BGP route verifica/on and RPKI

Transcription

1 BGP route verifica/on and RPKI Matsuzaki maz Yoshinobu 1

2 Internet AS AS IX IX AS AS ebgp session 2

3 BGP and issues Origina/on mis- origina/on Propaga/on leakage Convergence # of routes flapping topic for today maz@iij.ad.jp 3

4 mis- origina/on Someone announces your prefix without your permission This actually happens in the Internet Also called as route hijack Mostly caused by mistakes 4

5 Internet Routing Registry (IRR) ISP ISP ISP rules are automatically generated from IRR db BGP feeds operations check rules check!! BGP UPDATE we can add some rules by hand as well Alert! by Monitoring BGP UPDATE Receiving full BGP feeds from mul/ple ASs(ISPs) Comparing a prefix and its BGP path ayributes to the check rules When there is a difference between rules and BGP UPDATE, the system alerts operators by maz@iij.ad.jp 5

6 Case1 2010/4/9 An AS in Asia originated and announced others IPv4 prefixes without permission about 10K routes were observed almost of all these prefixes have the same prefix length as the original announcement Their upstream AS propagated the announcement 6

7 Case1 AS AS4 AS AS AS AS 7

8 Case1 - /meline Incident started 04/09 00:54(JST) detected the mis- origina/on the AS in ques/on stopped the announcement 04/09 01:02(JST) received a withdrawn of the announcement 04/09 05:23(JST) NANOG post maz@iij.ad.jp 8

9 Case2 2011/10/6 An AS in Asia originated and announced others prefix without permission 1 prefix was announced /64 ( IPv6 prefix ) maz@iij.ad.jp 9

10 Case2 AS AS AS AS 10

11 Case2 - /meline Incident started 10/06 15:51(JST) detected the mis- origina/on contacted the NOC of the AS in ques/on - to stop the announcement The AS stopped the announcement 10/06 16:09(JST) received a withdrawn of the announcement maz@iij.ad.jp 11

12 Case3 2006/11/30 An AS in U.S. announced 2 prefixes without authority An ISP in Japan received new IPv4 alloca/ons, and some /me later, they realized these prefixes were announced by someone else already maz@iij.ad.jp 12

13 Case3 AS AS AS AS AS AS 13

14 Case3 - /meline 2006/11/30 mis- origina/on started 2007/01/26 the case was shared at JANOG19 mee/ng 2007/01/29 12:00(JST) contacted NOC of the AS in ques/on 2007/01/29 16:30(JST) the AS stopped the announcement 2007/01/29 16:30(JST) got reply from the AS 2007/01/29 16:45(JST) reported to JANOG maz@iij.ad.jp 14

15 current BGP prac/ces deploy prefix filtering for BGP customers to accept only authen/c prefixes from customers check a prefix before announcing it to originate authen/c prefixes How can we confirm the authen/city? Internet Registry (IR) Internet Rou/ng Registry (IIR) maz@iij.ad.jp 15

16 Internet Registry (IR) maintains Internet Resources such as IP addresses and ASNs, and publish the registra/on informa/on alloca/ons for Local Internet Registries assignments for end- users APNIC is the Regional Internet Registry(RIR) in the Asia Pacific region Na/onal Internet Registry(NIR) exists in several economies 16

17 management of IP addresses IANA Regional IR (RIR) AfriNIC RIPE NCC APNIC ARIN LACNIC Na/onal IR (NIR) KRNIC CNNIC JPNIC Usually End Users use IP addresses assigned by ISP Local IR (LIR) ISP End User 17

18 some/mes you need to use mul/ple whois services to get useful informa/on. only a few informa/on is available to check authen/city maz@iij.ad.jp 18

19 Internet Rou/ng Registry maintains rou/ng policy database RADB is the most popular service, though some RIRs also provide similar services rou/ng policy informa/on is expressed in a series of objects on RADB, a registered user can register any object as like you can announce any prefixes route and route6 objects are used to indicate route origina/on prefix and origin AS maz@iij.ad.jp 19

20 20

21 IRR and route filtering AS operators can generate filtering rule by using IRR database useful sonware (e.g. IRRToolSet) many useful whois op/ons whois - h whois.radb.net!gas2497 gives prefixes to be originated by AS2497 actually some ISPs ask their customers to register route objects to maintain route filtering maz@iij.ad.jp 21

22 IRR public and private IRRs over 30 known IRRs Users can register any object on most IRRs authen/city? IRR is useful, but it s not perfect maz@iij.ad.jp 22

23 Resource Public Key Infrastructure IP addresses and AS numbers digital cer/ficate so- called RPKI a PKI for Internet Resources based on Public- key cryptography technology enables users to verify the authen/city of Internet Resources maz@iij.ad.jp 23

24 RPKI structure Trust Anchor cert /8 2001:db8::/32 cer/ficate path Could not validate cer/ficate paths to a Trust Anchor cert / :db8::/40 cer/ficate path /16 cert cert 2001:db8::/48 invalid valid! maz@iij.ad.jp 24

25 cer/ficate and alloca/on hierarchy IANA Regional IR (RIR) AfriNIC RIPE NCC APNIC ARIN LACNIC Na/onal IR (NIR) KRNIC CNNIC JPNIC Local IR (LIR) ISP 25

26 Trust Anchor Loca/ons (TALs) A rsync URL and Public Key informa/on RFC RIRs support RPKI already each RIR publishes TAL for their resources hyps:// services/resource- management/cer/fica/on/rir- trust- anchor- sta/s/cs maz@iij.ad.jp 26

27 RPKI publica/on x.509 cer/ficate RPKI engine - parent - Publica/on Point cert cert cert Child s Public Key IP blocks and/or ASNs Publica/on Point signed by parent Publica/on Point Publica/on Point RPKI engine - child - publish certs cert cert cert maz@iij.ad.jp 27

28 cer/ficate $ openssl x509 - inform DER - text - in nuokqjmirka2dis40zy34cs7tkc.cer : Subject Informa/on Access: CA Repository - URI:rsync://rpki.apnic.net/member_repository/XXX/XX/ : sbgp- autonomoussysnum: cri/cal Autonomous System Numbers: : sbgp- ipaddrblock: cri/cal IPv4: / /18 : publica/on point maz@iij.ad.jp 28

29 Route Origin AYesta/ons (ROAs) a signed object contains an AS and IP prefixes the AS is authorized to originate routes to the given IP prefixes similar to IRR s route and route6 object an IP address block holder can issue a ROA within that block maximum length op/on specifies the maximum length of an IP prefix that the AS is authorized to originate maz@iij.ad.jp 29

30 ROA $ print_roa FksMMjbAOUZnFeuDv2yZmcAXJeY.roa : asid: 2497 addressfamily: 2 IPaddress: 2001:240::/32 You can issue mul/ple ROAs to originate a prefix from different ASes maz@iij.ad.jp 30

31 RPKI cache Trust Anchor Publica/on Point RPKI engine - parent - cert ROA cert rsync gathered data RPKI engine - child - publish certs Publica/on Point cert ROA ROA Validated Cache RPKI Cache maz@iij.ad.jp 31

32 Origin Valida/on Validated Cache RPKI to RTR protocol RPKI Cache Router gets ROA informa/on from the RPKI Cache RPKI verifica/on is done by the RPKI Cache The BGP process will check each announcement with the ROA informa/on and label the prefix 32

33 possible outcomes Valid a ROA matching the prefix and ASN is found Unknown (Not found) There is no covering ROA for the prefix Invalid There are ROAs covering the prefix, but none of them matches the ASN or the prefix length maz@iij.ad.jp 33

34 example - valid ROA /16-17 AS65000 prefix: /16 maximum length: 17 origin AS: BGP BGP BGP /16 AS65000 Valid /17 AS65000 Valid /17 AS65000 Valid maz@iij.ad.jp 34

35 example - unknown ROA /16-17 AS65000 BGP /8 AS65001 Unknown BGP BGP /16 AS /24 AS65000 Unknown Unknown maz@iij.ad.jp 35

36 example - invalid ROA /16-17 AS65000 BGP /16 AS65001 Invalid BGP /24 AS65000 Invalid BGP /18 AS65001 Invalid maz@iij.ad.jp 36

37 example - mul/ple origin ROA ROA ROA /16-17 AS /16-17 AS65001 BGP /16 AS65001 Valid maz@iij.ad.jp 37

38 local policy You can define your policy based on the outcomes do nothing just logging label BGP communi/es modify preference values rejec/ng the announcement 38

39 RPKI running codes RPKI Tools hyps://trac.rpki.net/wiki/doc/rpki RPKI Validator hyp:// services/resource- management/cer/fica/on/tools- and- resources Routers Cisco, Juniper and Quagga 39

40 future work ask NIRs to support RPKI You can not issue ROAs if you received IP resources from a NIR at this moment L They are working hard though give an opera/onal feedback to developers maz@iij.ad.jp 40