BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate...
Transcript of BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate...
BGP Origin Validation
APNIC / Phnom Penh 2012.08.27
Randy Bush <[email protected]> Rob Austein <[email protected]>
Steve Bellovin <[email protected]> And a cast of thousands! Well, dozens :)
2012.08.27 APNIC RtgSec 1
Agenda • This Presentation o Some Technical Background
o Mis-Origination - YouTube Incident
o The RPKI – Needed Infrastructure
o BGP Origin Validation
o BGP Path Validation (briefly)
2012.08.27 APNIC RtgSec 2
This is Not New • 1986 – Bellovin & Perlman identify the
vulnerability • 1999 - National Academies study called it out • 2000 – S-BGP – X.509 PKI to support Secure
BGP - Kent, Lynn, et al. • 2003 – NANOG S-BGP Workshop • 2006 – ARIN & APNIC start work on RPKI.
RIPE starts in 2008. • 2009 – RPKI Open Testbed and running code
in test routers 2012.08.27 APNIC RtgSec 3
What is an AS? An ISP or End Site
2012.08.27 APNIC RtgSec 4
Verizon AS 701
Sprint AS
1239 IIJ AS
2497 Big ISPs ‘Peering’
What is an AS? An ISP or End Site
2012.08.27 APNIC RtgSec 5
Verizon AS 701
Sprint AS
1239 IIJ AS
2497 Big ISPs ‘Peering’
GoJ AS 234
Amazon AS
16509 Customers buy ‘Transit’
Sakura AS
9370
An IP Prefix is Announced & Propagated
2012.08.27 APNIC RtgSec 6
Verizon AS 701
Sprint AS
1239 IIJ AS
2497 Big ISPs ‘Peering’
GoJ AS 234
Amazon AS
16509 Customers buy ‘Transit’
147.28.0.0/16 Sakura
AS 9370
From Inside a Router
BGP routing table entry for 147.28.0.0/16 16509 1239 2497 234
2012.08.27 APNIC RtgSec 7
The AS-Path
Origin AS
Of Course it’s Uglier J r1.iad#sh ip bgp 147.28.0.0/16 BGP routing table entry for 147.28.0.0/16, version 21440610 Paths: (2 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 16509 1239 2497 234 144.232.18.81 from 144.232.18.81 (144.228.241.254) Origin IGP, metric 841, localpref 100, valid, external, best Community: 3297:100 3927:380 path 67E8FFCC RPKI State valid Refresh Epoch 1 16509 701 2497 234 129.250.10.157 (metric 11) from 198.180.150.253 (198.180.150.253) Origin IGP, metric 95, localpref 100, valid, internal Community: 2914:410 2914:1007 2914:2000 2914:3000 3927:380 path 699A867C RPKI State valid
8 2012.08.27 APNIC RtgSec 8
The YouTube Incident
2012.08.27 APNIC RtgSec 9
Pakistan Telekom
PCCW
Pakistan Internet
Poison Pakistan Internal Routing
The Plan
YouTube
Global Internet
YouTube
The YouTube Incident
2012.08.27 APNIC RtgSec 10
Pakistan Telekom
PCCW
Pakistan Internet
Poisoned the Global Internet
What Happened
Oops!
Global Internet
We Call this Mis-Origination
a Prefix is Originated by an AS Which Does
Not Own It 2012.08.27 APNIC RtgSec 11
I Do Not Call it Hijacking
Because that Assumes
Negative Intent 2012.08.27 APNIC RtgSec 12
And These Accidents Happen Every Day
Usually to Small Folk Sometimes to Large
2012.08.27 APNIC RtgSec 13
So,
What’s the Plan?
2012.08.27 APNIC RtgSec 14
Three Pieces • RPKI – Resource Public Key Infrastructure,
the Certificate Infrastructure to Support the other Pieces (starting last year)
• Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (early 2012)
• AS-Path Validation AKA BGPsec – Prevent Attacks on BGP (future work)
2012.08.27 APNIC RtgSec 15
Why Origin Validation? • Prevent YouTube accident & Far Worse
• Prevent 7007 accident, UU/Sprint 2 days!
• Prevents most accidental announcements
• Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack
• That requires ‘Path Validation’, the third step, a few years away
2012.08.27 APNIC RtgSec 16
We Need to be Able to Authoritatively Prove
Who Owns an IP Prefix And What AS(s) May
Announce It 2012.08.27 APNIC RtgSec 17
Prefix Ownership Follows the Allocation
Hierarchy IANA, RIRs, ISPs, …
2012.08.27 APNIC RtgSec 18
Resource Public Key
Infrastructure (RPKI)
2012.08.27 APNIC RtgSec 19
X.509 RPKI Being Developed & Deployed
by IANA, RIRs, and
Operators 2012.08.27 APNIC RtgSec 20
RFC 3779 Extension
Describes IP
Resources (Addr & ASN)
X.509 Cert
Owner’s Public Key
X.509 Certificate w/ 3779 Ext CA
SIA – URI for where this Publishes
2012.08.27 APNIC RtgSec 21
Signed by
Parent’s Private Key
98.128.0.0/16
Public Key
98.128.0.0/20
Public Key
98.128.16.0/20
Public Key
98.128.32.0/19
Public Key
98.128.16.0/24
Public Key
98.128.17.0/24
Public Key
Cert/RGnet
Cert/Rob Cert/Randy
Cert/ISC Cert/PSGnet
Cert/ARIN CA
CA CA CA
CA CA
Certificate Hierarchy follows
Allocation Hierarchy
SIA
2012.08.27 APNIC RtgSec 22
That’s Who Owns It but
Who May Route It?
2012.08.27 APNIC RtgSec 23
98.128.0.0/16
Public Key
98.128.0.0/16
AS 42
EE Cert
ROA
Route Origin Authorization (ROA)
98.128.0.0/16 147.28.0.0/16
Public Key
Owning Cert CA
End Entity Cert can not sign certs. can sign other things e.g. ROAs
This is not a Cert It is a signed blob
2012.08.27 APNIC RtgSec 24
98.128.0.0/16
AS 42
98.128.0.0/16
Public Key
EE Cert
ROA
Multiple ROAs Make Before Break
98.128.0.0/16 147.28.0.0/16
Public Key
Owning Cert CA
2012.08.27 APNIC RtgSec 25
98.128.0.0/16
AS 3130
ROA I Plan to Switch
Providers
98.128.0.0/16
Public Key
EE Cert
0/0
Public Key
98.0.0.0/8
Public Key
98.128.0.0/16
Public Key
PSGnet
ARIN
IANA
98.128.0.0/16-24
AS 3130
ROA
ROA Aggregation Using Max Length 98.128.0.0/16
Public Key
EE Cert
CA
CA
CA
2012.08.27 APNIC RtgSec 26 26
RPKI-Based
Origin Validation
2012.08.27 APNIC RtgSec 27
2012.08.27 APNIC RtgSec
RPKI Certificate
Engine
Resource PKI
IP Resource Certs ASN Resource Certs
Route Origin Attestations
Publication Protocol
Up / Down to Parent
Up / Down to Child
28
GUI
2012.08.27 APNIC RtgSec 29
Warning What ROA Will Do
2012.08.27 APNIC RtgSec
Mac
Publication Point
Registry Internal GUI &
Management
Contract Out To
Google? J
A Usage Scenario
Resources [OrgID]
My RightsToRoute
Delegations to Custs
User Web GUI
98% of an RIR’s Users 10% of an RIR’s IP Space
Up / Down Protocol
2% of an RIR’s Users 90% of an RIR’s IP Space
Publication Protocol
Registry’s Database(s)
Internal
Protocol
30
RPKI Certificate
Engine
30
2012.08.27 APNIC RtgSec
IANA
Resource PKI
Publication Protocol
APNIC
Resource
PKI Publication
Protocol
IIJ
Resource PKI
Publication Protocol
31
GUI
GUI
GUI
Please Issue My Cert Up/ Down
Please Issue My Cert Up/ Down
Please Issue My Cert Up/ Down Cert Issuance
Issuing Parties
Cert Issuance
Cert Issuance
2012.08.27 APNIC RtgSec 32
Issuing Parties
IANA
Resource PKI
Publication Protocol
Up Down
APNIC
Resource PKI
Publication Protocol
Up Down
IIJ
Resource
PKI Publication
Protocol
SIA Pointers
SIA Pointers
GUI
GUI
GUI
RCynic Cache Gatherer
RCynic Gatherer Validated
Cache
Trust Anchor
(cynical rsync)
IANA IANA
ARIN ARIN APNIC APNIC
UUNET UUNET PSGnet PSGnet
UUcust UUcust
IIJ IIJ
SIA
SIA
SIA
SIA
2012.08.27 APNIC RtgSec 33
2012.08.27 APNIC RtgSec 34
IANA
Resource PKI
Publication Protocol
Up Down
APNIC
Resource PKI
Publication Protocol
Up Down
IIJ
Resource
PKI Publication
Protocol
RCynic Gatherer
BGP Decision Process
Validated Cache
SIA Pointers
SIA Pointers
Trust Anchor
GUI
GUI
GUI
Issuing Parties Relying Parties
route: 147.28.0.0/16!descr: 147.28.0.0/16-16!origin: AS3130!notify: [email protected]!mnt-by: MAINT-RPKI!changed: [email protected] 20110606!source: RPKI!
Pseudo IRR
NOC Tools
RPSL Your WorkFLow? route: 147.28.0.0/16!
descr: 147.28.0.0/16-16!
origin: AS3130!
notify: [email protected]!
mnt-by: MAINT-RPKI!
changed: [email protected] 20110606!
source: RPKI!2012.08.27 APNIC RtgSec 35
CSV Your WorkFlow? 67.21.36.0/24 3970!
192.169.0.0/23 3970!
207.34.0.0/24 3970!
216.21.0.0/24 3970!
216.21.14.0/24 3970!
216.21.16.0/24 3970!
216.151.34.0/24 3970!
147.28.0.0/16 3130!
192.83.230.0/24 3130!
2012.08.27 APNIC RtgSec 36
RPKI-Rtr Protocol
2012.08.27 APNIC RtgSec
RPKI Engine
Repository Mgt RPKI Repo
RCynic Gatherer
RPKI to Rtr Protocol
BGP Decision Process
Cache django
Publication Protocol
37
2012.08.27 APNIC RtgSec
Global RPKI
Asia Cache
NoAm Cache
Euro Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
in-PoP Cache
Cust Facing
Cust Facing
Cust Facing
Cust Facing
Cust Facing
High Priority
Lower Priority
Possible Large ISP Deployment
38
Caches Feed
Caches
How Do ROAs Affect BGP Updates?
2012.08.27 APNIC RtgSec 39
In NOC 2012.08.27 APNIC RtgSec
IANA
Resource PKI
Publication Protocol
Up Down
APNIC
Resource PKI
Publication Protocol
Up Down
IIJ
Resource PKI
Publication Protocol
RCynic Gatherer
RPKI to Rtr
Protocol
Crypto Check
Crypto Stripped
In PoP
BGP Decision Process
Validated Cache
SIA Pointers
SIA Pointers
Trust Anchor
40
GUI
GUI
GUI
Typical Exchange Cache Router | <----- Reset Query -------- | R requests data | | | ----- Cache Response -----> | C confirms request | ------- IPvX Prefix ------> | C sends zero or more | ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix | ------- IPvX Prefix ------> | Payload PDUs | ------ End of Data ------> | C sends End of Data | | and sends new serial ~ ~ | -------- Notify ----------> | (optional) | | | <----- Serial Query ------- | R requests data | | | ----- Cache Response -----> | C confirms request | ------- IPvX Prefix ------> | C sends zero or more | ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix | ------- IPvX Prefix ------> | Payload PDUs | ------ End of Data ------> | C sends End of Data | | and sends new serial ~ ~
2012.08.27 APNIC RtgSec 41
IPv4 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 4 | | +-------------------------------------------+ | | | Length=20 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..32 | 0..32 | | +-------------------------------------------+ | | | IPv4 prefix | | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------'
2012.08.27 APNIC RtgSec 42
IPv6 Prefix 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | reserved = zero | | 0 | 6 | | +-------------------------------------------+ | | | Length=40 | | | +-------------------------------------------+ | | Prefix | Max | | | Flags | Length | Length | zero | | | 0..128 | 0..128 | | +-------------------------------------------+ | | +--- ---+ | | +--- IPv6 prefix ---+ | | +--- ---+ | | +-------------------------------------------+ | | | Autonomous System Number | | | `-------------------------------------------'
2012.08.27 APNIC RtgSec 43
2012.08.27 APNIC RtgSec 44
BGP Updates are compared with
ROA Data loaded from the RPKI
2012.08.27 APNIC RtgSec 45
BGP Peer
BGP Data
RPKI Cache
RPKI-Rtr Protocol
BGP Updates
RPKI ROAs
mark
Valid
Invalid
NotFound
Marking BGP Updates
Configure Router to Get ROAs
router bgp 3130
…
bgp rpki server tcp 198.180.150.1 port 42420 refresh 3600
bgp rpki server tcp 147.28.0.35 port 93920 refresh 3600
…
2012.08.27 APNIC RtgSec 46
Check Server r0.sea#show ip bgp rpki servers
BGP SOVC neighbor is 198.180.150.1/42420 connected to port 42420
Flags 0, Refresh time is 120, Serial number is 1304239609
InQ has 0 messages, OutQ has 0 messages, formatted msg 345
Session IO flags 3, Session flags 4008
Neighbor Statistics:
Nets Processed 624
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Mininum incoming TTL 0, Outgoing TTL 255
Local host: 199.238.113.10, Local port: 57932
Foreign host: 198.180.150.1, Foreign port: 42420
Connection tableid (VRF): 0 2012.08.27 APNIC RtgSec 47 47
Look at Table r0.sea#sh ip bgp rpki table
80 BGP sovc network entries using 7040 bytes of memory
86 BGP sovc record entries using 1720 bytes of memory
Network Maxlen Origin-AS Neighbor
67.21.36.0/24 24 3970 198.180.150.1/42420
98.128.0.0/24 24 3130 198.180.150.1/42420
98.128.0.0/24 24 666 198.180.150.1/42420
98.128.0.0/16 16 3130 198.180.150.1/42420
98.128.3.0/24 24 3130 198.180.150.1/42420
98.128.4.0/24 24 3130 198.180.150.1/42420
98.128.5.0/24 24 3130 198.180.150.1/42420
98.128.6.0/24 24 3130 198.180.150.1/42420
98.128.7.0/24 24 65107 198.180.150.1/42420
98.128.9.0/24 24 3130 198.180.150.1/42420
98.128.10.0/24 24 3130 198.180.150.1/42420
2012.08.27 APNIC RtgSec 48
Look at BGP Table r0.sea#sh ip bgp
Network Next Hop Metric LocPrf Weight Path
V*> 98.128.28.0/24 0.0.0.0 0 32768 i
V*> 98.128.29.0/24 0.0.0.0 0 32768 i
V*> 98.128.30.0/24 0.0.0.0 0 32768 i
V*> 98.128.31.0/24 0.0.0.0 0 32768 i
N*> 98.129.0.0/16 199.238.113.9 62 0 2914 12179 33070 33070 i
N* 129.250.11.41 67 0 2914 12179 33070 33070 i
V*>i 98.130.0.0/16 206.81.80.40 789 90 0 6939 32392 i
N* 199.238.113.9 65 0 2914 4436 32392 i
N* 129.250.11.41 70 0 2914 4436 32392 i
I*>i 98.130.0.0/15 206.81.80.40 789 90 0 6939 32392 i
N* 199.238.113.9 65 0 2914 4436 32392 i
2012.08.27 APNIC RtgSec 49 49
Look at a Prefix R3#show ip bgp 98.128.0.0/24
BGP routing table entry for 98.128.0.0/24, version 360
Paths: (2 available, best #1, table default)
65000 3130
10.0.0.1 from 10.0.0.1 (193.0.24.64)
Origin IGP, localpref 100, valid, external, best
path 680D859C RPKI State valid
65001 4128
10.0.1.1 from 10.0.1.1 (193.0.24.65)
Origin IGP, localpref 100, valid, external
path 680D914C RPKI State invalid
2012.08.27 APNIC RtgSec 50 50
Result of Check • Valid – A matching/covering ROA was
found with a matching AS number • Invalid – A matching or covering ROA
was found, but AS number did not match, and there was no valid one
• Not Found – No matching or covering ROA was found, same as today
2012.08.27 APNIC RtgSec 51
Valid! r0.sea#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24, version 3043542 Paths: (3 available, best #1, table default) 6939 27318 206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid 2914 4459 27318 199.238.113.9 from 199.238.113.9 (129.250.0.19) Origin IGP, metric 43, localpref 100, valid, external Community: 2914:410 2914:1005 2914:3000 3130:380 path 09AF35CC RPKI State valid
2012.08.27 APNIC RtgSec 52
Invalid! r0.sea#show bgp 198.180.150.0 BGP routing table entry for 198.180.150.0/24, version 2546236 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 8 Refresh Epoch 1 1239 3927 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid
2012.08.27 APNIC RtgSec 53
NotFound r0.sea#show bgp 64.9.224.0 BGP routing table entry for 64.9.224.0/20, version 35201 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 Refresh Epoch 1 1239 3356 36492 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 4, localpref 100, valid, internal Community: 3130:370 path 11861AA4 RPKI State not found
2012.08.27 APNIC RtgSec 54
What are the BGP / VRP1
Matching Rules?
1 Validated ROA Payload 2012.08.27 APNIC RtgSec 55
2012.08.27 APNIC RtgSec 56
A Prefix is Covered by a VRP when the VRP prefix length is less than or equal to the Route prefix length
98.128.0.0/16
98.128.0.0/12-16
98.128.0.0/16-24
98.128.0.0/20-24
Covers
Covers
No. It’s Longer
BGP
VRP
VRP
VRP
2012.08.27 APNIC RtgSec 57
Prefix is Matched by a VRP when the Prefix is Covered by that VRP , prefix length is less than or equal to the VRP max-len, and the Route Origin AS is equal to the VRP’s AS
98.128.0.0/16 AS 42
98.128.0.0/12-16 AS 42
98.128.0.0/16-24 AS 666
98.128.0.0/20-24 AS 42
Matched
No. AS Mismatch
No. VRP Longer
BGP
VRP
VRP
VRP
2012.08.27 APNIC RtgSec 58
98.128.0.0/16-24 AS 6
BGP
VRP0
98.128.0.0/16-20 AS 42 VRP1
98.128.0.0/12 AS 42 NotFound, shorter than VRPs
BGP 98.128.0.0/16 AS 42 Valid, Matches VRP1
BGP 98.128.0.0/20 AS 42 Valid, Matches VRP1
BGP 98.128.0.0/24 AS 42 Invalid, longer than VRP with AS 42
BGP 98.128.0.0/24 AS 6 Valid, Matches VRP0
Matching and Validity
iBGP Hides Validity State
2012.08.27 APNIC RtgSec
iBGP Full Mesh
p p
p
valid invalid
unknown
which do i choose? why do i choose it? 59
The Solution is to
Allow Operator to Test and then Set Local Policy
2012.08.27 APNIC RtgSec 60
Fairly Secure route-map validity permit 10
match rpki valid
set local-preference 100
route-map validity permit 20
match rpki not-found
set local-preference 50
! invalid is dropped
2012.08.27 APNIC RtgSec 61
Paranoid
route-map validity permit 42
match rpki valid
set local-preference 110
! everything else dropped
2012.08.27 APNIC RtgSec 62
Set a Community route-map validity permit 10
match rpki valid
set community 3130:400
route-map validity permit 20
match rpki invalid
set community 3130:200
route-map validity permit 30
set community 3130:300 2012.08.27 APNIC RtgSec 63
2012.08.27 APNIC RtgSec 64
BGP Data
RPKI-Rtr Protocol
BGP Updates
RPKI VRPs
mark
Valid
Invalid
NotFound
And it is All Monitored
SNMP
syslog
NOC
The Big Speedbump
2012.08.27 APNIC RtgSec 65
0/0
Public Key
98.0.0.0/8
Public Key
98.128.0.0/16
Public Key
RGnet
ARIN
IANA
98.128.0.0/1724
AS 3130
ROA
98.128.0.0/17
Public Key
EE Cert
CA
CA
CA
2012.08.27 APNIC RtgSec
Up-Chain Expiration
98.128.0.0/17
Public Key
PSGnet CA
Sloppy Admin, Cert Soon to Expire!
These are not Identity Certs
So My ROA will become
Invalid! 66
ROA Invalid but I Can Route • The ROA will become Invalid
• My announcement will just become NotFound, not Invalid
• Unless my upstream has a ROA for the covering prefix, which is likely
2012.08.27 APNIC RtgSec 67
2012.08.27 APNIC RtgSec
So Who You Gonna Call?
68
2012.08.27 APNIC RtgSec 69
0/0
Public Key
98.0.0.0/8
Public Key
98.128.0.0/16
Public Key
RGnet
ARIN
IANA
98.128.0.0/17-24
AS 3130
ROA
98.128.0.0/17
Public Key
EE Cert
CA
CA
CA
Ghostbusters!
98.128.0.0/17
Public Key
PSGnet CA
BEGIN:vCard VERSION:3.0 FN:Human's Name N:Name;Human's;Ms.;Dr.;OCD;ADD ORG:Organizational Entity ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A. TEL;TYPE=VOICE,MSG,WORK:+1-666-555-1212 TEL;TYPE=FAX,WORK:+1-666-555-1213 EMAIL;TYPE=INTERNET:[email protected] END:vCard
Ghostbusters Record
draft-ietf-sidr-ghostbusters
But in the End, You Control Your Policy “Announcements with Invalid origins MAY be used, but SHOULD be less preferred than those with Valid or NotFound.” -- draft-ietf-sidr-origin-ops But if I do not reject Invalid, what is all this for?
2012.08.27 APNIC RtgSec 70
Open Source (BSD Lisc) Running Code https://rpki.net/
Shipping Router Code Talk to C & J
2012.08.27 APNIC RtgSec 71
2012.08.27 APNIC RtgSec
BGPsec AS-Path Validation
Future Work
72
Origin Validation is Weak
• RPKI-Based Origin Validation only stops accidental misconfiguration, which is very useful. But ...
• A malicious router may announce as any AS, i.e. forge the ROAed origin AS.
• This would pass Origin ROA Validation.
2012.08.27 APNIC RtgSec 73
Full Path Validation
• Rigorous per-prefix AS path validation is the goal
• Protect against origin forgery and AS-Path monkey in the middle attacks
• Not merely showing that a received AS path is not impossible
2012.08.27 APNIC RtgSec 74
Protocol Not Policy • We can not know intent, should Mary have announced
the prefix to Bob
• But Joe can formally validate that Mary did announce the prefix to Bob
• Policy on the global Internet changes every 36ms, new peers, new customers, new circuits, etc.
• We already have a protocol to distribute policy or its effects, it is called BGP
• BGPsec validates that the protocol has not been violated, and is not about intent or business policy
2012.08.27 APNIC RtgSec 75
Our Parents’ Internet
2012.08.27 APNIC RtgSec 76
X
Z
W $ $ $
A B
XWB WB B
Routing Announcements Packet Data Flows
Path Shortening Attack
2012.08.27 APNIC RtgSec 77
X
Z
W $ $ $
A B
$
$
Expected Path – A->X->W->B Diverted Path - A->X->Z->W->B There Are Many Many Other Attacks
ZB
XZB WB B
Forward Path Signing
AS hop N signing (among other things) that it is sending the announcement to AS hop N+1 by AS number, is believed to be fundamental to protecting against monkey in the middle attacks
2012.08.27 APNIC RtgSec 78
Forward Path Signing
2012.08.27 APNIC RtgSec 79
AS2 AS3 ^RtrCert
Signed Forward
Reference
^RtrCert NLRI AS1 AS2
Hash Signed by Router Key AS1.rtr-xx
Sig1
Hash Signed by Router Key AS2-rtr-yy
Sig2
Forward-Signing
2012.08.27 APNIC RtgSec 80
B cryptographically signs the message to W Sb(B->W) W signs messages to X and Z encapsulating B’s message
Sw(W->X (Sb(B->W))) and Sw(W->Z (Sb(B->W)))
X signs the message to A Sx(X->A (Sw(W->X (Sb(B->W))))
Z can only sign Sz(Z->X (Sw(W->Z (Sb(B->W))))
X
Z
W $ $ $
A B
ZB
XWB WB B
X
Capability Negotiation • It is assumed that consenting routers
will use BGP capability exchange to agree to run BGPsec between them
• The capability will, among other things remove the 4096 PDU limit for updates
• If BGPsec capability is not agreed, then only traditional BGP data are sent
2012.08.27 APNIC RtgSec 81
Per-Router Keys • Needed to deal with compromise of one router
exposing an AS’s private key • Implies a more complex certificate and key
distribution mechanism • A router could generate key pair and send
certificate request to RPKI for signing • Certificate, or reference to it, must be in each
signed path element • If you want one per-AS key, share a router key
2012.08.27 APNIC RtgSec 82
2012.08.27 APNIC RtgSec 83
0/0 AS0-65535
Public Key
98.0.0.0/8 AS3000-4000
Public Key
98.128.0.0/16 AS3130 AS3970
Public Key
PSGnet
ARIN
IANA
98.128.0.0/16-24
AS 3130
ROA
98.128.0.0/16
Public Key
Prefix EE Cert
CA
CA
CA
AS3130
Public Key
AS Cert
Cert / Key Structure for an ISP
Encodes ASN and Router ID
CA
AS3130 rtr-00
Router EE Cert
Public Key AS3130 rtr-00
Router EE Cert
Public Key AS3130 rtr-00
Router EE Cert
Public Key AS3130 rtr-00
Router EE Cert
Public Key AS3130 rtr-00
Router EE Cert
Public Key
Only at Provider Edges • This design protects only inter-domain
routing, not IGPs, not even iBGP • BGPsec will be used inter-provider, only
at the providers' edges • Of course, the provider’s iBGP will have
to carry the BGPsec information • Providers and inter-provider peerings
might be heterogeneous 2012.08.27 APNIC RtgSec 84
Simplex End Site
2012.08.27 APNIC RtgSec 85
Receives Unsigned & Trusts Up-streams
to Validate
Only Signs Own Prefix(es)
Only Signs Own Prefix(es) Very few signatures! No verification Only Needs to Have Own Private Key
No Other Crypto or RPKI Data No Hardware Upgrade!!
Incremental Deployment
Incrementally deployable in today's Internet, and does not require global deployment, a flag day, etc.
2012.08.27 APNIC RtgSec 86
No Increase of Operator Data Exposure
• Operators wish to minimize any increase in visibility of information about peering and customer relationships etc.
• No IRR-style publication of customer or peering relationships is needed
2012.08.27 APNIC RtgSec 87
Work Supported By
• US Government
THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL). [0]
[0] – they Take your Scissors Away and we turn them into plowshares
• ARIN
• Internet Initiative Japan & ISC
• Cisco, Juniper, Google, NTT, Equinix 2012.08.27 APNIC RtgSec 88