Attacks on routing: IP hijacks

Similar documents
Introducción al RPKI (Resource Public Key Infrastructure)

RPKI. Resource Pubic Key Infrastructure


Problem. BGP is a rumour mill.

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

Life After IPv4 Depletion

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

RPKI and Routing Security

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Resource Public Key Infrastructure

RPKI Trust Anchor. Geoff Huston APNIC

Secure Routing with RPKI. APNIC44 Security Workshop

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Misdirection / Hijacking Incidents

Deploying RPKI An Intro to the RPKI Infrastructure

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

The RPKI and BGP Origin Validation

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Route Security for Inter-domain Routing

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Robust Inter-Domain Routing

The RPKI & Origin Validation

BGP Origin Validation (RPKI)

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

IPv4 Run-Out, Trading, and the RPKI

BGP Origin Validation

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

Madison, Wisconsin 9 September14

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

IPv4 Run-Out, Trading, and the RPKI

Decentralized Internet Resource Trust Infrastructure

The RPKI & Origin Validation

An Operational ISP & RIR PKI

Resource Certification

Using Resource Certificates Progress Report on the Trial of Resource Certification

Just give me a button!

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Secure Inter-domain Routing with RPKI

Facilitating Secure Internet Infrastructure

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

Local TA Management. In principle, every RP should be able to locally control the set of TAs that it will employ

Security in inter-domain routing

BGP Routing Security and Deployment Strategies

TTM AS-level Traceroutes

Securing the Internet s Foundations: Addresses and Routing

IPv6 Allocation and Policy Update. Global IPv6 Summit in China 2007 April 12, 2007 Guangliang Pan

32-bit ASNs. Philip Smith. AfNOG rd April 1st May Abuja, Nigeria

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

BGP Configuration Automation on Edge Routers

Some Thoughts on Integrity in Routing

A PKI For IDR Public Key Infrastructure and Number Resource Certification

IPv4/IPv6 BGP Routing Workshop. Organized by:

APNIC Trial of Certification of IP Addresses and ASes

IETF Activities Update

An Operational ISP & RIR PKI

BGP security. 19 april 2018 Copenhagen

BORDER GATEWAY PROTOCOL (BGP) SECURITY. Nurudeen K. Abdulsalam. Supervisor: Dr. Olaf Maennel

Using Resource Certificates Progress Report on the Trial of Resource Certification

32-bit ASNs. Philip Smith. MENOG 5, Beirut, 29th October 2009

An Operational Perspective on Routing Security

APNIC RPKI Report. George Michaelson

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

Internet Number Resources

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. BBN September 2017

Resource Certification A Public Key Infrastructure for IP Addresses and AS's

Some Lessons Learned from Designing the Resource PKI

32-bit ASNs. Philip Smith. Last updated February 2010

Networking 101 ISP/IXP Workshops

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

Auto-Detecting Hijacked Prefixes?

<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

IETF Activities Update

Routing Security. Daniel Karrenberg RIPE NCC.

APNIC Trial of Certification of IP Addresses and ASes

Feedback from RIPE NCC Registration Services. Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam

Internet Engineering Task Force (IETF) Category: Informational ISSN: September 2017

How Complete and Accurate is the Internet Routing Registry (IRR)?

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

Resource Certification

Internet Number Certification

RPKI in practice. Sebastian Wiesinger DE-CIX Technical Meeting June 2017

IP Address Management The RIR System & IP policy

RIR Update. A Joint Presentation Prepared By APNIC, ARIN, RIPE NCC. 17 March 2002 IEPG - Minneapolis

An ARIN Update. Susan Hamlin Director of Communications and Member Services

Introduction to the RIR System. Dr. Nii N. Quaynor

Routing Security Roadmap

Golden Prefixes IRR Lockdown Job Snijders

Transcription:

Attacks on routing: IP hijacks

How Internet number resources are managed IANA ARIN LACNIC APNIC RIPE NCC AfriNIC ISP NIC.br NIC.MX ISP #1 LIRs/ISPs LIRs/ISPs End users ISP mx

How Internet number resources are managed (ii) What do we mean by resources IPv4 Addresses IPv6 Addresses Autonomous System Numbers Both 16 and 32 bits FoundaOonal document: RFC 2050 IP Registry Alloca1on Guidelines Each RIR is the authorita(ve source on the relaoonship between users/holders and resources Each RIR operates a registry database

RouOng in the Internet ASN 20 announces 10.1.0.0/16 ASN 10 receives the prefix 10.1.0.0/16 AZributes: The 10.1.0.016 prefix propagates across ASs (via BGP sessions) 10.1.0.0/16 AS_PATH ASN1 ASN3 ASN20

RouOng in the Internet (ii) BGP chooses routes using a decision algorithm and the values of the available a=ributes AS_PATH is a list of the autonomous systems a given UPDATE has traversed The first entry is the AS originaong the route ("origin- as") In this case ASN 20 is the "origin- as" for 10.1/16

Who has the "right" to use resources? When an ISP obtains resources from its RIR (IPv6/IPv4/ ASN): The ISP has to noofy its upstream ASNs which prefixes are going to be announced via BGP This is usually done via e- mail, web forms or by updaong an IRR (Internet Rou1ng Registry) Upstreams verify (or at least they should) the right of use for the announced resources RIR WHOIS Text- based and not really suitable for automaoc usage IRR WHOIS Non- signed informaoon, lizle addioonal tools provided for verificaoon of usage rights except for names, phone numbers and email POCs This verificaoon process is someomes not as thorough as it should be

Checking usage rights for a resource Network administrators Local checks in rouong infrastructure Require previous step (registering the route object with an IRR) Router protecoon RouOng protocol integrity Peer authenocaoon Filtering known- invalid routes RFC 1918 prefix filtering Bogon filtering In the end the integrity of the rouong system depends on ad- hoc trust rela(onships between peers

Route Hijacking When an enoty parocipaong in Internet rouong announces a prefix without authorizaoon we face a route hijack It can be either malicious or due to operaoonal mistakes Some well- known cases: Pakistan Telecom vs. You Tube (2008) China Telecom (2010) Google in Eastern Europe (various ASs, 2010) Some ocurrences in our region (January/February 2011)

Route Hijacking (ii) AS 6057 announces 200.40/16 AS 15358 AS 8158 gets announces 200.40.0.0/16 200.40/24 AS 8158 gets and 200.40.0.0/16 200.40.235.0/24 200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057 200.40.235.0/24 AS_PATH ASN1 ASN3 ASN6057

Route Hijacking (iii) RIPE NCC Video hzp://www.youtube.com/watch?v=izlpkuaoe50

Resource PKI Resource Public Key Infraestructure Goal: create a system that allows the ceroficaoon of usage rights for Internet numbering resources High- level overview Use of X.509 v3 ceroficates Apply RFC 3779 extensions to these ceroficates. These extensions allow Internet resources (IPv4/IPv6/ASNs) fields within ceroficates A way to automaocally validate the origin- as of a BGP UPDATE StandardizaOon AcOviOes IETF SIDR working group ImplementaOon AcOviOes RIRs

Resource PKI (ii) Automated origin valida(on for route announcements The enoty with usage rights for a resource signs the origin- as field of a PKI object The following procedures are applied to validate RPKI ceroficates and rouong informaoon objects: The cryptographic validity of the RPKI ceroficate chain (just like any other PKI) The CIDR inclusion properoes of IP addresses In this way it becomes more difficult for a third party to inject invalid data into the rouong system

Resource PKI (iii) RPKI Management System Cache Repository

Resource PKI (iv) All RPKI signed objects are listed in public repositories Aoer verificaoon, these objects can be used to configure filtering in routers ValidaOon Process Signed objects have references to the ceroficate used to sign them Each ceroficate has a pointer to an upper level ceroficate The resources listed in a ceroficate MUST be valid subsets of the resources listed in its parent's ceroficate In this way a trust chain can be traced to a "trust anchor" both cryptographically as well as in CIDR terms

X.509 v3 ceroficates with RFC 3779 extensions X.509 Digital CerOficates Subject, validity period, public key and other fields With extensions: RFC 3779 defines extensions that allow the representaoon of Internet resources as ceroficate fields List of IPv4, IPv6 and ASNs assigned to an organizaoon Implemented in OpenSSL 1.0c onwards It has to be specifically enabled when running "./configure" Version Serial Number Signature Algorithm Issuer Subject Subject Public Key Extensions Subject InformaOon Authority (SIA) Authority InformaOon Access (AIA) Addr: 10.10.10.0 Asid: 65535

CerOficates with RFC 3779 extensions "IP DelegaOon" SecOon Special value: "INHERITED" "AS DelegaOon" SecOon Special value: "INHERITED" ValidaOon Process It involves the validaoon of the resources Version Serial Number Signature Algorithm Issuer Subject Subject Public Key Extensions Subject InformaOon Authority (SIA) Authority InformaOon Access (AIA) Addr: 10.10.10.0 Asid: 65535

RPKI Structure RTA is the self- signed ceroficate in the hierarchy LACNIC RTA LACNIC resources LACNIC ProducOon <<INHERITED>> Signature chain ISP #2 ISP #2 Resources ISP #1 ISP #1 Resources ROA End EnOty cert. ROA End EnOty cert. End User CA #1 (EU #1 Resources) ROA End EnOty cert. ROA End EnOty cert.

RPKI Structure (ii) CAs CerOficate- signing enoty (CA bit = 1) ISPs can use this ceroficate to sign their client's ceroficates CerOficate Repository The repository contains ceroficates, CRLs, ROAs and manifests Accesible via rsync Management Interface Web interface for those who prefer "hosted" mode

RPKI Management for Users "Hosted" mode LACNIC emits the resource ceroficate for an organizaoon and guards both private and public keys CerOficates are emized when requested by LACNIC member organizaoons Users can manage their RPKI objects using a user- friendly web interface provided by LACNIC "Delegated" mode An organizaoon creates its own resource ceroficate This ceroficate is submized to LACNIC for signing. LACNIC returns the signed ceroficate. "Up- down" protocol

Services provided by the RPKI CA Emisng child resource ceroficates when changes to the registry database occur or when solicited by a resource holder Child ceroficate revocaoon when solicited by a resource holder CRL periodic update Publishing child ceroficates, trust anchor and auxiliary objects in a public repository (rsync)

Resource CerOficate

ROAs ROAs: RouOng Origin AuthorizaOon ROAs contain data on the allowed origin- as for a set of prefixes ROAs are signed using the ceroficates generated by the RPKI Signed ROAs are copied to the repository

ROAs (ii) A simplified ROA contains the following informaoon: These ROAs states that: "The prefix 200.40.0.0/17 will be originated by ASN 6057 and could be de- aggregated up to /20" "This statement is valid star1ng on Jan 2, 2011 un1l Jan 1, 2012" Other ROA content ROAs contain cryptographic material that allows valida(on of the ROAs content

ROAs (iii) Contents of a ROA An end- enoty ceroficate with resources A list of "route origin azestaoons" ROA End EnOty CerOficate 200/8 172.17/16 200.40.0.0/20-24 - > AS 100 172.17.0.0/16-19 - > AS 100

ROAs (iii) - ValidaOon In order to validate a ROA three steps have to be performed Crypto validaoon of the public keys and signatures included in the EE ceroficates inside each ROA CIDR inclusion checking of resources listed in the EE ceroficate CIDR inclusion checking of resources in the route origin azestaoons. These resources have to be included in the resources listed in the EE ceroficate

RPKI in AcOon UPDATE Routers assign a "validity status" to the route included in an UPDATE Cache periodically updates the router with a list of validated prefixes

RPKI in AcOon (ii) The validaoon process is split in two parts Crypto and CIDR validaoon of ROAs and ceroficates Performed by the validaon cache ValidaOon of routes in BGP UPDATEs Performed by the BGP speakers in the network A special protocol called RTR is being worked on by the IETF for Router - Cache communicaoon

RPKI in AcOon (iii) Cache Repository content is downloaded via RSYNC CerOficates and ROAs are validated Cryptographically (signature chain) Correct CIDR resource inclusion In the routers A database of prefix <- > origin- as relaoonships is built

BGP interacoon Routers build a database with the informaoon they receive from the caches This table contains Prefix Min length Max length Origin- AS By applying a set of rules a validity status is assigned to each UPDATE prefix

BGP interacoon (ii) UPDATE 200.0.0.0/9 ORIGIN- AS 20 VALID IP prefix/[min_len max_len] 172.16.0.0 / [16-20] 10 200.0.0.0/[8-21] 20 Origin AS If the "UPDATE pfx" is not covered by any entry in the DB - > "not found" If the "UPDATE pfx" is covered by at least one entry in the DB, and the origin- AS matches the ASNs in the DB - > "valid" If the origin- AS does NOT match - > "invalid"

Herramientas Validadores RIPE hzp://labs.ripe.net/members/agowland/ripe- ncc- validator- for- resource- ceroficaoon/view Rcyinc hzp://subvert- rpki.hactrn.net/rcynic/ Visualización y estadísocas Construidas sobre la salida de los validadores

Validación RIPE Labs

Validación (ii) Example: Validación top- down del repositorio de LACNIC exportando prefijos validados en un CSV Paso 1: bajar el RTA de LACNIC wget --output-document=./trust-anchors/talacnic.cer https://rpki.lacnic.net/rpki/rootcert Paso 2: correr la validación./ripencc-rpki-validator/bin/ certification-validator \ --top-down -o validator/ \ -t./trust-anchors/ta-lacnic.cer \ -r lacnic-roas.csv

Validación (iii) ROAs validados y prefijos (lacnic-roas.csv) URI,ASN,IP Prefix,Max Length,Not Before,Not After rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6- a246-af9400104596/utt-n3nq91lgzh0jvwppn- KirQ4.roa",AS28000,200.7.84.0/23,24,2011-01-07 02:00:00,2012-08-05 03:00:00 rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6- a246-af9400104596/utt-n3nq91lgzh0jvwppn- KirQ4.roa",AS28000,2001:13c7:7001::/48,48,2011-01-07 02:00:00,2012-08-05 03:00:00 rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6- a246-af9400104596/ nfnv84a_ga8zpecmr4jx1qe557o.roa",as28001,200.3.12.0/22,24,2011-01 -07 02:00:00,2012-08-05 03:00:00 rsync://repository.lacnic.net/rpki/hosted/d62c58a7-668d-41a6- a246-af9400104596/ nfnv84a_ga8zpecmr4jx1qe557o.roa",as28001,2001:13c7:7002::/48,48,2 011-01-07 02:00:00,2012-08-05 03:00:00

Fuente: Visualizando RPKI hzp://www.labs.lacnic.net/~rpki/rpki- heatmaps/latest/ Mapas de Hilbert coloreados de acuerdo con el espacio cubierto por ROAs:

The LACNIC RPKI System RPKI in hosted mode is in producoon state since 1/1/2011 To use it you only need: Have your AdministraOve Contact details (username and password) at hand to create ceroficates Have your Technical Contact details (username and password) at hand to create ROAs Where is it? hzp://rpki.lacnic.net/

Comentarios finales Posibles usos de RPKI mientras no todos los routers sean capaces de validar Puentes entre IRRd y RPKI Puentes entre WHOIS y RPKI Procesamiento de tablas BGP de routers offline Existe una variedad de herramientas de uso libre para RPKI Los repositorios de los 5 RIRs pueden bajarse libremente via rsync rsync avz rsync://repository.lacnic.net/rpki/./rpki

Links / References The LACNIC RPKI System hzp://rpki.lacnic.net/ LACNIC s RSYNC Repository rsync://repository.lacnic.net/rpki/ LisOng the repository rsync - - list- only rsync://repository.lacnic.net/rpki/lacnic/ Some RPKI StaOsOcs hzp://www.labs.lacnic.net/~rpki

Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback