
Working Group #4: Network Security – Best Practices

Working Group #4: Network Security – Best Practices. March 6, 2013. Presenters: Rod Rasmussen, Internet Identity; Tony Tauber, Comcast.


Presentation Transcript


  1. Working Group #4: Network Security – Best Practices. March 6, 2013. Presenters: Rod Rasmussen, Internet Identity; Tony Tauber, Comcast. WG #4

  2. Working Group #4: Network Security Best Practices
     • Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to some significant deployment of protocol extensions such as the Domain Name System Security Extensions (DNSSEC), Secure BGP (Border Gateway Protocol) and the like. The scope and focus is currently deployed and available feature-sets and processes and not future or non-widely deployed protocol extensions.
     • Duration: September 2011 – March 2013

  3. Working Group #4 – Participants
     • Co-Chairs
     • Rod Rasmussen – Internet Identity
     • Rodney Joffe – Neustar
     • Participants
     • 30 Organizations represented
     • Service Providers
     • Network Operators
     • Academia
     • Government
     • IT Consultants

  4. Working Group #4 – Participant List

  5. Working Group #4 – Deliverables
     • Domain Name Service (DNS) Security Issues
     • Reported on in September 2012
     • BGP and Inter-Domain Routing Security Issues
     • Report and vote today

  6. Working Group #4: Network Security Best Practices. FINAL Report – Routing Security Best Practices. March 6, 2013. Presenter: Tony Tauber, Comcast. WG #4

  7. Routing Key Points
     • Routing security is an environmental good
     • Unilateral action does not entirely benefit practitioners
     • Deployment details and scenarios vary
     • Recommendations should as well
     • Autonomy is sacrosanct
     • Key feature of the operational Internet

  8. Report Scope
     • Capabilities in currently deployed gear
     • Not commenting on protocol extension work
     • Handled in WG #6
     • ISP Network Operational Practices
     • Enterprise Network Operational Practices
     • Administrative Practices

  9. Routing Issues Considered
     • BGP Session-Level Vulnerability
     • Session Hijacking
     • Denial of Service (DoS) Vulnerability
     • Source-address filtering
     • BGP Injection and Propagation Vulnerability
     • BGP Injection and Propagation Countermeasures
     • BGP Injection and Propagation Recommendations
     • Other Attacks and Vulnerabilities of Routing Infrastructure
     • Hacking and unauthorized 3rd party access to routing infrastructure
     • ISP insiders inserting false entries into routers
     • Denial-of-Service Attacks against ISP Infrastructure
     • Attacks against administrative controls of routing identifiers

  10. Deployment Scenarios
     • Vary according to topology
     • Stub network vs. Transit network
     • Vary as a function of scale
     • Number of BGP routers
     • Number of BGP sessions
     • Size of Operational staff

  11. Recommendation Process
     • Leverage existing security recommendations
     • Taken together recommendations can be confusing, contradictory
     • Tailor advice based on deployment scenarios
     • IETF RFCs and BCPs, ICANN SSAC Papers, NIST Special Reports, ISOC papers, SANS Reports
     • Over a dozen separate documents referenced

  12. Recommendation Highlights
     • Perform explicit filtering of BGP prefixes
     • Customer relationships
     • Protect against spoofed IP source addresses
     • Source validation at network edge
     • Filter internal address space inbound from Internet
     • Use extra steps to lessen impact of route leaks
     • Coarse AS-path filters
     • Maximum-Prefix limits

  13. Working Group #4: Network Security Best Practices. March 6, 2013. Questions/Comments. Presenter: Tony Tauber, Comcast, WG #4 Co-Chair
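
The route-filtering highlights on slide 12 (explicit customer prefix filters, coarse AS-path filters, maximum-prefix limits), modelled as an added example that is not taken from the presentation or the working group's report. The prefixes, AS numbers, limits and the `Session` class are constructed for illustration, and counting the limit on accepted prefixes is a simplification of how routers implement it.

```python
import ipaddress

# Constructed sample policy using documentation prefixes and AS numbers.
TRANSIT_ASNS = {64496, 64497}   # large providers no customer or peer should transit
NEIGHBORS = {
    # Customer: explicit list of the prefixes it is registered to announce.
    64500: {"prefix_list": [ipaddress.ip_network("203.0.113.0/24")], "max_prefixes": 5},
    # Peer: no explicit list is practical, so only the coarse checks apply.
    64510: {"prefix_list": None, "max_prefixes": 2},
}

class Session:
    """Inbound policy state for one BGP neighbor (hypothetical model, not a router API)."""

    def __init__(self, peer_as):
        self.peer_as, self.policy = peer_as, NEIGHBORS[peer_as]
        self.accepted, self.up = set(), True

    def receive(self, prefix, as_path):
        """Apply inbound policy to one announcement; return (accepted, reason)."""
        if not self.up:
            return False, "session down"
        net = ipaddress.ip_network(prefix)
        allowed = self.policy["prefix_list"]
        # 1. Explicit prefix filtering on customer sessions.
        if allowed is not None and net not in allowed:
            return False, "not in customer prefix list"
        # 2. Coarse AS-path filter: a neighbor re-announcing a transit route is a leak.
        if TRANSIT_ASNS & set(as_path):
            return False, "transit AS in path"
        # 3. Maximum-prefix limit: shut the session instead of absorbing a leak.
        if net not in self.accepted and len(self.accepted) >= self.policy["max_prefixes"]:
            self.up = False
            return False, "maximum-prefix exceeded"
        self.accepted.add(net)
        return True, "accepted"

def demo():
    """Run constructed announcements through a customer and a peer session."""
    cust, peer = Session(64500), Session(64510)
    return [
        cust.receive("203.0.113.0/24", [64500]),          # registered prefix
        cust.receive("192.0.2.0/24", [64500]),            # not registered
        cust.receive("203.0.113.0/24", [64500, 64496]),   # path through a transit AS
        peer.receive("192.0.2.0/25", [64510]),
        peer.receive("192.0.2.128/25", [64510]),
        peer.receive("198.51.100.0/24", [64510]),         # third prefix, limit is 2
        peer.receive("192.0.2.0/25", [64510]),            # session already shut
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```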
