1 / 19

Securing the Routing Infrastructure

Securing the Routing Infrastructure. Sandra Murphy Sparta, Inc sandy@tislabs.com, sandy@sparta.com. BGP Operation. AS 10. ASPATH= 10 , NLRI=12/8. AS 20. ASPATH= 20 , 10 , NLRI=12/8. Net 12/8. ASPATH= 30 , 20 , 10 , NLRI=12/8. AS 30. ASPATH= 20 , 10 , NLRI=12/8. AS 22.

jorryn
Download Presentation

Securing the Routing Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing the Routing Infrastructure Sandra Murphy Sparta, Inc sandy@tislabs.com, sandy@sparta.com Internet2

  2. BGP Operation AS 10 ASPATH=10, NLRI=12/8 AS 20 ASPATH=20,10, NLRI=12/8 Net 12/8 ASPATH=30,20,10, NLRI=12/8 AS 30 ASPATH=20,10, NLRI=12/8 AS 22 ASPATH=22,20,10, NLRI=12/8 Internet2

  3. BGP Operation – More specific prefixes AS 10 ASPATH=10, NLRI=12/8 AS 20 ASPATH=20,10, NLRI=12/8 Net 12/8 ASPATH=30,20,10, NLRI=12/8 ASPATH=22, NLRI=12.12/16 AS 30 ASPATH=20,10, NLRI=12/8 AS 22 Net 12.12/16 ASPATH=22,20,10, NLRI=12/8 ASPATH=22, NLRI=12.12/16 Internet2

  4. Misconfiguration (we hope) Attacks • Apr 1997 AS7007 announces classful addresses for the whole world • Feb/Apr/Aug 2001 Abovenet/Quest/Digex announces routes with private AS numbers in them • Typical consequences: • Dec 1999 a mis-origination by a downstream takes out ATT’s dial-up net – WSJ notices • Apr/May 2003 Trafalgar House/LA County space hijacked by registry spoof • Side effect on operation • Covad does not aggregate their prefix announcements because they tried it and someone announced more specific prefixes Internet2

  5. Think we’re past all that? • Dec 24, 2004 – AS9121 (TTNet) announced 100K+ routes for 1hr20min (shorter event later) • According to May 2005 NANOG presentation, 1/3 of Rensys’s 100 peers saw the bad routes within 3 min • The bad routes spread far and wide • Affected networks included (from NANOG slide): • Blue Cross Blue Shield of Iowa - Thomson Financial Services - Citicorp Global Information Network -MetLife Capital Corp - Pitney Bowes Credit Corporation - Brown Brothers Harriman & Company - LaSalle Partners - Kuwait Fund for Arab Economic Development Internet2

  6. And recently… • Sep 9, 9:29-10:47, 26210, a Bolivian ISP, announced 12/8, 64/8 and 65/8. • 12/8, 3549 1239 12956 26210 • GX-Sprint-Telefonica-AES Comm (Bolivia) • On Sep 10, another anomaly • 12/8, 3549 1299 12676 (GX-TeliaNet-NCORE) • “FYI, happened again this morning for (at least) 12/8 duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s. Internet2

  7. Consequences • Note to NANOG Sep 9: “And wouldn't you know it, we have an application that needs to reach servers in 12/8 and 65/8, and someone just came over to me asking for help in figuring out why that application isn't working. I guess I should have checked my NANOG mail before I told them I had no idea what was going on. :)” Internet2

  8. Moral of the Story • Your network operation may be an inspiration to us all, but: • The other parts of the Internet hold your fate: • Your users may not be able to reach the sites they want to reach • Your users’s remote users may not be able to reach your users • Need more than effective local operation Internet2

  9. A Sequence of Solutions Increasingly stringent – increasing cost: • Peer-peer Connection Protection • Filters – prefix filters and AS-path filters • Origination Protection • Origination and AS_PATH Adjacency Protection • Origination and AS_PATH Route Protection • Origination, Transit and Policy Protection • “Freshness” Internet2

  10. In Common Use • Peer-Peer protection methods • TCP MD5, IPSEC, TLS, GTSM, (BTNS?) • For crypto techniques, management the biggest problem • Managing keys for many, many peers, key rollover, hash algorithm rollover • Performance scale comes up frequently as well Internet2

  11. In Common Use (2) • Filters – prefix filters and AS-PATH filters • Requires transitive trust • “Transitively trusting all peers’ on-net customers: fundamentally unsafe” (NANOG Renesys presentation) • Management hard (particularly at large AS’s) – keeping filter lists current • Manual configuration • Authority based • Team Cymru Bogon Route Server Project for VIP, bogon and martians; IRR based filter generators • OTOH: Mar 2003 - 69/8 allocated; Jan 2004 – 83/8 and 84/8 allocated – installed filters did not keep up • For large ISP’s – filter lists stress hardware Internet2

  12. Requirements for Authorities • Must scale to Internet size and routing dynamics • Design issues: • Non-hierarchical, singly rooted, multiply rooted? • Centralized, replicated, or distributed? • Client/server vs peer-peer? • Query/response vs wholesale download? • Event based vs periodic download? • ISP distaste for relying on external info for configuration of their routing; chicken and egg Internet2

  13. Origination Protection • Authorization only (AS is authorized address) • Authorization and Authentication (AS is also currently announcing address) protects that “17%” unannounced but allocated • Need authority (not necessarily central) that: • Stores info completely, accurately and securely • Accepts changes securely – model for authorization • Need architecture and mechanisms for communication with “authority” • Need procedures and tools for putting info into use Internet2

  14. Origination and AS_PATH Adjacency Protection • Checks that adjacent AS’s in AS_PATH have peering • SoBGP, Garcia-Lunes-Aceves/Smith • Need way to securely transmit adjacency – inline or query/download from database • Processing demands (crypto stuff) • Residual vulnerabilities • existence of peering adjacency gives no assurance AS’s will transit traffic • does not assure loop freedom Internet2

  15. Origination and AS_PATH Route Protection • Protection to show update propagating through AS’s AS_PATH • indicates each AS in path has willingness and capability to forward traffic toward the stated route • SBGP; SPV • Protection may or may not be passed inline • Processing demands – crypto and storage • Residual vulnerabilities • Freshness; policy compliance Internet2

  16. Origination, Route and Policy Protection • Policy protection – e.g., AS A has a peering relationship with B, not transit – B should not announce A’s addresses • Need to express and communicate policy • That means expose policy – anathema to many • Policy is specific to one AS • But may target remote AS • No current mechanisms to express, communicate or ensure policies (caveat: SoBGP) Internet2

  17. Freshness • Receive replacement route, send replacement route – then send original route again • BGP has no features that would facilitate discerning maintenance of update ordering Internet2

  18. Current Activity • Concerned community working on this • ISP’s, Registry, Security, Router Vendor folk • Consensus is that the most pressing need is: • Registration database integrity improved • Authenticated list of AS-prefix origination authorizations • Useful in many ways: • Operational debugging • Customer care • Security protection • Fundamental basis for ANY security solution Internet2

  19. Query • Anyone interested in participating in discussion? • In putting this to a trial? • Start with AS->prefix mapping for Internet2 • See how difficult it is to include in operational procedures • Sponsor - DHS S&T, SPRI program (Secure Protocols for the Routing Infrastructure) Internet2

More Related