Decentralized Internet Resource Trust Infrastructure

Similar documents
Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting


Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

Problem. BGP is a rumour mill.

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

RPKI. Resource Pubic Key Infrastructure

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

IPv4 Run-Out, Trading, and the RPKI

APNIC allocation and policy update. JPNIC OPM July 17, Tokyo, Japan Guangliang Pan

IPv4 Run-Out, Trading, and the RPKI

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

Internet Number Resources

Life After IPv4 Depletion

HD Ratio for IPv4. RIPE 48 May 2004 Amsterdam

Secure Routing with RPKI. APNIC44 Security Workshop

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Deploying RPKI An Intro to the RPKI Infrastructure

BGP Origin Validation

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Misdirection / Hijacking Incidents

IPv6 Allocation and Policy Update. Global IPv6 Summit in China 2007 April 12, 2007 Guangliang Pan

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

RPKI and Internet Routing Security ~ The regional ISP operator view ~

RPKI Trust Anchor. Geoff Huston APNIC

Resource Public Key Infrastructure

Resource Certification

Introducción al RPKI (Resource Public Key Infrastructure)

IPv6 HD Ratio. ARIN Public Policy Meeting April Geoff Huston APNIC

IPv6 HD Ratio. ARIN Public Policy Meeting April Geoff Huston APNIC

An Operational ISP & RIR PKI

IPv6 Address Allocation and Assignment Policy

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

Security in inter-domain routing

News from RIPE and RIPE NCC

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

IPv6 Allocation Policy and Procedure. Global IPv6 Summit in China 2007 April 13, 2007 Gerard Ross and Guangliang Pan

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

RPKI and Routing Security

Madison, Wisconsin 9 September14

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Facilitating Secure Internet Infrastructure

IPv6 Allocation Policy and Procedure. Global IPv6 Summit in China 2007 April 13, 2007 Gerard Ross and Guangliang Pan

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

BGP Origin Validation (RPKI)

The RPKI & Origin Validation

IPv4 depletion & IPv6 deployment in the RIPE NCC service region. Kjell Leknes - June 2010

IPv6, Act Now! Daniel Karrenberg, RIPE NCC Chief Scientist

APNIC RPKI Report. George Michaelson

The RPKI and BGP Origin Validation

Implementing the Global Policy for Post Exhaustion IPv4 Allocation Mechanisms by the IANA

APNIC elearning: Internet Registry Policies. Revision:

Resource Certification

Using Resource Certificates Progress Report on the Trial of Resource Certification

An Operational ISP & RIR PKI

IPv4 Address Report. This report generated at 12-Mar :24 UTC. IANA Unallocated Address Pool Exhaustion: 03-Feb-2011

A Policy Story - IPv4 Transfer. TWNIC OPM 26, Taipei 14 December 2016 George Kuo, Services Director

Internet Kill Switches Demystified

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

APNIC & Internet Address Policy in the Asia Pacific

Introduction to the RIR System. Dr. Nii N. Quaynor

Robust Inter-Domain Routing

An ARIN Update. Susan Hamlin Director of Communications and Member Services

Shifting Sands. PLNOG March Andrzej Wolski Training Department

Feedback from RIPE NCC Registration Services. Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency

The Transition to BGP Security Is the Juice Worth the Squeeze?

Current Policy Topics A World Wide View

Some Lessons Learned from Designing the Resource PKI

APNIC 26 policy update Shifting landscape

Local TA Management. In principle, every RP should be able to locally control the set of TAs that it will employ

RIPE Policy Development & IPv4 / IPv6

IP Address Management The RIR System & IP policy

ARIN Number Resource Policy Manual. Version October 15, 2004

Internet Addressing and the RIR system (part 2)

Whois & Data Accuracy Across the RIRs

IPv6 Addressing Status and Policy Report. Paul Wilson Director General, APNIC

Introduction to The Internet

IPv6 Addressing Status and Policy Report. Paul Wilson Director General, APNIC

IPv6 Deployment and Distribution in the RIPE NCC Service Region. Marco Schmidt IP Resource Analyst Monday, 23 April 2012

Prop-104-v002: Clarifying demonstrated needs requirement in IPv4 transfer policy

Introduction to Networking. Topologies and Definitions. Network Topology and Definitions. Some Icons. Network Topologies. Network Topologies

Networking 101 ISP/IXP Workshops

Internet Corporation for Assigned Names & Numbers - Internet Assigned Numbers Authority Update

ARIN Update. Mark Kosters CTO

Using Resource Certificates Progress Report on the Trial of Resource Certification

APNIC Activity Highlights

Some Thoughts on Integrity in Routing

Introduction to The Internet

The RPKI & Origin Validation

RIPE NCC Introduction. Jochem de Ruig Chief Financial Officer

Overview of Proposals. APNIC 33 Policy SIG Meeting

FIRMS: a Future InteRnet Mapping System

Secure Inter-domain Routing with RPKI

IPv6 Address Allocation Status in AP region and the way forward

Transcription:

Decentralized Internet Resource Trust Infrastructure Bingyang Liu, Fei Yang, Marcelo Bagnulo, Zhiwei Yan, and Qiong Sun Huawei UC3M CNNIC China Telecom 1

Critical Internet Trust Infrastructures are Centralized RPKI DNSSEC PKI IP addresses and ASNs Domain names Identities They all have centralized/hierarchical structures Root nodes often have privilege over sub-trees. Malicious or misconfigured roots can cause problems to sub-trees. This talk is focused on RPKI 1. Resource PKI follows the hierarchy of IP address allocation. IANA, RIRs and NIRs are roots of (sub-)trees 2. Parent node signs a resource certificate (RC) to child for address ownership 3. Address owner signs a route origin authentication (ROA) to map prefixes to ASNs 4. BGP routers rely on ROAs to detect route origin hijack (fake prefix->asn Self-signed RC: I own 10.0.0.0/16 RC: X owns 10.0.1.0/24 X s ROA mapping) 2 Images from here and here

Misbehaving RPKI Authorities Cause Risks to BGP The flipped threat model: BGP route is legitimate while RPKI is at fault. 1. On the Risk of Misbehaving RPKI Authorities [2014 IRTF ANRP] 2. From the Consent of the Routed: Improving the Transparency of the RPKI [SIGCOMM 14] Misbehaving authority can unilaterally takedown descendant s valid routes, by adding or wracking ROAs, by revoking, deleting, overwriting RC/ROA objects. [Mis-add an ROA] Dec 13, 2013: a new ROA was (mis-)added to the production RPKI rooted at ARIN, authorizing prefix 173.251.0.0/17 with maxlength 24 to AS 6128. This caused a large portion of the address space to downgrade from unknown to invalid, including several legitimate /24 routes. [Mis-delete an ROA] Dec 19, 2013, a ROA for (79.139.96.0/24, AS 51813), for a network in Russia, was (mis-)deleted from the production RPKI. Meanwhile, since at least November 21, the RPKI also had a covering ROA mapping 79.139.96.0/19-20 to another Russian ISP, AS 43782. The covering ROA caused the route corresponding to the whacked ROA to downgrade from valid to invalid. Root cause is an entity does not independently owns its address space. Instead, its parent or ancestor have privilege to manage its RC and ROA. 3

Design Goals Top Goals: Organization (ISP, CP, enterprise) independently owns its resources. The validity of resource ownership and mapping only depends on the owner itself, instead of any third party. Other goals: Prevent address exhaustion Enforce prefix aggregation Enforce organization-level traceability and admission control We will deal with IPv6 address allocation, and IPv6/IPv4 address transferring. 4

System Design (1): Address Ownership Eligible organizations run a decentralized ledger for consistent prefix ownership and prefix-to-asn mapping Smart contract is used to ensure unique and aggregated prefix allocation 1. ISP B sends a request for a IPv6 /32 prefix and pays annual fee in the transaction. 2. Smart contract calculates a continuous prefix for B from available address pool and writes the transaction into ledger. 3. If B doesn t renew the prefix before it expires, smart contract will be triggered and the prefix is returned back to the pool ISP A CP C ISP B 1. B: I need a IPv6 /32 for 1 year. Univ. D 2. Other nodes: the best prefix for you is 2001:da8::/32, written into ledger. 5

System Design (2): Prefix-to-AS Mapping (ROA) 1. Address owner initiates an ROA as a transaction 2. Smart contract verifies the address ownership, and writes it into ledger ISP A CP C ISP B 1.B: I authorize AS 3 to originate 2001:da8::/32 Univ. D 3. Relying parties get updated ROAs from the ledger, and sync to BGP routers, which then verify BGP routes 2. Other nodes: verify B is the owner of 2001:da8::/32 and write ROA into ledger. 3. ROAs are synced to RPs and then to routers 6

System Design (3): Prevent Address Exhaustion End-sites can get smaller address space, e.g., /48. ISPs can get a new /32 if its host density ratio (RFC4692) is over the threshold HD-ratio = log(#_assigned_/56) / log(#_allocated_/56) Assignment of PA addresses is also logged in ledger Smart contract can then calculate HD-ratio before agreeing on the /32 allocation ISP A CP C ISP B 1. B: I need a IPv6 /32 for 1 year. Univ. D Today, RIR annual fee for /32 is $1000 ~ $2500, and /48 is $100 ~ $800 (more expensive per /56). If $2000 annual fee is applied to a /32: $2000 * 2 32 = $8*10 12 ~ 10.5% world GDP, making exhaustion attack impractical Although not entire address space is unicast, longer prefixes are more expensive and /32 requires HD-ratio, the cost still efficiently prevents exhaustion attack Money can be given to miners and IETF? 2. Other nodes: verify HD-ratio, and calculate the best prefix for you is 2001:da8::/32, written into ledger. Address Pool Apply ISP Assign (PA address) End Site 7

System Design (4): Prefix Aggregation An entity cannot decide which prefixes it gets. Instead, it can only request the size of address space, and smart contract will calculate the best prefix for it Best is in the sense of prefix aggregation Smart contract runs sparse delegation algorithm used by RIRs. It allows address owner to grow, and avoids fragmentation Sparse address for the new user. Adjacent address for the same user. ISP A CP C ISP B Univ. D 8

System Design (5): Admission Control For purposes of security and traceability, only organizations authorized by RIRs, NIRs or LIRs are eligible to the ledger Identity information is registered for accountability and traceability (like WHOIS) ISP A CP C ISP B Univ. D So we use permissioned ledger. Only entities whose identities are endorsed by IRs are permitted. AFRINIC APNIC ARIN LACNIC RIPE NCC Unlike today, XIRs are only endorsers. They do not own or control resources. RIRs & NIRs are equal and independent CNNIC JPNIC Other IRs 9

Open Question Interdependency between BlockChain and BGP The decentralized ledger is a P2P network built upon underlying routing (BGP) It is still an open chicken-egg problem. Actually, RPKI has the same problem Consensus algorithm We are implementing a permissioned Ethereum, which supports POW and POS. However, eventually we may need a best algorithm for our application. SCP? How to get started Request for an unsinged /20 IPv6 address space to do experiment, so that the solution will not have conflict with RPKI. After real-world experiments, the address should be kept as ordinary address 10

Thanks, and welcome to join in us! liubingyang@huawei.com 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback