BGPsec: Get ready for the

next step in secure

inter-domain routing

Matthias Wählisch

m.waehlisch@fu-berlin.de

www.cs.fu-berlin.de/~waehl

Matthias Wählisch DE-CIX Technical Meeting, June 2017 2

Does RPKI Origin Validation solve

all BGP security problems?

Matthias Wählisch DE-CIX Technical Meeting, June 2017 3

Does RPKI Origin Validation solve

all BGP security problems?

NO!

Matthias Wählisch DE-CIX Technical Meeting, June 2017 4

Motivation: Threat models for BGP

Prefix Origin

Hijacking

AS Path

ManipulationRoute Leaks

Matthias Wählisch DE-CIX Technical Meeting, June 2017 5

Motivation: Threat models for BGP

Prefix Origin

Hijacking

AS Path

ManipulationRoute Leaks

Matthias Wählisch DE-CIX Technical Meeting, June 2017 6

Simple example

Provider A

Provider B

AS Z

10.20.0.0/16

AS Y AS X AS W

AS V

Customer

Matthias Wählisch DE-CIX Technical Meeting, June 2017 7

Simple example: Shorter path wins

Customer

Provider A

Provider B

AS Z

10.20.0.0/16

AS Y AS X AS W

AS V

10.20.0.0/16 A V ZB W X Y Z10.20.0.0/16

Matthias Wählisch DE-CIX Technical Meeting, June 2017 8

Simple example: Shorter path wins

if net = 10.20.0.0/16 then {

bgp_path.empty;

bgp_path.prepend(B);

bgp_path.prepend(Z);

accept;

}

Shorter path wins, AS B configures:

Matthias Wählisch DE-CIX Technical Meeting, June 2017 9

Simple example: Shorter path wins

Customer

Provider A

Provider B

AS Z

10.20.0.0/16

AS Y AS X AS W

AS V

10.20.0.0/16 A V ZB W X Y Z10.20.0.0/16

Matthias Wählisch DE-CIX Technical Meeting, June 2017 10

Simple example: Shorter path wins

Customer

Provider A

Provider B

AS Z

10.20.0.0/16

AS Y AS X AS W

AS V

10.20.0.0/16 A V ZB Z10.20.0.0/16

Matthias Wählisch DE-CIX Technical Meeting, June 2017 11

Real-world example, 2010

AS 3356

Level 3

AS 22394

Verizon Wireless

AS 7018

AT&TAS 6167

Verizon Wireless

AS 4134

China Telecom

Matthias Wählisch DE-CIX Technical Meeting, June 2017 12

Recap: Why do we need the AS Path?

Loop detection

Breaking Ties (Phase 2) [RFC 4271]

“(a) Remove from consideration all routes that are not

tied for having the smallest number of AS numbers

present in their AS_PATH attributes. [...]”

Matthias Wählisch DE-CIX Technical Meeting, June 2017 13

Objective of BGPsec:

Prevent path manipulation

Matthias Wählisch DE-CIX Technical Meeting, June 2017 14

Objective of BGPsec:

Prevent path manipulation

“Provide confidence that every AS on the path

of ASes listed in the update message has

explicitly authorized the advertisement of the

route.” [draft-ietf-sidr-bgpsec-protocol]

Matthias Wählisch DE-CIX Technical Meeting, June 2017 15

A brief history of BGPsec

Time

Kent et al.

S-BGP

04/2000

SIDR proposed

01/2006

04/2006

started

03/2011

draft-lepinski-bgpsec-protocol-00

06/2011

draft-ietf-sidr-bgpsec-protocol-00

09/2012

WGLC

01/2015

WGLC

03/2016

WGLC

AUTH48

14/06/2017

RFC 8205

?

11/2016

SIDROPS

IESG done

01/2017

Matthias Wählisch DE-CIX Technical Meeting, June 2017 16

BGPsec primer

Basic idea, per prefix and BGP update,

every BGPsec router creates BGPsec_Path, including signatures

list of previous ASNs (~ AS path)

signatures from previous ASNs

next ASN [forward signing]

Every BGPsec router verifies received BGPsec_Path

Matthias Wählisch DE-CIX Technical Meeting, June 2017 17

BGPsec primer

Basic idea, per prefix and BGP update,

every BGPsec router creates BGPsec_Path, including signatures

list of previous ASNs (~ AS path)

signatures from previous ASNs

next ASN [forward signing]

Every BGPsec router verifies received BGPsec_Path

AS X AS Y

I received prefix P

via AS … and

send it to AS Y

signed

I received prefix P

from AS X and

via AS …

verified

Matthias Wählisch DE-CIX Technical Meeting, June 2017 18

We need router certificates

Signing BGPsec router needs a public private key pair

operator vs. router generated keys

Validating BGPsec router needs the (verified) public

keys of all other BGPsec routers (on the path)

verified locally or at cache servers

Matthias Wählisch DE-CIX Technical Meeting, June 2017 19

Some operational considerations

BGPsec validation performed at edge

Yes, your router needs more memory

Yes, your router needs better CPU or

crypto support

Matthias Wählisch DE-CIX Technical Meeting, June 2017 20

Some operational considerations

BGPsec validation performed at edge

Yes, your router needs more memory

Yes, your router needs better CPU or

crypto support

Talk with your vendor

Ask for implementations

Can be ready in the

next ~5 years

Matthias Wählisch DE-CIX Technical Meeting, June 2017 21

Implications for IXP Route Server

Route server is transparent

A client router needs to validate

paths which are forward signed

?

Matthias Wählisch DE-CIX Technical Meeting, June 2017 22

Implications for IXP Route Server

Route server is transparent

A client router needs to validate

paths which are forward signed

Route server AS is inserted and

signs AS path but doesn’t increase

path length (attribute pCount=0)

Matthias Wählisch DE-CIX Technical Meeting, June 2017 23

State of BGPsec support

Cache servers

RPKI.net (https://github.com/dragonresearch/rpki.net)

RTR clients

RTRlib (http://rtrlib.realmv6.org)

BGP daemons

Bird extension (http://www.securerouting.net/tools/bird/)QuaggaSRx (https://www-x.antd.nist.gov/bgpsrx/)

Matthias Wählisch DE-CIX Technical Meeting, June 2017 24

Caveat: BGPsec does not protect

against route leaks

Provider A

Provider B

AS Z

10.20.0.0/16

AS Y AS X AS W

AS V

Customer

Matthias Wählisch DE-CIX Technical Meeting, June 2017 25

Does BGPsec solve

all BGP security problems?

Matthias Wählisch DE-CIX Technical Meeting, June 2017 26

Does BGPsec solve

all BGP security problems?

NO!

Matthias Wählisch DE-CIX Technical Meeting, June 2017 27

Does BGPsec solve

all BGP security problems?

NO!

But it’s one next step towards a

more secure Internet backbone.