The RPKI & Origin Validation

Size: px

Start display at page:

Download "The RPKI & Origin Validation"

Duane Joseph
6 years ago
Views:

1 The RPKI & Origin Validation NANOG / Denver Randy Bush <randy@psg.com> Rob Austein <sra@isc.org> Steve Bellovin <smb@cs.columbia.edu> Michael Elkins <me@sigpipe.net> And a cast of thousands! Well, dozens :) RPKI Origin 1

2 Routing is Very Fragile How long can we survive on The Web as Random Acts of Kindness, TED Talk by Jonathan Zittrain? 99% of mis-announcements are accidental originations of someone else s prefix -- Google, UU, IIJ, RPKI Origin 2

3 Why Origin Validation? Prevent YouTube accident Prevent 7007 accident, UU/Sprint 2 days! Prevents most accidental announcements Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack That requires Path Validation and locking the data plane to the control plane, the next steps, last talk today RPKI Origin 3

4 The Goal Keep the Internet working!!! Seriously reduce routing damage from mis-configuration, mis-origination Non-Goals Prevent Malicious Attacks Keep RIRs in business by selling X.509 Certificates RPKI Origin 4

5 Resource Public Key Infrastructure (RPKI) RPKI Origin 5

6 Public-Key Concept Private key: This key must be known only by its owner. Public key: This key is known to everyone (it is public) Relation between both keys: What one key encrypts, the other one decrypts, and vice versa. That means that if you encrypt something with my public key (which you would know, because it's public :-), I would need my private key to decrypt the message RPKI Origin 6

Key Generation Stolen from - http://gdp.globus.

7 Key Generation Stolen from RPKI Origin 7

8 En/DeCryption RPKI Origin 8

9 Digital Signature RPKI Origin 9

10 Certificate RPKI Origin 10

11 X.509 RPKI Being Developed & Deployed by IANA, RIRs, and Operators RPKI Origin 11

12 X.509 Certificate w/ 3779 Ext X.509 Cert CA RFC 3779 Extension Describes IP Resources (Addr & ASN) SIA URI for where this Publishes Owner s Public Key RPKI Origin 12

13 Certificate Hierarchy follows Allocation Hierarchy Cert/ISC Cert/ARIN /16 Public Key SIA Cert/RGnet / / /19 CA CA CA CA Cert/PSGnet Public Key Public Key Public Key Cert/Randy CA Cert/Rob CA / /24 Public Key Public Key RPKI Origin 13

14 That s Who Owns It but Who May Route It? RPKI Origin 14

15 Route Origin Authorization (ROA) Owning Cert CA / /16 EE Cert /16 End Entity Cert can not sign certs. can sign other things e.g. ROAs Public Key Public Key ROA /16 This is not a Cert It is a signed blob AS RPKI Origin 15

16 IANA CA PSGnet /16 Experimental Allocation from ARIN 0/0 Public Key ARIN /8 AS Public Key PSGnet /16 AS 3130 Public Key CA CA Announces 256 /24s EE Cert EE Cert EE Cert EE Cert EE Cert / / / / /24 Public Key Public Key Public Key Public Key Public Key ROA ROA ROA ROA ROA / / / / /24 AS 3130 AS 3130 AS 3130 AS 3130 AS 3130 Too Many EE Certs and ROAs, Yucchhy! RPKI Origin 16

17 IANA CA 0/0 Public Key ARIN CA /8 Public Key PSGnet CA /16 Public Key EE Cert /16 ROA Aggregation Using Max Length Public Key ROA /16-24 AS RPKI Origin 17

18 Allocation in Reality My Infrastructure BGP Cust Static (non BGP) Cust Unused RPKI Origin 18

19 ROA Use My Aggregate ROA Customer ROAs I Generate for Lazy Customer My Infrastructure BGP Cust Static (non BGP) Cust Unused RPKI Origin 19

20 Running Code And the Three RPKI Protocols RPKI Origin 20

21 Up / Down to IANA Parent and Child ARIN RPKI Engine Up / Down Protocol Internal Protocol ARIN s Resources ARIN Back End ISPs Resources Registry Back Ends ISP RPKI Engine Internal Protocol ISP s Resources ISP IR Back End Children s Resources Up / Down to Smart Customer RPKI Origin 21

[Hardware] Signing Module RPKI Engine Prototype of Basic Back End LIR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol My Resources ID=Me Biz EE Signing

22 [Hardware] Signing Module RPKI Engine Prototype of Basic Back End LIR Back End IR RPKI Priv Keys Internal CA Data Keys for Talking to IR BackEnd Up / Down Protocol My Resources ID=Me Biz EE Signing Key Private RPKI Keys ID=Me Public RPKI Keys Up/Down EE Public Keys Certs Issued to DownStreams Internal CA Data My Misc Config Options Issued ROAs Publication Protocol Repo Mgt Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations XML Object Transport & Handler Up / Down Protocol Internal Protocol My RightsToRoute Delegations to Custs Private IR Biz Trust Internal Anchor CA Data Business Key/Cert Management RPKI Origin 22

23 Big, Centralized, & Scary We Don t Do This RPKI DataBase IP Resource Certs ASN Resource Certs Route Origin Attestations RPKI Origin 23

24 Distributed RPKI DataBase IANA IANA SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust A Player (CA) Publishes All Certificates Which They Generate in Their Own Unique Publication Point Running Code Repository RPKI Origin 24

25 RCynic Cache Gatherer (cynical rsync) IANA IANA Trust Anchor SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust RCynic Gatherer Validated Cache RPKI Origin 25

26 Reliability Issue Expensive To Fetch & Unreliable IANA IANA Trust Anchor SIA ARIN ARIN APNIC APNIC SIA SIA UUNET UUNET PSGnet PSGnet IIJ IIJ SIA UUcust UUcust RCynic Gatherer Validated Cache RPKI Origin 26

27 Reliability Via Hosted Publication IANA IANA ARIN ARIN APNIC APNIC UUNET UUNET UUcust PSGnet IIJ PSGnet IIJ UUcust Repository with Multiple Publication Points Reducing the Number of Publication Points Makes RCynic More Efficient RPKI Origin 27

A Usage Scenario Resources [OrgID] IR s Database(s) My RightsToRoute Delegations to Custs User Web GUI Internal Protocol Keys for Talking to IR BackEnd ID=Me Public RPKI Keys Up/Down EE Public Keys

28 A Usage Scenario Resources [OrgID] IR s Database(s) My RightsToRoute Delegations to Custs User Web GUI Internal Protocol Keys for Talking to IR BackEnd ID=Me Public RPKI Keys Up/Down EE Public Keys 98% of an RIR s Users 10% of an RIR s IP Space Internal CA Data My Misc Config Options RPKI Engine Publication Protocol Publication Point Mac Certs Issued to DownStreams Issued ROAs Contract Out To Google Front End GUI & Management Up / Down Protocol 2% of an RIR s Users 90% of an RIR s IP Space RPKI Origin 28

29 Origin Validation Cisco IOS and IOS-XR test code have Origin Validation now Juniper has early test code now Work continues daily in test routers Compute load much less than ACLs from IRR data, 10µsec per update! RPKI Origin 29

30 RPKI -> Router` Global RPKI Object Security RCynic The Third Protocol (origin validation only) RCynic Gatherer Cache / Server RPKI to Rtr Protocol BGP Decision Process Near/In PoP RPKI Origin 30

31 Typical Exchange Cache Router <----- Reset Query R requests data Cache Response -----> C confirms request IPvX Prefix > C sends zero or more IPvX Prefix > IPv4 and IPv6 Prefix IPvX Prefix > Payload PDUs End of Data > C sends End of Data and sends new serial ~ ~ Notify > (optional) <----- Serial Query R requests data Cache Response -----> C confirms request IPvX Prefix > C sends zero or more IPvX Prefix > IPv4 and IPv6 Prefix IPvX Prefix > Payload PDUs End of Data > C sends End of Data and sends new serial ~ ~ RPKI Origin 31

32 Reset Query Protocol PDU Version Type reserved = zero Length=8 ` ' RPKI Origin 32

33 Cache Response Protocol PDU Version Type Cache Nonce Length=8 ` ' RPKI Origin 33

34 IPv4 Prefix Protocol PDU Version Type reserved = zero Length= Prefix Max Flags Length Length zero IPv4 prefix Autonomous System Number ` ' RPKI Origin 34

35 IPv6 Prefix Protocol PDU Version Type reserved = zero Length= Prefix Max Flags Length Length zero IPv6 prefix Autonomous System Number ` ' RPKI Origin 35

36 End of Data Protocol PDU Version Type Cache Nonce Length= Serial Number ` ' RPKI Origin 36

37 Notify (Think DNS) Protocol PDU Version Type Cache Nonce Length= Serial Number ` ' RPKI Origin 37

38 Serial Query Protocol PDU Version Type Cache Nonce Length= Serial Number ` ' RPKI Origin 38

39 Error Response Protocol PDU Version Type Error Number Length Length of Encapsulated PDU ~ Copy of Erroneous PDU ~ Length of Error Text Arbitrary Text of ~ Error Diagnostic Message ~ RPKI Origin ` ' 39

40 Extremely Large ISP Deployment Global RPKI Asia Cache NoAm Cache Euro Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache Cust Facing Cust Facing Cust Facing Cust Facing Cust Facing High Priority RPKI Origin Lower Priority 40

41 Configure router bgp 3130 bgp rpki server tcp port refresh 120 bgp bestpath prefix-validate allow-invalid RPKI Origin 41

42 Result of Check Valid A matching/covering ROA was found with a matching AS number Invalid A matching or covering ROA was found, but AS number did not match, and there was no valid one Not Found No matching or covering ROA was found RPKI Origin 42

43 Policy Override Knobs Disable Validity Check Completely Disable Validity Check for a Peer Disable Validity Check for Prefixes When check is disabled, the result is Not Found, i.e. as if there was no ROA RPKI Origin 43

44 Look at Table r0.sea#show ip bgp rpki table 76 BGP sovc network entries using 6688 bytes of memory 422 BGP sovc record entries using 8440 bytes of memory Network Maxlen Origin-AS Source Neighbor / / / / / / / / / / / / / / / / / / RPKI Origin 44

45 Defaults Origin Validation is Enabled if you have configured a cache server peering Default Poll Interval is 30 Minutes No Effect on Policy unless you have configured it RPKI Origin 45

46 Good Dog! r0.sea#show bgp /24 BGP routing table entry for /24, version Paths: (3 available, best #1, table default) (metric 1) from ( ) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid from ( ) Origin IGP, metric 43, localpref 100, valid, external Community: 2914: : : :380 path 09AF35CC RPKI State valid RPKI Origin 46

47 Bad Dog! r0.sea#show bgp BGP routing table entry for /24, version Paths: (3 available, best #2, table default) Advertised to update-groups: Refresh Epoch (metric 11) from ( ) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid RPKI Origin 47

48 Strange Dog! r0.sea#show bgp BGP routing table entry for /20, version Paths: (3 available, best #2, table default) Advertised to update-groups: Refresh Epoch (metric 11) from ( ) Origin IGP, metric 4, localpref 100, valid, internal Community: 3130:370 path 11861AA4 RPKI State not found RPKI Origin 48

49 ibgp Hides Validity State p valid invalid p ibgp Full Mesh p unknown which do i choose? RPKI Origin why do i choose it? 49

50 The Solution is to Allow Operator to Test and then Set Local Policy RPKI Origin 50

51 Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50! invalid is dropped RPKI Origin 51

52 Paranoid route-map validity-0 match rpki valid set local-preference 110! everything else dropped RPKI Origin 52

53 After AS-Path route-map validity-0 match rpki not-found set metric 50 route-map validity-1 match rpki invalid set metric 25 route-map validity-2 set metric RPKI Origin 53

Running Code The Open TestBed Repository until we get IANA to act as the parent Trust Anchor Trust Anchor *ARIN ARIN *APNIC APNIC until we get IANA to act as the parent ISC ISC Google BWC RGnet RGnet

54 Running Code The Open TestBed Repository until we get IANA to act as the parent Trust Anchor Trust Anchor *ARIN ARIN *APNIC APNIC until we get IANA to act as the parent ISC ISC Google BWC RGnet RGnet JPNIC JPNIC Google runs own RPKI to keep private key private and control own fate, but publishes at ARIN BWC IIJ Cristel IIJ Mesh Mesh Level (3) Level(3) chocolate Cristel runs own RPKI to keep private key private and control own fate, but publishes at IIJ RPKI Origin * APNIC and ARIN are simulations constructed from public data 54

55 The Big Speedbump RPKI Origin 55

56 But Who Do We Trust? RPKI Origin 56

57 Up-Chain IANA 0/0 CA Expiration Public Key ARIN CA /8 These are not Identity Certs Public Key RGnet /16 Public Key PSGnet CA CA Sloppy Admin, Cert Soon to Expire! /17 Public Key EE Cert /17 Public Key ROA /1724 So My ROA will become RPKI Origin AS 3130 Invalid! 57

58 ROA Invalid but I Can Route The ROA will become Invalid My announcement will just become NotFound, not Invalid Unless my upstream has a ROA for the covering prefix, which is likely RPKI Origin 58

59 So Who Do You Call? RPKI Origin

60 Ghostbusters! IANA 0/0 CA Public Key ARIN CA /8 Public Key RGnet /16 CA Ghostbusters Record Public Key CA PSGnet /17 Public Key EE Cert /17 Public Key ROA BEGIN:vCard VERSION:3.0 FN:Human's Name N:Name;Human's;Ms.;Dr.;OCD;ADD ORG:Organizational Entity ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A. TEL;TYPE=VOICE,MSG,WORK: TEL;TYPE=FAX,WORK: com END:vCard draft-ietf-sidr-ghostbusters /17-24 AS RPKI Origin 60

61 But in the End, You Control Your Policy Announcements with Invalid origins MAY be used, but SHOULD be less preferred than those with Valid or NotFound. -- draft-ietf-sidr-origin-ops But if I do not reject Invalid, what is all this for? RPKI Origin 61

62 Open Source (BSD Lisc) Running Code Test Code in Routers Talk to C & J RPKI Origin 62

63 Work Supported By US Government THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL). [0] [0] they Take your Scissors Away and we turn them into plowshares ARIN Internet Initiative Japan & ISC Cisco, Juniper, Google, NTT, Equinix RPKI Origin 63

The RPKI & Origin Validation

The RPKI & Origin Validation RIPE / Praha 2010.05.03 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2010.05.03 RIPE RPKI