Methods for Detection and Mitigation of BGP Route Leaks

Similar documents
Solution for Route Leaks Using BGP Communities

Robust Inter-Domain Routing


Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

RIB Size Estimation for BGPSEC

Secure Routing with RPKI. APNIC44 Security Workshop

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

BGP Attributes and Path Selection

Misdirection / Hijacking Incidents

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

BGP Origin Validation

Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

Deploying RPKI An Intro to the RPKI Infrastructure

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

RPKI and Internet Routing Security ~ The regional ISP operator view ~

MANRS Mutually Agreed Norms for Routing Security

APNIC Trial of Certification of IP Addresses and ASes

Intended status: Standards Track. K. Patel Cisco J. Haas Juniper Networks June 30, 2014

Collective responsibility for security and resilience of the global routing system

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Security in inter-domain routing

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

The RPKI and BGP Origin Validation

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Collective responsibility for security and resilience of the global routing system

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

Request for Comments: 8374 Category: Informational April 2018 ISSN: BGPsec Design Choices and Summary of Supporting Discussions

APNIC Trial of Certification of IP Addresses and ASes

Opaque Information Distribution

Introduction to IP Routing. Geoff Huston

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. Nokia July 2017

Multi-homing Considerations for DOTS Prague, July 2017

Introducción al RPKI (Resource Public Key Infrastructure)

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

BGP and the Internet. Enterprise Multihoming. Enterprise Multihoming. Medium/Large ISP Multihoming. Enterprise Multihoming. Enterprise Multihoming

BGP Route Hijacking - What Can Be Done Today?

Idealized BGPsec: Formally Verifiable BGP

bgpand - Architecting a modular BGP4 Attack & Anomalies Detection Platform

Some Thoughts on Integrity in Routing

Idealized BGPsec: Formally Verifiable BGP

Idealized BGPsec: Formally Verifiable BGP

Internet Engineering Task Force. Intended status: Standards Track Expires: May 4, 2016 November 1, 2015

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Introduction to BGP ISP/IXP Workshops

IPv4/IPv6 BGP Routing Workshop. Organized by:

Network Working Group. Intended status: Standards Track. S. Zandi LinkedIn J. Haas Juniper Networks, Inc X. Xu Huawei June 30, 2018

Multihoming Techniques. bdnog8 May 4 8, 2018 Jashore, Bangladesh.

Internet Engineering Task Force (IETF) Category: Informational. D. Ward Cisco Systems August 2014

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Robust Routing Policy Architecture. Job Snijders NTT Communications

Routing Security. Daniel Karrenberg RIPE NCC.

Link State Routing & Inter-Domain Routing

Understanding BGP Miscounfiguration

BGP Route- Leak Protec0on Community

Resource Public Key Infrastructure

Configuring IP Multicast Routing

BGP Attributes and Policy Control

Inter-Domain Routing: BGP

Securing BGP. Geoff Huston November 2007

Problem. BGP is a rumour mill.

Internet Engineering Task Force (IETF) Category: Informational. E. Osterweil Verisign, Inc. B. Dickson June 2016

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Routing Security We can do better!

BGP. Inter-domain routing with the Border Gateway Protocol. Iljitsch van Beijnum Amsterdam, 13 & 16 March 2007

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

Introduction to BGP. ISP/IXP Workshops

On the State of the Inter-domain and Intra-domain Routing Security

BGP Configuration for a Transit ISP

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

Intended status: Informational Expires: March 7, 2019 Huawei Technologies N. Leymann Deutsche Telekom G. Swallow Independent September 3, 2018

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

TDC 375 Network Protocols TDC 563 P&T for Data Networks

CS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella

CS 268: Computer Networking

An Operational Perspective on BGP Security. Geoff Huston February 2005

Mutually Agreed Norms for Routing Security NAME

The Transition to BGP Security Is the Juice Worth the Squeeze?

Internet Engineering Task Force (IETF) BCP: 185 January 2014 Category: Best Current Practice ISSN:

Routing Security Workshop Internet Routing Registries

Introduc)on to Computer Networks

BGP Security. Kevin s Attic for Security Research

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Configuring IP Multicast Routing

Taming BGP. An incremental approach to improving the dynamic properties of BGP. Geoff Huston. CAIA Seminar 18 August

Intended status: Standards Track. May 21, Assigned BGP extended communities draft-ietf-idr-reserved-extended-communities-03

CSE/EE 461 Lecture 11. Inter-domain Routing. This Lecture. Structure of the Internet. Focus How do we make routing scale?

RPKI MIRO & RTRlib. Andreas Reuter, Matthias Wählisch Freie Universität Berlin

How does Internet (Big-I) routing work? The Internet is broken up into Autonomous Systems (AS) An AS is an administrative boundary. Each ISP has 1 or

Network Working Group. J. Scudder Cisco Systems, Inc. February 2001

From the given configuration taken from RTA and graphic, which network will be filtered from being propagated to RTC from RTA?

SENSS Against Volumetric DDoS Attacks

Interdomain Routing and Connectivity

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

ISP Border Definition. Alexander Azimov

Transcription:

Methods for Detection and Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-00 (Route leak definition: draft-ietf-grow-route-leak-problem-definition) K. Sriram, D. Montgomery, and B. Dickson SIDR WG Meeting, July 24, 2015 Acknowledgements: The authors are grateful to many folks in various IETF WGs for commenting, critiquing, and offering very help suggestions (see acknowledgements section in the draft.) 1

Illustration of Basic Notion of a Route Leak prefix (P) route-leak propagated (P) ISP1 (AS1) peer prefix (P) update ISP2 (AS2) route-leak propagated (P) prefix (P) update (AS3) route-leak (P) In general, ISPs prefer customer route announcements over those from others. 2

Hathway / Airtel Route Leaks of Google Prefixes March 12, 2015 Google AS 15169 Normal data path p2p Level3 AS 3356 c2p c2p Many Google Users in Europe Orange S.A. AS 5511 p2p Routes received from Google (private) Hathway AS 17488 Offending AS Misrouted data path c2p Airtel AS 9498 336 Google prefixes (Routes) leaked c2p c2p: customer to provider p2p: peer to peer c2p routes preferred Incident analysis: http://research.dyn.com/2015/03/routing-leak-briefly-takes-google/ 3

Anatomy of a Route Leak: Seven Types Type 1: U-Turn with Full Prefix Type 2: U-Turn with More Specific Prefix Type 3: Prefix Reorigination with Data Path to Legitimate Origin Type 4: Leak of Internal Prefixes and Accidental Deaggregation Type 5: Lateral ISP-ISP-ISP Leak Type 6: Leak of Provider Prefixes to Peer Type 7: Leak of Peer Prefixes to Provider Details and example incidents provided in: draft-ietf-grow-route-leak-problem-definition-02 4

Route Leak Detection/Mitigation in Origin Validation and BGPsec Type of Route Leak Type 1: U-Turn with Full Prefix Detection Coverage None Type 2: U-Turn with More Specific Prefix Type 3: Prefix Reorigination with Data Path to Legitimate Origin Type 4: Leak of Internal Prefixes and Accidental Deaggregation Type 5: Lateral ISP-ISP-ISP Leak Type 6: Leak of Provider Prefixes to Peer Type 7: Leak of Peer Prefixes to Provider Origin Validation (partial); BGPsec (100% detection) Origin Validation (100% detection); BGPsec does not detect Origin Validation (partial); BGPsec does not detect None None None Solution lies in RPKI/OV Data still flows to the legitimate AS (no detour) 5

Basic Idea and Mechanism Date back to 1980 s Information flow rules described in Proceedings of the April 22-24, 1987 Internet Engineering Task Force Link Type described in RFC 1105 (obsolete), June 1989 Hierarchical Recording described in "Inter-Domain Routing Protocol (IDRP)", IETF Internet Draft (expired), November 1994. BGPsec based solution to detect accidental and malicious route leaks Discussed in the SIDR WG since 2011 Documented by Brian Dickson in 2012: https://tools.ietf.org/html/draft-dickson-sidr-route-leak-def-03 (expired) http://tools.ietf.org/html/draft-dickson-sidr-route-leak-reqts-02 (expired) https://tools.ietf.org/html/draft-dickson-sidr-route-leak-solns-01 (expired) 6

Basic Design Principle for Route Leak Detection Major ISP Small ISP / AS4 RLP is Route Leak Protection field; Transitive per hop attribute AS15 (RLP = 00) AS5 AS3 (RLP = 01) AS1 (RLP = 01) AS2 Leak (RLP = xx) Leak Stopped at AS2 AS6 1 2 7

Route Leak Protection (RLP) Field Encoding by Sending Router RLP is proposed to be a 2-bit field set by each AS along the path Can be carried as a transitive per hop attribute in BGP or in the existing Flags field in BGPsec (TBD) The RLP field value SHOULD be set to one of two values as follows: 00: This is the default value (i.e. "nothing specified"), 01: This is the 'Do not Propagate Up or Lateral' indication; sender indicating that the prefix-update SHOULD NOT be subsequently forwarded 'Up towards a provider or to a Lateral peer 10 and 11 values are for possible future use. 8

Sending Router s Intent Note: There is no explicit disclosure about the nature of a peering relationship. By setting RLP indication to 01, merely asserting that this prefix-update that I ve forwarded to my neighbor SHOULD NOT be propagated Up (i.e. on a c2p link) or Lateral (i.e. on a p2p link) by said neighbor or any subsequent AS in the path of update propagation. 9

Recommended Receiver Action for Detection of Route Leaks of Types 1, 2, 5, 6 and 7 Receiving router SHOULD mark an update a Route-Leak if ALL of the following conditions hold true: a) The update is received from a customer or lateralpeer AS b) The update is Valid per RPKI-OV and BGPsec (BGPsec path validation not applicable if update not signed) c) The update has the RLP field set to '01' indication for one or more hops (excluding the most recent) in the AS path. Note: Reason for excluding the most recent an ISP should look at RLP values set by ASes preceding the customer AS in order to ascertain a leak. 10

An Example Receiver Action for Mitigation of Route Leaks If a prefix-route from a customer AS or a peer AS is detected and marked as a Route-Leak, then the receiving router SHOULD prefer an alternate unmarked prefix-route if available If no alternate unmarked prefix-route is available, then the prefix-route marked as a Route-Leak MAY be accepted This in only an example. We do not specify receiver action for mitigation as it may vary based on operator policy. 11

Adoption and Path for Success Mid and large size ISPs can participate early, and be the key detection/mitigation points for route leaks. More the ISPs that adopt, greater the success (benefits accrue incrementally). Note: In a case like that of Hathway/Airtel leak of Google prefixes (see Slide 3), the attack is mitigated if Google would set its RLP field value to 01 in its prefix update announcement to Hathway, and Airtel would in turn use the receiver action recommended on Slide 12 to detect the leak from Hathway. 12

Accidental vs. Intentional (Malicious) Route Leaks & Solution Steps Today: Current BGP (without route leak solution; assuming prefix filters aren t doing job adequately) Vulnerable to accidental (99%) and malicious (1%) route leaks Step 1: BGP with proposed route leak solution (with RPKI/OV but without BGPsec) Detects/mitigates accidental (99%) but not malicious (1%) Step 2: BGP with proposed route leak solution (with RPKI/OV and BGPsec) Detects/mitigates accidental (99%) as well as malicious (1%) 13

Is there a new attack vector in using RLP bits without security (BGPsec)? (1 of 2) Upgrade Attack: RLP 01 RLP 00 to avoid route leak detection For a prefix-route that keeps propagating in the Down (p2c) direction, this poses no problem When propagated Up (c2p) or Lateral (p2p), the worst that can happen is that a route leak goes undetected No worse than BGP today Less than 1% of all route leaks may go undetected in this manner (malicious intent or faulty implementation) 14

Is there a new attack vector in using RLP bits without security (BGPsec)? (2 of 2) Downgrade Attack: RLP 00 RLP 01 Result: A prefix-route is mis-detected as a route leak, but Default is RLP set to 00 that helps reduce errors of this kind Every AS or ISP wants reachability for prefixes it originates; so it is not likely to set RLP 01 intentionally Receiver would prefer an alternate clean prefix-route from a provider or peer over a marked prefix-route from a customer; may end up with a suboptimal path In order to have reachability, receiver would accept marked prefix-route if there is no alternative that is clean Low probability that all received routes for a prefix are detected as route leaks. If it happens, need a tie breaker policy to prefer one (up to the operator to choose a mitigation algorithm) 15

Summary and Conclusion Identified categories of route leaks Some of these are already mitigated in OV or basic BGPsec Presented an enhancement of BGP that detects and mitigates all route leaks (when combined with Origin Validation) Analyzed whether RLP bits (without BGPsec) could become a new attack vector and extent of damage RLP field should be protected in order to detect and mitigate malicious route leaks RLP field can be placed in existing Flags field and protected under path signatures in BGPsec 16

Backup Slides 17

Questions at the mike at IDR WG Mtg. in Dallas Wes George: Have you considered if techniques in RFC 7454 BGP Operations and Security may be adequate to address route leaks? Answered in section 5.2 in the draft Keyur asked about combining the proposed RLP solution with AS path filtering and ORF techniques. Also answered in section 5.2 in the draft 18

Discussion & Examples How it works! 19

Example 1: Multi-homed Leak Major ISP Small ISP / AS4 AS15 AS5 AS3 AS1 (RLP = 01) AS2 Leak Leak Stopped at AS2 AS6 1 2 20

Example 2: Lateral Across Cones and Then Leaked Up to Other ISP Major ISP Small ISP / AS4 AS15 AS5 AS3 (RLP = 01) AS1 AS7 AS2 AS8 Leak Leak Stopped at AS2 1 2 21

Example 3: s is Multi-homed and Leaks Major ISP Small ISP / AS4 AS15 AS5 AS3 (RLP = 01) AS1 AS7 AS2 Leak AS8 Leak Stopped at AS2 AS9 Leak 22

Consideration of DDoS Mitigation Service Provider Major ISP Small ISP / AS4 AS5 AS3 AS32 Sets up BGPsec session and sends BGPsec update AS1 AS2 Victim of DDoS (RLP = 00; default) Not Leak Not Leak AS6 1 DMSP 2 23

Stopgap Solution when Only Origin Validation is Deployed 24

Construction of Prefix Filter List from ROAs 1. ISP makes a list of all the ASes (Cust_AS_List) that are in its customer (ISP s own AS is also included in the list) 2. ISP downloads from the RPKI repositories a complete list (Cust_ROA_List) of valid ROAs that contain any of the ASes in Cust_AS_List 3. ISP creates a list of all the prefixes (Cust_Prfx_List) that are contained in any of the ROAs in Cust_ROA_List 4. Cust_Prfx_List is the allowed list of prefixes that are permitted by the ISP's AS, and will be forwarded by the ISP to upstream ISPs, customers, and peers 5. Any prefix not in Cust_Prfx_List but announced by any of the ISP s direct customers is not permitted to be propagated upstream 25

Exception to the Rule in Case of DDoS Mitigation DDoS Mitigation Service Provider (DMSP) requires exemption from the rule of Cust_Prfx_List described in the previous slide ISP and the DMSP make a prior arrangement on this DMSP can propagate upstream to the ISP any prefix-update it receives from its DDoS ed customer (in emergency), and the ISP will not treat it as a route leak This helps prevent any disruption or delay in the DMSP s mitigation services under emergency scenarios 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback