Collective responsibility for security and resilience of the global routing system

Similar documents
Collective responsibility for security and resilience of the global routing system

IXP Partnership: Improving Global Routing Security and Resilience

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Routing Security We can do better!

MANRS Mutually Agreed Norms for Routing Security

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Mutually Agreed Norms for Routing Security NAME

Security)Track) NANOG)65)

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

MANRS Mutually Agreed Norms for Routing Security

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

MANRS Mutually Agreed Norms for Routing Security

Working together to improve routing security for all

An introduction to BGP security

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

BGP Route Hijacking - What Can Be Done Today?

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

BGP Origin Validation

Deploying RPKI An Intro to the RPKI Infrastructure

Security in inter-domain routing

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Secure Routing with RPKI. APNIC44 Security Workshop

Misdirection / Hijacking Incidents

TDC 375 Network Protocols TDC 563 P&T for Data Networks


Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Robust Inter-Domain Routing

Internet Routing with MANRS

Routing Security Workshop Internet Routing Registries

Software Systems for Surveying Spoofing Susceptibility

MANRS How to behave on the internet

Illegitimate Source IP Addresses At Internet Exchange Points

Some Thoughts on Integrity in Routing

Denial of Service Protection Standardize Defense or Loose the War

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

On the State of the Inter-domain and Intra-domain Routing Security

Working together to improve routing security for all

Beyond technical solutions: Understanding the role of governance structures in Internet routing security

Software Systems for Surveying Spoofing Susceptibility


Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

Methods for Detection and Mitigation of BGP Route Leaks

SCION: Scalability, Control and Isolation On Next-Generation Networks

BGP security. 19 april 2018 Copenhagen

BGP Security. Kevin s Attic for Security Research

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Data Plane Protection. The googles they do nothing.

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Problem. BGP is a rumour mill.

Network Policy Enforcement

Internet Engineering Task Force (IETF) Request for Comments: 7999 Category: Informational. NTT G. Doering SpaceNet AG G. Hankins Nokia October 2016

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

Security by BGP 101 Building distributed, BGP-based security system

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

Accurate Real-time Identification of IP Hijacking. Presented by Jacky Mak

An ARIN Update. Susan Hamlin Director of Communications and Member Services

Just give me a button!

A Sampling of Internetwork Security Issues Involving IPv6

RPKI. Resource Pubic Key Infrastructure

Unicast Reverse Path Forwarding Loose Mode

Security Baseline Data Model for Network Infrastructure Device draft-xia-sacm-nid-dp-security-baseline-00 draft-dong-sacm-nid-cp-security-baseline-00

Multi-Lateral Peering Agreement

Routing Security. Daniel Karrenberg RIPE NCC.

Securing the Internet at the Exchange Point Fernando M. V. Ramos

The Danger of the New Internet Choke Points. Authored by: Andrei Robachevsky, Christine Runnegar, Karen O Donoghue and Mat Ford

Introducción al RPKI (Resource Public Key Infrastructure)

SENSS: Software-defined Security Service

Decentralized Internet Resource Trust Infrastructure

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

DNS Anycast for High Availability and Performance

IHE Change Proposal. Tracking information: Change Proposal Status: Date of last update: Sep 13, 2018 Charles Parisot, Vassil Peytchev, John Moehrke

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Running A Highly Scaled Registry DNS Platform. ICANN 55 Tech Day Anycast Panel Chris Griffiths -

RSSAC001. Service Expectations of Root Servers. Service Expectations of Root Servers

Spoofing Prevention Method

Internet Engineering Task Force. Intended status: Standards Track Expires: May 4, 2016 November 1, 2015

Techniques, Tools and Processes to Help Service Providers Clean Malware from Subscriber Systems

Interdomain Routing Design for MobilityFirst

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing

MULTICAST SECURITY. Piotr Wojciechowski (CCIE #25543)

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Our Work at The Internet Society

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)

Solution for Route Leaks Using BGP Communities

RIPE Labs Operator Tools, Ideas, Analysis

Detecting routing anomalies using RIPE Atlas

Remember Extension Headers?

Detection of Invalid Routing Announcement in the Internet Λ

DNS root server deployments. George Michaelson DNS operations SIG APNIC17/APRICOT 2004 Feb KL, Malaysia

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Transcription:

Collective responsibility for security and resilience of the global routing system Andrei Robachevsky <robachevsky@isoc.org> www.internetsociety.org

Let us look at the problem first BGP is based on trust No validation of the legitimacy of updates Tools outside BGP exist, but not widely deployed BGPSEC is under development in the IETF 2

Let us look at the problem first Prefix hijack Announcing a prefix that does not belong to a network Can involve ASN hijacking Route leak Violation of a valley-free principle E.g. a customer becoming a transit provider 3

But also Source IP address spoofing Forging the source IP address of packets Collaboration How you reach someone on the other side of the Net to help you out? How do you mitigate a DDoS? 4

Impact Prefix hijack Denial of service, impersonating a network or a service, traffic intercept Route leak Traffic intercept, but may result in denial of service IP spoofing The root cause of reflection DDoS attacks 5

Some cases DoS attacks Classics: http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-aripe-ncc-ris-case-study https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/ IP squatting and spammers http://www.bgpmon.net/using-bgp-data-to-find-spammers/ http://www.internetsociety.org/doc/mind-your-blocks-stealthiness-malicious-bgp-hijacks Traffic interception and impersonation http://research.dyn.com/2013/11/mitm-internet-hijacking/ http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-forcryptocurrency-profit/ http://www.bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/ 6

How do we address these problems? Tools Prefix and AS-PATH filtering, RPKI, IRR, Ingress and egress anti-spoofing filtering, urpf, Coordination and DDoS mitigation Challenges Your safety is in someone other s hands Too many problems to solve, too many cases 7

The Mutually Agreed Norms for Routing Security (MANRS) https://www.routingmanifesto.org/manrs/ Defines a minimum package Emphasizes collective focus While the mass media often create awareness-knowledge of an innovation, interpersonal communication with peers is necessary to persuade most individuals to adopt a new idea (Rogers & Kincaid, 1981). 8

The MANRS document, in more detail Principles of addressing issues of routing resilience Interdependence and reciprocity (including collaboration) Commitment to Best Practices Encouragement of customers and peers The package indicating the most important actions BGP Filtering Anti-spoofing Coordination and collaboration High-level document specifying what How is in external documents (e.g. BCPs) 9

Where does the MANRS fit? PROBLEM? Real-life examples, threat analysis, community aspirations WHAT is the minimum PACKAGE and WHO supports it? MANRS HOW? BCPs, BCOPs, RFCs, Operational documentation, etc. 10

Good MANRS 1. Prevent propagation of incorrect routing information 2. Prevent traffic with spoofed source IP address 3. Facilitate global operational communication and coordination between the network operators 11

Actions (1) Prevent propagation of incorrect routing information Network operator defines a clear routing policy and implements a system that ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity. Network operator is able to communicate to their adjacent networks which announcements are correct. Network operator applies due diligence when checking the correctness of their customer s announcements, specifically that the customer legitimately holds the ASN and the address space it announces. 12

Actions (2) Prevent traffic with spoofed source IP address Network operator implements a system that enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Network operator implements antispoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network. 13

Actions (3) Facilitate global operational communication and coordination between the network operators Network operators should maintain globally accessible up-to-date contact information. 14

Actions (4) Facilitate validation of routing information on a global scale. Network operator has publicly documented routing policy, ASNs and prefixes that are intended to be advertised to external parties. 15

MANRS is not (only) a document it is a commitment 1) The company supports the Principles and implements at least one of the Actions for the majority of its infrastructure. Implemented Actions are marked with a check-box. The Action "Facilitate global operational communication" cannot be the only one and requires that another Action is also implemented. 2) The company becomes a Participant of MANRS, helping to maintain and improve the document, for example, by suggesting new Actions and maintaining an up-todate list of references to BCOPs and other documents with more detailed implementation guidance. 16

Public launch of the initiative - 6 November 2014 17

A growing list of participants 18

Next Steps Expanding the group of participants Looking for industry leaders in the region Expanding the scope of the MANRS Raising the bar defining new Actions Developing better guidance Tailored to MANRS In collaboration with existing efforts, like BCOP 19

Further development 20

Are you interested in participating? Filtering Anti-Spoofing Coordination Global scale 21

www.internetsociety.org https://www.routingmanifesto.org/ https://www.manrs.org/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback