Improving Rou-ng Security with RPKI

Transcription

1 Improving Rou-ng Security with RPKI Russ Clark Samuel Norris Cas D Angelo, Sco7 Friedrich Ron Hutchins, Aurore Nguenang Thank you to the Na-onal Science Founda-on for their support of this work.

2 Too Easy To Lie I just adver-sed a shorter path to Google! 2

3 This Is A Recrui-ng Talk For The RPKI Army! 3

4 Standing on Shoulders RPKI and BGPSEC standards efforts Sharon Goldberg Boston University George Wesley - Time Warner (NANOG Preso) ESNET Randy Bush et al ARIN - hups:// 4

5 BGP vulnerabili-es 1/2 Credit to Sharon Goldberg hup:// content/iab- uploads/2014/01/whyrpki.pdf 5

6 BGP vulnerabili-es 2/2 Credit to Sharon Goldberg hup:// content/iab- uploads/2014/01/whyrpki.pdf 6

7 And It s A Common Problem Credit to Sharon Goldberg hup:// content/iab- uploads/2014/01/whyrpki.pdf 7

8 Resource cer-fica-on to the rescue S- BGP RPKI today RPKI So- BGP IETF Standard published 2012 Deployment started in 2011 Cer-fies IP prefix alloca-ons Crypto done out- of- band No change to BGP messages BGPSEC BGPSEC XXX- today Builds on the RPKI Now being standardized Cer-fies announced routes Crypto done online Major change to BGP messages 8

9 What is RPKI? - Components 3 main components A PKI Signed objects A distributed repository X.509 PKI CerNficates a7est to holdings of IP address space and AS numbers Digitally signed rounng objects to support rounng security that are non- cernficate signed objects used by the infrastructure Those objects are: Route OriginaNon AuthorizaNon or ROA Manifests Hold the PKI objects and the signed rounng objects Make those objects available for use by ISPs in making rounng decisions 9

10 What is RPKI? - ROA ROA is a digital object forma7ed according to the Cryptographic Message Syntax specificanon (CMS) [RFC3852] that contains: A list of IP address prefixes One AS number Digest and signature algorithms (currently SHA- 256 with RSA signature) A digital signature An RPKI end- ennty cernficate 10

11 What is RPKI? ROA Crea-on Procedure to issue a ROA CA cert EE cert ROA 1. Obtain the RPKI CA cernficate from a cer-ficate authority 2. Generate the end- ennty (EE) cernficate 3. Create the ROA containing the prefix, the ASN and the EE cert 4. Sign the ROA using the private key corresponding to the EE cert 5. Publish the ROA in the RPKI repository system 11

12 What is RPKI? ROA Valida-on Procedure for validanon How to do the validanon? 1. Walk the Trust Anchors to find the Cer-ficate Authority repository: Ø Ingest ROAs (rsync) Ø Establish the ROAs validity Ø Push valida-on informa-on to routers via RPKI to Router protocol 2. Configure rou-ng policy, usually increase local preference on valids, drop invalids How to establish the ROA s validity? 1. Check that the ROA is a syntac-cally valid CMS object indica-ng appropriate digest and signature algorithms 2. Examine the enclosed EE cer-ficate and check that the IP address extension in the cert matches the IP address prefix(es) in the ROA 3. Verify the signature on the ROA using the public key in the EE cer-ficate 4. Check that the EE cer-ficate is a valid cer-ficate within the RPKI Note: A ROA can be revoked by simply revoking its EE cernficate 12

13 What is RPKI? Router Ac-on Route validanon sate 3 route announcement states Valid Invalid NotFound if covered by at least one ROA if a ROA exists for the prefix but with another AS If the IP address prefix doesn t exist in ROAs 13

14 What is RPKI? Signing Models Signing prefixes models Hosted model Delegated model Based on a third party or Cer-ficate Authority (e.g. ARIN) Relying par-es generate key & upload them to CA, use CA portal to manage ROAs ROAs are generated & signed by the CA, published in the CA s RPKI repository Relying par-es downloaded and validated ROAs to create rou-ng decisions There is some issues with this mode: Ø Relying par-es have to trust a third party with their private key Ø Fully rely on the CA s infrastructure Credit to George Wesley: hups:// Independency from a third party Install Cer-ficate Authority sojware Generate keys (public and private) Generate ROAs for all resources Publish URI for the CA s publica-on point through CA s TA Issues: Ø Careful where you store your keys (not publicly- reachable server) Ø TA can only publish one URI per publica-on point Ø S-ll reliant on CA s TA infrastructure 14

15 Back to Our Example Source: hup:// content/iab- uploads/2014/01/whyrpki.pdf 15

16 Gelng it Deployed RPKI gives us some real benefit But you probably aren t using it yet Some technical hurdles, perhaps some legal We re trying to help move things forward by crea-ng an example for R&E networks 16

17 R&E Architecture Verifica-on level 3 levels of the network hierarchy: A nanonal- based RPKI verificanon A regional- based RPKI verificanon A university- based RPKI verificanon 17

18 3/10/2015 BGP Security - RPKI project 18

19 Project Strategy Get used to working with the sojware Architecture RPKI server ROA management Router configura-on Built a test deployment on GENI Test things out where it s okay to fail! 10/4/15 19

20 GENI Deployment Architecture 20

21 Sojware Details RPKI Server rpki.net/ Ubuntu LTS Quagga Router BGP- SRx extensions www- x.antd.nist.gov/bgpsrx/ NIST- SRx- bundle Centos /4/15 21

22 Let s do a demo 10/4/15 22

23 Conclusion BGP vulnerabili-es are a real threat RPKI is a good first step to solving the problem R&E networks are a good star-ng point We put together a GENI test environment you can use Who wants to join us? 23

24 Thank You! Russ Clark Samuel Norris Cas D Angelo, Sco7 Friedrich Ron Hutchins, Aurore Nguenang Thank you to the Na-onal Science Founda-on for their support of this work.