The RPKI and BGP Origin Validation

Similar documents
The RPKI & Origin Validation

The RPKI & Origin Validation

RPKI-Based Origin Validation, Routers, & Caches

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

BGP Origin Validation

Idealized BGPsec: Formally Verifiable BGP

Idealized BGPsec: Formally Verifiable BGP

Idealized BGPsec: Formally Verifiable BGP

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

RPKI. Resource Pubic Key Infrastructure


RPKI-Based Origin Validation Lab RPKI Lab Creative Commons: Attribution & Share Alike

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

Introducción al RPKI (Resource Public Key Infrastructure)

Resource Public Key Infrastructure

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

An Operational ISP & RIR PKI

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Secure Routing with RPKI. APNIC44 Security Workshop

Deploying RPKI An Intro to the RPKI Infrastructure

RPKI Workshop Routing Lab

Route Security for Inter-domain Routing

Misdirection / Hijacking Incidents

An Operational ISP & RIR PKI

Using Resource Certificates Progress Report on the Trial of Resource Certification

Security in inter-domain routing

IPv4 Run-Out, Trading, and the RPKI

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

IPv4 Run-Out, Trading, and the RPKI

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

RPKI and Routing Security

Problem. BGP is a rumour mill.

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

Using Resource Certificates Progress Report on the Trial of Resource Certification

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

Internet Engineering Task Force (IETF) BCP: 185 January 2014 Category: Best Current Practice ISSN:

Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

Robust Inter-Domain Routing

32-bit ASNs. Philip Smith. AfNOG rd April 1st May Abuja, Nigeria

Decentralized Internet Resource Trust Infrastructure

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

RPKI Trust Anchor. Geoff Huston APNIC

Resource Certification

BGP Origin Validation (RPKI)

Internet Engineering Task Force (IETF) ISSN: September The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1

Internet Engineering Task Force (IETF) Category: Informational. D. Ward Cisco Systems August 2014

Some Lessons Learned from Designing the Resource PKI

BORDER GATEWAY PROTOCOL (BGP) SECURITY. Nurudeen K. Abdulsalam. Supervisor: Dr. Olaf Maennel

Internet Engineering Task Force (IETF) Category: Informational ISSN: September 2017

Securing BGP. Geoff Huston November 2007

Some Thoughts on Integrity in Routing

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

IETF Activities Update

Adventures in RPKI (non) deployment. Wes George

Life After IPv4 Depletion

32-bit ASNs. Greg Hankins Chris Malayter APRICOT 2009 APRICOT /02/25

32-bit ASNs. Philip Smith. MENOG 5, Beirut, 29th October 2009

Narten Thomas ARIN

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

Routing Security. Training Course

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. BBN September 2017

IPv4/IPv6 BGP Routing Workshop. Organized by:

Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

APNIC Trial of Certification of IP Addresses and ASes

Internet Engineering Task Force (IETF) Category: Standards Track. January The Resource Public Key Infrastructure (RPKI) to Router Protocol

Intended status: Informational Expires: July 18, 2017 January 14, 2017

Attacks on routing: IP hijacks

BGP Routing Security and Deployment Strategies

TDC 375 Network Protocols TDC 563 P&T for Data Networks

BGP Configuration Automation on Edge Routers

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

IETF Activities Update

IETF Activities Update

Methods for Detection and Mitigation of BGP Route Leaks

Resource Certification

Resource Certification A Public Key Infrastructure for IP Addresses and AS's

RPKI MIRO & RTRlib. Andreas Reuter, Matthias Wählisch Freie Universität Berlin

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

APNIC RPKI Report. George Michaelson

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

Madison, Wisconsin 9 September14

Measuring RPKI Route Origin Validation in the Wild

Secure Inter-domain Routing with RPKI

Securing Routing Information

Expiration Date: July RGnet Tony Li Juniper Networks Yakov Rekhter. cisco Systems

Transcription:

The RPKI and BGP Origin Validation APRICOT / New Delhi 2012.02.27 Randy Bush <randy@psg.com> Rob Austein <sra@isc.org> Steve Bellovin <smb@cs.columbia.edu> And a cast of thousands! Well, dozens :) 2012.02.27 APRICOT RtgSec 1

Why Origin Validation? Prevent YouTube accident Prevent 7007 accident, UU/Sprint 2 days! Prevents most accidental announcements Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack That requires Path Validation and locking the data plane to the control plane, the third step, a few years away 2012.02.27 APRICOT RtgSec 2

Prefix Has Origin AS BGP routing table entry for 98.128.1.0/24 Paths: (32 available, best #21, table Default-IP-Routing-Table) 1221 4637 3561 2914 4128 The AS-Path Origin AS 2012.02.27 APRICOT RtgSec 3

Three Pieces RPKI Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year) Origin Validation Using the RPKI to detect and prevent mis-originations of someone else s prefixes (early 2012) AS-Path Validation AKA BGPsec Prevent Attacks on BGP (future work) 2012.02.27 APRICOT RtgSec 4

Resource Public Key Infrastructure (RPKI) 2012.02.27 APRICOT RtgSec 5

X.509 RPKI Being Developed & Deployed by IANA, RIRs, and Operators 2012.02.27 APRICOT RtgSec 6

Private/Public Keys Stolen from - http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html 2012.02.27 APRICOT RtgSec 7

En/DeCryption 2012.02.27 APRICOT RtgSec 8

Digital Signature 2012.02.27 APRICOT RtgSec 9

X.509 Certificate w/ 3779 Ext X.509 Cert CA Signed by Parent s RFC 3779 Extension Describes IP Resources (Addr & ASN) Private Key SIA URI for where this Publishes Owner s Public Key 2012.02.27 APRICOT RtgSec 10

Certificate Hierarchy follows Allocation Hierarchy Cert/ISC Cert/ARIN 98.128.0.0/16 Public Key SIA Cert/RGnet 98.128.0.0/20 98.128.16.0/20 98.128.32.0/19 CA CA CA CA Cert/PSGnet Public Key Public Key Public Key Cert/Randy CA Cert/Rob CA 98.128.16.0/24 98.128.17.0/24 Public Key Public Key 2012.02.27 APRICOT RtgSec 11

That s Who Owns It but Who May Route It? 2012.02.27 APRICOT RtgSec 12

Route Origin Authorization (ROA) Owning Cert CA 98.128.0.0/16 147.28.0.0/16 Public Key EE Cert 98.128.0.0/16 Public Key End Entity Cert can not sign certs. can sign other things e.g. ROAs ROA 98.128.0.0/16 This is not a Cert It is a signed blob AS 42 2012.02.27 APRICOT RtgSec 13

Multiple ROAs Make Before Break Owning Cert CA EE Cert 98.128.0.0/16 147.28.0.0/16 EE Cert 98.128.0.0/16 Public Key 98.128.0.0/16 Public Key Public Key ROA 98.128.0.0/16 AS 42 I Plan to Switch Providers ROA 98.128.0.0/16 AS 3130 2012.02.27 APRICOT RtgSec 14

IANA CA 0/0 Public Key ARIN CA 98.0.0.0/8 Public Key PSGnet CA 98.128.0.0/16 Public Key EE Cert 98.128.0.0/16 ROA Aggregation Using Max Length Public Key ROA 98.128.0.0/16-24 AS 3130 2011.11.09 RPKI Origin 15

RPKI-Based Origin Validation 2012.02.27 APRICOT RtgSec 16

Up / Down to Parent GUI RPKI Certificate Engine Publication Protocol Resource PKI IP Resource Certs ASN Resource Certs Route Origin Attestations Up / Down to Child 2012.02.27 APRICOT RtgSec 17

Warning What ROA Will Do 2012.02.27 APRICOT RtgSec 18

Issuing Parties GUI IANA Publication Protocol Resource PKI Please Issue My Cert Up/ Down Cert Issuance GUI APNIC Publication Protocol Resource PKI Please Issue My Cert Up/ Down Cert Issuance GUI IIJ Publication Protocol Resource PKI Please Issue My Cert Up/ Down Cert Issuance 2012.02.27 APRICOT RtgSec 19

Issuing Parties GUI IANA Publication Protocol Resource PKI Up Down SIA Pointers GUI APNIC Publication Protocol Resource PKI Up Down SIA Pointers GUI IIJ Publication Protocol Resource PKI 2012.02.27 APRICOT RtgSec 20

Issuing Parties Relying Parties GUI IANA Publication Protocol Trust Anchor Resource PKI RCynic Gatherer Pseudo IRR route: 147.28.0.0/16! descr: 147.28.0.0/16-16! origin: AS3130! notify: irr-hack@rpki.net! mnt-by: MAINT-RPKI! changed: irr-hack@rpki.net 20110606! source: RPKI! GUI Up Down APNIC Publication Protocol SIA Pointers Resource PKI Validated Cache NOC Tools GUI Up Down IIJ Publication Protocol SIA Pointers Resource PKI BGP Decision Process 2012.02.27 APRICOT RtgSec 21

Extremely Large ISP Deployment Global RPKI Caches Feed Caches Asia Cache NoAm Cache Euro Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache in-pop Cache Cust Facing Cust Facing Cust Facing Cust Facing Cust Facing High Priority 2012.02.27 APRICOT RtgSec Lower Priority 22

How Do ROAs Affect BGP Updates? 2012.02.27 APRICOT RtgSec 23

Trust Anchor In PoP GUI IANA Publication Protocol Resource PKI Up Down SIA Pointers RCynic Gatherer GUI APNIC Up Down Publication Protocol Resource PKI SIA Pointers Validated Cache GUI IIJ Publication Protocol Resource PKI RPKI to Rtr Protocol BGP Decision Process In NOC 2012.02.27 APRICOT RtgSec 24

IPv4 Prefix 0 8 16 24 31.-------------------------------------------. Protocol PDU Version Type reserved = zero 0 4 +-------------------------------------------+ Length=20 +-------------------------------------------+ Prefix Max Flags Length Length zero 0..32 0..32 +-------------------------------------------+ IPv4 prefix +-------------------------------------------+ Autonomous System Number `-------------------------------------------' 2012.02.27 APRICOT RtgSec 25

IPv6 Prefix 0 8 16 24 31.-------------------------------------------. Protocol PDU Version Type reserved = zero 0 6 +-------------------------------------------+ Length=40 +-------------------------------------------+ Prefix Max Flags Length Length zero 0..128 0..128 +-------------------------------------------+ +--- ---+ +--- IPv6 prefix ---+ +--- ---+ +-------------------------------------------+ Autonomous System Number `-------------------------------------------' 2012.02.27 APRICOT RtgSec 26

BGP Updates are compared with ROAs loaded from the RPKI 2012.02.27 APRICOT RtgSec 27

Marking BGP Updates BGP Peer BGP Data BGP Updates Valid mark Invalid RPKI Cache RPKI-Rtr Protocol RPKI ROAs NotFound 2012.02.27 APRICOT RtgSec 28

Result of Check Valid A matching/covering ROA was found with a matching AS number Invalid A matching or covering ROA was found, but AS number did not match, and there was no valid one Not Found No matching or covering ROA was found, same as today 2012.02.27 APRICOT RtgSec 29

Configure Router to Get ROAs router bgp 3130 bgp rpki server tcp 198.180.150.1 port 42420 refresh 3600 bgp rpki server tcp 147.28.0.35 port 93920 refresh 3600 2012.02.27 APRICOT RtgSec 30

Valid! r0.sea#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24, version 3043542 Paths: (3 available, best #1, table default) 6939 27318 206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid 2914 4459 27318 199.238.113.9 from 199.238.113.9 (129.250.0.19) Origin IGP, metric 43, localpref 100, valid, external Community: 2914:410 2914:1005 2914:3000 3130:380 path 09AF35CC RPKI State valid 2012.02.27 APRICOT RtgSec 31

Invalid! r0.sea#show bgp 198.180.150.0 BGP routing table entry for 198.180.150.0/24, version 2546236 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 8 Refresh Epoch 1 1239 3927 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid 2012.02.27 APRICOT RtgSec 32

NotFound r0.sea#show bgp 64.9.224.0 BGP routing table entry for 64.9.224.0/20, version 35201 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 Refresh Epoch 1 1239 3356 36492 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 4, localpref 100, valid, internal Community: 3130:370 path 11861AA4 RPKI State not found 2012.02.27 APRICOT RtgSec 33

What are the BGP / ROA Matching Rules? 2012.02.27 APRICOT RtgSec 34

A Prefix is Covered by a ROA when the ROA prefix length is less than or equal to the Route prefix length BGP 98.128.0.0/16 ROA ROA 98.128.0.0/12-16 98.128.0.0/16-24 Covers Covers ROA 98.128.0.0/20-24 No. It s Longer 2012.02.27 APRICOT RtgSec 35

Prefix is Matched by a ROA when the Prefix is Covered by that ROA, prefix length is less than or equal to the ROA max-len, and the Route Origin AS is equal to the ROA s AS BGP 98.128.0.0/16 AS 42 ROA ROA ROA 98.128.0.0/12-16 AS 42 98.128.0.0/16-24 AS 666 98.128.0.0/20-24 AS 42 Matched No. AS Mismatch No. ROA Longer 2012.02.27 APRICOT RtgSec 36

Matching and Validity ROA0 98.128.0.0/16-24 AS 6 ROA1 98.128.0.0/16-20 AS 42 BGP 98.128.0.0/12 AS 42 NotFound, shorter than ROAs BGP 98.128.0.0/16 AS 42 Valid, Matches ROA1 BGP 98.128.0.0/20 AS 42 Valid, Matches ROA1 BGP 98.128.0.0/24 AS 42 Invalid, longer than ROAs BGP 98.128.0.0/24 AS 6 Valid, Matches ROA0 2012.02.27 APRICOT RtgSec 37

The Operator Tests and then Sets Local Policy 2012.02.27 APRICOT RtgSec 38

Fairly Secure route-map validity-0 match rpki valid set local-preference 100 route-map validity-1 match rpki not-found set local-preference 50! invalid is dropped 2012.02.27 APRICOT RtgSec 39

Paranoid route-map validity-0 match rpki valid set local-preference 110! everything else dropped 2012.02.27 APRICOT RtgSec 40

After AS-Path route-map validity-0 match rpki not-found set metric 100 route-map validity-1 match rpki invalid set metric 150 route-map validity-2 set metric 50 2012.02.27 APRICOT RtgSec 41

Allocation in Reality /16 Assignment from RIR My Infrastructure BGP Cust Static (non BGP) Cust Unused 2012.02.27 APRICOT RtgSec 42

ROA Use My Aggregate ROA Customer ROAs I Generate for Lazy Customer My Infrastructure BGP Cust Static (non BGP) Cust Unused 2012.02.27 APRICOT RtgSec 43

Covering a Customer I Issue a ROA for the Covering Prefix I need to do this to protect Static Customers and my Infrastructure My Infrastructure BGP Cust Static (non BGP) Cust Unused 2012.02.27 APRICOT RtgSec 44

Covering a Customer But if I Issue a ROA for the Covering Prefix Before My Customers issue ROAs for These My Infrastructure BGP Cust Static (non BGP) Cust Unused 2012.02.27 APRICOT RtgSec 45

Covering a Customer If I Issue a ROA for the Covering Prefix Before My Customers issue ROAs for These Their Routing Becomes Invalid! My Infrastructure BGP Cust Static (non BGP) Cust Unused 2012.02.27 APRICOT RtgSec 46

Up-Chain IANA 0/0 CA Expiration Public Key ARIN CA 98.0.0.0/8 These are not Identity Certs Public Key RGnet 98.128.0.0/16 Public Key PSGnet CA CA Sloppy Admin Cert Soon to Expire! 98.128.0.0/17 So Who You Gonna Call? 2012.02.27 APRICOT RtgSec Public Key EE Cert 98.128.0.0/17 Public Key ROA 98.128.0.0/1724 AS 3130 So My ROA will become Invalid! 47

ROA Invalid but I Can Route The ROA will become Invalid My announcement will just become NotFound, not Invalid Unless my upstream has a ROA for the covering prefix, which is likely 2012.02.27 APRICOT RtgSec 48

So Who You Gonna Call? 2012.02.27 APRICOT RtgSec 49

Ghostbusters! IANA 0/0 CA Public Key ARIN CA 98.0.0.0/8 Public Key RGnet 98.128.0.0/16 CA Ghostbusters Record Public Key CA PSGnet 98.128.0.0/17 Public Key EE Cert 98.128.0.0/17 Public Key ROA BEGIN:vCard VERSION:3.0 FN:Human's Name N:Name;Human's;Ms.;Dr.;OCD;ADD ORG:Organizational Entity ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A. TEL;TYPE=VOICE,MSG,WORK: +1-666-555-1212 TEL;TYPE=FAX,WORK:+1-666-555-1213 EMAIL;TYPE=INTERNET:human@example. com END:vCard draft-ietf-sidr-ghostbusters 98.128.0.0/17-24 2012.02.27 APRICOT RtgSec AS 3130 50

But in the End, You Control Your Policy Announcements with Invalid origins SHOULD NOT be used, but MAY be used to meet special operational needs. -- draft-ietf-sidr-origin-ops But if I do not reject Invalid, what is all this for? 2012.02.27 APRICOT RtgSec 51

Open Source (BSD Lisc) Running Code https://rpki.net/ Test Code in Routers Talk to C & J 2012.02.27 APRICOT RtgSec 52

Vendor Code Cisco IOS and XR test code have Origin Validation now, shipping some code now Juniper has test code now, ship 2Q2012 Work continues daily in test routers Compute load much less than ACLs from IRR data, 10µsec per update! 2012.02.27 APRICOT RtgSec 53

BGPsec AS-Path Validation Future Work 2012.02.27 APRICOT RtgSec 54

Origin Validation is Weak RPKI-Based Origin Validation only stops accidental misconfiguration, which is very useful. But... A malicious router may announce as any AS, i.e. forge the ROAed origin AS. This would pass ROA Validation as in draft-ietf-sidr-pfx-validate. 2012.02.27 APRICOT RtgSec 55

Full Path Validation Rigorous per-prefix AS path validation is the goal Protect against origin forgery and AS- Path monkey in the middle attacks Not merely showing that a received AS path is not impossible 2012.02.27 APRICOT RtgSec 56

Forward Path Signing AS hop N signing (among other things) that it is sending the announcement to AS hop N+1 by AS number, is believed to be fundamental to protecting against monkey in the middle attacks 2012.02.27 APRICOT RtgSec 57

Forward Path Signing NLRI AS0 ^RtrCert AS1 Hash Signed by Router Key AS0.rtr-xx Sig0 AS1 ^RtrCert AS2 Hash Signed by Router Key AS1-rtr-yy Sig1 Signed Forward Reference 2012.02.27 APRICOT RtgSec 58

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback