Routing Security
Transcript of Routing Security
Who is talking: Daniel Karrenberg
• 1980s: helped build Internet in Europe
  - EUnet, Ebone, IXes, ...
  - RIPE
• 1990s: helped build RIPE NCC
  - 1st CEO: 1992-2000
• 2000s: Chief Scientist & Public Service
  - Trustee of the Internet Society: IETF, ...
  - Interests: Internet measurements, stability, trust & identity in the Internet, ...
Who is talking: Daniel Karrenberg
• RIPE NCC
  - started in 1992
  - first Regional Internet Registry (RIR)
  - Association of 7000+ ISPs
  - 70+ countries in “Europe & surrounding areas”
  - operational coordination
  - number resource distribution
  - trusted source of data
  - Motto: Neutrality & Expertise
  - not a lobby group!
My Messages Today
• Routing security needs to be improved
• The sky is not falling
• Industry is moving
Outline
• Internet Routing
  - How it works
  - What makes it work in practice
  - What can go wrong today
• Risk Mitigation
  - Routing Hygiene
  - Resource certification & checks
  - Obstacles
• Public Policy Considerations
• Discussion
The Internet
Part(s) of the Internet
“Autonomous Systems”
Packet Flow
Routing Information Flow (BGP)
Both Directions are Needed
Choice and Redundancy
Questions?
What makes it work
Business Relationships
Transmission Paths
Routing Engineering
Routing Engineering Methods
• Inbound Traffic
  - Selectively announce routes.
  - Very little control over preferences by other ASes.
• Outbound Traffic
  - Decide which of the known routes to use.
• Inputs
  - Cost
  - Transmission Capacity
  - Load
  - Routing State
Routing Engineering Principles
• Autonomous Decisions by each AS
• Local tools
• Local strategies
• Local knowledge
• Business advantages
• Autonomous Decisions by each AS (one of the reasons for the rapid growth of the Internet)
Questions?
What can go wrong
• Misconfiguration
  - Announcing too many routes (unintentional transit)
  - Originating wrong routes
• Malicious Actions
  - Originating wrong routes (hijacking)
Hijacking
Questions?
Examples
• YouTube & Pakistan Telecom (2008)
• A number of full table exports
• Various route leaks from China (2010)
YouTube Movie
Outline
• Internet Routing
  - How it works
  - What makes it work in practice
  - What can go wrong today
• Risk Mitigation
  - Routing Hygiene
  - Resource certification & checks
  - Obstacles
• Public Policy Considerations
• Discussion
Routing Hygiene
• Do not accept customer routes from peers or upstreams
• Limit number of prefixes accepted per adjacent AS
• Use a routing registry
  - no global authoritative registry exists
• Use own knowledge about topology
  - topology is constantly changing
  - disruptions can cause drastic changes
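As an added illustration that is not part of the slides, the following small import policy applies the first two hygiene rules above to a constructed log of announcements. The `ImportPolicy` class, the neighbour relationships, the limits, and all AS numbers (RFC 5398 documentation range) and prefixes (RFC 5737 documentation space) are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the slides): our customers' prefixes, the
# relationship we have with each neighbouring AS, and a per-neighbour prefix limit.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
NEIGHBOURS = {64501: "customer", 64502: "peer", 64503: "upstream"}
MAX_PREFIXES = {64501: 4, 64502: 3, 64503: 1000}


class ImportPolicy:
    """Decides whether a prefix announced by a neighbour enters our routing table."""

    def __init__(self):
        self.accepted = defaultdict(set)  # neighbour AS -> prefixes accepted so far

    def evaluate(self, neighbour_as, prefix):
        relationship = NEIGHBOURS.get(neighbour_as)
        if relationship is None:
            return "reject: unknown neighbour"
        net = ipaddress.ip_network(prefix)
        # Rule 1: a route inside our customer cone may only be learned from a customer.
        # The same prefix from a peer or upstream is a leak or hijack of our customer.
        if relationship != "customer" and any(
            net.version == c.version and net.subnet_of(c) for c in CUSTOMER_PREFIXES
        ):
            return "reject: customer route learned from %s" % relationship
        # Rule 2: cap the number of prefixes per neighbour; a sudden flood is most
        # likely a full-table export. (Real routers usually tear the session down.)
        seen = self.accepted[neighbour_as]
        if net not in seen and len(seen) >= MAX_PREFIXES[neighbour_as]:
            return "reject: prefix limit exceeded"
        seen.add(net)
        return "accept"


def demo():
    """Run a small constructed announcement log through the policy."""
    policy = ImportPolicy()
    log = [
        (64501, "192.0.2.0/24"),    # our customer announces its own prefix
        (64502, "192.0.2.0/24"),    # a peer announces the same prefix: leak or hijack
        (64503, "203.0.113.0/24"),  # upstream announces an unrelated prefix: fine
        (64501, "10.0.0.0/24"),     # customer sends four more prefixes; limit is 4,
        (64501, "10.0.1.0/24"),     # so the last one is rejected
        (64501, "10.0.2.0/24"),
        (64501, "10.0.3.0/24"),
    ]
    return [(asn, p, policy.evaluate(asn, p)) for asn, p in log]
```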
Routing Hygiene
• Is applied locally / autonomously
• Has a cost
• Subservient to routing engineering
  - No obstruction
  - Maintain Autonomy
• Cooperation
  - Trust
  - Community
  - Personal Relations
Resource Certification - Motivation
• Good practice:
  - to register routes in an IRR
  - to filter routes based on IRR data
• Problem:
  - only useful if the registries are complete
  - many IRRs exist, lacking standardisation
• Result:
  - Less than half of all prefixes are registered in an IRR
  - Real world filtering is difficult and limited
  - Accidental leaks happen, route hijacking is possible
Resource Certification – Definition
“Resource certification is a reliable method for proving the association between resource holders and Internet resources.”
Digital Resource Certificates
• Based on open IETF standards (sidr)
• Issued by the RIPE NCC
• The certificate states that an Internet number resource has been registered by the RIPE NCC
• The certificate does not give any indication of the identity of the holder
• All further information on the resource can be found in the registry
What Certification offers
• Proof of holdership
• Secure Inter-Domain Routing
  - Route Origin Authorisation
  - Preferred certified routing
• Resource transfers
• Validation is the added value!
Proof of holdership
• Public Key
• Resources
• Signature
Route Origin Authorisation (ROA)
• IP Prefixes
• AS Numbers
• Signature
Automated Provisioning using ROAs
• Please route this part of my network: 192.0.2.0/24
• Please sign a ROA for that resource using my AS number
• OK, I signed and published a ROA
• OK, that ROA is valid. I can trust this request
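The check behind "that ROA is valid", as an added example that is not part of the slides: route origin validation in the sense of RFC 6811, which compares an announcement against the prefix, maxLength and AS number carried in published ROAs, followed by the "preferred certified routing" policy that slide 33 mentions. The ROAs, the customer's AS number 64500 (RFC 5398 documentation range), the AS 0 entry and the local preference values are assumptions made for the example; signature verification of the ROAs themselves is assumed to have happened already.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # the IP prefix the holder is authorising
    max_length: int  # longest prefix length allowed (the RFC 6482 maxLength field)
    origin_as: int   # the AS number authorised to originate it; 0 means "nobody"


# Constructed sample ROAs (not from the slides). The first is the ROA from the
# exchange above, assuming the customer's AS number is 64500 (a documentation
# ASN); the second is an AS 0 ROA saying that nobody may originate that prefix.
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("203.0.113.0/24", 24, 0),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify an announcement as Valid, Invalid or NotFound (RFC 6811 logic)."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version == roa_net.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"  # no ROA covers this prefix: the holder never certified it
    for roa in covering:
        if (roa.origin_as == origin_as and origin_as != 0
                and route.prefixlen <= roa.max_length):
            return "Valid"
    return "Invalid"  # covered by a ROA, but wrong origin AS or too specific


def import_decision(prefix, origin_as):
    """An assumed 'preferred certified routing' policy, not the RIPE NCC's own."""
    state = validate_origin(prefix, origin_as)
    if state == "Valid":
        return ("accept", 200)  # certified: prefer this route
    if state == "NotFound":
        return ("accept", 100)  # not certified: accept, but do not prefer
    return ("reject", None)     # invalid: a hijack or a misconfiguration
```

The NotFound branch matters in practice: with less than half of all prefixes certified, rejecting uncertified routes outright would disconnect large parts of the Internet, so operators de-prefer them instead.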
Who Controls Routing?
• Certificates do not create additional powers for the Regional Internet Registries
• Certificates reflect the resource registration status
  - no registration → no certificate
  - the reverse is not true!
• Routing decisions are made by network operators!
All five Regional Internet Registries will launch production system on 1 January 2011
Obstacles
• Fear of losing autonomy
• Cost
• Low threat perception
• Fear of losing business advantage
Questions?
Outline
• Internet Routing
  - How it works
  - What makes it work in practice
  - What can go wrong today
• Risk Mitigation
  - Routing Hygiene
  - Resource certification & checks
  - Obstacles
• Public Policy Considerations
• Discussion
My Messages Today
• Routing security needs to be improved
  - Accidents do happen ... sometimes
  - Hijackings do happen ... sometimes
• The sky is not falling
  - It does not happen all the time
  - It does not affect large areas of the Internet
My Messages Today
• Industry is addressing the problems
  - Local measures taken autonomously
  - RPKI being deployed by RIRs
  - RPKI based routing tools being developed
  - RPKI based routing protocols being studied in IETF
My Messages Today
• No need for public policies at this point
  - Not a structural problem endangering the Internet
  - Mitigation works
  - Mitigation being improved
  - Global coordination is working
Outline
• Internet Routing
  - How it works
  - What makes it work in practice
  - What can go wrong today
• Risk Mitigation
  - Routing Hygiene
  - Resource certification & checks
  - Obstacles
• Public Policy Considerations
• Discussion
Fin
Ende
Kpaj
Konec
Son
Fine
Pabaiga
Einde
Fim
Finis
Koniec
Lõpp
Kрай
Sfârşit
Конeц
Kraj
Vége
Kiнець
Slutt
Loppu
Τέλος
Y Diwedd
Amaia
Tmiem
Соңы
Endir
Slut
Liðugt
An Críoch
Fund
הסוף
Fí
Ënn
Finvezh
The End!
Beigas