securing the routing infrastructure n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Securing the Routing Infrastructure PowerPoint Presentation
Download Presentation
Securing the Routing Infrastructure

Loading in 2 Seconds...

play fullscreen
1 / 19

Securing the Routing Infrastructure - PowerPoint PPT Presentation


  • 110 Views
  • Uploaded on

Securing the Routing Infrastructure. Sandra Murphy Sparta, Inc sandy@tislabs.com, sandy@sparta.com. BGP Operation. AS 10. ASPATH= 10 , NLRI=12/8. AS 20. ASPATH= 20 , 10 , NLRI=12/8. Net 12/8. ASPATH= 30 , 20 , 10 , NLRI=12/8. AS 30. ASPATH= 20 , 10 , NLRI=12/8. AS 22.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Securing the Routing Infrastructure' - jorryn


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
securing the routing infrastructure
Securing the Routing Infrastructure

Sandra Murphy

Sparta, Inc

sandy@tislabs.com, sandy@sparta.com

Internet2

bgp operation
BGP Operation

AS 10

ASPATH=10, NLRI=12/8

AS 20

ASPATH=20,10, NLRI=12/8

Net 12/8

ASPATH=30,20,10, NLRI=12/8

AS 30

ASPATH=20,10, NLRI=12/8

AS 22

ASPATH=22,20,10, NLRI=12/8

Internet2

bgp operation more specific prefixes
BGP Operation – More specific prefixes

AS 10

ASPATH=10, NLRI=12/8

AS 20

ASPATH=20,10, NLRI=12/8

Net 12/8

ASPATH=30,20,10, NLRI=12/8

ASPATH=22, NLRI=12.12/16

AS 30

ASPATH=20,10, NLRI=12/8

AS 22

Net 12.12/16

ASPATH=22,20,10, NLRI=12/8

ASPATH=22, NLRI=12.12/16

Internet2

misconfiguration we hope attacks
Misconfiguration (we hope) Attacks
  • Apr 1997 AS7007 announces classful addresses for the whole world
  • Feb/Apr/Aug 2001 Abovenet/Quest/Digex announces routes with private AS numbers in them
  • Typical consequences:
    • Dec 1999 a mis-origination by a downstream takes out ATT’s dial-up net – WSJ notices
    • Apr/May 2003 Trafalgar House/LA County space hijacked by registry spoof
    • Side effect on operation
      • Covad does not aggregate their prefix announcements because they tried it and someone announced more specific prefixes

Internet2

think we re past all that
Think we’re past all that?
  • Dec 24, 2004 – AS9121 (TTNet) announced 100K+ routes for 1hr20min (shorter event later)
    • According to May 2005 NANOG presentation, 1/3 of Rensys’s 100 peers saw the bad routes within 3 min
    • The bad routes spread far and wide
    • Affected networks included (from NANOG slide):
      • Blue Cross Blue Shield of Iowa - Thomson Financial Services - Citicorp Global Information Network -MetLife Capital Corp - Pitney Bowes Credit Corporation - Brown Brothers Harriman & Company - LaSalle Partners - Kuwait Fund for Arab Economic Development

Internet2

and recently
And recently…
  • Sep 9, 9:29-10:47, 26210, a Bolivian ISP, announced 12/8, 64/8 and 65/8.
    • 12/8, 3549 1239 12956 26210
    • GX-Sprint-Telefonica-AES Comm (Bolivia)
  • On Sep 10, another anomaly
    • 12/8, 3549 1299 12676 (GX-TeliaNet-NCORE)
    • “FYI, happened again this morning for (at least) 12/8 duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s.

Internet2

consequences
Consequences
  • Note to NANOG Sep 9: “And wouldn't you know it, we have an application that needs to reach servers in 12/8 and 65/8, and someone just came over to me asking for help in figuring out why that application isn't working. I guess I should have checked my NANOG mail before I told them I had no idea what was going on. :)”

Internet2

moral of the story
Moral of the Story
  • Your network operation may be an inspiration to us all, but:
  • The other parts of the Internet hold your fate:
    • Your users may not be able to reach the sites they want to reach
    • Your users’s remote users may not be able to reach your users
  • Need more than effective local operation

Internet2

a sequence of solutions
A Sequence of Solutions

Increasingly stringent – increasing cost:

  • Peer-peer Connection Protection
  • Filters – prefix filters and AS-path filters
  • Origination Protection
  • Origination and AS_PATH Adjacency Protection
  • Origination and AS_PATH Route Protection
  • Origination, Transit and Policy Protection
  • “Freshness”

Internet2

in common use
In Common Use
  • Peer-Peer protection methods
    • TCP MD5, IPSEC, TLS, GTSM, (BTNS?)
  • For crypto techniques, management the biggest problem
    • Managing keys for many, many peers, key rollover, hash algorithm rollover
  • Performance scale comes up frequently as well

Internet2

in common use 2
In Common Use (2)
  • Filters – prefix filters and AS-PATH filters
  • Requires transitive trust
    • “Transitively trusting all peers’ on-net customers: fundamentally unsafe” (NANOG Renesys presentation)
  • Management hard (particularly at large AS’s) – keeping filter lists current
    • Manual configuration
    • Authority based
      • Team Cymru Bogon Route Server Project for VIP, bogon and martians; IRR based filter generators
  • OTOH: Mar 2003 - 69/8 allocated; Jan 2004 – 83/8 and 84/8 allocated – installed filters did not keep up
  • For large ISP’s – filter lists stress hardware

Internet2

requirements for authorities
Requirements for Authorities
  • Must scale to Internet size and routing dynamics
  • Design issues:
    • Non-hierarchical, singly rooted, multiply rooted?
    • Centralized, replicated, or distributed?
    • Client/server vs peer-peer?
    • Query/response vs wholesale download?
    • Event based vs periodic download?
  • ISP distaste for relying on external info for configuration of their routing; chicken and egg

Internet2

origination protection
Origination Protection
  • Authorization only (AS is authorized address)
  • Authorization and Authentication (AS is also currently announcing address) protects that “17%” unannounced but allocated
  • Need authority (not necessarily central) that:
    • Stores info completely, accurately and securely
    • Accepts changes securely – model for authorization
  • Need architecture and mechanisms for communication with “authority”
  • Need procedures and tools for putting info into use

Internet2

origination and as path adjacency protection
Origination and AS_PATH Adjacency Protection
  • Checks that adjacent AS’s in AS_PATH have peering
    • SoBGP, Garcia-Lunes-Aceves/Smith
  • Need way to securely transmit adjacency – inline or query/download from database
  • Processing demands (crypto stuff)
  • Residual vulnerabilities
    • existence of peering adjacency gives no assurance AS’s will transit traffic
    • does not assure loop freedom

Internet2

origination and as path route protection
Origination and AS_PATH Route Protection
  • Protection to show update propagating through AS’s AS_PATH
    • indicates each AS in path has willingness and capability to forward traffic toward the stated route
    • SBGP; SPV
  • Protection may or may not be passed inline
  • Processing demands – crypto and storage
  • Residual vulnerabilities
    • Freshness; policy compliance

Internet2

origination route and policy protection
Origination, Route and Policy Protection
  • Policy protection – e.g., AS A has a peering relationship with B, not transit – B should not announce A’s addresses
  • Need to express and communicate policy
    • That means expose policy – anathema to many
  • Policy is specific to one AS
    • But may target remote AS
  • No current mechanisms to express, communicate or ensure policies (caveat: SoBGP)

Internet2

freshness
Freshness
  • Receive replacement route, send replacement route – then send original route again
  • BGP has no features that would facilitate discerning maintenance of update ordering

Internet2

current activity
Current Activity
  • Concerned community working on this
    • ISP’s, Registry, Security, Router Vendor folk
  • Consensus is that the most pressing need is:
    • Registration database integrity improved
    • Authenticated list of AS-prefix origination authorizations
  • Useful in many ways:
    • Operational debugging
    • Customer care
    • Security protection
  • Fundamental basis for ANY security solution

Internet2

query
Query
  • Anyone interested in participating in discussion?
  • In putting this to a trial?
    • Start with AS->prefix mapping for Internet2
    • See how difficult it is to include in operational procedures
  • Sponsor - DHS S&T, SPRI program (Secure Protocols for the Routing Infrastructure)

Internet2