IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Similar documents
The RPKI and BGP Origin Validation


The RPKI & Origin Validation

Introducción al RPKI (Resource Public Key Infrastructure)

Secure Routing with RPKI. APNIC44 Security Workshop

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

BGP Origin Validation

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

Misdirection / Hijacking Incidents

RPKI. Resource Pubic Key Infrastructure

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Route Security for Inter-domain Routing

The RPKI & Origin Validation

Deploying RPKI An Intro to the RPKI Infrastructure

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Resource Public Key Infrastructure

Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

Problem. BGP is a rumour mill.

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

Security in inter-domain routing

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Resource Certification

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Life After IPv4 Depletion

32-bit ASNs. Philip Smith. AfNOG rd April 1st May Abuja, Nigeria

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

RPKI and Routing Security

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Idealized BGPsec: Formally Verifiable BGP

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

Idealized BGPsec: Formally Verifiable BGP

Some Lessons Learned from Designing the Resource PKI

32-bit ASNs. Philip Smith. MENOG 5, Beirut, 29th October 2009

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Idealized BGPsec: Formally Verifiable BGP

Internet Engineering Task Force (IETF) Category: Informational ISSN: September 2017

Robust Inter-Domain Routing

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

BGP Configuration Automation on Edge Routers

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Secure Inter-domain Routing with RPKI

32-bit ASNs. Philip Smith. Last updated February 2010

RPKI Trust Anchor. Geoff Huston APNIC

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Some Thoughts on Integrity in Routing

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

BGP Origin Validation (RPKI)

Routing Security. Training Course

RPKI MIRO & RTRlib. Andreas Reuter, Matthias Wählisch Freie Universität Berlin

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

Just give me a button!

Request for Comments: 8374 Category: Informational April 2018 ISSN: BGPsec Design Choices and Summary of Supporting Discussions

Requirements for Resource Public Key Infrastructure (RPKI) Relying Parties (draft-madi-sidrops-rp-00) Di Ma & Stephen Kent.

Intended status: Informational Expires: July 18, 2017 January 14, 2017

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

AS Numbers. RIPE October Geoff Huston APNIC

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

Madison, Wisconsin 9 September14

Decentralized Internet Resource Trust Infrastructure

BGP Large Communities RFC8092

Securing the Internet at the Exchange Point Fernando M. V. Ramos

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

4-Byte AS Numbers. The view from the Old BGP world. Geoff Huston February 2007 APNIC

An Operational ISP & RIR PKI

Routing Security. Daniel Karrenberg RIPE NCC.

Attacks on routing: IP hijacks

IPv4 Run-Out, Trading, and the RPKI

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

BGP Routing Security and Deployment Strategies

Methods for Detection and Mitigation of BGP Route Leaks

Securing Routing Information

BGP security. 19 april 2018 Copenhagen

Facilitating Secure Internet Infrastructure

BGP Operations and Security. Training Course

Routing Security Workshop Internet Routing Registries

An Operational ISP & RIR PKI

Resource Certification A Public Key Infrastructure for IP Addresses and AS's

Routing Security Roadmap

An introduction to BGP security

BORDER GATEWAY PROTOCOL (BGP) SECURITY. Nurudeen K. Abdulsalam. Supervisor: Dr. Olaf Maennel

Inter-domain routing security and the role of Internet Routing Registries. August 1, 2004 Larry Blunk, Merit Network, Inc.

Using RPKI secured data for existing routing policy tools. Rüdiger Volk, Deutsche Telekom IETF72 SIDR WG, Dublin

Golden Prefixes IRR Lockdown Job Snijders

Shifting Sands. PLNOG March Andrzej Wolski Training Department

BGP Origin AS Validation

IETF Activities Update

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. BBN September 2017

Multi-Lateral Peering Agreement

Adventures in RPKI (non) deployment. Wes George

Handling BGP Attribute Errors. Rob Shakir (GX Networks) / RJS-RIPE

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

Transcription:

IETF81 Secure IDR Rollup TREX Workshop 2011 David Freedman, Claranet

Introduction to Secure IDR (SIDR) You are in a darkened room at the IETF. You are surrounded by vendors. A lone operator stands quietly in the corner..

A reminder of concepts.. RPKI The current situation IANA are the numbering authority, coordinating allocation of numbering resources to Regional Internet Registries RIPE NCC are the Regional Internet Registry, providing numbering allocations and database services to Local Internet Registries. Local Internet Registries are usually network operators, they consume allocated resources and use the database to build customer (and sometimes peer) filters.

Simple filtering from the database Q. Which routes should I accept from my customer AS8272? A. Only 193.221.118.0/24 $ whois -r -Troute -i origin AS8272! % This is the RIPE Database query service.! % The objects are in RPSL format.! %! % The RIPE Database is subject to Terms and Conditions.! % See http://www.ripe.net/db/support/db-terms-conditions.pdf!! % Note: this output has been filtered.! % To receive output for a database update, use the "-B" flag.!! % Information related to '193.221.118.0/24AS8272'!! route: 193.221.118.0/24! descr: CONVERGENCE! origin: AS8272! mnt-by: CONVERGENCE-MNT! org: ORG-CNV1-RIPE! source: RIPE # Filtered!

I have it too easy. My customer has no downstreams This means no macro evaluation I m only filtering my customer Somebody I m able to (somewhat) control the quality of the data held in the database before I build my filters (try doing this to peers, not much fun). I m an LIR of the RIPE NCC I actually have a great database from which to build such filters, other service regions are not as stringent with regards to this and as such, independent databases (such as Merit s RADB and ALTDB) exist to bridge this gap (but being decoupled from the RIR, they can suffer from authority problems) Nobody else has this great IP<->ASN binding.

Why filter anyway? We should just trust each other, right? Route Hijacking, two modern examples cited: Pakistan Telecom v Youtube [2008] Lack of filters by Upstreams (PCCW) allowed a leaked /24 for YouTube from Pakistan Telecom to propagate for over two hours, leading to a battle of Longest Prefix Match until the rogue announcement could be pulled. Kapela / Pilosov attack [2008] Hijack a route and use a crafted AS_PATH to blind selective transit networks on the return to the hijacked path (creating a MITM vector). Need to verify the peer against the route and the AS_PATH somehow. This means having good, authoritative data. The system has to be easy to use and widely adopted The system has to scale.

Extended X.509 Certification Hierarchy draft-ietf-sidr-arch-13 RFC3779 extensions in Cert carry IP/ASN information. RFC5280 Subject Information Access extension defines publishing URI. CA certificates issued downstream from the IANA through RIR and LIR participants. Last CA in the chain issues an EE Certificate. EE Certificate used to produce a RoA (just a signed blob). IANA 0/0 AS 0-65535 (CA) RIPE NCC - 193/8 (CA) AS 8192-8523 CONVERGENCE (CA) 193.221.118.0/24 AS8272 CONVERGENCE EE (End Entity) CERTIFICATE 193.221.118.0/24 AS8272 CONVERGENCE ROA (Route Origin Authorisation) 193.221.118.0/24 AS8272

And we validate this how? draft-ietf-sidr-rpki-rtr-16 explains: Periodically download entire copy of the RPKI with rsync (RFC5781) Offline validation into a trusted cache Router peers with cache using rpki-rtr protocol and receives trusted origin data. Sounds futuristic? Cisco IOS and IOS-XR have PoC code running now Compute load demonstrated to be ~10µsec per update * How much of this do I have to run myself? Options for RIR Hosted CA, RoA generator and publisher Perhaps your upstream can provide a cache if you are small? rpki-router RoA Publisher RSync Trusted Cache Router protocol * Source: http://ripe60.ripe.net/presentations/bush-the_rpki_origin_validation.pdf

What do we do with this? draft-ietf-sidr-origin-ops-10 Local operator decision Prefer valid over unvalidated over invalid for instance * RP/0/1/CPU0:r0.dfw#show bgp 192.158.248.0/24! BGP routing table entry for 192.158.248.0/24! Versions:! Process brib/rib SendTblVer! Speaker 132327 132327! Last Modified: Oct 2 01:06:47.630 for 13:33:12! Paths: (6 available, best #3)! Advertised to peers (in unique update groups):! 204.69.200.26! Path #1: Received by speaker 0! 2914 1299 6939 6939 27318! 157.238.224.149 from 157.238.224.149 (129.250.0.85)! Origin IGP, metric 0, localpref 100, valid, external, \! origin validity state: valid! Community: 2914:420 2914:2000 2914:3000 4128:380! Path #2: Received by speaker 0!...! * Example courtesy of : http://ripe60.ripe.net/presentations/bush-the_rpki_origin_validation.pdf

BGPSec Without AS_PATH filtering everywhere, prefixes and their origin ASNs can be hijacked. RoA still valid as Origin ASN hasn t changed. Need path validation in the BGP as well BGPSec being developed by SIDR, draft-ietf-sidr-bgpsec-overview-00 BGPSec introduces new type of certificate New Router certificate, public key published for an AS, private key held by routers within the AS, draft-ietf-sidr-bgpsec-overview-00. Routers use private keys to sign AS_PATH elements New attribute BGPSEC_Path_Signatures * Exp Time Algo ID ^A0.RtrCert Sig0 ^A1.RtrCert Sig1 AS_Seq ASN 0 ASN 1 * Example courtesy of : http://tools.ietf.org/agenda/81/slides/sidr-10.pdf

But what about? Some as-yet undrafted ideas AS_PATH prepending? Suggested to add pcnt counter of prepends, decouple policy from path * AS0 (origin) Path Signature AS1 Path Signature Exp ime NLRI AS0 Algo ID pcnt AS1 Sig0 AS1 Algo ID pcnt AS2 Sig1 Hash( ) Signed by Router Key AS0.rtr-xx è Sig0 Hash( ) Signed by Router Key AS1.rtr-yy è Sig1 Transparent Route Servers (i.e MLP)? This makes people uneasy as it proposes a bypass mechanism Current thinking to use pcnt=0 as Special Case for xref with AS_PATH, meaning ignore this AS in AS_PATH when bestpathing, non-bgpsec speakers simply strip the pcnt=0 AS from the AS_PATH completely. * Example courtesy of : http://tools.ietf.org/agenda/81/slides/sidr-10.pdf

And what about replay attacks? draft-ietf-sidr-bgpsec-ops-00 Replay attacks are of concern Provider annoyed at customer who switches Prefix Stuck in Router being replayed over and over again. All at Human timescales. Freshness is critical We could do smaller signing lifetimes Origin could re-announce before this expires (i.e Beaconing) Suggested to be days, but can be hours for critical infrastructure) Timing is of course jittered. Beaconing is required to prevent replay attacks But only origin beaconing is tolerable to internet infrastructure Multi-Beaconing neither useful, nor affordable.

More SIDR discussed topics draft-ietf-sidr-algorithm-agility-03 How we transition to newer and more secure algorithms without disruption. We already have normal Key Rollovers (i.e old key expires or needs to be revoked) This draft specifies a rollover for reason of a new algorithm. Five Phases (0-4) with six steps: Phase 0: Old algorithm only used. Phase 1: Parent CAs can issue using new algorithm. Phase 2: RPs MAY be able to validate new algorithm. Phase 3: RPs MUST be able to validate new and old algorithms. Phase 4: RPs MAY be able to validate using old algorithm. Phase 0: Return to Phase 0, only now old algorithm is invalid. Phase 0 Old algorithm ONLY accepted Phase 1, New algorithm can be issued. Phase 2, New algorithm MAY be validated. Phase 3, New algorithm or old MUST be validated. Phase 4, Old algorithm MAY be validated. Phase 0 New algorithm ONLY accepted

More SIDR discussed topics draft-ietf-sidr-publication-01 An XMLoHTTP based publication protocol, designed for children publishing back to parents (think outsourced SIA model). draft-ietf-sidr-usecases-02 A brilliant reference document showing various RPKI use cases and their outcomes. I would recommend a read of this, here is an except of the index: 3. Origination Use Cases.................... 6! 3.1. Single Announcement................... 6! 3.2. Aggregate with a More Specific.............. 7! 3.3. Aggregate with a More Specific from a Different ASN... 7! 3.4. Sub-allocation to a Multi-homed Customer......... 8! 3.5. Restriction of a New Allocation............. 9! 3.6. Restriction of New ASN.................. 10! 3.7. Restriction of a Part of an Allocation.......... 10! 3.8. Restriction of Prefix Length............... 11! 3.9. Restriction of Sub-allocation Prefix Length....... 12! 3.10. Aggregation and Origination by an Upstream........ 13!

And finally some fun draft-ietf-sidr-ghostbusters-09 With all these certificates floating around, when there s a problem, who you gonna call? This stuff may not be engineered by neteng/netops folk, perhaps systems/security people, not traditionally ops contacts from external networks! We sign RoAs with our EE certificates, why limit this to just routing data? Use the EE to sign a vcard, for somebody to contact regarding a RoA or certification chain. Not meant to replace WHOIS BEGIN:vCard! VERSION:4.0! FN:Human's Name! N:Name;Human's;Ms.;Dr.;OCD;ADD! ORG:Organizational Entity! ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A.! TEL;TYPE=VOICE,MSG,WORK:+1-666-555-1212! TEL;TYPE=FAX,WORK:+1-666-555-1213! EMAIL;TYPE=INTERNET:human@example.com! END:vCard!

Any questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback