LISP & NERD: An application person s adventure in routing

Similar documents
Scaling the Internet with LISP

LISP Functional Overview

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Network layer: Overview. Network layer functions IP Routing and forwarding

IP addressing and forwarding Network layer

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

IMPLEMENTATION OF LOCATION IDENTIFIER SEPARATION PROTOCOL (LISP) ROUTING PROTOCOL IN NETWORK SIMULATOR 2. A Thesis by.

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Security Assessment of Neighbor Discovery for IPv6

Simplify Your Route to the Internet:

8.2 The Internet Protocol

IPv6 First Hop Security Protecting Your IPv6 Access Network

We Are HERE! Subne\ng

INTRODUCTION TO FIREWALL SECURITY

Protocols. Packets. What's in an IP packet

IP Address Classes (Some are Obsolete) Computer Networking. Important Concepts. Subnetting Lecture 8 IP Addressing & Packets

(Refer Slide Time: 02:17)

IP address format: Dotted decimal notation:

Chapter 4 Network Layer

Network layer" 1DT066! Distributed Information Systems!! Chapter 4" Network Layer!! goals: "

Solution of Exercise Sheet 5

Approaches for DDoS an ISP Perspective.

Exterior Gateway Protocols (BGP)

IP Subnetting and Addressing

Network Infrastructure Under Siege

NetFlow/IPFIX Various Thoughts

IPv6 Fundamentals Ch t ap 1 er I : ntroducti ti t on I o P IPv6 Copyright Cisco Academy Yannis Xydas

Network Security TCP/IP Refresher

Network-Based Protocol Innovations in Secure Encryption Environments

Internet Protocol Version 6 (IPv6)

04 Internet Protocol (IP)

Roman Hochuli - nexellent ag / Mathias Seiler - MiroNet AG

Layer Four Traceroute (and related tools) A modern, flexible path-discovery solution with advanced features for network (reverse) engineers

MPLS over IP-Tunnels. Mark Townsley Distinguished Engineer. 21 February 2005

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

Introduction to TCP/IP

Internet Security Firewalls

Introduction. Internet Address Depletion and CIDR. Introduction. Introduction

Network Layer IPv4. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

On Characterizing BGP Routing Table Growth Tian Bu, Lixin Gao, and Don Towsley University of Massachusetts, Amherst, MA 01003

Exam 1 Review Questions

Strategies for Getting Started with IPv6

VLAN und MPLS, Firewall und NAT,

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

IPv6 Advantages. Yanick Pouffary.

Компјутерски Мрежи NAT & ICMP

ProCurve Networking IPv6 The Next Generation of Networking

Network Address Translation (NAT)

The Hybrid- Open ( HOpen ) router architecture. Brian Field / Comcast

TCP/IP Basis. OSI Model

Introduction to IP v6

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

NetFlow v9 Export Format

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Computer Networks - CS132/EECS148 - Spring

Netflow Overview. PacNOG 6 Nadi, Fiji

Outline. EE 122: Interdomain Routing Protocol (BGP) BGP Routing. Internet is more complicated... Ion Stoica TAs: Junda Liu, DK Moon, David Zats

Multihoming and Multi-path Routing. CS 7260 Nick Feamster January

CS 43: Computer Networks IP. Kevin Webb Swarthmore College November 5, 2013

CSCI-1680 So ware-defined Networking

Chapter 9. IP Secure

DHCP, ICMP, IPv6. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley DHCP. DHCP UDP IP Eth Phy

Claudio Jeker. RIPE 41 Meeting Amsterdam, 15. January Using BGP topology information for DNS RR sorting

Technology Brief IPv6 White Paper.

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

How To Block A Ddos Attack On A Network With A Firewall

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Internet Infrastructure Measurement: Challenges and Tools

F5 Silverline DDoS Protection Onboarding: Technical Note

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Internet Architecture and Philosophy

Ethernet and IP A slightly less introductory networking class. Drew Saunders Networking Systems Stanford University

Lecture Computer Networks

PART OF THE PICTURE: The TCP/IP Communications Architecture

Tomás P. de Miguel DIT-UPM. dit UPM

UPPER LAYER SWITCHING

Chapter 11 Cloud Application Development

Interconnection of Heterogeneous Networks. Internetworking. Service model. Addressing Address mapping Automatic host configuration

Introduction to LAN/WAN. Network Layer (part II)

Transition to IPv6 in Service Providers

Network Security. Mobin Javed. October 5, 2011

BGP Prefix Hijack: An Empirical Investigation of a Theoretical Effect Masters Project

Answers to Sample Questions on Network Layer

Savera Tanwir. Internet Protocol

Locator/ID Separation Protocol: do we really need such a thing?

co Characterizing and Tracing Packet Floods Using Cisco R

Transcription:

LISP & NERD: An application person s adventure in routing Eliot Lear DIMACS Routing & Security Workshop

Before we start The purpose of this talk: Not to push NERD NERD was an experiment to demonstrate certain principles. Current development effort focuses around LISP-ALT NERD is NOT under any form of development at Cisco. Those principles are Partitioning of problem space matters. Looking at the entire system matters. Looking at various layers of dependencies matters Oh and beg borrow and steal where you can. Not to give a tutorial on LISP See draft-ietf-lisp-* and www.lisp4.net for that. 2

Security People Say Never rely on the incompetence of your adversaries. Sun Tsu 3

The Rest of the World Never ascribe to malice that which is adequately explained by incompetence Adieux de Napoléon à la Garde impériale dans la cour du Cheval-Blanc du château de Fontainebleau, by Antoine Alphonse Montfort, 19th century Napoleon Bonaparte 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 4

Secure Routing The threat: A bad guy will announce your prefix or worse something more specific. Responses Disaggregate as much as you can get away with. Implement and deploy SIDR Complicating factors The system is incredibly dynamic (Changes are reflected rapidly throughout a huge system) Many MANY announcers of information About the same number of receivers PKI operations are expensive in this environment, and can themselves be a source of attack Delaying evaluation of routing information poses complex state issues in a generally stateless environment

Routing Table Growth CIDR-Report.ORG (6 Mar. 2010)

Unique ASes in the DFZ CIDR-Report.ORG (6 Mar. 2010)

How Shall A Router Answer This Question? Basic SIDR risks: 1. Trust chain between CA and signer is broken 2. Signer loses private key and routing fails 3. Misconfiguration errors on the part of originators. Lot s of moving parts.

What simplifying assumptions reduce the number of moving parts? What if we claim that the core of the network is separate from the edges, and is stable? The core only maintains routes for the core. Edges only maintain routes to the edges. Feasible exit points for a given edge network change rarely. This is managed by a small number of entities. Operational state of a given link is given in return traffic for a given network. These are the operating assumptions for LISP-NERD.

NERD is A Not-So-novel EID to RLOC Database A signed set of mappings A suggested initial distribution mechanism- HTTP A push model approach all routing information is stored on the router Signed host file with MX records for routing draft-lear-lisp-nerd-10.txt Nerd image Copyright 2009 Kevin Menzie (used by permission).

LISP is Locator Identity Separation Protocol A new approach to interdomain connectivity A separate routing plane for end networks and the Internet core Leight-weight tunneling through pre-provisioning See Draft-ietf-lisp-06.txt Draft-ietf-lisp-alt-02.txt Draft-ietf-lisp-ms-04.txt Draft-ietf-lisp-interworking-01.txt

LISP Packet Header 0 1 2 3! 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1!! / Version IHL Type of Service Total Length! /! Identification Flags Fragment Offset!! OH Time to Live Protocol = 17 Header Checksum!! Source Routing Locator! \! \ Destination Routing Locator!! / Source Port = xxxx Dest Port = 4341! UDP! \ UDP Length UDP Checksum!! L N L E rflags Nonce! I \! S / Locator Status Bits! P! / Version IHL Type of Service Total Length! /! Identification Flags Fragment Offset!! IH Time to Live Protocol Header Checksum!! Source EID! \! \ Destination EID!!

0 1 2 3 NERD Format 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Schema Vers=1 DB Code Database Name Size Database Version Old Database Version or 0 Database Name PKCS#7 Block Size Reserved PKCS#7 Block containing Certificate and Signature

The Data 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Num. RLOCs EID Mask Len EID AFI End point identifier These entries correlate in order to reachability bits in LISP header. Priority 1 Weight 1 AFI 1 Routing Locator 1 Priority 2 Weight 2 AFI 2 Routing Locator 2 Priority 3 Weight 3 AFI 3

NERD Process: Getting The Database to Authorities There exists one or more database authorities that manage mappings for some portion of the EID address space The end user communication to these authorities is similar to that of name service registrars NERD database authorities collect and validate mapping requests Authorities then produce a SIGNED database of entries, as well as a SIGNED set of changes from previous versions

NERD Basics: Getting the data to ITRs When ITR boots first time it retrieves a full copy of the database via HTTP Caches are strategically placed and common CDN technologies are used to direct request ITRs periodically request updates through same CDN Possibly an ITR can request via its BGP neighbor or from a configured source the database and updates

Pictoral netnews Sign-and-push Authority http server http cache??? P2P Reachability Bits Pull to Site Pull to Site Register RLOCs ITR ITR admin ETR

Your routers trust Intermediary ISPs Router vendors

And your users trust these people

Use of a PKI The Scape Goat, by Holman Hunt (1854) 2010 Cisco Systems, Inc. All rights reserved. Cisco Public Makes some operators shake in their boots This is not the common use Allows for separation of data from distribution mechanisms Closest analogy is code signing, which can mostly happen under the hood.

So, Pick your poison Today Great challenges to deploy a PKI Reliance on old model BGP security (With LISP-ALT, even that improves) NERD issues Optimistic connectivity model Concentration of trust Circular dependencies Explosive growth Mobility More risk may be found in reachibility bits with NERD The band, Poision, 2008 Matt Becker 22

Conclusions See the whole board Configured state versus operational state Edge versus core Make PKI easy and reliable Rely on those who you already rely Don t assume the world can t change Alekhine and Capablanca, Buenos Aires 1927 But don t try to change it too fast. 23

Thank you! Henry Rutgers 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 24

25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information