the address space covered by ROAs.
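The router-side half of the process from slides 30, 31 and 35 as runnable code: load a validator CSV with the column layout of slide 35 into the prefix / min length / max length / origin-AS table of slide 30, then apply the three-outcome rule of slide 31 to BGP UPDATEs. This is an added example, neither the RIPE NCC validator's nor any router's implementation. The CSV rows are constructed (the slide's own rows lost their values in transcription), and the "covered" and "matched" definitions follow RFC 6811, under which a more-specific that exceeds the ROA's maxLength is covered but not matched and therefore "invalid", which goes slightly beyond the wording on slide 31.

```python
"""Added example (not from the slides): a prefix <-> origin-AS table loaded
from a validator CSV (column layout of slide 35) and the valid / invalid /
not-found rule of slide 31, using RFC 6811's covered/matched definitions.
The CSV rows, prefixes and AS numbers are constructed sample data."""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass(frozen=True)
class VRPEntry:
    """One row of the router's table (slide 30). min_len is the ROA prefix
    length itself; max_len comes from the ROA's maxLength field."""
    prefix: object        # IPv4Network or IPv6Network
    min_len: int
    max_len: int
    origin_as: int


# Constructed CSV in the column layout of slide 35 (URIs and values are made up).
SAMPLE_CSV = """URI,ASN,IP Prefix,Max Length,Not Before,Not After
"rsync://repository.example/rpki/hosted/example-1.roa",AS28000,200.0.0.0/23,24,2011-01-02 00:00:00,2012-01-01 00:00:00
"rsync://repository.example/rpki/hosted/example-1.roa",AS28000,2001:13c7:7001::/48,48,2011-01-02 00:00:00,2012-01-01 00:00:00
"rsync://repository.example/rpki/hosted/example-2.roa",as28001,200.0.4.0/22,24,2011-01-02 00:00:00,2012-01-01 00:00:00
"rsync://repository.example/rpki/hosted/example-3.roa",AS20,10.0.0.0/8,21,2011-01-02 00:00:00,2012-01-01 00:00:00
"""


def load_vrps(csv_text: str) -> List[VRPEntry]:
    """Parse validator output into table rows. The ASN column appears both as
    'AS28000' and 'as28001' on the slide, so the prefix is stripped case-insensitively."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ip_network(row["IP Prefix"].strip())
        asn_text = row["ASN"].strip().upper()
        asn = int(asn_text[2:] if asn_text.startswith("AS") else asn_text)
        entries.append(VRPEntry(net, net.prefixlen, int(row["Max Length"]), asn))
    return entries


def covers(entry: VRPEntry, prefix) -> bool:
    """RFC 6811 'covered': the UPDATE prefix is the entry's prefix or a more specific of it."""
    return prefix.version == entry.prefix.version and prefix.subnet_of(entry.prefix)


def matches(entry: VRPEntry, prefix, origin_as: int) -> bool:
    """RFC 6811 'matched': covered, not longer than max_len, and same origin AS."""
    return (covers(entry, prefix)
            and entry.min_len <= prefix.prefixlen <= entry.max_len
            and entry.origin_as == origin_as)


def validity_status(entries: List[VRPEntry], update_prefix: str, origin_as: int) -> str:
    """Slide 31's rule: no covering entry -> 'not found'; some matching entry
    -> 'valid'; covered but nothing matches -> 'invalid'."""
    prefix = ip_network(update_prefix)
    covering = [e for e in entries if covers(e, prefix)]
    if not covering:
        return "not found"
    if any(matches(e, prefix, origin_as) for e in covering):
        return "valid"
    return "invalid"


VRPS = load_vrps(SAMPLE_CSV)

if __name__ == "__main__":
    # Constructed UPDATEs; the first mirrors slide 31 (…/9 from origin-AS 20 -> valid).
    for pfx, asn in [("10.0.0.0/9", 20), ("10.0.0.0/9", 6057),
                     ("200.0.0.0/25", 28000), ("2001:db8::/32", 64500)]:
        print(pfx, asn, "->", validity_status(VRPS, pfx, asn))
```

Two cases are worth noting when reading the output: "200.0.0.0/25" from AS28000 is "invalid" even though the AS is right, because the ROA only allows de-aggregation down to /24; and the IPv6 UPDATE for a prefix no ROA mentions is "not found", which is the status a router should treat as neutral rather than as a rejection while RPKI coverage is partial.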
37 The LACNIC RPKI System. RPKI in hosted mode has been in production since 1/1/2011. To use it you only need: your Administrative Contact details (username and password) at hand to create certificates; your Technical Contact details (username and password) at hand to create ROAs. Where is it? http://rpki.lacnic.net/
38 Final remarks. Possible uses of RPKI while not all routers are able to validate: bridges between IRRd and RPKI; bridges between WHOIS and RPKI; offline processing of BGP tables taken from routers. A variety of freely usable tools exist for RPKI. The repositories of the 5 RIRs can be downloaded freely via rsync:
rsync -avz rsync://repository.lacnic.net/rpki/ ./rpki
39 Links / References. The LACNIC RPKI System: http://rpki.lacnic.net/. LACNIC's rsync repository: rsync://repository.lacnic.net/rpki/. Listing the repository: rsync --list-only rsync://repository.lacnic.net/rpki/lacnic/. Some RPKI statistics: http:// (link truncated in transcription).
40 Thank You!
Network Working Group M. Lepinski, Ed. Internet-Draft BBN Intended status: Standards Track July 4, 2014 Expires: January 5, 2015 Abstract BGPSEC Protocol Specification draft-ietf-sidr-bgpsec-protocol-09
More informationIETF Activities Update
IETF Activities Update Marla Azinger marla.azinger@frontiercorp.com ARIN XXIV OCT 22, 2009 Note This presentation is not an official IETF report There is no official IETF Liaison to ARIN or any RIR It
More informationRouting Security. Daniel Karrenberg RIPE NCC.
Routing Security Daniel Karrenberg RIPE NCC Who is talking: Daniel Karrenberg 1980s: helped build Internet in Europe - EUnet, Ebone, IXes,... - RIPE 1990s: helped build RIPE
More informationAPNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston Motivation: Address and Routing Security What we have today is a relatively insecure system that is
More informationFeedback from RIPE NCC Registration Services. Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam
Feedback from RIPE NCC Registration Services Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam Outline ASN32 success, a competitive disadvantage? Last /8 implementation detail Upgrade of /32 IPv6 allocations
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: September 2017
Internet Engineering Task Force (IETF) Request for Comments: 8211 Category: Informational ISSN: 2070-1721 S. Kent BBN Technologies D. Ma ZDNS September 2017 Adverse Actions by a Certification Authority
More informationHow Complete and Accurate is the Internet Routing Registry (IRR)?
How Complete and Accurate is the Internet Routing Registry (IRR)? Dec 5 th 2011 4th CAIDA-WIDE-CASFI Joint Measurement Workshop Akmal Khan, Hyun-chul Kim, Ted "Taekyoung" Kwon Seoul National University
More informationBGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs
BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs aa@qrator.net Malicious Hijacks/Leaks FISHING SITES HIJACK OF HTTPS CERTIFICATES SPAM/BOTNET ACTIVITY DOS ATTACKS BGP Hijack Factory
More informationResource Certification
Resource Certification Guide to Resource Certification in MyAPNIC Registration Guide for MyAPNIC Page 1 of 11 Table of Contents 1 Guide to Resource Certification in MyAPNIC... 3 1.1 Access to Resource
More informationInternet Number Certification
Internet Number Certification Terry Manderson ICANN involvement In response to requests from the Internet community 2 What you are about to see Possibili*es of Implementa*on Technical manifesta*on of some
More informationRPKI in practice. Sebastian Wiesinger DE-CIX Technical Meeting June 2017
RPKI in practice Sebastian Wiesinger sebastian.wiesinger@noris.net DE-CIX Technical Meeting June 2017 Generate ROAs Generate ROAs for your prefixes RIPE NCC makes this very easy Available at the LIR portal
More informationIP Address Management The RIR System & IP policy
IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early address management Evolution of address management Address management today Address policy development IP allocation
More informationRIR Update. A Joint Presentation Prepared By APNIC, ARIN, RIPE NCC. 17 March 2002 IEPG - Minneapolis
RIR Update A Joint Presentation Prepared By APNIC, ARIN, RIPE NCC Overview Joint Efforts RIR Specific Statistics Questions RIR Co-ordination IPv6 policy development Joint tutorial & presentation at AfNOG
More informationAn ARIN Update. Susan Hamlin Director of Communications and Member Services
An ARIN Update Susan Hamlin Director of Communications and Member Services ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number
More informationIntroduction to the RIR System. Dr. Nii N. Quaynor
Introduction to the RIR System Dr. Nii N. Quaynor 1 Internet Identifiers Name resources: Names Names used to access the Internet gtlds: Generic Top level domains (.com,.net, info,.org,.int etc) cctld:
More informationRouting Security Roadmap
Routing Security Roadmap Job Snijders NTT Communications job@ntt.net This presentation contains projections and other forward-looking statements regarding future events or our future routing performance.
More informationGolden Prefixes IRR Lockdown Job Snijders
Golden Prefixes IRR Lockdown Job Snijders Agenda What s the problem? IRR not ideal A possible solution: Golden prefixes Making the best of IRR: IRR Lockdown Actual Frustrations The Youtube
More information