rpki tutorial(pdf)

Rou$ngSecurityandRPKI

Presenters:SandraMurphy(sandy@$slabs.com) Parsons

Channeling:RandyBush([email protected])RobAustein([email protected])DragonResearchMichaelElkins(melkins@$slabs.com)Parsons

11/17/15 Parsons,NOTRStLouis,MO 1

Randy/Robslides

•  Basedonandsomeextractedfrom•  hQps://psg.com/140220.pdf•  hQps://nsrc.org/workshops/2014/sanog23-security/raw-aQachment/wiki/Agenda/2-4-1.rou$ng-protocols.pdf

•  hQps://nsrc.org/workshops/2014/sanog23-security/raw-aQachment/wiki/Agenda/2-4-1.RPKI-Lab.pdf


311/17/15

–  Apr1997–AS7007announcedroutestoalltheInternet–  Apr1998–AS8584mis-announced100Kroutes–  Dec1999–AT&T’sservernetworkannouncedbyanotherISP–misdirec$ngtheirtraffic(madetheWallStreetJournal)–  May2000–SprintaddressesannouncedbyanotherISP–  Apr2001–FlagTelecominLondonmis-announced5Kroutes–  Dec24,2004–thousandsofnetworksmisdirectedtoTurkey–  Feb10,2005:EstonianISPannouncedapartofMeritaddressspace–  Sep9,2005–AT&T,XOandBellSouth(12/8,64/8,65/8)misdirectedtoBolivia

[thenextday,Germany–prompPngAT&Ttodeaggregate]–  Jan22,2006–Manynetworks,includingPANIXandWalrusInternet,misdirectedtoNYISP(ConEdison)–  Feb26,2006-SprintandVeriobrieflypassedalongTTNET(Turkeyagain)announcementsthatitwastheoriginfor4/8,

8/8,and12/8–  Jul07,2007–Yahoounreachableforanhourduetomis-origina$ontoL3fromHanaroTelecom–  Feb24,2008–PakistanTelecomannouncesapartofYouTube’saddressblocks–  Mar-Nov2008–variousaddresseswithinDoDaddressblocksannouncedbyvariousISPs(oneinRussia,onein

Argen$na,othersinAustralia,Turkey,Indonesia,etc.)forperiodsupto3weeks–  Dec2008–AxtelinSanPedro,MXannouncesunallocatedaddressblock,andthensendsalargeamountofmailtraffic

(spam).–  Mar2010-Forthreeweeks,theaddressofChina'sowninternalversionoftheDNSrootzonewasadver$sedoutside

China.ThismadethealteredChinaversionoftherootzonevisibleoutsideChina(Asia,Chile,US,etc.)–  April2010-ChinaTelecommis-originatedabout15%ofInternetaddressblocks–  Jun2010–BGPmonreportsbogonIPv6announcementsmis-originatedbymul$pleISPstoCogent–noexplana$on–  Frequentfulltableleaks,e.g.,Sep08(Moscow),Nov08(Brazil),Jan09(Russia),Jul09(Sweden),…say“when”–  Frequentrouteleaks:viola$onofrou$ngpolicyofproviderorpeer–  RecentcomplaintsofmisbehaviorinIRRregistra$oncausingrou$ngmisbehavior(e.g.,RIPERou$ngandAn$-Abusewg

discussionNov2014)

HistoryofRou$ngIncidents

IntheLastTwoYears•  SeeAndreeToonk’spresenta$on:hQps://www.nanog.org/sites/default/files/monday_general_bgp_toonk_63.18.pdf

–  Turkeyand8.8.8.8(notBGP,exampleofcontrolofrou$ng)–  Bitcoinhijack–  Spammers

•  hQp://www.bgpmon.net/using-bgp-data-to-find-spammers/foranalysis(thatandmore)•  Sugges$onofspoofedIRRregistra$ontomakeitwork

–  SyriaTelecomhijackof1400prefixes–  RouteLeakaffec$ngCloudflare

•  Nov2013RenesysabouttargeQedredircen$on-egIcelandandBelarus•  April2014:AS4761Indostatmisoriginates400Kprefixes(damagezonevaries)•  Renesysabout“aQackinprogress”–coveredbyrouteobject,s$llorigina$ngsameorg’sprefixes,prefixnoworiginatedby

anotherAS.•  Vic$mreportedonNANOG–announcementofunusedspace–couldbeaspammer–AndreeToonkanalysis“ASNumber

43239…HasstartedhijackingourIPv4prefix…103.20.212.0/22<-Thisbelongstous.”•  USNOAA-NCDCoriginatedfromChinafor25hours•  IRRs–someIRRs(RADB,Level3,Savvis,etc.)have“lots”of“proxy-registered”objectsbyveryroughanalysis•  EuropeanISPsaysChinaISPregisteredprefixbelongingtoanothercustomer–origina$onsucceeded–validcustomergot

blamedforspam.•  NANOGOct162014:”AS6983isannouncinga/24outofspaceallocatedtoAS7922.”–EarthlinkandComcast•  March2015:Tier2announcesv6/25inTier1’sv6/24•  March2015:Enzu,routeleakofmorespecifics,7000prefixes,280ASNsimpacted•  12June2015:AS4788TelekomMalaysialeaked170Kprefixes,Level3propagated,BGPsessionsflapped,etc.•  29June2015:NTTpropagatesrouteleakofHEprefixes,HEcomplains•  30June2015:HEpropagateshijack:28,000prefixesfrom4,477AANsimpacted•  July2015:prefixhijackbyAS7514•  Nov2015:AS9498(BHARTIAirtelLtd.)hijack,16Kprefixes,3KASNsimpacted


5

SoMaybeIt’sNotSoBad…

•  Responseissome$mesunderanhour!–  ONLYifsomeoneno-ces–  WouldyoucallthatRELIABLEnetworking?–  Damagetoapplica-onsandinfrastructure

•  Thesearehumanmistakes,notaQacks–  Anythingpossiblethroughhumanerrorispossiblethroughhuman

intent–  Andsomeweredeliberate

•  Therearebiggeroutagesduetohardwareandsovwarefailures

–  Butthosearen’texploitabledeterminis-callyandremotely(mostly)

11/17/15DHSEARSKickoff 5

11/17/15

ASrela$onships(WhyOnEarthDoesisSpreadSoFar?

transitprovider

transitprovider

ISPA ISPB ISPC

customer customer customer

provider-(paying)customer

peers,exchangingcustomertraffic(usuallyfree)

Note:TrafficA<->CdoesnotgothroughB!(butpathexists)Parsons,NOTRStLouis,MO

ASNsPropagatedChinaTelecom’sRoutesChinaTelecom

Internet2Cogent

NTTAmerica

ChinanetBackbone

CenturyLinkAT&T

Services

RGNetAlaskaFiberstar

Educa$onNetworksof

NA

CaliforniaStateUniv.

Swisscom,CH

RogersCable,CA

KDDI,JP

AsiaPacificAdvancedNetwork

HurricaneElectric

RUNNET

GlobalnetRU


CommonWisdom“Don’tbeThatGuy(Gal)”

•  Filterbogonsandmar$anprefixes•  Inboundprefixfilteroncustomers

–  UseIRRbasedprefixfilters•  Getyourdownstreamstocreaterouteobjectsbeforeyouturnthemup.

–  Getyourprovisioningteamstovalidatetheprefixesbeingprovidedbyyourdownstreams.

–  Usebothprefix-andAS_PATH-basedfiltersforyourdownstreams.–  fullyautomateingressprefixmanagement

•  outboundprefix-filteronalltransit&peeringsessions–  OutboundAS_Pathfilterforrouteleaks(checkfortransitandpeer)–  UseBGPcommunitybasedroutefilteringinoutboundpolicy.

•  Max-prefixtocatchmassiveproblems–  usemaxprefixeswithmanualreenableonallebgpsessions

•  Noexcep$ons.



CurrentPrac$ce:InternetRou$ngRegistrybasedfiltering

•  IRRsaredatabases–  RegisteranAS’srou$ngpolicy–  routeobjects–prefixestheASassertsitmayoriginate

•  30+IRRs,someassociatedwithRIRs,somenot•  Thereisatrustmodel–RFC2725(allocateonlyoutofyouralloca$on,cancreate

routeobjectonlyforyourASandyourprefix)•  RIRbasedIRRscan$ealloca$ontoregistra$onofobjects

–  Knowwhetherregistrantisauthorizedtospeakforprefix/AS–  CANfollowRFC2725forresourcesintheirregions,CANNOTforoutsideregion

•  NonRIRbasedIRRs(RADB,Level3,Savvis,…)cannottellifregistrantisauthorized–  CanNOTfollowRFC2725

•  Trustmodeldoesn’tscale–channelsecurity•  Usedoesn’tscale.SeeJaredMauch(260Klinesofprefixlist,96%ofconfigisprefix

lists,5mincommit$mes)Mar14IEPG–  hQp://iepg.org/2014-03-02-iez89/iez89_iepg_jmauch.pdf–  InJun2015,NTTreportsconfigfilehasgrownanother100Klines

GoodToolsAbound•  hQp://bgp.he.net•  hQps://stat.ripe.net•  hQp://irrexplorer.nlnog.net•  hQp://www.routeviews.org

–  hQps://github.com/cmu-sei/bgpuma


AStrongerSolu$oninThreeParts

•  PrefixHolder:Whohastherighttouseaprefix?–  ResourcePublicKeyInfrastructure–RPKI

•  OriginValida$on:Whoisauthorizedtooriginatearoutetoaprefix?–  BasedontheRPKI:onlytheprefixholdercansay–  Preventmis-origina$ons–commonhijacks

•  PathValida$on:Whohastherighttopropagatearoute?–  BasedontheRPKI:onlytheASwhopropagatescansay–  Preventpathproblems:bogusfirsthop,mayberouteleaks


12 11/17/15

Net 2.0.0.0

AS_PATH =123 prefix=

7.2.5.0

AS 123 AS 345 AS 567 AS_PATH =345,654,123 prefix= 7.2.5.0 BGP BGP BGP

TCP

IP

TCP

IP

TCP

IP

MIS-ORIGINATION MIS-CONSTRUCTION of PATH e.g., AS_PATH POISONING

ROUTING INFO

ATTACKS:

BGPVulnerabili$es

Parsons,NOTRStLouis,MO

1311/17/15

InternetAssignedNumbersAuthority

JustWhoDoesHoldanAddress?

IANA

AFRNIC APNIC ARIN LACNIC RIPE

ISP ISP

Customer CustomerISP

Customer

Suballoca-onsofaddresses

Enterprise

RegionalInternetRegistries Legacy

1411/17/15

RPKI-ResourceCer$ficates

IANA


ISP ISP

Customer CustomerISP

Customer

EnterpriseEachsuballoca-onisrepresentedinacer-ficate

________________________

________________________

________________________

________________________

________________________

________________________

________________________

________________________

________________________

________________________

ResourcecerPficate,notidenPtycerPficate

________________________

________________________

Legacy________________________


Certificate lists the addresses you hold and who gave them to you

OriginValida$on:Certs&RouteOriginAuthoriza$on

Enterprise

IANA

ARIN

ISP

Sign a Route Origin Authorization (ROA) for your address space Your certificate validates the signature ISP

ROASignedObject Signed by: EnterpriseKey Addresses: someofyouraddresses Valid Origin: some ASn

The ROA lists the valid origins for those addresses

CA certificate Key: EnterpriseKey Signed by: ARIN Addresses: 10.2/16 (10.2.0.0 – 10.2.255.255)

______ ______ ______ ______

____ ____

____ ____

____ ____


RPKIArchitectureinSingleASGloballyDistributedRepositories

• Localcacheiskeptinsyncwithglobaldistributedrepositories• Localcachedoesallneededcrypto• Routersneedonlyreceivelistof(authorizedorigin,address)pairs• *N*O*cryptointherouters

Localrepositorycaches

PoP

PoP

PoP

ISP


TwoSidesofThis

•  Securingroutestoyouraddresses–  Getcer$ficatesforyour

addressspace–  SignROAs–  MaintainaCArepository–  Createcer$ficatesforyour

customers•  Ifyougivethemaddresses

•  Thinkofthisassigningthebackofyourcreditcard

•  Securingroutestoothers’addresses–  RetrieveROAsfromotherCA

repositories–  Validatereceivedroutesagainst

theRPKIdata•  Thinkofthisascheckingtheback

ofacreditcardtenderedtoyouforasale

Hosted service Outsourced service Offline retrieval & crypto

Thinking “Wow, Lots of WORK!”? Don’t Panic

1811/17/15

StatusonMul$pleFronts:Specs•  IETFSIDRRFCs

– 24documentspublishedasRFCs

IANA


ISP ISPEnterprise

________________________

________________________

Legacy

ISP

________________________

ISP

________________________

________________________

ISP

________________________

Certs,ROAs,cer$ficatepolicy,repositorystructure,cer$ficatemanagementprotocol(aka“up/down”),etc.

routevalida$on,RPKI-to-routerprotocol,commonopera$ons,MIB,etc.

GloballyDistributedRepositories

Localrepositorycaches

PoP

PoP

PoP

ISP


RIPE:20%ofmembers,7000prefixes,>6/8s1500ASNs

StatusonMul$pleFronts:RPKI

StatusonMul$pleFronts-RPKI


TakenfromhQp://cer$fica$on-stats.ripe.net/

RPKIstatsandmonitors

•  hQp://www.labs.lacnic.net/rpkitools/looking_glass/

•  hQp://www-x.antd.nist.gov/rpki-monitor/•  hQp://cer$fica$on-stats.ripe.net/•  hQp://rpki.surfnet.nl/index.html•  hQp://www.hactrn.net/opaque/rcynic/


StatusonMul$pleFronts:OriginValida$on

•  Cisco:– High-end&mid-rangeroutersrunningIOS-XR

•  MinimumreleaseXR4.2.1– Access/EnterpriseroutersrunningIOS-XE

•  MinimumreleaseXE3.5

•  Juniper–  JuniperprovidesofficialsupportforRPKIsincerelease12.2.

•  Alcatel-Lucent


OriginValida$onConfigura$on•  SeeexamplesatRIPE

hQps://www.ripe.net/manage-ips-and-asns/resource-management/cer$fica$on/router-configura$on•  JunOS

–  First:Setupcommunica$onwithlocalRPKIcache–  Second:Assignalocal-preferencebasedontheRPKIvalidityaQribute

policy-op$ons{policy-statementvalida$on{termvalid{from{protocolbgp;valida$on-databasevalid;}then{valida$on-statevalid;communityaddorigin-valida$on-state-valid;nextpolicy;}}}}


OriginValida$onConfigura$ons•  Seeexamplesat

hQps://www.ripe.net/manage-ips-and-asns/resource-management/cer$fica$on/router-configura$on

•  CISCO–  First:Setupcommunica$onwithlocalRPKIcache–  Second:Assignalocal-preferencebasedontheRPKIvalidityaQribute

!route-maprpki-loc-prefpermit10matchrpkiinvalidsetlocal-preference90!route-maprpki-loc-prefpermit20matchrpkinot-foundsetlocal-preference100!route-maprpki-loc-prefpermit30matchrpkivalidsetlocal-preference110


MoreCISCOConfigOp$ons


Fairly Secure route-map validity-0

match rpki valid

set local-preference 100

route-map validity-1

match rpki not-found


! invalid is dropped

DRL RPKI Origin Validation 68

Paranoid

route-map validity-0

match rpki valid


! everything else dropped


JunosShowValida$on

195.24.160.0/19*[BGP/170]00:03:59,MED2000,localpref50,from87.238.63.5 ASpath:335635494788693939648I,valida$on-state:unverified >to87.238.63.56viaae0.0 [BGP/170]00:05:24,MED0,localpref50,from87.238.63.2 ASpath:335635494788693939648I,valida$on-state:unverified >to87.238.63.56viaae0.0 [BGP]01:16:00,MED25245,localpref100 ASpath:35494788693939648I,valida$on-state:unverified >to64.210.69.85viaxe-1/1/0.0


CiscoShowValida$on


Valid! r0.sea#show bgp 192.158.248.0/24 BGP routing table entry for 192.158.248.0/24, version 3043542 Paths: (3 available, best #1, table default) 6939 27318 206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 319, localpref 100, valid, internal, best Community: 3130:391 path 0F6D8B74 RPKI State valid 2914 4459 27318 199.238.113.9 from 199.238.113.9 (129.250.0.19) Origin IGP, metric 43, localpref 100, valid, external Community: 2914:410 2914:1005 2914:3000 3130:380 path 09AF35CC RPKI State valid


Invalid! r0.sea#show bgp 198.180.150.0 BGP routing table entry for 198.180.150.0/24, version 2546236 Paths: (3 available, best #2, table default) Advertised to update-groups: 2 5 6 8 Refresh Epoch 1 1239 3927 144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2) Origin IGP, metric 759, localpref 100, valid, internal Community: 3130:370 path 1312CA90 RPKI State invalid



RIPE:20%ofmembers,7000prefixes,>6/8s1500ASNs

StatusonMul$pleFronts:OriginValida$on

OriginValida$onDeployment•  IETFhasusedrpki.netforseveralIETFsinarow(seesfewinvalids)•  IXPs

–  Sep2015:AMS-IXbeginningtoofferRPKIbasedfilteringintheirrouteservers

–  Oct2014:FrenchIXPannouncestheyhavebeguntouseRPKIforfiltering

–  IXPsinRIPEhavesuggestedRPKIasserviceformembers•  EsnetdoingRPKIbasedoriginvalida$on–prefvalid•  MajorEuropeanISPtes$ngininternallab,requestsforfeatures•  Rpki.netvirtualtestbedandAltCA–adozenorsoac$ve

par$cipants(Comcast,ATT,ESnet,LACNIC,Europeanfolk,Google)•  FCCCSRICIIIWG6report2013“Cau$ous,stageddeploymentof

RPKIRouteOriginValida$on”•  FrenchANSSIagency2014recommendsuseofRPKIandROAs


CurrentIssues•  Technical

–  Legacyspace(44%oforgsinARIN,56%ofaddresses)–  Rsyncperformance–  Valida$onreconsidered–  Legacyspace

•  Non-technical–  Mis-useofhierarchicalauthority(errors,courtorders)–  Impactonrou$ngfromRIRac$ons,servicelevel,etc.–  Theusualproblemswithnewtechnology–effortandcost–

•  andusualproblemwithnewsecuritytechnology–hardforuserstoseeimmediatedirectbenefit–

•  andinfrastructuretechnology–nooneisincharge•  SeeWesGeorgetalkathQps://www.nanog.org/sites/default/files/

wednesday_george_adventuresinrpki_62.9.pdf


Extraslides



TheWayThisGoes...ARIN

Acme AS27

Customer S

ISP AS56 ISP AS12 Acme’s service providers

ARIN allocates 10.2/16 Acme signs two ROAs

Acme suballocates 10.2.1/24

ROASignedObject, Signed by S Addresses: 10.2.1/24 Valid Origin: AS27

S signs one ROA CA certificate Customer S’s key Signed by: Acme Addresses: 10.2.1/24

CA certificate ACME’s key Signed by: ARIN Addresses: 10.2/16

ROASignedObject, Signed by ACME Addresses: 10.2/16 Valid Origin: AS12 ROASignedObject, Signed by ACME

Addresses: 10.2/16 Valid Origin: AS56


BGPProcess

Ingress filters

Best path decision

Egress filters

AS_PATH =123, prefix= 2/8

AS 123 AS 345 AS 567

AS_PATH=345, 123, prefix= 2/8

Net 2.0.0.0

AS 789 AS 891

AS_PATH=789, prefix= 2/8

• BGPreceivesmanyroutestothesameprefix• Ingressfilterdecideswhatroutestoconsider• Decisionprocesspicksjustonebestroute• Egressfilterdecideswhatneighborsreceiveanupdate

11/17/15 34

IRRBasedFilters•  RegistriescouldbeusedtocheckNLRIorigina$on,AS_PATHs,etc.

•  Levelofprotec$onfromuseofregistryreliesonregistrycontainingcompleteandaccurateinforma$on,includingpeeringandpolicy

•  Communica$onwithregistrywouldhavetobeprotected

•  IRRsareknowntobeinaccurate,incomplete,stale,andmanyhaveliQletonosecurityapplied

Parsons,NOTRStLouis,MO

WorkshopinaBox

DynaMIPS on MacMini

Global Internet

2-4-1 RPKI Lab 7 Seattle Dallas

98.128.0.0/16!98.128.0.0/24!98.128.1.0/24!…!98.128.31.0/24!

98.128.0.0/16!98.128.0.0/24!98.128.1.0/24!…!98.128.31.0/24!

AS3130 AS4128

AS65000

RPKI Cache

RPKI-Rtr Protocol

AS65001

202.144.137.27

10.0.0.0/8

Creative Commons: Attribution & Share Alike

ExtractedfromRandyBush’sworkshopslidesh;ps://psg.com/140118.pdf

RandyBush’sWorldTraveledWorkshopSet-Up

11/17/15 2Parsons,NOTRStLouis,MO

VMtotallyself-containedenvironment–nooutsidedependenciesComeswithlocaltrustanchorsoyoucangeneratecertsforyourownprefixesUseforexperimentaVon,training,tesVng,whatever

BIRD1 BIRD2

Quagga1 Quagga8.......

RPKICache

WorkshopinaBox


Announcing192.168.0.0/16192.168.1.0/24etc

WorkshopGUI


rpki tutorial(pdf)

Documents