Misdirection / Hijacking Incidents

Similar documents
Secure Routing with RPKI. APNIC44 Security Workshop

Deploying RPKI An Intro to the RPKI Infrastructure

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Secure Inter-domain Routing with RPKI

BGP Origin Validation

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

RPKI. Resource Pubic Key Infrastructure

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

Problem. BGP is a rumour mill.

Life After IPv4 Depletion

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO


APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

Resource Public Key Infrastructure

Robust Inter-Domain Routing

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

The RPKI & Origin Validation

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Security in inter-domain routing

RPKI and Internet Routing Security ~ The regional ISP operator view ~

BGP Origin Validation (RPKI)

Introducción al RPKI (Resource Public Key Infrastructure)

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Resource Certification

RPKI and Routing Security

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Resource Certification

RPKI-Based Origin Validation Lab RPKI Lab Creative Commons: Attribution & Share Alike

The RPKI and BGP Origin Validation

Decentralized Internet Resource Trust Infrastructure

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

The RPKI & Origin Validation

Just give me a button!

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Some Lessons Learned from Designing the Resource PKI

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

RPKI Trust Anchor. Geoff Huston APNIC

Some Thoughts on Integrity in Routing

BGP Configuration Automation on Edge Routers

An ARIN Update. Susan Hamlin Director of Communications and Member Services

A Policy Story - IPv4 Transfer. TWNIC OPM 26, Taipei 14 December 2016 George Kuo, Services Director

Internet Engineering Task Force (IETF) Category: Informational ISSN: September 2017

APNIC Update TWNIC OPM 1 JUL George Kuo Manager, Member Services, APNIC

APNIC RPKI Report. George Michaelson

APNIC Trial of Certification of IP Addresses and ASes

BGP Route Hijacking - What Can Be Done Today?

Collective responsibility for security and resilience of the global routing system

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

APNIC Update. 20 May Paul Wilson. Revision:

Lessons learned running an RPKI service

APNIC Trial of Certification of IP Addresses and ASes

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

BGP Routing Security and Deployment Strategies

APNIC Activity Highlights

Securing the Internet at the Exchange Point Fernando M. V. Ramos

An introduction to BGP security

BGP security. 19 april 2018 Copenhagen

Methods for Detection and Mitigation of BGP Route Leaks

Requirements for Resource Public Key Infrastructure (RPKI) Relying Parties (draft-madi-sidrops-rp-00) Di Ma & Stephen Kent.

Facilitating Secure Internet Infrastructure

RPKI MIRO & RTRlib. Andreas Reuter, Matthias Wählisch Freie Universität Berlin

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

Shifting Sands. PLNOG March Andrzej Wolski Training Department

Routing Security Workshop Internet Routing Registries

Routing Security. Training Course

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

Route Security for Inter-domain Routing

Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

Attacks on routing: IP hijacks

Auto-Detecting Hijacked Prefixes?

Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

APNIC Update. RIPE 60 May Geoff Huston Chief Scientist, APNIC

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

MANRS Mutually Agreed Norms for Routing Security

Routing Security We can do better!

Resource Certification A Public Key Infrastructure for IP Addresses and AS's

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

Measuring RPKI Route Origin Validation in the Wild

Mutually Agreed Norms for Routing Security NAME

Internet Kill Switches Demystified

RPKI Workshop Routing Lab

Intended status: Informational Expires: July 18, 2017 January 14, 2017

IPv4 Run-Out, Trading, and the RPKI

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency

Madison, Wisconsin 9 September14

NIR February JPNIC Updates. Hiroki Kawabata Japan Network Information Center (JPNIC) Copyright 2016 Japan Network Information Center

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

RPKI in practice. Sebastian Wiesinger DE-CIX Technical Meeting June 2017

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Collective responsibility for security and resilience of the global routing system

The Transition to BGP Security Is the Juice Worth the Squeeze?

Transcription:

Security Tutorial @ TWNOG SECURE ROUTING WITH RPKI 1 Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services downed Occurred 5 Nov 2012 (for 30 minutes) Moratel Indonesia (AS23947) How frequent do these hijacking incidents happen? 1

Cyber Criminals exploiting the vulnerability BGP Hijacking for Cryptocurrency Profit (2014) http://www.secureworks.com/cyber-threat-intelligence/threats/bgphijacking-for-cryptocurrency-profit/ Spamhaus DDoS Attack (2013) http://www.bgpmon.net/looking-at-the-spamhouse-ddos-from-a-bgpperspective/ Detecting BGP Attacks in 2014 https://pacsec.jp/psj14/psj2014_guillaum_presentation.pdf How we address this A network should only originate his own prefix How do we verify & avoid false advertisement? A provider should filter prefixes they propagate from customers Transitive trust; BGP is a trust-based system Check the legitimacy of address (LoA) Passive Countermeasure Strict filter on Interconnection BGP router can filter in UPDATE Messages Useful filtering can be done by upstream provider Automate Filter Maintenance Use the Route Object 4 2

Current practice Receive request LOA check Create associate prefix / AS filter Tools and techniques LOA check RPKI Manual Automated 3

Technology and learning curve RPSL RPSLng RPKI June 1999 March 2005 January 2013 What is RPKI? RPKI resource public key infrastructure 8 4

What is RPKI? A robust security framework for verifying the association between resource holder and Internet resource Helps to secure Internet routing by validating routes What does it solve? Prevents route hijacking A prefix originated by an AS without authorization due to malicious intent Prevents mis-origination A prefix that is mistakenly originated by an AS which does not own it Also route leakage due to configuration mistake or fat finger 5

How does it work? Is this AS number (ASN) authorized to announce this IP address range? 11 RPKI implementation Origin validation Hosted CA Delegated CA *upgrade at least ASBRs to RPKI capable code 6

RPKI Origin Validation 2406:6400::/48 65551 65550 65549 VALID 2406:6400::/48 65551 65550 65548 INVALID 65551 65550 65549 ü I have 2406:6400::/48 65548 I have 2406:6400::/48 û 13 RPKI Path Validation ü ü ü 2406:6400::/48 65551 65550 65549 Check and verify the complete path (BGPSEC) 14 7

Main Components Certificate Authority (CA) Internet registries (RIR, NIR, LIR) Issues certificates to members (delegates with resources) Allows address holders to use the CA system to issue ROAs for their prefixes Relying Party (RP) Software that gathers data from the CA Issuing Party Internet Registries (RIR, NIR, Large LIRs) Acts as a Certificate Authority and issues certificates to members with resources Often provides a web interface to issue ROAs for customer prefixes Publishes the ROA records into a repository APNIC RPKI Engine publication Repositor y rpki.apnic.net MyAPNIC GUI 8

Relying Party IANA Repo Future setup LIR Repo APNIC Repo rpki.apnic.net LIR Repo RIPE Repo rpki.ripe.net RP Cache (gather) Validate d Cache RPKI-Rtr Protocol Software which gathers data from CAs Also called RP cache or validator 17 RPKI Building Blocks 1.PKI and Trust anchors 2.Route Origin Authorizations (ROA) 3.RPKI Validators 9

X.509 Certificate with 3779 Extension X.509 Certificate RFC 3779 Extension SIA Owner's Public Key Resource certificates are based on the X.509 v3 certificate format defined in RFC 5280 Extended by RFC 3779 binds a list of resources (IP, ASN) to the subject of the certificate SIA Subject Information Access; contains a URI that references the directory Trust Anchors 20 10

Route Origin Authorization (ROA) A signed digital object that contains a list of address prefixes and one AS number It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements Prefix originated 203.176.189.0 Maximum prefix length /24 Origin ASN AS17821 ROA is valid if a valid certificate which signs it has the prefix in its RFC 3779 extension Adding ROA Records 11

RPKI Validation RPKI-capable routers can fetch the validated ROA dataset from a validated cache VALID INVALID NOT FOUND / UNKNOWN Indicates that the prefix and ASN pair has been found in the database Indicates that the prefix is found, but ASN received did not match, or the prefix length is longer than the maximum length Indicates that the prefix does not match any in the database RPKI Adoption at the RIRs http://rpki.surfnet.nl/perrir.html 12

Ready to ROA Campaign The Goal Get APNIC members to create ROAs for their resources in MYAPNIC Portal Ready to ROA Campaign The Plan ROA Sessions at NOGs Members Meeting & Consultation Ready to ROA ambassadors to promote the campaign & awareness in specific economies Recent Activities First campaign in SANOG in January 2015 More ROA sessions conducted in 2016 www.apnic.net/roa 26 13

RFCs RFC 6480: Resource Public Key Infrastructure RFC 3779: Extensions for IP addresses and ASNs https://www.apnic.net/roa 28 14

Stay in Touch! blog.apnic.net apnic.net/social 29 30 15

Thank You! END OF SESSION 31 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback