TRANSCRIPT
BGPsec: Get ready for the next step in secure inter-domain routing
Matthias Wählisch
www.cs.fu-berlin.de/~waehl
Matthias Wählisch DE-CIX Technical Meeting, June 2017 2
Does RPKI Origin Validation solve
all BGP security problems?
NO!

Motivation: Threat models for BGP
Prefix Origin Hijacking
AS Path Manipulation
Route Leaks

Simple example
[Figure: topology with Customer, Provider A, Provider B, AS V, AS W, AS X, AS Y and AS Z (10.20.0.0/16)]

Simple example: Shorter path wins
[Figure: same topology, with two routes for 10.20.0.0/16:]
10.20.0.0/16  A V Z
10.20.0.0/16  B W X Y Z
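
Simple example: Shorter path wins
Shorter path wins, AS B configures:
    # B and Z stand for the AS numbers of Provider B and AS Z
    if net = 10.20.0.0/16 then {
        bgp_path.empty;          # drop the AS path that was learned
        bgp_path.prepend(B);     # replace it with a path containing only B and Z
        bgp_path.prepend(Z);
        accept;
    }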

Simple example: Shorter path wins
[Figure: same topology, with the routes for 10.20.0.0/16 now shown as:]
10.20.0.0/16  A V Z
10.20.0.0/16  B Z

Real-world example, 2010
[Figure: ASes shown: AS 3356 (Level 3), AS 22394 (Verizon Wireless), AS 7018 (AT&T), AS 6167 (Verizon Wireless), AS 4134 (China Telecom)]

Recap: Why do we need the AS Path?
Loop detection
Breaking Ties (Phase 2) [RFC 4271]
“(a) Remove from consideration all routes that are not
tied for having the smallest number of AS numbers
present in their AS_PATH attributes. [...]”

Objective of BGPsec:
Prevent path manipulation
“Provide confidence that every AS on the path
of ASes listed in the update message has
explicitly authorized the advertisement of the
route.” [draft-ietf-sidr-bgpsec-protocol]

A brief history of BGPsec
[Timeline]
04/2000     Kent et al.: S-BGP
01/2006     SIDR proposed
04/2006     SIDR started
03/2011     draft-lepinski-bgpsec-protocol-00
06/2011     draft-ietf-sidr-bgpsec-protocol-00
09/2012     WGLC
01/2015     WGLC
03/2016     WGLC
11/2016     SIDROPS
01/2017     IESG done
14/06/2017  AUTH48
?           RFC 8205

BGPsec primer
Basic idea, per prefix and BGP update,
every BGPsec router creates BGPsec_Path, including signatures
  list of previous ASNs (~ AS path)
  signatures from previous ASNs
  next ASN [forward signing]
Every BGPsec router verifies received BGPsec_Path
[Figure: AS X sends an update to AS Y]
AS X (signed): "I received prefix P via AS … and send it to AS Y"
AS Y (verified): "I received prefix P from AS X and via AS …"

We need router certificates
Signing BGPsec router needs a public/private key pair
  operator-generated vs. router-generated keys
Validating BGPsec router needs the (verified) public keys of all other BGPsec routers (on the path)
  verified locally or at cache servers

Some operational considerations
BGPsec validation performed at edge
Yes, your router needs more memory
Yes, your router needs better CPU or crypto support
Talk with your vendor
Ask for implementations
Can be ready in the next ~5 years

Implications for IXP Route Server
Route server is transparent
A client router needs to validate paths which are forward signed
Route server AS is inserted and signs AS path but doesn’t increase path length (attribute pCount=0)
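
The forward-signing idea from the BGPsec primer and the route server's pCount=0 segment, as an added sketch that is not part of the original slides or of any BGPsec implementation. Assumptions: HMAC-SHA256 with constructed keys stands in for the real router-key signatures, segments are stored origin first, and the route server name RS is hypothetical.

```python
import hashlib
import hmac

# Constructed per-AS keys. Assumption: HMAC-SHA256 stands in for the router-key
# signatures of real BGPsec so the example runs on the standard library alone.
KEYS = {asn: f"constructed-key-{asn}".encode() for asn in ("Z", "Y", "X", "W", "B", "RS")}

def _sign(asn, target, pcount, prev_sig, prefix):
    # Forward signing: the signature covers the NEXT AS (target), not only the signer.
    msg = f"{target}|{asn}|{pcount}|{prefix}".encode() + prev_sig
    return hmac.new(KEYS[asn], msg, hashlib.sha256).digest()

def announce(prefix, segs, asn, target, pcount=1):
    """Append asn's signed segment (asn, pcount, signature) for an update sent to target."""
    prev_sig = segs[-1][2] if segs else b""
    return segs + [(asn, pcount, _sign(asn, target, pcount, prev_sig, prefix))]

def verify(prefix, segs, receiver):
    """Recompute every signature; each must name the following AS as its target."""
    prev_sig = b""
    for i, (asn, pcount, sig) in enumerate(segs):
        target = segs[i + 1][0] if i + 1 < len(segs) else receiver
        if not hmac.compare_digest(sig, _sign(asn, target, pcount, prev_sig, prefix)):
            return False
        prev_sig = sig
    return True

def path_length(segs):
    # pCount=0 lets a transparent route server sign without lengthening the path.
    return sum(pcount for _, pcount, _ in segs)

def demo():
    prefix, segs = "10.20.0.0/16", []
    hops = ["Z", "Y", "X", "W", "B", "Customer"]
    for asn, target in zip(hops, hops[1:]):
        segs = announce(prefix, segs, asn, target)
    honest = verify(prefix, segs, "Customer")          # full path B W X Y Z
    # Path shortening from the slides: B keeps only Z's segment and signs on top of it.
    forged = announce(prefix, segs[:1], "B", "Customer")
    shortened = verify(prefix, forged, "Customer")     # Z signed towards Y, not B
    # Constructed case: route server RS between Z and the client, signing with pCount=0.
    via_rs = announce(prefix, announce(prefix, [], "Z", "RS"), "RS", "Customer", pcount=0)
    return honest, shortened, verify(prefix, via_rs, "Customer"), path_length(via_rs)

if __name__ == "__main__":
    print(demo())
```

The shortened path B Z fails because Z's signature names Y as its target, so a receiver that expects Z to have signed towards B cannot reproduce it.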

State of BGPsec support
Cache servers
  RPKI.net (https://github.com/dragonresearch/rpki.net)
RTR clients
  RTRlib (http://rtrlib.realmv6.org)
BGP daemons
  Bird extension (http://www.securerouting.net/tools/bird/)
  QuaggaSRx (https://www-x.antd.nist.gov/bgpsrx/)

Caveat: BGPsec does not protect against route leaks
[Figure: the topology from the simple example: Customer, Provider A, Provider B, AS V, AS W, AS X, AS Y and AS Z (10.20.0.0/16)]

Does BGPsec solve all BGP security problems?
NO!
But it’s one next step towards a
more secure Internet backbone.