How to Make Routing More Secure

Similar documents
Resource Certification. Alex Band Product Manager

RPKI Tutorial. Certification. Goals. Current Practices in Filtering

OPPORTUNITIES AND CHALLENGES IN CYBERSECURITY

The ISP Column A monthly column on things Internet. Securing BGP with BGPsec. Introduction

IPv4 Address Trading Using Resource Certificate

Routing Security Training Course

APNIC Trial of Certification of IP Addresses and ASes

Improving Rou-ng Security with RPKI

BGP FORGOTTEN BUT USEFUL FEATURES. Piotr Wojciechowski (CCIE #25543)

Policy-Based AS Path Verification with Enhanced Comparison Algorithm to Prevent 1-Hop AS Path Hijacking in Real Time

Draft RIPE NCC Activity Plan and Budget Introduction to the Activity Plan and Budget 2015

Recent Progress in Routing Standardization An IETF update for UKNOF 23

APNIC Plans and Budget - Review

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Internet Operations and the RIRs

RIPE Database Terms and Conditions

Internet Bodies.

BREAKING HTTPS WITH BGP HIJACKING. Artyom Gavrichenkov R&D Team Lead, Qrator Labs

Global Infrastructure Security and IPv6 Implications. Larry J. Blunk Fall 2004 Internet2 Member Meeting September 29, 2004

Internet Structure and Organization

Database Update. Johan Åhlén Assistant Manager and Denis Walker Business Analyst

Enabling Operational Use of RPKI via Internet Routing Registries

Collective responsibility for security and resilience of the global routing system

Introduction to The Internet. ISP/IXP Workshops

Network Security. Mobin Javed. October 5, 2011

Measuring IPv6 Deployment. Geoff Huston APNIC December 2009

Aggregation (?) Effect of business practices on the Internet today. Philip Smith RIPE 50, Stockholm

BGP Security The Human Threat

RIPE Network Coordination Centre RIPE NCC LIR Tutorial

IPv6 and 4-byte ASN Update

Preventing Common Attacks on Critical Infrastructure

Secure routing: State-of-the-art deployment and impact on network resilience

The IANA Functions. An Introduction to the Internet Assigned Numbers Authority (IANA) Functions

Introduction to RPSL. TorIX Meeting, September 2004 Joe Abley,

How To Get An Ipv6 Allocation On Ipv4 (Ipv4) From Ipv5) From The Ipvripe Ncc (Ip6) From A Ipvv6 Ipv2 (Ip4) To Ip

IPv6 and IPv4 Update from the RIPE NCC. Sandra Brás, Ferenc Csorba

IPv6 The Big Picture. Rob Evans, Janet

Embedded BGP Routing Monitoring. Th. Lévy O. Marcé

Layer Four Traceroute (and related tools) A modern, flexible path-discovery solution with advanced features for network (reverse) engineers

F root anycast: What, why and how. João Damas ISC

Introduction to The Internet

technical Operations Area IP Resource Management

BGP Techniques for Internet Service Providers

Network Security Workshop

Introduction to Routing

Simple Multihoming. ISP Workshops. Last updated 30 th March 2015

Network Level Multihoming and BGP Challenges

Detecting BGP hijacks in 2014

DD2491 p Load balancing BGP. Johan Nicklasson KTHNOC/NADA

Analyzing Capabilities of Commercial and Open-Source Routers to Implement Atomic BGP

Policy Implementation and Experience Report. Leslie Nobile

Open Source Software for Routing

SPAMTRACER TRACKING FLY- BY SPAMMERS

IPv6 Addressing. ISP Training Workshops

Outline. Outline. Outline

SECURE PROTOCOLS FOR THE ROUTING INFRASTRUCTURE (SPRI) INITIATIVE. A ROAD MAP (First Draft)

Network Infrastructure Under Siege

BGP Routing. Course Description. Students Will Learn. Target Audience. Hands-On

IPE Database Features

Practical BGP Security: Architecture, Techniques and Tools

Interconnections on the Internet: Exchange Points

RIPE Policy Development Process

Managing security-relevant data from measurements on Internet scale

Introduction. Internet Address Depletion and CIDR. Introduction. Introduction

Simple Multihoming. ISP/IXP Workshops

Locator/ID Separation Protocol: do we really need such a thing?

Introduction to IP Numbers vs. Domain names. Adiel A. Akplogan CEO, AFRINIC. 2014

IPv6 RIPEness from 4 to 5 stars. Vesna Manojlovic Community Builder for Measurement Tools BECHA@ripe.net

AWS Direct Connect. User Guide API Version

Examination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

The benefits of BGP for every service provider

Fireware How To Dynamic Routing

RTMA Working Group Agenda. Overview Speakers Discussion

Information Technology Sector. Risk Management Strategy Internet Routing, Access and Connection Services

Information Pack! October 2014!! Bijal Sanghani! bijal at euro-ix dot net!

Using Resource Certificates Progress Report on the Trial of Resource Certification

Routing in Small Networks. Internet Routing Overview. Agenda. Routing in Large Networks

IPv4-IPv6 transition

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Securing DNS Infrastructure Using DNSSEC

Network provider filter lab

IPV6 FRAGMENTATION. The Case For Deprecation. Ron Bonica NANOG58

Euro6IX project and Italian IPv6 Task Force

NetFlow & BGP multi-path: quo vadis?

Netflow Overview. PacNOG 6 Nadi, Fiji

What's inside the cloud?!

APNIC elearning: Requesting IP Address

IPv6 Address Planning

Claudio Jeker. RIPE 41 Meeting Amsterdam, 15. January Using BGP topology information for DNS RR sorting

IPv6 First Hop Security Protecting Your IPv6 Access Network

Global IP Network Mobility

Firewall-on-Demand. GRNET s approach to advanced network security services management via bgp flow-spec and NETCONF. Leonidas Poulopoulos

IXP Member connection Best Practice. Kittinan Sriprasert BKNIX

Verifying Growth of IPv6 DNS Entries

The ISP Column A monthly column on things Internet. Leaking Routes. March 2012 Geoff Huston. Its happened again.

Understanding Route Aggregation in BGP

Update from the RIPE NCC

BGP overview BGP operations BGP messages BGP decision algorithm BGP states

Autonomous Security for Autonomous Systems

Transcription:

How to Make Routing More Secure Resource Certification (RPKI) Mirjam Kühne & Ivo Dijkhuis (RIPE NCC) TF-CSIRT 45 Poznan - Poland 22 May 2015

Overview 2 Very brief introduction to the RIPE NCC IPv4 hijacking and IPv4 transfers Problem statement - Routing Security Possible solution - Resource Certification (RPKI) Making routing decisions Uptake of RPKI and future developments

The RIPE Network Coordination Centre 3 Established in 1992 by the RIPE community - Initially part of the academic network association - Since 1997 a membership association under Dutch law - Not for profit, independent, neutral, open - Main offices in Amsterdam; staff in Dubai and Moscow Funded by the membership - 11,500 members from 76 countries - Initially mostly ISPs and universities - Now also traditional industries, small Internet companies One of five Regional Internet Registries The Internet Registry System - April 2015

Regional Internet Registries 4 The Internet Registry System - April 2015

IPv4 Address Hijacking and Transfers 5 Presented on IPv4 hijacking at TF-CSIRT in Rome Number of hijackings went down - Due to clean-up in RIPE Database Number of IPv4 transfer went up significantly - See recent post on RIPE Labs (labs.ripe.net) Transfers can create routing overlaps

The Issue 6 Network operators should only announce the IP block (IP prefix) they are the legitimate holder of However, errors can happen - Due to typos or - A bad person is trying to hijack a network by announcing a prefix maliciously So the question is: Is this autonomous system (AS) really supposed to be announcing this IP address block?

The Solution - Resource Certification 7 The Regional Internet Registries (RIRs) are the authority on who is the legitimate holder of resources in their region - IPv4 and IPv6 address blocks - Autonomous System Numbers Information is kept in the registry (whois database) Accuracy and completeness are key - Offers validatable proof of holdership

Digital Resource Certificates 8 Based on IETF standards - Secure Interdomain Routing (SIDR) working group - RFC 5280: X.509 PKI Certificates - RFC 3779: Extensions for IP Addresses and ASNs - RFC 6481-6493: Resource Public Key Infrastructure Issued by the RIRs since 1 January 2011 Digital certificate states that an Internet number resource has been registered by the RIPE NCC

Certification to Secure Internet Routing 9 Resource holders can use their resource certificate to make statements about their BGP routing Route Origin Authorisation (ROA): I authorise this Autonomous System to originate these prefixes Also in a ROA: Maximum Prefix Length - The longest prefix the ASN may announce

Example of ROA 10 Kühne & Dijkhuis - TF-CSIRT 45-22/05/2015

Making Routing Decisions

Route Origin Authorisations 12 A ROA affects the RPKI validity of a BGP route - VALID: ROA found, authorised announcement - INVALID: ROA found, unauthorised announcement - UNKNOWN: No ROA found (resource not yet signed) Every operator is free to base any routing decision on these validity states

Validation in Practice 13 All certificates and ROAs are published in a repository and available for download Software running on your own machine will periodically retrieve and verify the information - Cryptographic tools check all the signatures The result is a list of all valid combinations of ASN and prefix, the validated cache

The RPKI Ecosystem 14 Validated RPKI information can be sent to router, so operators can use it easily A production system since 2011 - All RIRs offer the functionality to their members - All major router vendors offer native support Cisco, Juniper, Alcatel Lucent, Quagga Several open source tools to validate ROAs

Uptake of RPKI

RPKI Adoption 16

RPKI Adoption 17

Future Developments of RPKI 18 Most major ISP have adopted RPKI - Deutsche Telekom, Telefonica, KPN, SFR, etc. Adoption by smaller ISPs accelerating now Path validation is being standardised - Making it impossible to spoof an AS Origin + Path validation offers full routing security

Further References 19 More information on the RIPE NCC web site www.ripe.net/certification RPKI Statistics http://certification-stats.ripe.net/ RIPE Labs labs.ripe.net IETF SIDR WG https://datatracker.ietf.org/wg/sidr/charter/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information