RPKI tutorial (PDF)
TRANSCRIPT
Routing Security and RPKI
Presenters: Sandra Murphy (sandy@tislabs.com), Parsons
Channeling: Randy Bush ([email protected]), Rob Austein ([email protected]), Dragon Research; Michael Elkins (melkins@tislabs.com), Parsons
11/17/15 Parsons, NOTR St Louis, MO 1
Randy/Rob slides
• Based on and some extracted from
  • https://psg.com/140220.pdf
  • https://nsrc.org/workshops/2014/sanog23-security/raw-attachment/wiki/Agenda/2-4-1.routing-protocols.pdf
  • https://nsrc.org/workshops/2014/sanog23-security/raw-attachment/wiki/Agenda/2-4-1.RPKI-Lab.pdf
History of Routing Incidents
– Apr 1997 – AS7007 announced routes to all the Internet
– Apr 1998 – AS8584 mis-announced 100K routes
– Dec 1999 – AT&T's server network announced by another ISP – misdirecting their traffic (made the Wall Street Journal)
– May 2000 – Sprint addresses announced by another ISP
– Apr 2001 – Flag Telecom in London mis-announced 5K routes
– Dec 24, 2004 – thousands of networks misdirected to Turkey
– Feb 10, 2005: Estonian ISP announced a part of Merit address space
– Sep 9, 2005 – AT&T, XO and BellSouth (12/8, 64/8, 65/8) misdirected to Bolivia [the next day, Germany – prompting AT&T to deaggregate]
– Jan 22, 2006 – Many networks, including PANIX and Walrus Internet, misdirected to NY ISP (ConEdison)
– Feb 26, 2006 – Sprint and Verio briefly passed along TTNET (Turkey again) announcements that it was the origin for 4/8, 8/8, and 12/8
– Jul 07, 2007 – Yahoo unreachable for an hour due to mis-origination to L3 from Hanaro Telecom
– Feb 24, 2008 – Pakistan Telecom announces a part of YouTube's address blocks
– Mar-Nov 2008 – various addresses within DoD address blocks announced by various ISPs (one in Russia, one in Argentina, others in Australia, Turkey, Indonesia, etc.) for periods up to 3 weeks
– Dec 2008 – Axtel in San Pedro, MX announces unallocated address block, and then sends a large amount of mail traffic (spam).
– Mar 2010 – For three weeks, the address of China's own internal version of the DNS root zone was advertised outside China. This made the altered China version of the root zone visible outside China (Asia, Chile, US, etc.)
– April 2010 – China Telecom mis-originated about 15% of Internet address blocks
– Jun 2010 – BGPmon reports bogon IPv6 announcements mis-originated by multiple ISPs to Cogent – no explanation
– Frequent full table leaks, e.g., Sep 08 (Moscow), Nov 08 (Brazil), Jan 09 (Russia), Jul 09 (Sweden), … say "when"
– Frequent route leaks: violation of routing policy of provider or peer
– Recent complaints of misbehavior in IRR registration causing routing misbehavior (e.g., RIPE Routing and Anti-Abuse WG discussion Nov 2014)
In the Last Two Years
• See Andree Toonk's presentation: https://www.nanog.org/sites/default/files/monday_general_bgp_toonk_63.18.pdf
  – Turkey and 8.8.8.8 (not BGP, example of control of routing)
  – Bitcoin hijack
  – Spammers
    • http://www.bgpmon.net/using-bgp-data-to-find-spammers/ for analysis (that and more)
    • Suggestion of spoofed IRR registration to make it work
  – Syria Telecom hijack of 1400 prefixes
  – Route Leak affecting Cloudflare
• Nov 2013: Renesys about targeted redirection – e.g., Iceland and Belarus
• April 2014: AS4761 Indosat misoriginates 400K prefixes (damage zone varies)
• Renesys about "attack in progress" – covered by route object, still originating same org's prefixes, prefix now originated by another AS.
• Victim reported on NANOG – announcement of unused space – could be a spammer – Andree Toonk analysis: "AS Number 43239 … Has started hijacking our IPv4 prefix … 103.20.212.0/22 <- This belongs to us."
• US NOAA-NCDC originated from China for 25 hours
• IRRs – some IRRs (RADB, Level3, Savvis, etc.) have "lots" of "proxy-registered" objects by very rough analysis
• European ISP says China ISP registered prefix belonging to another customer – origination succeeded – valid customer got blamed for spam.
• NANOG Oct 16 2014: "AS6983 is announcing a /24 out of space allocated to AS7922." – Earthlink and Comcast
• March 2015: Tier 2 announces v6 /25 in Tier 1's v6 /24
• March 2015: Enzu, route leak of more specifics, 7000 prefixes, 280 ASNs impacted
• 12 June 2015: AS4788 Telekom Malaysia leaked 170K prefixes, Level3 propagated, BGP sessions flapped, etc.
• 29 June 2015: NTT propagates route leak of HE prefixes, HE complains
• 30 June 2015: HE propagates hijack: 28,000 prefixes from 4,477 ASNs impacted
• July 2015: prefix hijack by AS7514
• Nov 2015: AS9498 (BHARTI Airtel Ltd.) hijack, 16K prefixes, 3K ASNs impacted
So Maybe It's Not So Bad…
• Response is sometimes under an hour!
  – ONLY if someone notices
  – Would you call that RELIABLE networking?
  – Damage to applications and infrastructure
• These are human mistakes, not attacks
  – Anything possible through human error is possible through human intent
  – And some were deliberate
• There are bigger outages due to hardware and software failures
  – But those aren't exploitable deterministically and remotely (mostly)
11/17/15 DHS EARS Kickoff 5
AS Relationships (Why On Earth Does It Spread So Far?)
[Figure: two transit providers at the top; ISP A, ISP B and ISP C below them, each with its own customers. Edge types: provider – (paying) customer; peers, exchanging customer traffic (usually free).]
Note: Traffic A<->C does not go through B! (but path exists)
ASNs Propagated China Telecom's Routes
[Figure: China Telecom (Chinanet Backbone) at the centre; ASNs that propagated its routes: Internet2, Cogent, NTT America, CenturyLink, AT&T Services, RGNet, Alaska Fiberstar, Education Networks of NA, California State Univ., Swisscom (CH), Rogers Cable (CA), KDDI (JP), Asia Pacific Advanced Network, Hurricane Electric, RUNNET, Globalnet (RU).]
Common Wisdom: "Don't Be That Guy (Gal)"
• Filter bogons and martian prefixes
• Inbound prefix filter on customers
  – Use IRR based prefix filters
    • Get your downstreams to create route objects before you turn them up.
  – Get your provisioning teams to validate the prefixes being provided by your downstreams.
  – Use both prefix- and AS_PATH-based filters for your downstreams.
  – Fully automate ingress prefix management
• Outbound prefix-filter on all transit & peering sessions
  – Outbound AS_PATH filter for route leaks (check for transit and peer)
  – Use BGP community based route filtering in outbound policy.
• Max-prefix to catch massive problems
  – Use max-prefix with manual re-enable on all eBGP sessions
• No exceptions.
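The practices on this slide (martian filtering, an IRR-derived prefix-list, an AS_PATH check against the customer's AS-SET, max-prefix) combined into one customer ingress policy, as an added Python example for this tutorial. It is not code from the slides or from a vendor. The RPSL route objects and the UPDATEs are constructed: 98.128.0.0/16 and AS3130 are borrowed from the deck's lab topology, AS65001/AS65002 are private ASNs standing in for a customer's customer and for a non-customer, and the martian list is the usual RFC 1918/RFC 6890 subset, not a complete production list.

```python
"""Pre-RPKI customer ingress policy: martian filter, IRR-derived prefix-list,
AS_PATH check, max-prefix. Added example, not code from the slides."""
import ipaddress
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network

# Constructed RPSL route objects, in the form an IRR (RADB, RIPE, ...) returns.
IRR_DUMP = """\
route:   98.128.0.0/16
origin:  AS3130
source:  RADB

route:   98.128.0.0/24
origin:  AS65001
source:  RADB

route:   98.200.0.0/16
origin:  AS65002
source:  RADB
"""

# Martians/bogons no eBGP neighbour may send (assumption: a common subset of
# the RFC 1918 / RFC 6890 special-purpose IPv4 ranges; real lists are longer).
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def parse_route_objects(text: str) -> Dict[int, List[Net]]:
    """Map origin ASN -> registered prefixes from blank-line separated route objects."""
    routes: Dict[int, List[Net]] = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            asn = int(attrs["origin"].upper().replace("AS", "", 1))
            routes.setdefault(asn, []).append(ipaddress.ip_network(attrs["route"]))
    return routes


def build_prefix_list(as_set: Set[int], routes: Dict[int, List[Net]],
                      max_len: int = 24) -> List[Tuple[Net, int]]:
    """Prefix-list for a customer: every route object of the customer's AS-SET
    expansion, accepting more-specifics down to max_len (what bgpq3 -m 24 emits)."""
    return [(net, max_len) for asn in sorted(as_set) for net in routes.get(asn, [])]


def ingress_filter(prefix: str, as_path: List[int], neighbor_as: int, as_set: Set[int],
                   prefix_list: List[Tuple[Net, int]], max_prefix: int,
                   accepted_so_far: int) -> Tuple[bool, str]:
    """Decide whether one UPDATE from the customer is accepted; returns (accept, reason)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        return False, "IPv6 not handled in this example"
    if any(net.subnet_of(m) or m.subnet_of(net) for m in MARTIANS):
        return False, "martian/bogon prefix"
    if net.prefixlen > 24:
        return False, "more specific than /24"
    if not as_path or as_path[0] != neighbor_as:
        return False, "first hop is not the neighbour AS"
    if not set(as_path) <= as_set:
        # The customer's AS-SET says who may appear behind it; anything else is a leak.
        leaked = sorted(set(as_path) - as_set)
        return False, f"AS_PATH contains non-customer AS {leaked} (route leak)"
    if not any(net.subnet_of(p) and net.prefixlen <= ml for p, ml in prefix_list):
        return False, "prefix not covered by IRR-derived prefix-list"
    if accepted_so_far >= max_prefix:
        return False, "max-prefix reached: shut the session, manual re-enable"
    return True, "accept"


def demo() -> List[Tuple[str, bool, str]]:
    """Run constructed UPDATEs from neighbour AS3130 through the policy."""
    routes = parse_route_objects(IRR_DUMP)
    as_set = {3130, 65001}                    # AS-SET expansion for this customer
    plist = build_prefix_list(as_set, routes)
    updates = [
        ("98.128.5.0/24", [3130]),            # more-specific of the registered /16
        ("98.128.0.0/24", [3130, 65001]),     # the customer's own customer
        ("98.200.0.0/16", [3130, 65002]),     # AS65002 is not in the AS-SET: leak
        ("10.2.0.0/16", [3130]),              # RFC 1918 martian
        ("98.128.9.0/24", [65001, 3130]),     # first hop is not the neighbour
        ("98.130.0.0/16", [3130]),            # not registered in the IRR
    ]
    out = []
    for i, (pfx, path) in enumerate(updates):
        ok, why = ingress_filter(pfx, path, 3130, as_set, plist, 100, i)
        out.append((pfx, ok, why))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The order of the checks matters: martians and the first-hop test are cheap and neighbour-independent, the AS-SET test catches leaks even when the leaked prefix happens to be registered, and max-prefix is evaluated last because it is a session-level fuse, not a per-route decision.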
Current Practice: Internet Routing Registry based filtering
• IRRs are databases
  – Register an AS's routing policy
  – route objects – prefixes the AS asserts it may originate
• 30+ IRRs, some associated with RIRs, some not
• There is a trust model – RFC 2725 (allocate only out of your allocation, can create route object only for your AS and your prefix)
• RIR based IRRs can tie allocation to registration of objects
  – Know whether registrant is authorized to speak for prefix/AS
  – CAN follow RFC 2725 for resources in their regions, CANNOT for outside region
• Non-RIR based IRRs (RADB, Level3, Savvis, …) cannot tell if registrant is authorized
  – Can NOT follow RFC 2725
• Trust model doesn't scale – channel security
• Use doesn't scale. See Jared Mauch (260K lines of prefix list, 96% of config is prefix lists, 5 min commit times) Mar 14 IEPG
  – http://iepg.org/2014-03-02-ietf89/ietf89_iepg_jmauch.pdf
  – In Jun 2015, NTT reports config file has grown another 100K lines
Good Tools Abound
• http://bgp.he.net
• https://stat.ripe.net
• http://irrexplorer.nlnog.net
• http://www.routeviews.org
  – https://github.com/cmu-sei/bgpuma
A Stronger Solution in Three Parts
• Prefix Holder: Who has the right to use a prefix?
  – Resource Public Key Infrastructure – RPKI
• Origin Validation: Who is authorized to originate a route to a prefix?
  – Based on the RPKI: only the prefix holder can say
  – Prevents mis-originations – the common hijacks
• Path Validation: Who has the right to propagate a route?
  – Based on the RPKI: only the AS who propagates can say
  – Prevents path problems: bogus first hop, maybe route leaks
BGP Vulnerabilities
[Figure: three ASes, AS 123 – AS 345 – AS 567, joined by BGP sessions, each session running over TCP over IP. AS 123 holds Net 2.0.0.0 but announces prefix 7.2.5.0 with AS_PATH = 123 (mis-origination); AS 567 receives prefix 7.2.5.0 with AS_PATH = 345, 654, 123 (mis-construction of path).]
ATTACKS on routing info:
– MIS-ORIGINATION
– MIS-CONSTRUCTION of PATH, e.g., AS_PATH POISONING
Just Who Does Hold an Address?
[Figure: the allocation hierarchy. IANA (Internet Assigned Numbers Authority) at the top; below it the Regional Internet Registries AFRINIC, APNIC, ARIN, LACNIC, RIPE; below them ISPs; below those Customers and customer ISPs with their own Customers; also Enterprise and Legacy holders. Sub-allocations of addresses flow down the tree.]
RPKI – Resource Certificates
[Figure: the same allocation hierarchy (IANA → AFRINIC, APNIC, ARIN, LACNIC, RIPE → ISP → Customer, Customer ISP → Customer; Enterprise; Legacy), with a certificate drawn at every sub-allocation.]
• Each sub-allocation is represented in a certificate
• Resource certificate, not identity certificate
• The certificate lists the addresses you hold and who gave them to you
Origin Validation: Certs & Route Origin Authorization
[Figure: IANA → ARIN → Enterprise, with the Enterprise's ISPs alongside. Sign a Route Origin Authorization (ROA) for your address space; your certificate validates the signature.]
CA certificate
  Key: EnterpriseKey
  Signed by: ARIN
  Addresses: 10.2/16 (10.2.0.0 – 10.2.255.255)
ROA Signed Object
  Signed by: EnterpriseKey
  Addresses: some of your addresses
  Valid Origin: some ASN
The ROA lists the valid origins for those addresses
RPKI Architecture in a Single AS
[Figure: Globally Distributed Repositories → local repository caches inside the ISP → routers at each PoP.]
• Local cache is kept in sync with global distributed repositories
• Local cache does all needed crypto
• Routers need only receive list of (authorized origin, address) pairs
• *N*O* crypto in the routers
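What "routers need only receive a list of (authorized origin, address) pairs" looks like on the wire, as an added Python example for this tutorial (not code from the slides, from rpki.net or from any router vendor): encoding and decoding of RPKI-to-Router PDUs in the RFC 6810 layout, and the router side consuming a Cache Response ... End of Data exchange to build its table. The sample exchange is constructed: 10.2.0.0/16 with AS12/AS56 echoes the Acme example later in the deck, 2001:db8::/32 is a documentation prefix, and session id 7 and serial 42 are arbitrary.

```python
"""Minimal RPKI-to-Router (RFC 6810, protocol version 0) PDU codec and the
router-side handling of a cache response. Added example, not from the slides."""
import ipaddress
import struct
from typing import Iterator, Set, Tuple

RTR_VERSION = 0                      # RFC 6810; RFC 8210 (v1) keeps the prefix PDU layout
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET = 4, 6, 7, 8
FLAG_ANNOUNCE = 0x01                 # low bit of Flags: 1 = announce, 0 = withdraw

HEADER = struct.Struct("!BBHI")      # version, PDU type, session id (or zero), total length
VRP = Tuple[str, int, int]           # (prefix, max length, origin AS)


def _frame(pdu_type: int, session_id: int, body: bytes) -> bytes:
    return HEADER.pack(RTR_VERSION, pdu_type, session_id, HEADER.size + len(body)) + body


def encode_reset_query() -> bytes:
    return _frame(RESET_QUERY, 0, b"")


def encode_cache_response(session_id: int) -> bytes:
    return _frame(CACHE_RESPONSE, session_id, b"")


def encode_prefix_pdu(prefix: str, asn: int, max_length: int, announce: bool) -> bytes:
    """IPv4 Prefix (type 4, 20 bytes) or IPv6 Prefix (type 6, 32 bytes) PDU."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("max length must lie between prefix length and address size")
    flags = FLAG_ANNOUNCE if announce else 0
    body = (struct.pack("!BBBB", flags, net.prefixlen, max_length, 0)
            + net.network_address.packed + struct.pack("!I", asn))
    return _frame(IPV4_PREFIX if net.version == 4 else IPV6_PREFIX, 0, body)


def encode_end_of_data(session_id: int, serial: int) -> bytes:
    return _frame(END_OF_DATA, session_id, struct.pack("!I", serial))


def iter_pdus(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Split a byte stream into (type, session id, body), refusing bad lengths."""
    off = 0
    while off < len(stream):
        if len(stream) - off < HEADER.size:
            raise ValueError("truncated PDU header")
        version, pdu_type, session_id, length = HEADER.unpack_from(stream, off)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported protocol version {version}")
        if length < HEADER.size or off + length > len(stream):
            raise ValueError("PDU length field does not fit the data")
        yield pdu_type, session_id, stream[off + HEADER.size:off + length]
        off += length


def apply_cache_response(stream: bytes, table: Set[VRP]) -> Tuple[int, int]:
    """Router side: consume Cache Response ... End of Data, updating `table`
    in place. Returns (session id, serial) to remember for the next Serial Query."""
    session = None
    for pdu_type, session_id, body in iter_pdus(stream):
        if pdu_type == CACHE_RESPONSE:
            session = session_id
        elif pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
            if session is None:
                raise ValueError("prefix PDU before Cache Response")
            addr_len = 4 if pdu_type == IPV4_PREFIX else 16
            if len(body) != 4 + addr_len + 4:
                raise ValueError("prefix PDU has wrong length")
            flags, plen, max_len, _zero = struct.unpack_from("!BBBB", body)
            addr = ipaddress.ip_address(body[4:4 + addr_len])
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            if not plen <= max_len <= addr_len * 8:
                raise ValueError("prefix/max length out of range")
            entry: VRP = (f"{addr}/{plen}", max_len, asn)
            if flags & FLAG_ANNOUNCE:
                table.add(entry)
            else:
                table.discard(entry)      # a withdraw names the same triple it announced
        elif pdu_type == END_OF_DATA:
            if session_id != session:
                raise ValueError("End of Data session id does not match Cache Response")
            if len(body) != 4:
                raise ValueError("End of Data body is 4 bytes in protocol version 0")
            return session_id, struct.unpack("!I", body)[0]
        else:
            raise ValueError(f"unexpected PDU type {pdu_type} in cache response")
    raise ValueError("stream ended without End of Data")


def sample_exchange() -> bytes:
    """Constructed cache->router stream: announce three VRPs, withdraw one."""
    return (encode_cache_response(7)
            + encode_prefix_pdu("10.2.0.0/16", 12, 24, announce=True)
            + encode_prefix_pdu("10.2.0.0/16", 56, 16, announce=True)
            + encode_prefix_pdu("2001:db8::/32", 56, 48, announce=True)
            + encode_prefix_pdu("10.2.0.0/16", 56, 16, announce=False)
            + encode_end_of_data(7, serial=42))


if __name__ == "__main__":
    vrps: Set[VRP] = set()
    print(apply_cache_response(sample_exchange(), vrps), sorted(vrps))
```

Note what the router never sees: no certificates, no signatures, no ROA structure, only the (prefix, maxLength, ASN) triples the cache already validated, which is why the slide can say there is no crypto in the routers. The length and session-id checks are the parts worth keeping in any real implementation, since the RTR session is usually unauthenticated TCP on the management network.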
Two Sides of This
• Securing routes to your addresses
  – Get certificates for your address space
  – Sign ROAs
  – Maintain a CA repository
  – Create certificates for your customers
    • If you give them addresses
  • Think of this as signing the back of your credit card
• Securing routes to others' addresses
  – Retrieve ROAs from other CA repositories
  – Validate received routes against the RPKI data
  • Think of this as checking the back of a credit card tendered to you for a sale
Thinking "Wow, Lots of WORK!"? Don't Panic
– Hosted service
– Outsourced service
– Offline retrieval & crypto
Status on Multiple Fronts: Specs
• IETF SIDR RFCs
  – 24 documents published as RFCs
  – Certs, ROAs, certificate policy, repository structure, certificate management protocol (aka "up/down"), etc.
  – Route validation, RPKI-to-router protocol, common operations, MIB, etc.
[Figure: the allocation hierarchy (IANA → AFRINIC, APNIC, ARIN, LACNIC, RIPE → ISPs, Enterprise, Legacy) with certificates at each level, the Globally Distributed Repositories, the ISP's local repository caches, and routers at each PoP.]
Status on Multiple Fronts: RPKI
• RIPE: 20% of members, 7000 prefixes, > 6 /8s, 1500 ASNs
  – Taken from http://certification-stats.ripe.net/
RPKI stats and monitors
• http://www.labs.lacnic.net/rpkitools/looking_glass/
• http://www-x.antd.nist.gov/rpki-monitor/
• http://certification-stats.ripe.net/
• http://rpki.surfnet.nl/index.html
• http://www.hactrn.net/opaque/rcynic/
Status on Multiple Fronts: Origin Validation
• Cisco:
  – High-end & mid-range routers running IOS-XR
    • Minimum release XR 4.2.1
  – Access/Enterprise routers running IOS-XE
    • Minimum release XE 3.5
• Juniper
  – Juniper provides official support for RPKI since release 12.2.
• Alcatel-Lucent
Origin Validation Configuration
• See examples at RIPE: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/router-configuration
• JunOS
  – First: Set up communication with the local RPKI cache
  – Second: Assign a local-preference based on the RPKI validity attribute

policy-options {
    policy-statement validation {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                validation-state valid;
                community add origin-validation-state-valid;
                next policy;
            }
        }
    }
}

Only the term for valid routes is shown; the invalid and unknown states get terms of the same shape, and the policy is applied on import from the eBGP neighbours.
Origin Validation Configurations
• See examples at https://www.ripe.net/manage-ips-and-asns/resource-management/certification/router-configuration
• Cisco
  – First: Set up communication with the local RPKI cache
  – Second: Assign a local-preference based on the RPKI validity attribute

!
route-map rpki-loc-pref permit 10
 match rpki invalid
 set local-preference 90
!
route-map rpki-loc-pref permit 20
 match rpki not-found
 set local-preference 100
!
route-map rpki-loc-pref permit 30
 match rpki valid
 set local-preference 110
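What the `match rpki` clauses above act on, as an added Python example for this tutorial (not code from the slides, the RIPE page or any vendor): RFC 6811 validation of a (prefix, origin AS) pair against the router's VRP table, followed by the three local-preference policies the Cisco slides show (the rpki-loc-pref map above, and the fairly secure and paranoid variants that follow). The VRP set is constructed from the deck's Acme example (10.2.0.0/16 originated by AS12 and AS56, 10.2.1.0/24 by AS27); the maxLength of 24 on the AS12 entry, AS666 and 192.0.2.0/24 are assumptions made for illustration.

```python
"""RFC 6811 route origin validation plus the slide's local-pref policies.
Added example, not code from the slides or a vendor."""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """Validated ROA Payload, as the cache hands it to the router."""
    prefix: IPNetwork
    max_length: int
    asn: int


def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    net = ipaddress.ip_network(prefix, strict=True)
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)


EXAMPLE_VRPS: List[VRP] = [
    vrp("10.2.0.0/16", 12, max_length=24),   # assumption: Acme lets AS12 announce /16../24
    vrp("10.2.0.0/16", 56),                  # AS56 may announce the /16 only
    vrp("10.2.1.0/24", 27),                  # Customer S's /24 via AS27
]


def validate_origin(prefix: str, origin_as: int, vrps: Iterable[VRP]) -> str:
    """Return "valid", "invalid" or "not-found" per RFC 6811 section 2.

    A VRP covers the route when it has the same address family and its
    prefix contains the route's prefix. The route is valid if some covering
    VRP carries the route's origin AS and its maxLength is at least the
    route's prefix length; invalid if covering VRPs exist but none matches;
    not-found if nothing covers it. An AS 0 VRP (RFC 6483) never matches, so
    a prefix covered only by AS 0 is invalid for every origin.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        if v.asn == origin_as and v.asn != 0 and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Local-preference policies from the slides; a missing state means the route is dropped.
POLICIES = {
    "prefer":        {"valid": 110, "not-found": 100, "invalid": 90},   # rpki-loc-pref
    "fairly-secure": {"valid": 100, "not-found": 50},                   # invalid dropped
    "paranoid":      {"valid": 110},                                    # all else dropped
}


def apply_policy(state: str, policy: str = "prefer") -> Optional[int]:
    """Map a validation state to a local-preference; None means drop."""
    return POLICIES[policy].get(state)


def evaluate(routes: Iterable[Tuple[str, int]], vrps: Iterable[VRP],
             policy: str = "prefer") -> List[Tuple[str, int, str, Optional[int]]]:
    """Validate each (prefix, origin AS) and attach the policy's local-pref."""
    vrps = list(vrps)
    result = []
    for prefix, origin_as in routes:
        state = validate_origin(prefix, origin_as, vrps)
        result.append((prefix, origin_as, state, apply_policy(state, policy)))
    return result


SAMPLE_ROUTES = [                   # constructed announcements as seen by the router
    ("10.2.0.0/16", 56),            # valid: exact ROA
    ("10.2.5.0/24", 12),            # valid: within AS12's maxLength 24
    ("10.2.5.0/24", 56),            # invalid: AS56's ROA stops at /16 (maxLength trap)
    ("10.2.1.0/24", 27),            # valid: S's own ROA
    ("10.2.5.0/25", 12),            # invalid: longer than maxLength
    ("10.2.0.0/16", 666),           # invalid: unauthorised origin, the classic hijack
    ("192.0.2.0/24", 12),           # not-found: no ROA covers it
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, evaluate(SAMPLE_ROUTES, EXAMPLE_VRPS, policy))
```

Two practitioner caveats the table exposes. First, the loose maxLength on the AS12 entry also makes AS12 a valid origin for S's 10.2.1.0/24, so a more-specific announced by AS12 would beat S's route; tight maxLengths are the fix. Second, with the "prefer" policy an invalid route still wins when it is the only route, which is why the fairly secure and paranoid variants drop rather than depreference.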
More Cisco Config Options

Fairly Secure:
route-map validity-0
 match rpki valid
 set local-preference 100
route-map validity-1
 match rpki not-found
 set local-preference 50
! invalid is dropped

Paranoid:
route-map validity-0
 match rpki valid
 set local-preference 110
! everything else dropped

Both variants rely on the route-map's implicit deny: any route no clause matches is dropped.
DRL RPKI Origin Validation 68
Junos Show Validation

195.24.160.0/19    *[BGP/170] 00:03:59, MED 2000, localpref 50, from 87.238.63.5
                      AS path: 335635494788693939648 I, validation-state: unverified
                    > to 87.238.63.56 via ae0.0
                    [BGP/170] 00:05:24, MED 0, localpref 50, from 87.238.63.2
                      AS path: 335635494788693939648 I, validation-state: unverified
                    > to 87.238.63.56 via ae0.0
                    [BGP] 01:16:00, MED 25245, localpref 100
                      AS path: 35494788693939648 I, validation-state: unverified
                    > to 64.210.69.85 via xe-1/1/0.0

(The AS numbers in the AS path ran together in the slide capture and are left as captured.)
Cisco Show Validation

Valid!
r0.sea#show bgp 192.158.248.0/24
BGP routing table entry for 192.158.248.0/24, version 3043542
Paths: (3 available, best #1, table default)
  6939 27318
    206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 319, localpref 100, valid, internal, best
      Community: 3130:391
      path 0F6D8B74 RPKI State valid
  2914 4459 27318
    199.238.113.9 from 199.238.113.9 (129.250.0.19)
      Origin IGP, metric 43, localpref 100, valid, external
      Community: 2914:410 2914:1005 2914:3000 3130:380
      path 09AF35CC RPKI State valid

Invalid!
r0.sea#show bgp 198.180.150.0
BGP routing table entry for 198.180.150.0/24, version 2546236
Paths: (3 available, best #2, table default)
  Advertised to update-groups:
     2          5          6          8
  Refresh Epoch 1
  1239 3927
    144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 759, localpref 100, valid, internal
      Community: 3130:370
      path 1312CA90 RPKI State invalid

Note that the word "valid" on the path line is ordinary BGP path validity (next hop reachable), not the RPKI result; the RPKI outcome is the "RPKI State" field at the end of each path.
DRL RPKI Origin Validation 60
Origin Validation Deployment
• IETF has used rpki.net for several IETFs in a row (sees few invalids)
• IXPs
  – Sep 2015: AMS-IX beginning to offer RPKI based filtering in their route servers
  – Oct 2014: French IXP announces they have begun to use RPKI for filtering
  – IXPs in RIPE have suggested RPKI as service for members
• ESnet doing RPKI based origin validation – prefers valid
• Major European ISP testing in internal lab, requests for features
• Rpki.net virtual testbed and AltCA – a dozen or so active participants (Comcast, ATT, ESnet, LACNIC, European folk, Google)
• FCC CSRIC III WG6 report 2013: "Cautious, staged deployment of RPKI Route Origin Validation"
• French ANSSI agency 2014 recommends use of RPKI and ROAs
Current Issues
• Technical
  – Legacy space (44% of orgs in ARIN, 56% of addresses)
  – Rsync performance
  – Validation reconsidered
• Non-technical
  – Mis-use of hierarchical authority (errors, court orders)
  – Impact on routing from RIR actions, service level, etc.
  – The usual problems with new technology – effort and cost
    • and the usual problem with new security technology – hard for users to see immediate direct benefit
    • and infrastructure technology – no one is in charge
• See Wes George talk at https://www.nanog.org/sites/default/files/wednesday_george_adventuresinrpki_62.9.pdf
Extra slides
The Way This Goes...
[Figure: ARIN above Acme (AS27); Acme's service providers ISP AS12 and ISP AS56 alongside; Acme's Customer S below.]
ARIN allocates 10.2/16
  CA certificate: Acme's key, Signed by: ARIN, Addresses: 10.2/16
Acme signs two ROAs
  ROA Signed Object, Signed by Acme, Addresses: 10.2/16, Valid Origin: AS12
  ROA Signed Object, Signed by Acme, Addresses: 10.2/16, Valid Origin: AS56
Acme suballocates 10.2.1/24
  CA certificate: Customer S's key, Signed by: Acme, Addresses: 10.2.1/24
S signs one ROA
  ROA Signed Object, Signed by S, Addresses: 10.2.1/24, Valid Origin: AS27
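The containment rules this figure depends on, as an added Python example for this tutorial (not code from the slides or from a relying-party tool such as rcynic): each certificate's IP resources must sit inside its issuer's (RFC 6487 section 7, RFC 3779), and a ROA's prefixes must sit inside the resources of the certificate it is signed under (RFC 6482), checked from S's ROA up to the ARIN trust anchor. Only the resource checks are modelled; a real relying party also verifies the X.509/CMS signatures, CRLs and manifests. The slide draws ROAs as signed by the CA key, while real RPKI signs them under a one-time end-entity certificate, which the example's `signer` field stands in for. ARIN's own block (10.0.0.0/8), the rogue "Mallory" certificate and the overreaching ROA are constructed.

```python
"""Resource-certificate chain and ROA containment checks for the Acme example.
Added example, not code from the slides or from an RP implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ResourceCert:
    name: str                               # stands in for the subject key identifier
    issuer: Optional[str]                   # None for the trust anchor
    resources: Tuple[str, ...]              # RFC 3779 IP address blocks


@dataclass(frozen=True)
class ROA:
    signer: str                             # certificate the ROA is signed under
    prefixes: Tuple[Tuple[str, int], ...]   # (prefix, maxLength)
    origin_as: int


def contained(prefixes: Sequence[str], holder: Sequence[str]) -> bool:
    """True when every prefix lies inside some block of the same family in holder."""
    blocks = [ipaddress.ip_network(b) for b in holder]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if not any(net.version == b.version and net.subnet_of(b) for b in blocks):
            return False
    return True


def validate_chain(cert: ResourceCert, store: Dict[str, ResourceCert],
                   trust_anchor: str) -> List[str]:
    """Follow issuer links up to the trust anchor, checking resource containment
    at every step. Returns the names on the path or raises ValueError."""
    path = [cert.name]
    while cert.issuer is not None:
        parent = store.get(cert.issuer)
        if parent is None:
            raise ValueError(f"{cert.name}: issuer {cert.issuer} is unknown")
        if not contained(cert.resources, parent.resources):
            raise ValueError(f"{cert.name}: resources {cert.resources} exceed issuer {parent.name}")
        cert = parent
        path.append(cert.name)
        if len(path) > 16:
            raise ValueError("certificate chain too long (loop?)")
    if cert.name != trust_anchor:
        raise ValueError(f"chain ends at {cert.name}, not the trust anchor")
    return path


def validate_roa(roa: ROA, store: Dict[str, ResourceCert],
                 trust_anchor: str) -> List[Tuple[str, int, int]]:
    """Return the VRPs a valid ROA yields, or raise ValueError."""
    signer = store.get(roa.signer)
    if signer is None:
        raise ValueError(f"ROA signer {roa.signer} is unknown")
    validate_chain(signer, store, trust_anchor)
    if not contained([p for p, _ in roa.prefixes], signer.resources):
        raise ValueError(f"ROA prefixes {roa.prefixes} exceed {signer.name}'s resources")
    for prefix, max_len in roa.prefixes:
        net = ipaddress.ip_network(prefix)
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_len} for {prefix}")
    return [(prefix, max_len, roa.origin_as) for prefix, max_len in roa.prefixes]


def check_roa(roa: ROA, store: Dict[str, ResourceCert], trust_anchor: str) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, VRP list or rejection reason)."""
    try:
        return True, str(validate_roa(roa, store, trust_anchor))
    except ValueError as err:
        return False, str(err)


# The slide's hierarchy. ARIN's block and the Mallory certificate are assumptions.
STORE: Dict[str, ResourceCert] = {c.name: c for c in (
    ResourceCert("ARIN", None, ("10.0.0.0/8",)),
    ResourceCert("Acme", "ARIN", ("10.2.0.0/16",)),
    ResourceCert("S", "Acme", ("10.2.1.0/24",)),
    # Rogue: claims Acme as issuer but for space Acme does not hold.
    ResourceCert("Mallory", "Acme", ("10.3.0.0/16",)),
)}

ACME_ROAS = (ROA("Acme", (("10.2.0.0/16", 16),), 12), ROA("Acme", (("10.2.0.0/16", 16),), 56))
S_ROA = ROA("S", (("10.2.1.0/24", 24),), 27)
S_OVERREACH = ROA("S", (("10.2.2.0/24", 24),), 27)       # outside S's /24
MALLORY_ROA = ROA("Mallory", (("10.3.0.0/16", 16),), 666)

if __name__ == "__main__":
    for roa in ACME_ROAS + (S_ROA, S_OVERREACH, MALLORY_ROA):
        print(roa.signer, check_roa(roa, STORE, "ARIN"))
```

The chain walk is also where the "mis-use of hierarchical authority" issue from the Current Issues slide bites: if the ARIN certificate for Acme disappears or shrinks, S's ROA fails containment and every route for 10.2.1.0/24 becomes not-found or invalid, with no action by S.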
BGP Process
[Figure: AS 123 originates Net 2.0.0.0 (AS_PATH = 123, prefix = 2/8); AS 345 passes it on to AS 567 as AS_PATH = 345, 123, prefix = 2/8; AS 789 announces the same prefix 2/8 with AS_PATH = 789 towards AS 891 and AS 567. Inside a router: Ingress filters → Best path decision → Egress filters.]
• BGP receives many routes to the same prefix
• Ingress filter decides what routes to consider
• Decision process picks just one best route
• Egress filter decides what neighbors receive an update
IRR Based Filters
• Registries could be used to check NLRI origination, AS_PATHs, etc.
• Level of protection from use of registry relies on registry containing complete and accurate information, including peering and policy
• Communication with registry would have to be protected
• IRRs are known to be inaccurate, incomplete, stale, and many have little to no security applied
Workshop in a Box
[Figure: Randy Bush's world-traveled workshop set-up (2-4-1 RPKI Lab), DynaMIPS on a Mac Mini. A "Global Internet" with AS3130 (Seattle) and AS4128 (Dallas), each shown announcing 98.128.0.0/16 and 98.128.0.0/24, 98.128.1.0/24, …, 98.128.31.0/24; student ASes AS65000 and AS65001; an RPKI Cache speaking the RPKI-Rtr Protocol to the routers; 202.144.137.27; 10.0.0.0/8.]
Creative Commons: Attribution & Share Alike
Extracted from Randy Bush's workshop slides https://psg.com/140118.pdf
Randy Bush's World Traveled Workshop Set-Up
• VM is a totally self-contained environment – no outside dependencies
• Comes with a local trust anchor so you can generate certs for your own prefixes
• Use for experimentation, training, testing, whatever
[Figure: BIRD1, BIRD2, Quagga1 … Quagga8 and an RPKI Cache inside the VM, announcing 192.168.0.0/16, 192.168.1.0/24, etc.]
Workshop GUI