Upload File

routing security workshop - internet2...2018/10/18  · routing security workshop internet routing...

  • Home
  • Documents
  • Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation
33
Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2

Upload: others

Post on 25-May-2020

11 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Routing Security WorkshopInternet Routing Registries

Jeff BartigSenior Interconnection Architect, Internet2

Page 2: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 2 ]

IRR Presentation Overview

• NANOG 74 Updates• IRR Overview• IRR Tools• Internet2 Participant IRR Stats

Page 3: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 3 ]

NANOG 74 UPDATES

Page 4: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 4 ]

NANOG 74 – BGP Route Security Track

• Recent BGP Incidents, Andree Toonk/BGPmon• State of BGP Security, Alexander Azimov/QRator• Legal Barriers to Securing the Routing Architecture, Christopher Yoo,

David Wishnick/UPenn• Routing Security Roadmap, Job Snijders/NTT

– also given at NLNOG: https://nlnog.net/nlnog-day-2018/• So I need to Start Route Filtering Peers, Chris Morrow/Google

– Google tentatively plans to have reject data available for peers by January 1, 2019

– Tentative plans to drop routes not matching IRR data by March 1, 2019

• Track wasn’t recorded, but slides available– https://pc.nanog.org/static/published/meetings/NANOG74/1760/20181003_Tzvetanov_Security_Track_Bgp_v1.pdf

Page 5: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 5 ]

IRR OVERVIEW

Page 6: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 6 ]

IRR Overview

● What Is An Internet Routing Registry● Why Register IRR Objects● Important IRR Record Types● Querying RADB Whois● IRRExplorer – Checking Your Work

Page 7: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 7 ]

What Is An Internet Routing Registry (IRR)

● An IRR is a Public registry (database) of network routing information● Many registry options (RADB, ARIN, RIPE, AltDB, LEVEL3, ….)● Often an IRR will mirror the other IRRs to create a more complete database● Registry objects are specified using the Routing Policy Specification

Language (RPSL, RFC2622)● Registries can be used to document a network’s prefixes, ASNs, groups of

prefixes, groups of ASN, routing policy, and peers

Page 8: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 8 ]

Why Register IRR Objects

● Automation!● Standard method for communicating the list of prefixes your network plans

to advertise● Standard method for documenting the origin ASN for prefixes● Statement of ownership – more difficult to hijack● Some services require IRR objects

○ Transit providers○ Peering exchange route servers○ DDoS services (Zenedge)○ Peers

Page 9: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 9 ]

Why Register IRR Objects

But what if I don’t peer, use peering exchanges, use a DDoS mitigation provider, or buy transit from someone that requires proper IRR objects?

Your upstream providers may interact with other networks and services that do require IRR objects.

Page 10: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 10 ]

Why Register IRR Objects

● If you don’t document in an IRR, your routes may be blocked by peers of your transit providers or by your direct peers

● Routes with missing or incorrect IRR objects may be blocked temporarily or permanently when they are announced

● Routes may be preferenced lower if there are missing IRR objects● Difficult to troubleshoot the path packets take to reach you. You may not

realize you have issues.● Better to maintain your own data, rather than have an upstream provider

proxy register objects for your network

Page 11: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Why Register IRR Objects - PeeringDB.com

Page 12: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 12 ]

Important IRR Object Types

● A minimal deployment of IRR objects doesn’t require a lot of effort or object detail

● It is not necessary to document peers and route policy in your objects● Important object types

○ mntner: Maintainer - owner of the objects that you maintain○ route / route6: prefixes you plan to announce and their origin ASN○ aut-num: ASNs that originate your prefixes○ as-set: a grouping of aut-num objects and possibly other as-set objects

Page 13: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Important IRR Object Types - mntner

Page 14: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Important IRR Object Types - mntner

Page 15: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Important IRR Object Types - route/route6

Page 16: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Important IRR Object Types - aut-num

Page 17: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Important IRR Object Types - as-set

Page 18: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Important IRR Object Types - as-set

Page 19: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

RADB Whois - all routes with specific origin - !g

A### : start of response and number of characters in responseC : end of response

Page 20: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

RADB Whois - expand as-set - !i

!i : expand as-set!iAS-SET,1 : recursively expand as-set, expanding any as-sets contained in the as-set

Not expanded

Page 21: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

IRRExplorer – Checking Your Work

Page 22: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

IRRExplorer – Checking Your Work

Page 23: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

IRRExplorer – Checking Your Work

Page 24: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

IRRExplorer – Checking Your Work

Page 25: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

IRRExplorer – Checking Your Work

Old cruft toclean up

Page 26: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

IRRExplorer – Checking Your Work

Page 27: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

Useful IRR Links

● IRR Explorer: http://irrexplorer.nlnog.net● PeeringDB: https://www.peeringdb.com● List of IRR: http://www.irr.net/docs/list.html● List of IRR/RPSL RFCs: http://www.irr.net/docs/rpsl.html● RADB Whois Help/Examples:

○ http://www.radb.net/support/query1.php○ http://www.radb.net/support/query2.php

● ARIN IRR: https://www.arin.net/resources/routing/● Mutually Agreed Norms for Routing Security

● https://www.manrs.org● https://www.manrs.org/tutorials/irrs-rpki-peeringdb/

http://irrexplorer.nlnog.net/
https://www.peeringdb.com/
http://www.irr.net/docs/list.html
http://www.irr.net/docs/rpsl.html
http://www.radb.net/support/query1.php
http://www.radb.net/support/query2.php
https://www.arin.net/resources/routing/
https://www.manrs.org/
https://www.manrs.org/tutorials/irrs-rpki-peeringdb/
Page 28: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 28 ]

IRR TOOLS

Page 29: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 29 ]

Tools

● bgpq3 - https://github.com/snar/bgpq3● IRRExplorer - http://irrexplorer.nlnog.net/● IRRToolSet - https://github.com/irrtoolset/irrtoolset● IRR Power Tools - https://github.com/6connect/irrpt

https://github.com/snar/bgpq3
http://irrexplorer.nlnog.net/
https://github.com/irrtoolset/irrtoolset
https://github.com/6connect/irrpt
Page 30: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 30 ]

bgpq3

$ bgpq3 -J -l AS-ONENET-MEMBERS AS-ONENET-MEMBERSpolicy-options {replace:prefix-list AS-ONENET-MEMBERS {

64.112.240.0/20;66.186.144.0/20;129.15.0.0/16;129.15.0.0/17;...

}

Page 31: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 31 ]

INTERNET2 PARTICIPANT IRR

STATS

Page 32: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 32 ]

TR-CPS Participant routes vs IRR

• Total Customer routes in Internet2 trcps VRF: 5,594– Routes with matching IRR record: 3,376 (60%)– Route with no matching IRR record: 2,218 (40%)

Page 33: Routing Security Workshop - Internet2...2018/10/18  · Routing Security Workshop Internet Routing Registries Jeff Bartig Senior Interconnection Architect, Internet2 [ 2 ] IRR Presentation

[ 33 ]

TR-CPS Participants With 100% Accurately Registered IPv4 Prefixes (19 Out of 64 Participant ASNs)


Internet2 Security Initiatives DICE Meeting Joe St Sauver, Ph.D. ([email protected] or [email protected]) Manager, Internet2 Security Programs Internet2

Internet2 Overview Bob Riddle, Internet2 14 February 2003

Internet2 fall12

Cyberinfrastructure and Internet2 Eric Boyd Deputy Technology Officer Internet2

Internet2 Welcome

Bezpechnyy internet2

Solutions for Explicit Routing In Internet2 Gigapops and …routing.internet2.edu/wg-meetings/20020730-I2rwg-slides/daugherty... · Solutions for Explicit Routing In Internet2 Gigapops

Schools and Internet2 - TERENA · Schools and Internet2 SchoolNet BoF TERENA conference Poznan, Poland Heather Boyles Schools and Internet2 …

LISP: A Level of Indirection for Routing - Internet2

Internet2 1

13-Oct-2003 Internet2 End-to-End Performance Initiative: piPEs Eric Boyd, [email protected] Matt Zekauskas, [email protected] Internet2 International

BGP Tutorial - Internet2 · PDF fileWhat’s In Store? • Routing Architectures • BGP Basics • Path Selection (many examples) • BGP State Machine • Multiprotocol Extensions

Internet2’ION’Service’’ Overview’and’Status’ · Internet2’ION’Service’ • Mul=ple’Domain’Deployments’and’InterDomain’ ServiceProvisioning’ – ION’speaks’the’InterDomain’Controller

Peering Exchange Architectures Jeff Bartig University of Wisconsin WiscNet Engineering

Health Activities and Internet2 Mike McGill, Director, Internet2 Health Sciences, [email protected] Heather Boyles, Director, Internet2 International

Internet2 Overview Bob Riddle, Internet2 12 February 2003

Internet2 Engineering Update Guy Almes Internet2 Chief Engineer Internet2 Membership Meeting Washington — 8 October 1997

Internet2 Overview

Routing Measurements Matt Zekauskas, [email protected] ITF Meeting 2006-Apr-24

The Internet2 Network and International Connections Heather Boyles Director, International Relations, Internet2 [email protected]

Pengenalan internet2

Sydney I. Bartig

Chris Heermann, Internet2 chris.heermann@internet2

Presentacion Internet2

Www.internet2.edu. Internet2 Internet2 y Ecuador Heather Boyles [email protected] Ana Preston apreston@internet2 ESPOL Guayaquil, Ecuador Marzo 26

Internet2 Technology Update Rick Summerhill Chief Technology Officer, Internet2 [email protected] Internet2 Fall Member Meeting 9 October 2007 San Diego,

Consultor internet2

Ppt Internet2

DVTS Overview Ben Fineman [email protected] Internet2

Heather Boyles Director, International Relations, Internet2 heather@internet2

La Internet2

cuadros Internet2

Internet2. Internet2: Antecedentes y definiciones

Internet2 Today

Introducción internet2