Routing Security Roadmap


Routing Security Roadmap
Job Snijders, NTT Communications
job@ntt.net

This presentation contains projections and other forward-looking statements regarding future events or our future routing performance. All statements other than present and historical facts and conditions contained in this release, including any statements regarding our future results of operations and routing positions, business strategy, plans and our objectives for future operations, are forward-looking statements (within the meaning of the Private Securities Litigation Reform Act of 1995, Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended). These statements are only predictions and reflect our

Why are we doing any of this?
- Creating filters based on public data forces malicious actors to leave a trail in IRR, WHOIS or other data sources: auditability
- Bugs happen! Your router may suddenly ignore parts of your configuration; you'll then rely on your EBGP peer's filters
- Everyone makes mistakes: a typo is easily made

Average view on routing security

Perception: it is hopeless, too many holes

Exhaustive list of issues in the current ecosystem
- IRRdb / database inaccuracy (stale, autopiloted, non-validated)
- IXPs not filtering
- Lack of Path Validation
- Lack of sufficient and good enough software

IRR: what is broken, what can be fixed?
- Some IRRdbs do not perform validation
- Meaning that virtually anyone can create virtually any route/route6 object and sneak those into the prefix-filters
- Eleven relevant IRRs not validating: RIPE, NTTCOM, RADB, ALTDB, ARIN IRR, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE
- Two solutions:
  - Lock the database down (RIPE / RIPE-NONAUTH)
  - Filter on the mirror level

RIPE NWI-5 proposal & implementation
- RIPE NCC's IRR previously allowed anyone to register any non-RIPE-managed space if it had not yet been registered. *DANGER*
- The RPSL password & maintainer was used for this
- Three steps were taken:
  - Cannot register non-RIPE-managed space any more
  - All non-RIPE space moved to separate RIPE-NONAUTH database
  - Route/route6 ASN authorization rules have been improved
- More info: https://www.ripe.net/manage-ips-and-asns/db/impact-analysis-for-nwi-5-implementation

OK, so current status
- Ten relevant IRRs not validating: NTTCOM, RADB, ALTDB, ARIN IRR, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE
- Done: RIPE

ARIN community also recognized this is an issue
- Consultation at NANOG and through ARIN-Consult mailing list
- https://www.arin.net/vault/resources/routing/2018_roadmap.html
- https://teamarin.net/2018/07/12/the-path-forward/
- Improve, or kill it

OK, so current status
- Nine relevant IRRs not validating: NTTCOM, RADB, ALTDB, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE
- Done: RIPE, ARIN IRR
- How to deal with the remaining nine? Not all of these are so easily communicated with, not all are really actively managed

The IRR system access
- The IRR is accessed through predominantly two gateways:
  - whois.radb.net (the bgpq3 and peval default)
  - rr.ntt.net
- All mirroring is essentially done with one software: IRRd
- Solution: Let's use the hegemonic duopoly for good!

Improving security at the aggregator?
[Diagram. Data sources: RIPE, NTTCOM, RADB, APNIC. IRR aggregators: whois.radb.net, rr.ntt.net. Clients: bgpq3.]

Proposal: Let RPKI drown out conflicting IRR
- RPKI can be used for BGP Origin Validation, but also for other things!
- An RPKI ROA is sort of a route-object: it has a prefix, origin and source (the root)
- We can use RPKI ROAs for provisioning BGP prefix-filters
- Extend IRRd so that when IRR information is in direct conflict with an RPKI ROA, the conflicting information is suppressed (GitHub)

RPKI filter at the aggregators
[Diagram. Data sources: RIPE, NTTCOM, RADB, APNIC. IRR aggregators: whois.radb.net, rr.ntt.net. Clients: bgpq3.]

RPKI suppressing conflicting IRR: advantages
- Industry-wide common method to get rid of stale proxy route objects: by creating a ROA you hide old garbage in IRRs
- By creating a ROA you will significantly decrease the chances of people being able to use IRR to hijack your resource

OK, so current status
- IRRs not validating: no longer relevant
- Done: RIPE, ARIN IRR, NTTCOM, RADB, ALTDB, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE
- NTT & Dashcare have started a full rewrite of IRRd to make this possible: https://github.com/irrdnet/irrd4

Filtering at IXPs is hard
- Many IXPs have come to realize their responsibilities to the Internet ecosystem and the commercial benefits of a more secure product.
- http://peering.exposed/ 9 out of top 10 IXPs are filtering, tenth will later this year. IX.br making good progress
- IXP filtering has become much easier, there are multiple fully featured configuration generators:
  - https://www.ixpmanager.org/
  - http://arouteserver.readthedocs.io/
- BIRD's hegemony in the route server software is being challenged: OpenBGPD is funded to be able to compete

Route servers must begin dropping RPKI Invalids
- Route servers by definition provide partial Internet tables
- No guarantees whatsoever that a given route will be available via RS
- When a route server drops a prefix, worst case scenario is rerouting, not an outage.
[Diagram: ISP, Network A, Internet Exchange, Network B]

Not everyone needs to do RPKI
- Because of the centralization of the web, if a select few companies deploy RPKI Origin Validation, millions of people benefit (google, cloudflare, amazon, pch/quad9, facebook, akamai, fastly, liberty global, comcast, etc.)
- I think only 20 companies or so need to do Origin Validation for there to be big benefits
- https://dyn.com/blog/bgp-dns-hijacks-target-payment-systems/

RPKI Origin Validation is useless without Path Validation aka BGPSEC
- The lack of path validation can be resolved through two methods:
  - Densely peer with each other (Example: Google & Akamai have 126+ facilities in common with each other)
  - An AS_PATH blocking mechanism like peerlock
- Both effectively are path validation for 1 hop
- Perhaps 1 hop already is good enough :-)

There is no healthy software ecosystem
- RIPE NCC Validator v3 works and is actively maintained
- NLnet Labs is writing an RPKI Cache Validator (Routinator 3000)
- A company I can't name is secretly writing one too
- Almost all serious routing vendors have RPKI support (Cisco, Juniper, BIRD, Nokia, FRR and more are on the way)
- Solution: more users results in better software, start using!

Timeline
- IXPs: start doing RPKI Origin Validation on your route servers now
- ISPs / CDNs: if you are pointing default somewhere, do it now
- If you are transit-free, wait a bit

We aren't done yet - Future work
- Use the RPKI to publish peerlock rules about who are authorized upstreams and who aren't
  - https://tools.ietf.org/html/draft-azimov-sidrops-aspa-verification
  - https://tools.ietf.org/html/draft-azimov-sidrops-aspa-profile
- Extend the RPKI to replace IRR AS-SETs (IRR / RPKI feature parity)
  - https://tools.ietf.org/html/draft-ss-grow-rpki-as-cones
- ARIN TAL issue needs addressing

LACNIC RPKI invalids Source: https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c

Double check your RPKI ROAs! Source: https://medium.com/@nusenu/where-are-rpki-unreachable-networks-located-65c7a0bae0f8

Conclusion