Routing Security Workshop - Internet2, 2018/10/18
TRANSCRIPT
Routing Security Workshop: Internet Routing Registries
Jeff Bartig, Senior Interconnection Architect, Internet2
[ 2 ]
IRR Presentation Overview
• NANOG 74 Updates
• IRR Overview
• IRR Tools
• Internet2 Participant IRR Stats
[ 3 ]
NANOG 74 UPDATES
[ 4 ]
NANOG 74 – BGP Route Security Track
• Recent BGP Incidents, Andree Toonk/BGPmon
• State of BGP Security, Alexander Azimov/QRator
• Legal Barriers to Securing the Routing Architecture, Christopher Yoo, David Wishnick/UPenn
• Routing Security Roadmap, Job Snijders/NTT
  – also given at NLNOG: https://nlnog.net/nlnog-day-2018/
• So I need to Start Route Filtering Peers, Chris Morrow/Google
  – Google tentatively plans to have reject data available for peers by January 1, 2019
  – Tentative plans to drop routes not matching IRR data by March 1, 2019
• Track wasn't recorded, but slides available:
  – https://pc.nanog.org/static/published/meetings/NANOG74/1760/20181003_Tzvetanov_Security_Track_Bgp_v1.pdf
[ 5 ]
IRR OVERVIEW
[ 6 ]
IRR Overview
● What Is An Internet Routing Registry
● Why Register IRR Objects
● Important IRR Record Types
● Querying RADB Whois
● IRRExplorer – Checking Your Work
[ 7 ]
What Is An Internet Routing Registry (IRR)
● An IRR is a public registry (database) of network routing information
● Many registry options (RADB, ARIN, RIPE, AltDB, LEVEL3, ...)
● Often an IRR will mirror the other IRRs to create a more complete database
● Registry objects are specified using the Routing Policy Specification Language (RPSL, RFC 2622)
● Registries can be used to document a network's prefixes, ASNs, groups of prefixes, groups of ASNs, routing policy, and peers
[ 8 ]
Why Register IRR Objects
● Automation!
● Standard method for communicating the list of prefixes your network plans to advertise
● Standard method for documenting the origin ASN for prefixes
● Statement of ownership – makes a hijack harder to get past IRR-based filters (IRR data is self-asserted, not cryptographically validated, so it is not proof of ownership)
● Some services require IRR objects
  ○ Transit providers
  ○ Peering exchange route servers
  ○ DDoS services (Zenedge)
  ○ Peers
[ 9 ]
Why Register IRR Objects
But what if I don’t peer, use peering exchanges, use a DDoS mitigation provider, or buy transit from someone that requires proper IRR objects?
Your upstream providers may interact with other networks and services that do require IRR objects.
[ 10 ]
Why Register IRR Objects
● If you don't document in an IRR, your routes may be blocked by peers of your transit providers or by your direct peers
● Routes with missing or incorrect IRR objects may be blocked temporarily or permanently when they are announced
● Routes may be preferenced lower if there are missing IRR objects
● Difficult to troubleshoot the path packets take to reach you. You may not realize you have issues.
● Better to maintain your own data, rather than have an upstream provider proxy register objects for your network
Why Register IRR Objects - PeeringDB.com
[ 12 ]
Important IRR Object Types
● A minimal deployment of IRR objects doesn't require a lot of effort or object detail
● It is not necessary to document peers and route policy in your objects
● Important object types
  ○ mntner: Maintainer - owner of the objects that you maintain
  ○ route / route6: prefixes you plan to announce and their origin ASN
  ○ aut-num: ASNs that originate your prefixes
  ○ as-set: a grouping of aut-num objects and possibly other as-set objects
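As an added example (my own code, not from the presentation or from any IRR software), here is a parser for the RPSL object layout these four object types share, with a cross-check of the references between them. The objects, maintainer name, contact handles, ASNs and prefixes are constructed documentation values; the checks (dangling mnt-by, route prefix with host bits set, origin without an aut-num, origin missing from every as-set) are my own choice of sanity checks for a minimal deployment, not rules enforced by any registry.

```python
"""Parse a minimal set of RPSL objects (mntner, aut-num, route/route6, as-set)
and cross-check them. Added example; the objects below are CONSTRUCTED with
documentation ASNs/prefixes and a made-up maintainer/contact."""
import ipaddress

# Constructed RPSL text in the RFC 2622 layout: "attr: value" lines, a blank line
# between objects, and a line starting with whitespace or '+' continues the previous value.
RPSL_TEXT = """\
mntner:     MAINT-AS64496
descr:      Example maintainer (constructed)
admin-c:    EXAMPLE-ARIN
tech-c:     EXAMPLE-ARIN
upd-to:     noc@example.net
auth:       MD5-PW $1$placeholder
mnt-by:     MAINT-AS64496
source:     RADB

aut-num:    AS64496
as-name:    EXAMPLE-NET
descr:      Example network
mnt-by:     MAINT-AS64496
source:     RADB

route:      192.0.2.0/24
descr:      Example IPv4 block
origin:     AS64496
mnt-by:     MAINT-AS64496
source:     RADB

route6:     2001:db8::/32
descr:      Example IPv6 block
origin:     AS64496
mnt-by:     MAINT-AS64496
source:     RADB

route:      198.51.100.0/24
descr:      origin has no aut-num and is not in the as-set (deliberate)
origin:     AS64497
mnt-by:     MAINT-AS64496
source:     RADB

as-set:     AS-EXAMPLE
descr:      Example customer cone
members:    AS64496,
            AS-EXAMPLE-DOWNSTREAM
mnt-by:     MAINT-AS64496
source:     RADB
"""

def parse_rpsl(text):
    """Return a list of objects, each a list of (attribute, value) pairs.
    The first pair's attribute is the object class (mntner, route, ...)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:              # continuation line
            attr, val = current[-1]
            current[-1] = (attr, (val + " " + line.lstrip(" \t+").strip()).strip())
            continue
        attr, _, val = line.partition(":")
        current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects

def first(obj, attr):
    return next((v for a, v in obj if a == attr), None)

def as_set_members(obj):
    """Direct members of an as-set, split on commas/whitespace (no recursive expansion)."""
    raw = (first(obj, "members") or "").replace(",", " ")
    return {m.upper() for m in raw.split() if m}

def check_objects(objects):
    """Return a list of problems: dangling mnt-by, route prefix with host bits set,
    route origin without an aut-num, origin not listed in any as-set."""
    problems = []
    maintainers = {o[0][1] for o in objects if o[0][0] == "mntner"}
    autnums = {o[0][1].upper() for o in objects if o[0][0] == "aut-num"}
    set_members = set().union(*(as_set_members(o) for o in objects if o[0][0] == "as-set"))
    for obj in objects:
        cls, key = obj[0]
        mnt = first(obj, "mnt-by")
        if mnt not in maintainers:
            problems.append("%s %s: mnt-by %s does not exist" % (cls, key, mnt))
        if cls in ("route", "route6"):
            try:
                ipaddress.ip_network(key, strict=True)    # rejects host bits like 192.0.2.1/24
            except ValueError:
                problems.append("%s %s: not a valid network prefix" % (cls, key))
            origin = (first(obj, "origin") or "").upper()
            if origin not in autnums:
                problems.append("%s %s: origin %s has no aut-num object" % (cls, key, origin))
            if origin not in set_members:
                problems.append("%s %s: origin %s is not a member of any as-set" % (cls, key, origin))
    return problems

if __name__ == "__main__":
    for p in check_objects(parse_rpsl(RPSL_TEXT)):
        print(p)
```

Run against the constructed text, the only object flagged is the 198.51.100.0/24 route: its origin AS64497 has no aut-num and is absent from AS-EXAMPLE, so a peer building a filter from that as-set would never accept the prefix even though the route object exists.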
Important IRR Object Types - mntner
Important IRR Object Types - route/route6
Important IRR Object Types - aut-num
Important IRR Object Types - as-set
RADB Whois - all routes with specific origin - !g
!gAS<number> : all route objects whose origin is that ASN
A### : start of response and number of characters in response
C : end of response
D : no matching entries
RADB Whois - expand as-set - !i
!iAS-SET : expand as-set one level (nested as-sets are returned by name, not expanded)
!iAS-SET,1 : recursively expand as-set, expanding any as-sets contained in the as-set
IRRExplorer – Checking Your Work
(IRRExplorer screenshots; one slide is annotated "Old cruft to clean up")
Useful IRR Links
● IRR Explorer: http://irrexplorer.nlnog.net
● PeeringDB: https://www.peeringdb.com
● List of IRRs: http://www.irr.net/docs/list.html
● List of IRR/RPSL RFCs: http://www.irr.net/docs/rpsl.html
● RADB Whois Help/Examples:
  ○ http://www.radb.net/support/query1.php
  ○ http://www.radb.net/support/query2.php
● ARIN IRR: https://www.arin.net/resources/routing/
● Mutually Agreed Norms for Routing Security (MANRS):
  ○ https://www.manrs.org
  ○ https://www.manrs.org/tutorials/irrs-rpki-peeringdb/
[ 28 ]
IRR TOOLS
[ 29 ]
Tools
● bgpq3 - https://github.com/snar/bgpq3
● IRRExplorer - http://irrexplorer.nlnog.net/
● IRRToolSet - https://github.com/irrtoolset/irrtoolset
● IRR Power Tools - https://github.com/6connect/irrpt
[ 30 ]
bgpq3
$ bgpq3 -J -l AS-ONENET-MEMBERS AS-ONENET-MEMBERS
policy-options {
replace:
 prefix-list AS-ONENET-MEMBERS {
    64.112.240.0/20;
    66.186.144.0/20;
    129.15.0.0/16;
    129.15.0.0/17;
    ...
 }
}
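The following added example (my own code, not bgpq3 or any RADB software) shows what a tool like bgpq3 does with the !i and !g queries described in the RADB Whois slides: it decodes the A<length>/C/D reply framing, expands an as-set client-side with loop protection, collects the route objects for each origin and renders a Junos prefix-list in the replace: form shown above. The IRR contents are constructed sample data served from a dictionary so it runs offline; tcp_transport() is how the same queries would be sent to whois.radb.net:43 and assumes the server's default of one query per connection.

```python
"""Toy bgpq3: expand an as-set over the IRRd whois protocol and emit a Junos prefix-list.
Added, stand-alone illustration; not code from bgpq3 or RADB. The registry contents in
FAKE_IRRD are CONSTRUCTED test data using documentation ASNs and prefixes."""
import ipaddress
import socket

# Constructed replies keyed by the raw query string an IRRd server would receive.
FAKE_IRRD = {
    "!iAS-EXAMPLE": "AS64496 AS64497 AS-EXAMPLE-CUST",
    "!iAS-EXAMPLE-CUST": "AS64498 AS64496",          # AS64496 listed twice on purpose
    "!iAS-EXAMPLE,1": "AS64496 AS64497 AS64498",      # what server-side recursion returns
    "!gAS64496": "192.0.2.0/24 192.0.2.0/25",
    "!gAS64497": "198.51.100.0/24",
    "!gAS64498": "203.0.113.0/24 198.51.100.0/24",    # same prefix registered for two origins
}

def frame_reply(payload):
    """Encode a reply the way IRRd does: 'A<bytes>\\n<payload>\\nC\\n', or 'D\\n' for no data."""
    if payload is None:
        return b"D\n"
    body = payload.encode()
    return b"A%d\n%s\nC\n" % (len(body), body)

def parse_reply(raw):
    """Decode an IRRd reply: payload string, or None for 'D' (no data).
    Raises on 'E' (unknown query), 'F' (error) or a length that does not match."""
    first, _, rest = raw.partition(b"\n")
    if first == b"D":
        return None
    if first in (b"E", b"F"):
        raise RuntimeError("IRRd error: %s" % raw.decode(errors="replace").strip())
    if not first.startswith(b"A"):
        raise ValueError("unexpected reply: %r" % first)
    n = int(first[1:])
    payload, trailer = rest[:n], rest[n:]
    if trailer.strip() != b"C":
        raise ValueError("reply truncated or not terminated with C")
    return payload.decode()

def query(q, transport=None):
    """Send one query. transport(q) -> raw reply bytes; defaults to the constructed server."""
    if transport is None:
        transport = lambda s: frame_reply(FAKE_IRRD.get(s))
    return parse_reply(transport(q))

def expand_as_set(name, transport=None, _seen=None):
    """Client-side recursive expansion (what '!iNAME,1' does server-side).
    Remembers visited sets so mutually referencing as-sets cannot loop forever."""
    seen = set() if _seen is None else _seen
    if name.upper() in seen:
        return set()
    seen.add(name.upper())
    asns = set()
    for m in (query("!i" + name, transport) or "").split():
        if m.upper().startswith("AS-"):               # nested as-set: recurse
            asns |= expand_as_set(m, transport, seen)
        else:
            asns.add(m.upper())
    return asns

def routes_for_origins(asns, transport=None):
    """'!gASN' for each origin; sorted, de-duplicated list of ip_network objects."""
    prefixes = set()
    for asn in asns:
        for p in (query("!g" + asn, transport) or "").split():
            prefixes.add(ipaddress.ip_network(p))
    return sorted(prefixes, key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def junos_prefix_list(name, prefixes):
    """Render the 'replace:' style prefix-list that bgpq3 -J -l NAME produces."""
    lines = ["policy-options {", "replace:", " prefix-list %s {" % name]
    lines += ["    %s;" % p for p in prefixes]
    lines += [" }", "}"]
    return "\n".join(lines)

def tcp_transport(host="whois.radb.net", port=43):
    """Live transport (assumption: one query per connection, server closes when done)."""
    def send(q):
        with socket.create_connection((host, port), timeout=10) as s:
            s.sendall((q + "\n").encode())
            return b"".join(iter(lambda: s.recv(65536), b""))
    return send

if __name__ == "__main__":
    origins = expand_as_set("AS-EXAMPLE")
    print(junos_prefix_list("AS-EXAMPLE", routes_for_origins(origins)))
```

Two things worth noticing in the output: the duplicate ASN and the duplicate prefix collapse to one entry each, and 192.0.2.0/25 appears alongside 192.0.2.0/24 because the registry holds a separate route object for it; a prefix-list built this way only admits prefixes that have their own route object, which is why more-specifics without objects get dropped by IRR-filtering peers.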
[ 31 ]
INTERNET2 PARTICIPANT IRR STATS
[ 32 ]
TR-CPS Participant routes vs IRR
• Total customer routes in Internet2 trcps VRF: 5,594
  – Routes with matching IRR record: 3,376 (60%)
  – Routes with no matching IRR record: 2,218 (40%)
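One way to compute a table like this, as an added example that is not Internet2's tooling: match each announced (prefix, origin) pair against the route/route6 objects and classify the misses. The routes and objects below are constructed sample data; the categories beyond match/no-match (origin mismatch, covered only by a less-specific object) are my own split of the no-match bucket, useful because a strict prefix-list built from route objects would drop both kinds.

```python
"""Classify announced routes against IRR route/route6 objects.
Added example; ANNOUNCED and IRR_OBJECTS are CONSTRUCTED sample data."""
import ipaddress
from collections import Counter

# Constructed "announced" routes as (prefix, origin ASN), as seen in a BGP table.
ANNOUNCED = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/25", 64496),      # more-specific without its own route object
    ("198.51.100.0/24", 64497),
    ("203.0.113.0/24", 64499),    # prefix is registered, but for a different origin
    ("2001:db8::/32", 64496),
]

# Constructed IRR route/route6 objects as (prefix, origin ASN, source registry).
IRR_OBJECTS = [
    ("192.0.2.0/24", 64496, "RADB"),
    ("198.51.100.0/24", 64497, "RADB"),
    ("203.0.113.0/24", 64498, "RADB"),
    ("2001:db8::/32", 64496, "RADB"),
]

def index_irr(objects):
    """Map prefix -> set of origin ASNs that have a route/route6 object for it."""
    idx = {}
    for prefix, origin, _source in objects:
        idx.setdefault(ipaddress.ip_network(prefix), set()).add(origin)
    return idx

def classify_route(prefix, origin, idx):
    """'match': exact prefix + origin object exists.
    'origin_mismatch': the prefix is registered, but only for other ASNs.
    'covered_by_less_specific': no object for this exact prefix, only a shorter one
    for the same origin (a strict filter still drops the announcement).
    'missing': nothing registered covers it."""
    net = ipaddress.ip_network(prefix)
    origins = idx.get(net)
    if origins is not None:
        return "match" if origin in origins else "origin_mismatch"
    for registered, regs in idx.items():
        if registered.version == net.version and net.subnet_of(registered) and origin in regs:
            return "covered_by_less_specific"
    return "missing"

def irr_coverage(announced, objects):
    """Counts per category plus the percentage with an exact matching object."""
    idx = index_irr(objects)
    counts = Counter(classify_route(p, o, idx) for p, o in announced)
    total = sum(counts.values())
    pct = 100.0 * counts["match"] / total if total else 0.0
    return counts, round(pct, 1)

def report(announced, objects):
    counts, pct = irr_coverage(announced, objects)
    print("Total routes: %d" % sum(counts.values()))
    print("Routes with matching IRR record: %d (%.0f%%)" % (counts["match"], pct))
    for cat in ("origin_mismatch", "covered_by_less_specific", "missing"):
        print("  %s: %d" % (cat, counts[cat]))

if __name__ == "__main__":
    report(ANNOUNCED, IRR_OBJECTS)
```

The constructed data scores 3 of 5 exact matches; the two misses are the more-specific 192.0.2.0/25 (only the /24 is registered) and 203.0.113.0/24 (registered for AS64498, announced by AS64499), which is the kind of stale or proxy-registered object IRRExplorer is meant to surface.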
[ 33 ]
TR-CPS Participants With 100% Accurately Registered IPv4 Prefixes (19 Out of 64 Participant ASNs)