Resource Public Key Infrastructure for Secure Border Gateway Protocol
George Chang, Majid Arianezhad, and Ljiljana Trajković
Communication Networks Laboratory
Simon Fraser University, Vancouver, British Columbia, Canada
Roadmap
- Introduction
- Securing the Internet
- Testbed: configuration of a router between SFU and BCNET
- Simulation scenario and results
- Conclusion and references
CCECE 2016, Vancouver, British Columbia, Canada
Border Gateway Protocol (BGP)
- Security issues:
  - message insertion, message deletion, and modification to the routes or packets
  - man-in-the-middle attack
  - Denial of Service (DoS)
  - Distributed Denial of Service (DDoS)
- BGP lacks protection and verification mechanisms for invalid route advertisements
2008 YouTube Incident
- Cause: Pakistan Telecom (AS 17557) re-routed most of YouTube's traffic to itself due to unauthorized advertisement of a more specific route
- Consequence: YouTube network was brought down globally for more than two hours on Feb. 24th, 2008
Securing BGP
Resource Public Key Infrastructure (RPKI):
- utilizes the Public Key Infrastructure (PKI) to secure resources (routes) for advertisements
- uses public and private keys to encrypt the certificate that proves route validity
- implements guards against unauthorized advertisement of routes and resources to neighbouring peers
- ensures accurate inter-Autonomous System (AS) route advertisement
Keys and Certificates
- RPKI uses the well-developed public key cryptographic technology
- The public and private keys are generated from the Regional Internet Registries (RIRs) for individual resource holders
- RPKI uses the X.509 v3 standard and format specification that is adopted for PKI
RPKI Participants
- Certificate Authorities (CA)
- Authentication built in a hierarchical system: IANA → RIR → ISP → Customers
IANA: Internet Assigned Numbers Authority
RIR: Regional Internet Registry
ISP: Internet Service Provider
[Figure: RPKI Hierarchy Structure]
RPKI Tools
RIPE and ARIN provide validation tools to the RPKI data repository:
- web interface
- cache validator
- verified routes data
- automatic queuing of validated ROAs or resources
RIPE: Réseaux IP Européens
ARIN: American Registry for Internet Numbers
ROA: Route Origin Authorization
Routing Rules
- Routing decisions are made by the network administrator based on RPKI validity states
- Each route is assigned one of the three validity states:
  - valid: authorized announcement
  - invalid: unauthorized announcement
  - not found: not assigned or not backed by ROA
Testbed Architecture
- Two routers were connected via secure tunneling between two ASes:
  - BCNET (AS 271)
  - SFU (AS 11105)
- Both routers/ASes were connected to the RPKI cache validator obtained from RIPE
- Default RIR was selected as a trust anchor to validate BGP announcements (ARIN)
Testbed Specifications
- Two logical routers were instantiated between SFU and BCNET using Juniper JunOS
- Ubuntu virtual machine was used as the local cache validator hosted on a PC:
  - UNIX based system running Oracle JDK 7, rsync, and RIPE's validator package
  - 1 GB of memory allocated
- SFU and BCNET obtained IP resources from ARIN used for route validation
[Figure: Testbed Topology]
Decision Making via Route Validation
- Verification of the applied routing policy:
  - valid, invalid, and not found statements were set to 110, 90, and 100, respectively
  - decisions are made based on these values chosen by the administrator during router setup
- A rogue test router was introduced to deliberately advertise false information:
  - advertising a false route to BCNET, if accepted, would reroute traffic from SFU
Results: Valid States
    show route protocol bgp validation-state valid
    inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    /24 *[BGP/170] 3w6d 05:23:33, localpref 110
          AS path: I, validation-state: valid
        > to via lt-0/2/10.69
Results: Invalid States
    show route protocol bgp validation-state invalid
    inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    /24 [BGP/170] 3d 08:00:09, localpref 90
          AS path: 4476 I, validation-state: invalid
        > to via lt-0/3/10.65
Route Validity
    show route
    inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    /24 *[BGP/170] 3w6d 05:27:15, localpref 110
          AS path: I, validation-state: valid
        > to via lt-0/2/10.69
        [BGP/170] 3d 08:03:15, localpref 90
          AS path: 4476 I, validation-state: invalid
        > to via lt-0/3/10.65
Testbed Summary
- We implemented the testbed using physical routers and the RPKI local cache server
- Validation states were received for the advertised routes
- A falsified route was injected, and we verified that the route is identified as invalid by the validator
Simulation Goals
- Implement the RIPE RPKI Validator as a network administrator:
  - use the TAL received from the local RIR to fetch route data
  - verify that the validator is reliably stable over long periods and remains online during simulation
- Fetch validated production routes from the validator implemented in the simulator
TAL: Trust Anchor Locator
RIR: Regional Internet Registry
[Figure: Simulation: Network Configuration]
Trust Anchor Locator: TAL
- All the verified routes from ARIN for North America were downloaded by adding the TAL file for ARIN
- ARIN routes as of Aug. 17, 2015:
  - 950 valid routes
  - 1 not found route
  - 0 invalid routes
- In total, 17,432 verified routes were downloaded to the RPKI validator
[Figure: RPKI Validator Web UI: Trust Anchors Page]
[Figure: Validated Production Routes Downloaded to the Router]
Advertisement Results
Using the rpki-loc-pref route-map, each individual state was set and a preference number was assigned to each advertised route:
    route-map rpki-loc-pref permit 10
     match rpki invalid
     set local-preference 90
    !
    route-map rpki-loc-pref permit 20
     match rpki not-found
     set local-preference 100
    !
    route-map rpki-loc-pref permit 30
     match rpki valid
     set local-preference 110
Decision Making
Network administrators may:
- use the local-preference value to help make routing decisions
- accept routes that are unknown or not found
- design rules to handle the validity information via assigned local preferences
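Added example, not part of the original presentation: the three validity states from the Routing Rules slide, computed by route origin validation against a list of validated ROA payloads, followed by the slides' local-preference policy (110/100/90). It goes slightly beyond the slides by including the ROA maximum-length check and longest-prefix forwarding; the prefixes and AS numbers are constructed documentation values, and `drop_invalid` is a hypothetical switch showing that an invalid more-specific route still carries traffic when it is only de-preferenced.

```python
import ipaddress
from dataclasses import dataclass

# Local-preference per validity state, the values used in the slides.
LOCAL_PREF = {"valid": 110, "not-found": 100, "invalid": 90}


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: (prefix, maxLength, origin AS) from the cache validator."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """A received BGP announcement, reduced to what origin validation needs."""
    prefix: str
    origin_asn: int
    peer: str


def validity_state(route, vrps):
    """Classify a route as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route.prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # A match needs the same origin AS and a prefix no longer than maxLength.
        # AS 0 in a VRP means "not to be routed", so it never matches.
        if vrp.asn != 0 and vrp.asn == route.origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def build_rib(routes, vrps, drop_invalid=False):
    """Per prefix, keep the candidate with the highest local-preference.

    Returns {network: (route, state, local_pref)}. With drop_invalid=True,
    invalid routes are rejected instead of being installed at local-pref 90.
    """
    rib = {}
    for route in routes:
        state = validity_state(route, vrps)
        if drop_invalid and state == "invalid":
            continue
        pref = LOCAL_PREF[state]
        net = ipaddress.ip_network(route.prefix)
        if net not in rib or pref > rib[net][2]:
            rib[net] = (route, state, pref)
    return rib


def forward(rib, destination):
    """Longest-prefix match over the installed prefixes; None if no route."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)]


# Constructed sample data: documentation prefixes and documentation AS numbers.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 24, 64496),
]
ROUTES = [
    Route("192.0.2.0/24", 64511, "peer-b"),     # wrong origin, same prefix
    Route("192.0.2.0/24", 64496, "peer-a"),     # authorized origin
    Route("198.51.100.0/24", 64496, "peer-a"),  # authorized origin
    Route("198.51.100.0/25", 64511, "peer-b"),  # unauthorized more-specific
    Route("203.0.113.0/24", 64500, "peer-b"),   # no covering ROA
]

if __name__ == "__main__":
    for drop in (False, True):
        rib = build_rib(ROUTES, VRPS, drop_invalid=drop)
        print(f"drop_invalid={drop}")
        for dst in ("192.0.2.1", "198.51.100.10", "203.0.113.5"):
            route, state, pref = forward(rib, dst)
            print(f"  {dst:15} -> {route.peer} via {route.prefix} "
                  f"({state}, localpref {pref})")
```

Local-preference only ranks candidates for the same prefix, so the invalid /25 above is the sole route for its prefix and wins forwarding unless invalid routes are rejected outright.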
Advertisement Results: valid
- Route was advertised to router R2 (AS 271)
- This original route was advertised by R1 (AS 11105)
- Router R2 identified that the route was valid and a localpref of 110 was set:
Advertisement Results: invalid
- An invalid route was advertised to R1 (AS 11105) from R2 (AS 271)
- Router R1 identified that the route was invalid and a localpref of 90 was set:
Advertisement Results: not found
- A not found route was advertised to R2 (AS 271) from R1 (AS 11105)
- Router R2 identified that the route was not found and a localpref of 100 was set:
Simulation Summary
- Two stand-alone virtual production routers were connected to a VirtualBox Ubuntu router running the RPKI Validator tool
- The validator was connected to the Internet to download the latest route information from RIRs
- The route validity states were downloaded to the router and verified with the advertised route
- Routing decisions may be made based on the state and its localpref value
Conclusion
- RPKI is becoming a widely accepted technology
- It calls for additional participants to validate their routes
- The validation tool is user friendly:
  - easy to implement
  - easily maintained
  - limited resources are required to monitor the system, which automatically updates local data
- The experimental results indicate that RPKI may provide protection against route origin hijacks
More informationAir Force Data Reference Architecture and Platform
Headquarters U.S. Air Force Air Force Data Referece Architecture ad Platform Ms. Jackie Murray 11 Oct 2018 1 AF Data Challeges Large umber of legacy systems with umerous poit-to-poit iterfaces that are
More informationn Explore virtualization concepts n Become familiar with cloud concepts
Chapter Objectives Explore virtualizatio cocepts Become familiar with cloud cocepts Chapter #15: Architecture ad Desig 2 Hypervisor Virtualizatio ad cloud services are becomig commo eterprise tools to
More informationBGP Configuration Automation on Edge Routers
BGP Configuration Automation on Edge Routers System and Network Engineering Msc. Research Project Stella Vouteva & Tarcan Turgut Supervisor: Stavros Konstantaras, NLNetLabs Introduction Big Internet Depletion
More informationInter-domain Routing. Outline. Border Gateway Protocol
Inter-domain Routing Outline Border Gateway Protocol Internet Structure Original idea CS 640 2 Internet Structure Today CS 640 3 Route Propagation in the Internet Autonomous System (AS) corresponds to
More informationData Mining and Machine Learning for Analysis of Network Traffic
Data Miig ad Machie Learig for Aalysis of Network Traffic Ljiljaa Trajković ljilja@cs.sfu.ca Commuicatio Networks Laboratory http://www.esc.sfu.ca/cl School of Egieerig Sciece Simo Fraser Uiversity, Vacouver,
More information9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi
COMP 535 Lecture 6: Routing Security September 3, 2015 Andrew Chi Includes content used with permission by Angelos Keromytis (Columbia), Philip Smith (APNIC), and Steve Kent (BBN) Agenda
More informationTask scenarios Outline. Scenarios in Knowledge Extraction. Proposed Framework for Scenario to Design Diagram Transformation
6-0-0 Kowledge Trasformatio from Task Scearios to View-based Desig Diagrams Nima Dezhkam Kamra Sartipi {dezhka, sartipi}@mcmaster.ca Departmet of Computig ad Software McMaster Uiversity CANADA SEKE 08
More informationBGP Routing Security and Deployment Strategies
Bachelor Informatica Informatica Universiteit van Amsterdam BGP Routing Security and Deployment Strategies Bryan Eikema June 17, 2015 Supervisor(s): Benno Overeinder (NLnet Labs), Stavros Konstantaras
More informationAvid Interplay Bundle
Avid Iterplay Budle Versio 2.5 Cofigurator ReadMe Overview This documet provides a overview of Iterplay Budle v2.5 ad describes how to ru the Iterplay Budle cofiguratio tool. Iterplay Budle v2.5 refers
More informationIMP: Superposer Integrated Morphometrics Package Superposition Tool
IMP: Superposer Itegrated Morphometrics Package Superpositio Tool Programmig by: David Lieber ( 03) Caisius College 200 Mai St. Buffalo, NY 4208 Cocept by: H. David Sheets, Dept. of Physics, Caisius College
More informationNetwork Time Protocol (NTP)
Network Time Protocol (NTP) Quick ad Dirty for AfNOG 2017 (Ayitey Bulley) About NTP Network Time Protocol project http://tp.org NTP is a protocol desiged to sychroize the clocks of computers over a etwork.
More information