The Transition to BGP Security Is the Juice Worth the Squeeze?

Similar documents
Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

BGP Security in Partial Deployment

A survey of interdomain routing policies

Internet Kill Switches Demystified

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Interdomain Routing. Networked Systems (H) Lecture 11

How Secure are. BGP Security Protocols? Sharon Goldberg Microsoft Research & Boston University. Michael Schapira. Pete Hummon AT&T Research

Security in inter-domain routing

Measuring the Adoption of Route Origin Validation and Filtering

Some Thoughts on Integrity in Routing

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Decentralized Internet Resource Trust Infrastructure

Routing Security We can do better!

Measuring RPKI Route Origin Validation in the Wild


Securing the Internet at the Exchange Point Fernando M. V. Ramos

BGP Origin Validation

Introducción al RPKI (Resource Public Key Infrastructure)

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Secure Routing with RPKI. APNIC44 Security Workshop

Deploying RPKI An Intro to the RPKI Infrastructure

Let the market drive deployment: a strategy for transitioning to BGP security

MANRS Mutually Agreed Norms for Routing Security

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Life After IPv4 Depletion

Resource Public Key Infrastructure

Misdirection / Hijacking Incidents

How Complete and Accurate is the Internet Routing Registry (IRR)?

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Measuring Adoption of RPKI Route Origin Validation and Filtering

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Securing BGP. Geoff Huston November 2007

Interdomain Routing and Connectivity

Robust Inter-Domain Routing

Jumpstarting BGP Security with Path-End Validation

BGP Routing Security and Deployment Strategies

Securing BGP Networks using Consistent Check Algorithm

IPv4 Run-Out, Trading, and the RPKI

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

IPv4 Run-Out, Trading, and the RPKI

BGP Origin Validation (RPKI)

Evaluation of Prefix Hijacking Impact Based on Hinge-Transmit Property of BGP Routing System

Network Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

MANRS Mutually Agreed Norms for Routing Security

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

Inter-domain Routing(BGP) Security [IP Prefix Hijacking] Akmal Khan

On the Characteristics of BGP Multiple Origin AS Conflicts

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

BGP security. 19 april 2018 Copenhagen

CS4450. Computer Networks: Architecture and Protocols. Lecture 15 BGP. Spring 2018 Rachit Agarwal

Just give me a button!

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

Routing Basics. ISP Workshops. Last updated 10 th December 2015

Active BGP Measurement with BGP-Mux. Ethan Katz-Bassett (USC) with testbed and some slides hijacked from Nick Feamster and Valas Valancius

Beyond technical solutions: Understanding the role of governance structures in Internet routing security

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

Routing Security. Daniel Karrenberg RIPE NCC.

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

Auto-Detecting Hijacked Prefixes?

RPKI Workshop Routing Lab

A PKI For IDR Public Key Infrastructure and Number Resource Certification

The RPKI and BGP Origin Validation

Secure Inter-domain Routing with RPKI

TDC 375 Network Protocols TDC 563 P&T for Data Networks

The ISP Column A column on various things Internet. Securing the Routing System at NANOG 74. A Legal Perspective. October 2018 Geoff Huston

On the characteristics of BGP multiple origin AS conflicts

Adventures in RPKI (non) deployment. Wes George

Routing Basics ISP/IXP Workshops

IPv6 Address Management The Internet Registry System

Mutually Agreed Norms for Routing Security NAME

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations

Networking 101 ISP/IXP Workshops

On Routing Table Growth

Introduction to The Internet

On the State of the Inter-domain and Intra-domain Routing Security

Interdomain Routing Design for MobilityFirst

CNT Computer and Network Security: BGP Security

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

March 2013 WORKING GROUP 6 Secure BGP Deployment Final Report

CSE 461 Interdomain routing. David Wetherall

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

Some Lessons Learned from Designing the Resource PKI

Connecting to a Service Provider Using External BGP

Detection of Invalid Routing Announcement in the Internet Λ

Are We There Yet? On RPKI s Deployment and Security

Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Routing on the Internet. Routing on the Internet. Hierarchical Routing. Computer Networks. Lecture 17: Inter-domain Routing and BGP

CS4700/CS5700 Fundamentals of Computer Networks

Routing Basics. ISP Workshops

COMP/ELEC 429 Introduction to Computer Networks

Network-Destabilizing Attacks

Introduction to IP Routing. Geoff Huston

Transcription:

The Transition to BGP Security Is the Juice Worth the Squeeze? RPKI Sharon Goldberg Boston University November 2013 Work with Kyle Brogle (Stanford), Danny Cooper (BU), Ethan Heilman (BU), Robert Lychev (GATech/BU), Leonid Reyzin (BU), Michael Schapira (Hebrew U) from SIGCOMM 13 and HotNets 13

interdomain routing BGP is used to learn routes between Autonomous Systems (ASes) nlayer, SCNet, 29997 NTT NTT, nlayer, SCNet, 29997 SCNet, 29997 nlayer greenhost.nl SCNet 29997 Cyberbunker 34109 29997 0.ns.spamhaus.org 204.16.254.40

the subprefix hijack of spamhaus from 03/2013 NTT NTT, nlayer, SCNet, 29997 29997 SCNet nlayer 34109, 51787, 1198 204.16.254.40/32 0.ns.spamhaus.org 204.16.254.40 greenhost.nl? Choose the more specific prefix! Cyberbunker 34109 Source: https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/

the subprefix hijack of spamhaus from 03/2013 NTT NTT, nlayer, SCNet, 29997 29997 SCNet nlayer 34109, 51787, 1198 204.16.254.40/32 0.ns.spamhaus.org 204.16.254.40 greenhost.nl? Choose the more specific prefix! Cyberbunker 34109 Source: https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/

& other routing incidents

crypto to the rescue! Today RPKI BGP Resource Public Key Infrastructure (origin validation) IETF Standard published 2012. Deployment started in 2011. Certifies IP prefix allocations. Crypto done out-of-band No change to BGP messages BGPSEC Builds on the RPKI Now being standardized Certifies announced routes Crypto done online Major change to BGP msgs Main challenge? Incremental deployment & backward compatibility

our main goal: recommendations for protocol adoption RPKI BGP RPKI BGPSEC What are the security benefits of adopting these protocols? [SIGCOMM 13] [SIGCOMM 10] What are the incentives for adopting them? [SIGCOMM 11] [SODA 13] How do they alter trust relationships? [HotNets 13]

talk overview RPKI BGP and BGPSEC coexistence BGP RPKI BGPSEC What are the security benefits of adopting these protocols? What does BGPSEC offer over the RPKI? [SIGCOMM 13] Focus on the transition, when BGP and BGPSEC coexist. Experiments with deployment scenarios on empirical Internet topologies Result: We find that the RPKI is much more crucial than BGPSEC How do they alter trust relationships? [HotNets 13] Analyze the RPKI in a threat model where certificate authorities are compromised.

part 1: security benefits of RPKI and BGPSEC 1. background: RPKI, BGPSEC 2. why BGP / BGPSEC coexistence is tricky 3. experimental evaluation of security for RPKI and BGPSEC

the RPKI and its cryptographic objects Certificate authority ARIN American Registry of Internet Numbers 63.160.56.0/23-24 AS26390 63.168.93.0/24 ETB S.A. ESP. 63.160.0.0/12 Sprint 63.174.16.0/20 Continental Broadband 63.168.93.0/24 AS19429 ROA 63.174.26.0/23 AS7341 63.174.20.0/23 AS7341 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.174.16.0/20 AS17054

the RPKI defeats all subprefix & prefix hijacks NTT NTT, nlayer, SCNet, 29997 nlayer greenhost.nl? Drop RPKI invalid routes! 29997 SCNet 34109, 51787, 1198 204.16.254.40/32 Cyberbunker AS 34109 ROA (Route Origin Authorization) AS 29997 RPKI

the 1-hop hijack defeats the RPKI (This exact situation is hypothetical, but this type of attack has been seen in the wild, See [Schlamp, Carle, Biersack 2013] ) NTT, nlayer, SCNet, 29997 nlayer NTT greenhost.nl? Both routes valid. Choose short one! SCNet 34109, 29997 204.16.254.40/24 Cyberbunker AS 34109 29997 AS 29997 RPKI

BGPSEC defeats the 1-hop hijack (& all path-shortening attacks) SCNet: (29997, Prefix) nlayer: (SCNet, 29997, Prefix) NTT: (nlayer, SCNet, 29997, Prefix) NTT nlayer greenhost.nl SCNet SCNet: (29997, Prefix) nlayer: (SCNet, 29997, Prefix) SCNet : (29997, Prefix) Cyberbunker AS 34109 29997 Prefix AS 29997 RPKI

BGPSEC defeats the 1-hop hijack (& all path-shortening attacks) SCNet: (29997, Prefix) nlayer: (SCNet, 29997, Prefix) NTT: (nlayer, SCNet, 29997, Prefix) NTT nlayer greenhost.nl SCNet The 1-hop hijack will be BGPSEC invalid because AS29997 never announced 34109: (29997, Prefix) Cyberbunker AS 34109 29997 Prefix AS 29997 RPKI

setup for our analysis in [SIGCOMM 13] RPKI BGP RPKI BGPSEC We suppose RPKI is fully deployed. prefix- and subprefix hijacks are eliminated. our threat model is therefore the 1-hop hijack What happens when BGP and BGPSEC coexist?

BGPSEC in partial deployment To communicate with legacy routers, BGPSEC-speaking routers must send and receive insecure routes. NTT SCNet: (2999 nlayer: (SCNe NTT: (nlaye 47172: (NTT, SCNet nlayer? Long secure route? Or short insecure route? 34109, 29997 204.16.254.40/24 greenhost.nl Cyberbunker 34109 29997 Prefix AS 29997 RPKI

how to prioritize security in partial deployment? BGPSEC Security 1 st Cost, Performance 1. local preference (cost, business relationships) Security 2. prefer short routes ( performance ) 3. tiebreak on interdomain criteria Cost, Performance Security

how to prioritize security in partial deployment? Cost, Performance 1. local preference (cost, business relationships) Security BGPSEC Security 2 nd 2. prefer short routes ( performance ) 3. tiebreak on interdomain criteria Cost, Performance Security

how to prioritize security in partial deployment? Cost, Performance 1. local preference (cost, business relationships) Security 2. prefer short routes ( performance ) BGPSEC Security 3 rd 3. tiebreak on interdomain criteria Cost, Performance Security

how to prioritize security in partial deployment? BGPSEC Security 1 st Cost, Performance 1. local preference (cost, business relationships) Security BGPSEC Security 2 nd 2. prefer short routes ( performance ) BGPSEC Security 3 rd 3. tiebreak on interdomain criteria Cost, Performance Security Survey of 100 network operators shows that 10%, 20% and 41% would place security 1 st, 2 nd, and 3 rd. [NANOG 12] Main question: If everyone uses the same security model, what are the security benefits of deploying BGPSEC at a set of S ASes?

how to prioritize security in partial deployment? BGPSEC Security 1 st 1. local Prefer preference customer paths (cost, over business peer paths relationships) over provider paths BGPSEC Security 2 nd Cost, Performance Security 2. prefer short routes ( performance ) BGPSEC Security 3 rd 3. tiebreak on interdomain criteria Cost, Performance Security Survey of 100 network operators shows that 10%, 20% and 41% would place security 1 st, 2 nd, and 3 rd. [NANOG 12] Main question: If everyone uses the same security model, what are the security benefits of deploying BGPSEC at a set of S ASes?

protocol downgrade attack. (Suppose security is 3 rd ) To communicate with legacy routers, BGPSEC-speaking routers must send and receive insecure routes. NTT SCNet: (2999 nlayer: (SCNe NTT: (nlaye 47172: (NTT, nlayer? Route length trumps security! greenhost.nl SCNet 34109, 29997 204.16.254.40/24 Cyberbunker AS 34109 29997 Prefix AS 29997 RPKI

quantifying security Let S be the set of ASes deploying BGPSEC The number of ASes choosing a legitimate route is d a Happy S, a, d Our security metric averages this over all a and d. = 3 But, it s hard to find the right S : Future deployment patterns are hard to predict Finding S (of size k) maximizing security metric is NP-hard Instead, we quantify security irrespective of the scenario S!

quantify security using only topology & routing model! SCNet and nlayer are immune! They choose the legitimate route regardless of who is secure. greenhost is doomed! It chooses the bogus route regardless of who is secure. NTT nlayer greenhost.nl SCNet Only NTT can be protected by BGPSEC. Cyberbunker 34109 m 29997 208.85.40.0/23 (For this example, Security is 3 rd )

bounding security provided by any BGPSEC deployment RPKI BGP RPKI BGPSEC Security metric: Average fraction of ASes choosing legitimate routes 47% 36% the maximum improvement for any BGPSEC deployment is 1-(fraction of doomed ASes). 17% 53% lower bound with RPKI

securing 113 high degree ASes & their stubs RPKI 50% of AS graph is secure BGP RPKI BGPSEC 24% 8% 4% 53% lower bound with RPKI Security metric: Average fraction of ASes choosing legitimate routes

methodology (& more results in [SIGCOMM 13]) Graph: A UCLA AS-level topology from 09-24-2012 39K ASes, 73.5K and 62K customer-provider and peer links LocalPref model: The Gao-Rexford (& Huston) model: Prefer customer path over peer path over provider paths. Traffic patterns: All ASes equal; non-stub attackers. Robustness Tests: Graph: added 550K peering links from IXP data on 09-24-2012; Traffic patterns: focused on certain destinations (e.g. content providers) and attackers Local pref: Repeating all analysis for different LocalPref models

security benefits: summary RPKI BGP RPKI BGPSEC The RPKI is the most crucial step from a security perspective Limiting the attacker to 1-hop hijacks already weakens him significantly There is no free lunch with BGPSEC If security is not 1 st, protocol downgrade attacks are a serious problem

Part 2: How does the RPKI alter trust relationships? flip the threat model: what if the RPKI is compromised?

the RPKI defeats all subprefix & prefix hijacks NTT NTT, nlayer, SCNet, 29997 nlayer greenhost.nl? Drop RPKI invalid routes! 29997 SCNet 34109, 51787, 1198 204.16.254.40/32 Cyberbunker AS 34109 ROA (Route Origin Authorization) AS 29997 RPKI

RPKI challenges (discussed in [HotNets 13]) what you d expect: ROA BGP msg valid RPKI valid invalid RPKI invalid Missing RPKI unknown The RPKI creates issues for partial deployment, misconfigurations Route Validity Routing

RPKI challenges (discussed in [HotNets 13]) what you d really expect: happens ROA BGP msg valid RPKI valid invalid RPKI invalid Missing RPKI unknown The RPKI creates issues for partial deployment, misconfigurations Route Validity Routing

RPKI challenges (discussed in [HotNets 13]) what you d really expect: happens ROA BGP msg valid RPKI valid invalid RPKI invalid Missing RPKI unknown The RPKI creates issues for partial deployment, misconfigurations Route Validity Routing Routing policy: Prefix remains reachable during routing hijack RPKI problem Drop Invalid X Depref invalid subprefix hijacks possible

RPKI challenges (discussed in [HotNets 13]) what you d really expect: happens ROA BGP msg valid RPKI valid invalid RPKI invalid Missing RPKI unknown The RPKI creates issues for partial deployment, misconfigurations Route Validity Routing Routing policy: Prefix remains reachable during routing hijack RPKI problem Drop Invalid X Depref invalid subprefix hijacks possible

RPKI challenges (discussed in [HotNets 13]) what you d really expect: happens ROA BGP msg valid RPKI valid invalid RPKI invalid Missing RPKI unknown creates a new technical means to seize an IP prefix The RPKI creates issues for partial deployment, misconfigurations Route Validity Routing Routing policy: Prefix remains reachable during routing hijack RPKI problem Drop Invalid X Depref invalid subprefix hijacks possible

IP prefixes can be seized But, lots of collateral damage. ARIN American Registry of Internet Numbers 63.160.56.0/23-24 AS26390 63.160.0.0/12 Sprint 63.168.93.0/24 ETB S.A. ESP. 63.168.93.0/24 AS19429 63.174.26.0/23 AS7341 63.174.20.0/23 AS7341 63.174.16.0/20 Continental Broadband X X 63.174.30.0/24 AS7341 X Revoked 63.174.16.0/22 AS7341 63.174.16.0/20 AS17054 X X

IP prefixes can be seized in a targeted manner ARIN American Registry of Internet Numbers Sprint s repository 63.160.56.0/23-24 AS26390 63.168.93.0/24 ETB S.A. ESP. 63.160.0.0/12 Sprint 63.174.16.0/20 Continental Broadband 63.168.93.0/24 AS19429 63.174.26.0/23 AS7341 63.174.20.0/23 AS7341 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.174.16.0/20 AS17054 X

IP prefixes can be seized in a targeted manner ARIN American Registry of Internet Numbers 63.160.56.0/23-24 AS26390 63.168.93.0/24 ETB S.A. ESP. 63.160.0.0/12 Sprint 63.174.16.0/20 except 63.174.22.0/24 Continental Broadband 63.168.93.0/24 AS19429 63.174.26.0/23 AS7341 63.174.20.0/23 AS7341 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.174.16.0/20 AS17054 X

that can cross international borders. 8.0.0.0/8 Held by Level 3 RU, FR, NL, CN, TW, CA, JP, GU, US, AU, GB, MX 38.0.0.0/8 Held by Cogent CA, US, HK, GB, IN, PH, MX, PR, GU, GT, Data-driven model of the RPKI (today s RPKI is too small) Using RIR direct allocations, routeviews, BGP table dumps RIRs and their direct allocations get RCs, other (prefix,origin AS) pairs in the table dumps get a ROA ASes mapped to countries using RIR data Plot results on a Hilbert Curve of IPv4 address space

that can cross international borders.

summary & future work Today RPKI BGP RPKI BGPSEC RPKI is the most crucial step in terms of security BGPSEC provides marginal gains; hard to realize these gains due to conflicting priorities in routing policies RPKI alters trust relationships creates a small number of powerful authorities; crosses international borders Important work needs to be done to make RPKI more robust, including: Recommendations for routing policies Increasing certificate transparency (monitoring, logging, pinning, notaries) And various other things (circular dependencies, partial deployment, etc)

Thanks! RPKI Is the Juice Worth the Squeeze? BGP Security in Partial Deployment Robert Lychev, Sharon Goldberg, Michael Schapira. SIGCOMM'13, Hong Kong, China. August 2013 On the Risk of Misbehaving RPKI Authorities Danny Cooper, Ethan Heilman, Kyle Brogle, Leonid Reyzin, Sharon Goldberg HotNets 13, Maryland. November 2013.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback