Securing the Routing Infrastructure

Sandra Murphy

Sparta, Inc

[email protected], [email protected]

Internet2



BGP Operation

  • AS 10 (Net 12/8) originates: ASPATH=10, NLRI=12/8

  • AS 20 receives it, prepends its own ASN and re-announces to AS 30 and AS 22: ASPATH=20,10, NLRI=12/8

  • AS 30 re-announces: ASPATH=30,20,10, NLRI=12/8

  • AS 22 re-announces: ASPATH=22,20,10, NLRI=12/8


BGP Operation – More specific prefixes

  • AS 10 (Net 12/8) originates: ASPATH=10, NLRI=12/8

  • AS 20 re-announces to AS 30 and AS 22: ASPATH=20,10, NLRI=12/8

  • AS 30 re-announces: ASPATH=30,20,10, NLRI=12/8

  • AS 22 re-announces the 12/8 route (ASPATH=22,20,10, NLRI=12/8) but also originates a more specific prefix it does not hold (Net 12.12/16): ASPATH=22, NLRI=12.12/16

  • The /16 propagates alongside the /8; because forwarding uses the longest matching prefix, every AS that hears both sends 12.12/16 traffic to AS 22, whatever the AS_PATH of the /8 says
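The two slides above can be reproduced with a small propagation model. This is an added example, not part of the presentation: the topology (10-20, 20-30, 20-22) and the prefixes are the ones drawn on the slides; the bidirectional links, the shortest-AS_PATH tie-break and the forwarding lookup are assumptions that stand in for a real BGP implementation.

```python
import ipaddress
from collections import deque

# Peerings drawn on the slides: 10-20, 20-30, 20-22 (assumed bidirectional links).
PEERINGS = {(10, 20), (20, 30), (20, 22)}


def neighbours(asn):
    """All ASes that have a peering with `asn`."""
    return sorted({b if a == asn else a for a, b in PEERINGS if asn in (a, b)})


def propagate(origins):
    """Flood each originated prefix across the peering graph.

    origins maps prefix -> origin AS.  The result maps AS -> {network: AS_PATH as
    received}; the origin's own entry is the empty path.  Each AS keeps the
    shortest AS_PATH it has heard, prepends its own ASN before re-announcing, and
    drops any update that already lists its ASN (BGP's AS_PATH loop detection).
    """
    rib = {}
    queue = deque()
    for prefix, asn in origins.items():
        net = ipaddress.ip_network(prefix)
        rib.setdefault(asn, {})[net] = ()
        queue.append((asn, net))
    while queue:
        sender, net = queue.popleft()
        announced = (sender,) + rib[sender][net]      # AS_PATH prepending
        for nbr in neighbours(sender):
            if nbr in announced:                      # loop detection
                continue
            current = rib.setdefault(nbr, {}).get(net)
            if current is not None and len(current) <= len(announced):
                continue                              # keep the shorter path
            rib[nbr][net] = announced
            queue.append((nbr, net))
    return rib


def route_lookup(rib, asn, address):
    """Forwarding decision at `asn`: longest-prefix match, independent of AS_PATH.
    Returns (matched network, origin AS that will finally receive the packet)."""
    addr = ipaddress.ip_address(address)
    matches = [(net, path) for net, path in rib[asn].items() if addr in net]
    if not matches:
        return None
    net, path = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), (path[-1] if path else asn)


def hijack_demo():
    """AS 10 legitimately originates 12/8; AS 22 originates the more specific
    12.12/16 (constructed scenario on the slides' topology)."""
    rib = propagate({"12.0.0.0/8": 10, "12.12.0.0/16": 22})
    return {
        "as30_paths": {str(net): path for net, path in rib[30].items()},
        "as30_to_12.1.1.1": route_lookup(rib, 30, "12.1.1.1"),
        "as30_to_12.12.1.1": route_lookup(rib, 30, "12.12.1.1"),
        # even AS 10, the real holder of 12/8, sends 12.12/16 traffic to AS 22
        "as10_to_12.12.1.1": route_lookup(rib, 10, "12.12.1.1"),
    }


if __name__ == "__main__":
    for name, value in hijack_demo().items():
        print(name, value)
```

Nothing in the /8 announcement, however well protected, helps here: the /16 wins the forwarding lookup at every AS, including the one that owns 12/8. That is why the deck's later slides concentrate on who is authorised to originate a prefix rather than on the path alone.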


Misconfiguration (we hope) Attacks

  • Apr 1997 AS7007 announces classful addresses for the whole world

  • Feb/Apr/Aug 2001 AboveNet/Qwest/Digex announce routes with private AS numbers in them

  • Typical consequences:

    • Dec 1999 a mis-origination by a downstream takes out AT&T’s dial-up net – WSJ notices

    • Apr/May 2003 Trafalgar House/LA County space hijacked by registry spoof

    • Side effect on operation

      • Covad does not aggregate their prefix announcements because they tried it and someone announced more specific prefixes


Think we’re past all that?

  • Dec 24, 2004 – AS9121 (TTNet) announced 100K+ routes for 1hr20min (shorter event later)

    • According to a May 2005 NANOG presentation, 1/3 of Renesys’s 100 peers saw the bad routes within 3 min

    • The bad routes spread far and wide

    • Affected networks included (from the NANOG slide):

      • Blue Cross Blue Shield of Iowa, Thomson Financial Services, Citicorp Global Information Network, MetLife Capital Corp, Pitney Bowes Credit Corporation, Brown Brothers Harriman & Company, LaSalle Partners, Kuwait Fund for Arab Economic Development


And recently…

  • Sep 9, 9:29-10:47: AS26210, a Bolivian ISP, announced 12/8, 64/8 and 65/8.

    • 12/8 seen with AS_PATH 3549 1239 12956 26210

    • GX - Sprint - Telefonica - AES Comm (Bolivia)

  • On Sep 10, another anomaly

    • 12/8 seen with AS_PATH 3549 1299 12676 (GX - TeliaNet - NCORE)

    • “FYI, happened again this morning for (at least) 12/8, duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s.”


Consequences

  • Note to NANOG Sep 9: “And wouldn't you know it, we have an application that needs to reach servers in 12/8 and 65/8, and someone just came over to me asking for help in figuring out why that application isn't working. I guess I should have checked my NANOG mail before I told them I had no idea what was going on. :)”


Moral of the Story

  • Your network operation may be an inspiration to us all, but:

  • The other parts of the Internet hold your fate:

    • Your users may not be able to reach the sites they want to reach

    • Your users’ remote users may not be able to reach your users

  • Need more than effective local operation


A Sequence of Solutions

Increasingly stringent – increasing cost:

  • Peer-peer Connection Protection

  • Filters – prefix filters and AS-path filters

  • Origination Protection

  • Origination and AS_PATH Adjacency Protection

  • Origination and AS_PATH Route Protection

  • Origination, Transit and Policy Protection

  • “Freshness”


In Common Use

  • Peer-Peer protection methods

    • TCP MD5, IPsec, TLS, GTSM (BTNS?)

  • For crypto techniques, management is the biggest problem

    • Managing keys for many, many peers; key rollover; hash algorithm rollover

  • Performance and scale come up frequently as well


In Common Use (2)

  • Filters – prefix filters and AS-PATH filters

  • Requires transitive trust

    • “Transitively trusting all peers’ on-net customers: fundamentally unsafe” (NANOG Renesys presentation)

  • Management hard (particularly at large ASes) – keeping filter lists current

    • Manual configuration

    • Authority based

      • Team Cymru Bogon Route Server Project for VIP, bogon and martians; IRR based filter generators

  • OTOH: Mar 2003 – 69/8 allocated; Jan 2004 – 83/8 and 84/8 allocated – installed filters did not keep up, so newly allocated space was dropped

  • For large ISPs – filter lists stress hardware
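The two filter types the slide lists, with the staleness failure it warns about, as an added example that is not from the presentation. The allocation months (69/8 in Mar 2003, 83/8 and 84/8 in Jan 2004) come from the slide; the bogon list snapshot, its install date, the /24 length limit and the sample updates are constructed.

```python
import ipaddress

PRIVATE_AS = range(64512, 65535)      # RFC 1930 private-use ASNs 64512-65534

# Constructed snapshot of an "unallocated /8" (bogon) list as an operator might
# have installed before March 2003: it still lists 69/8, 83/8 and 84/8 as bogons.
BOGONS_2002 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "69.0.0.0/8", "83.0.0.0/8", "84.0.0.0/8",
    "127.0.0.0/8", "192.168.0.0/16", "224.0.0.0/3")]
SNAPSHOT = (2002, 12)                 # (year, month) the list was installed (assumed)

# Allocation months from the slide: 69/8 in Mar 2003, 83/8 and 84/8 in Jan 2004.
ALLOCATED = {"69.0.0.0/8": (2003, 3), "83.0.0.0/8": (2004, 1), "84.0.0.0/8": (2004, 1)}


def prefix_filter(prefix, bogons=BOGONS_2002, max_len=24):
    """Reject prefixes inside a bogon/martian block or longer than max_len."""
    net = ipaddress.ip_network(prefix)
    for bogon in bogons:
        if net.subnet_of(bogon):
            return f"reject: {net} lies inside bogon {bogon}"
    if net.prefixlen > max_len:
        return f"reject: {net} is more specific than /{max_len}"
    return "accept"


def as_path_filter(as_path):
    """Reject any AS_PATH carrying a private-use ASN (the 2001 events)."""
    for asn in as_path:
        if asn in PRIVATE_AS:
            return f"reject: private ASN {asn} in AS_PATH"
    return "accept"


def filter_update(prefix, as_path, bogons=BOGONS_2002):
    """Both filters applied to one update; a tuple of the two verdicts."""
    return prefix_filter(prefix, bogons), as_path_filter(as_path)


def stale_bogons(bogons=BOGONS_2002, snapshot=SNAPSHOT, allocated=ALLOCATED):
    """Bogon entries allocated after the list was installed: the 69/8, 83/8 and
    84/8 problem.  Run this against a current allocation table, not a frozen one."""
    return [str(b) for b in bogons
            if str(b) in allocated and allocated[str(b)] > snapshot]


def demo():
    return {
        # a private ASN leaked into a path (constructed path, like the 2001 events)
        "private_asn": filter_update("198.51.100.0/24", (3549, 65001, 1239)),
        # legitimate 69/8 space announced after its Mar 2003 allocation: dropped
        "stale_reject": filter_update("69.1.0.0/16", (3549, 1239)),
        # the deck's 12.12/16 hijack is neither a bogon nor private: it passes
        "hijack_passes": filter_update("12.12.0.0/16", (20, 22)),
        "entries_to_refresh": stale_bogons(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last two results are the slide's point in miniature: a static list silently breaks when allocations move on, and it says nothing about whether AS 22 may originate 12.12/16, which is what the origination-protection slides address.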


Requirements for Authorities

  • Must scale to Internet size and routing dynamics

  • Design issues:

    • Non-hierarchical, singly rooted, multiply rooted?

    • Centralized, replicated, or distributed?

    • Client/server vs peer-peer?

    • Query/response vs wholesale download?

    • Event based vs periodic download?

  • ISP distaste for relying on external info for configuration of their routing; chicken and egg


Origination Protection

  • Authorization only (the AS is authorized to announce the address)

  • Authorization and authentication (the AS is also currently announcing the address) – this also protects the “17%” of space that is allocated but unannounced

  • Need authority (not necessarily central) that:

    • Stores info completely, accurately and securely

    • Accepts changes securely – model for authorization

  • Need architecture and mechanisms for communication with “authority”

  • Need procedures and tools for putting info into use
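Once an authority publishes AS-to-prefix authorizations, putting them into use is a lookup at update time. This is an added example, not from the presentation: the records (12/8 to AS 10, as on the slides, with a maximum announced length of /9 to match the “2 /9s” remark; a documentation prefix assumed to belong to AS 30), the max-length field and the valid/invalid/unknown verdicts are assumptions about how such a list would be consumed.

```python
import ipaddress

# Constructed authorization records: (prefix, max announced length, origin AS).
AUTHORIZATIONS = [
    ("12.0.0.0/8", 9, 10),
    ("203.0.113.0/24", 24, 30),     # documentation prefix, assumed to belong to AS 30
]


def validate_origin(prefix, origin_as, authorizations=AUTHORIZATIONS):
    """'unknown' if no record covers the prefix; 'valid' if a covering record names
    origin_as and the announced length is within its maximum; otherwise 'invalid'."""
    net = ipaddress.ip_network(prefix)
    covering = [(maxlen, asn) for p, maxlen, asn in authorizations
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"
    if any(asn == origin_as and net.prefixlen <= maxlen for maxlen, asn in covering):
        return "valid"
    return "invalid"


def check_update(prefix, as_path, authorizations=AUTHORIZATIONS):
    """The origin AS is the rightmost ASN in AS_PATH (the one nearest the NLRI)."""
    return validate_origin(prefix, as_path[-1], authorizations)


def demo():
    """The deck's events run through the check."""
    return {
        "legit_12/8": check_update("12.0.0.0/8", (20, 10)),               # valid
        "two_/9s": check_update("12.0.0.0/9", (20, 10)),                  # valid
        "too_specific": check_update("12.0.0.0/10", (20, 10)),            # invalid
        "more_specific_hijack": check_update("12.12.0.0/16", (20, 22)),   # invalid
        "bolivia_sep9": check_update("12.0.0.0/8", (3549, 1239, 12956, 26210)),  # invalid
        "uncovered_64/8": check_update("64.0.0.0/8", (26210,)),            # unknown
        # residual: an announcer that appends the authorized AS as origin passes
        "forged_origin": check_update("12.0.0.0/8", (20, 22, 10)),        # valid
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two results deserve attention. The 64/8 announcement is merely “unknown” because no record covers it, which is why the slide insists the authority must store the data completely. And the last case shows what origination protection cannot do: an announcer that forges the authorized AS at the end of its AS_PATH is accepted, which is the gap the AS_PATH protection slides that follow are meant to close.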


Origination and AS_PATH Adjacency Protection

  • Checks that adjacent ASes in AS_PATH actually have a peering

    • SoBGP, Garcia-Luna-Aceves/Smith

  • Need way to securely transmit adjacency – inline or query/download from database

  • Processing demands (crypto operations)

  • Residual vulnerabilities

    • existence of a peering adjacency gives no assurance the ASes will transit traffic

    • does not assure loop freedom


Origination and AS_PATH Route Protection

  • Protection that shows the update actually propagated through the ASes listed in AS_PATH

    • indicates each AS in path has willingness and capability to forward traffic toward the stated route

    • SBGP; SPV

  • Protection may or may not be passed inline

  • Processing demands – crypto and storage

  • Residual vulnerabilities

    • Freshness; policy compliance
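The difference between the adjacency check of the previous slide and the per-hop route protection of this one, on the slides' topology, as an added example that is not from the presentation. The attestation format is an assumption; each AS's attestation is an HMAC-SHA256 under a per-AS secret that the verifier also holds, a stand-in (so that this runs with the standard library) for the public-key signatures S-BGP uses; the expiry field, the AS 22 to AS 30 link and the forged announcement are constructed.

```python
import hashlib
import hmac
import json

# Peerings from the slides plus an assumed AS 22 - AS 30 link for the forged route.
PEERINGS = {frozenset(p) for p in ((10, 20), (20, 30), (20, 22), (22, 30))}

# Constructed per-AS secrets.  The verifier knows all of them, which stands in for
# checking each AS's public-key signature as S-BGP does.
KEYS = {10: b"key-as10", 20: b"key-as20", 30: b"key-as30", 22: b"key-as22"}


def adjacency_ok(as_path):
    """Adjacency protection: each neighbouring pair in AS_PATH must be a known peering."""
    return all(frozenset(pair) in PEERINGS for pair in zip(as_path, as_path[1:]))


def _message(signer, prefix, next_as, expires):
    return json.dumps([signer, prefix, next_as, expires]).encode()


def attest(signer, prefix, next_as, expires):
    """AS `signer` attests: 'I forward <prefix> to <next_as>; valid until <expires>'."""
    mac = hmac.new(KEYS[signer], _message(signer, prefix, next_as, expires), hashlib.sha256)
    return {"as": signer, "next": next_as, "expires": expires, "mac": mac.hexdigest()}


def build_route(prefix, hops, expires):
    """Honest propagation along hops[0] -> hops[1] -> ...: one attestation per hop."""
    return [attest(a, prefix, b, expires) for a, b in zip(hops, hops[1:])]


def route_ok(prefix, as_path, attestations, receiver, now):
    """Route protection as seen by `receiver`: AS_PATH lists the newest AS first, so
    the chain origin -> ... -> sender -> receiver must be covered by one valid,
    unexpired attestation per hop, each naming the next AS and this prefix."""
    chain = list(reversed(as_path)) + [receiver]
    if len(attestations) != len(chain) - 1:
        return False
    for att, (a, b) in zip(attestations, zip(chain, chain[1:])):
        if att["as"] != a or att["next"] != b or att["expires"] < now:
            return False
        expect = hmac.new(KEYS[a], _message(a, prefix, b, att["expires"]),
                          hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, att["mac"]):
            return False
    return True


def demo(now=1_000):
    legit = build_route("12.0.0.0/8", [10, 20, 30], expires=now + 3600)
    # AS 22 really received 12/8 via AS 20 (first slide), so it holds these two...
    received = build_route("12.0.0.0/8", [10, 20, 22], expires=now + 3600)
    # ...and tries to pass 12.12/16 off as 'from 10 via 20' to AS 30.  The
    # adjacencies are real, but the reused attestations were made over 12/8.
    forged = received + [attest(22, "12.12.0.0/16", 30, now + 3600)]
    return {
        "legit_adjacency": adjacency_ok((20, 10)),
        "legit_route": route_ok("12.0.0.0/8", (20, 10), legit, 30, now),
        "forged_adjacency": adjacency_ok((22, 20, 10)),
        "forged_route": route_ok("12.12.0.0/16", (22, 20, 10), forged, 30, now),
        "bogus_adjacency": adjacency_ok((30, 10)),
        # freshness: the same valid update replayed after its attestations expired
        "replayed_route": route_ok("12.0.0.0/8", (20, 10), legit, 30, now + 7200),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The forged route passes the adjacency check and fails the route check, which is the distinction the two slides draw. The expiry check is one way to bound the freshness residual; it limits how long a replayed update stays acceptable but does not by itself tell the receiver which of two still-valid updates is the newer one.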


Origination, Route and Policy Protection

  • Policy protection – e.g., AS A has a peering relationship with B, not transit – B should not announce A’s addresses

  • Need to express and communicate policy

    • That means expose policy – anathema to many

  • Policy is specific to one AS

    • But may target remote AS

  • No current mechanisms to express, communicate or ensure policies (caveat: SoBGP)
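What a policy check would look like if the relationships were exposed, as an added example that is not from the presentation. The relationships (AS 20 sells transit to AS 22 and AS 30, peers with AS 10, and also peers with an assumed AS 40) are a constructed policy laid over the slides' topology; the rule applied is the usual one that routes learned from a peer or a provider may only be exported to customers.

```python
# Constructed relationships: (provider, customer) pairs and settlement-free peers.
CUSTOMERS = {(20, 22), (20, 30)}
PEERS = {frozenset((10, 20)), frozenset((20, 40))}


def relation(other, me):
    """How AS `me` classifies AS `other`."""
    if (me, other) in CUSTOMERS:
        return "customer"
    if (other, me) in CUSTOMERS:
        return "provider"
    if frozenset((me, other)) in PEERS:
        return "peer"
    return "unknown"


def export_allowed(learned_from, me, to):
    """Own routes and routes learned from a customer may go to anyone `me` is
    connected to; routes learned from a peer or a provider only to customers."""
    if relation(to, me) == "unknown":
        return False
    if learned_from is None or relation(learned_from, me) == "customer":
        return True
    return relation(to, me) == "customer"


def policy_ok(as_path, receiver):
    """Walk the chain origin -> ... -> as_path[0] -> receiver and check that every
    re-announcement was permitted by the announcing AS's relationships."""
    chain = list(reversed(as_path)) + [receiver]
    learned_from = None
    for me, to in zip(chain, chain[1:]):
        if not export_allowed(learned_from, me, to):
            return False
        learned_from = me
    return True


def demo():
    return {
        # AS 20 passes its peer AS 10's 12/8 route down to customer AS 30: fine
        "peer_route_to_customer": policy_ok((20, 10), 30),
        # AS 20 passes customer AS 30's route up to peer AS 10: fine
        "customer_route_to_peer": policy_ok((20, 30), 10),
        # AS 20 announces peer AS 10's addresses to another peer: the slide's violation
        "peer_route_to_peer": policy_ok((20, 10), 40),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check is only as good as the relationship data, which is exactly the slide's objection: every AS along the path would have to publish who its customers, providers and peers are.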


Freshness

  • Replay: an AS receives a replacement route and sends it on – then sends the original route again, still carrying its valid protection

  • BGP has no feature that would let a receiver tell whether the ordering of updates has been preserved


Current Activity

  • Concerned community working on this

    • ISPs, registry, security and router vendor folk

  • Consensus is that the most pressing need is:

    • Registration database integrity improved

    • Authenticated list of AS-prefix origination authorizations

  • Useful in many ways:

    • Operational debugging

    • Customer care

    • Security protection

  • Fundamental basis for ANY security solution


Query

  • Anyone interested in participating in discussion?

  • In putting this to a trial?

    • Start with AS->prefix mapping for Internet2

    • See how difficult it is to include in operational procedures

  • Sponsor - DHS S&T, SPRI program (Secure Protocols for the Routing Infrastructure)
