Are We There Yet? On RPKI Deployment and Security

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.
Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
The Resource Public Key Infrastructure Geoff Huston APNIC.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
RPKI Tutorial Andy Newton Chief Engineer, ARIN. Agenda Resource Public Key Infrastructure(RPKI) Route Origin Authorizations (ROAs) Certificate Authorities.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time Lusheng Ji†, Joint work with Changxi Zheng‡, Dan Pei†, Jia Wang†, Paul Francis‡
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Detecting Selective Dropping Attacks in BGP Mooi Chuah Kun Huang November 2006.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
On the Impact of Clustering on Measurement Reduction May 14 th, D. Saucez, B. Donnet, O. Bonaventure Thanks to P. François.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Internet Routing Verification John “JI” Ioannidis AT&T Labs – Research Copyright © 2002 by John Ioannidis. All Rights Reserved.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
BGP security some slides borrowed from Jen Rexford (Princeton U)
BGP Validation Russ White Rule11.us.
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
1 On the Impact of Route Monitor Selection Ying Zhang* Zheng Zhang # Z. Morley Mao* Y. Charlie Hu # Bruce M. Maggs ^ University of Michigan* Purdue University.
The Use of Maxlength in the RPKI draft-yossigi-rpkimaxlen-00
Are We There Yet? On RPKI Deployment and Security
Are We There Yet? On RPKI Deployment and Security
Securing BGP: The current state of RPKI
Auto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes?
November 2006 Geoff Huston APNIC
Securing BGP Bruce Maggs.
Goals of soBGP Verify the origin of advertisements
Beyond Technical Solutions
CS590B/690B Detecting Network Interference
RPKI Trust Anchor Geoff Huston APNIC.
Are We There Yet? On RPKI Deployment and Security
APNIC Trial of Certification of IP Addresses and ASes
COS 561: Advanced Computer Networks
Does Scale, Size, and Locality Matter
Measuring the Adoption of Route Origin Validation and Filtering
Some Thoughts on Integrity in Routing
APNIC Trial of Certification of IP Addresses and ASes
IPv6 Address Allocation APNIC
BGP Multiple Origin AS (MOAS) Conflict Analysis
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
COS 561: Advanced Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Securing BGP Bruce Maggs.
Fixing the Internet: Think Locally, Impact Globally
Amreesh Phokeer Research Manager AfPIF-10, Mauritius
Presentation transcript:

Are We There Yet? On RPKI Deployment and Security Yossi Gilad joint work with: Avichai Cohen, Amir Herzberg, Michael Schapira, Haya Shulman

The Resource Public Key Infrastructure (informally) The Resource Public Key Infrastructure (RPKI) maps IP prefixes to the organizations that own them [RFC 6480] Intended to prevent prefix/subprefix hijacks Lays the foundation for protection against more sophisticated attacks on interdomain routing BGPsec, SoBGP,…

Prefix Hijacking Deutsche Telekom AS X 91.0.0.0/10 Path: Y-3320 prefers shorter route AS X 91.0.0.0/10 Path: Y-3320 91.0.0.0/10 Path: 666 AS Y AS 666 91.0.0.0/10 Path: 3320 AS 3320 BGP Ad. Data flow Deutsche Telekom

Subprefix Hijacking Deutsche Telekom AS X 91.0.0.0/10 Path: 3320 Longest prefix match Path length does not matter AS X 91.0.0.0/10 Path: 3320 91.0.0.0/16 Path: Y-666 AS 3320 AS Y Deutsche Telekom 91.0.0.0/16 Path: 666 AS 666 BGP Ad. Data flow

Certifying Ownership with RPKI RPKI assigns an IP prefix to a public key via a Resource Certificate (RC) Owners can use their private key to issue a Route Origin Authorization (ROA) ROAs identify ASes authorized to advertise an IP prefix in BGP

Example: Certifying Ownership Deutsche Telekom certified by RIPE for address space 91.0.0.0/10 91.0.0.0/10 Max-length = 10 AS 3320 RIPE Réseaux IP Européens Network Coordination Centre ROA Legend: Org with RC Deutsche Telekom

RPKI Can Prevent Prefix Hijacks AS X uses the authenticated mapping (ROA) from 91.0/10 to AS 3320 to discard the attacker’s route-advertisement 91.0.0.0/10 Path: Y-3320 AS X 91.0.0.0/10 Path: 666 91.0.0.0/10 Max-length = 10 AS 3320 AS Y AS 666 AS 3320 BGP Ad. Data flow

Talk Outline Challenges facing deployment Route origin validation in partial deployment

Insecure Deployment: Loose ROAs 1.2.0.0/16 Max-length = 16 AS A ROA allows advertising only one /16 prefix Picks shorter path Valid advertisement since AS A is the “origin” AS X 1.2.0.0/16 Path: A 1.2.0.0/16 Path: 666-A AS A AS 666 BGP Ad. Data flow Lychev et al. show that this attack is much less effective than prefix hijack

Insecure Deployment: Loose ROAs 1.2.0.0/16 Max-length = 24 AS A ROA allows advertising subprefixes up to length /24 Longest-prefix-match Path length does not matter AS A originates 1.2.0.0/16 but not 1.2.3.0/24 ROA is “loose” Valid advertisement since AS A is the “origin” AS X 1.2.0.0/16 Path: A 1.2.3.0/24 Path: 666-A AS A AS 666 BGP Ad. Data flow RFC 7115 mentions this attack

Insecure Deployment: Loose ROAs Loose ROAs are common! almost 30% of IP prefixes in ROAs 89% of prefixes with maxLen > prefixLen manifests even in large providers! Attacker can hijack all traffic to non-advertised subprefixes covered by a loose ROA Vulnerability will be solved only when BGPsec is fully deployed, but a long way to go until then… better not to issue loose ROAs!

Challenges to Deployment: Human Error Many other mistakes in ROAs (see RPKI monitor) ``bad ROAs’’ cause legitimate prefixes to appear invalid filtering by ROAs may cause disconnection from legitimate destinations extensive measurements in [Iamartino et al., PAM’15]

Improving Accuracy with ROAlert roalert.org allows you to check whether your network is properly protected by ROAs … and if not, why not

Improving Accuracy with ROAlert Online, proactive notification system Retrieves ROAs from the RPKI and compares them against BGP advertisements Alerts network operators about “loose ROAs” & “bad ROAs”

Improving Accuracy with ROAlert Initial results are promising! notifications reached 168 operators 42% of errors were fixed within a month ROAlert is: constantly monitoring (not only at registration) not opt-in We advocate that ROAlert be adopted and adapted by RIRs!

Talk Outline Challenges facing deployment Route origin validation in partial deployment

Filtering Bogus Advertisements Route-Origin Validation (ROV): use ROAs to discard/deprioritize route-advertisements from unauthorized origins [RFC 6811] Autonomous System Verify: signer authorized for subject prefix signature is valid RPKI cache RCs and ROAs RPKI pub. point 91.0.0.0/10: AS = 3320, max-length = 10 BGP Routers

ROV in Partial Deployment Major router vendors support ROV with negligible overhead Any AS, anywhere, can do ROV But is it actually enforced?

ROV in Partial Deployment We gain empirical insights regarding ROV enforcement via invalid BGP advertisements We monitored BGP paths from multiple vantage points afforded by 44 Route Views sensors¹ Active techniques presented earlier today ¹ http://www.routeviews.org/

Measurements: Non-Filtering ASes ASes that propagate invalid BGP advertisements do not perform filtering Origin 2 E RV sensor 4.5.6.0/24 D B C Origin 1 A 1.2.3.0/24 Origin 1 & 2 advertise in BGP RPKI-invalid IP prefixes F

Measurements: Non-Filtering ASes ASes that propagate invalid BGP advertisements do not perform filtering Origin 2 E RV sensor 4.5.6.0/24 Route Views sensor observes “bad” route to: 1.2.3/24 AS path: C, A, Origin 1 D F B C A Origin 1 1.2.3.0/24 Route Views sensor observes “bad” route to: 4.5.6.0/24 AS path: F, E, D, Origin 2

Measurements: Non-Filtering ASes ASes that propagate invalid BGP advertisements do not perform filtering Origin 1 1.2.3.0/24 Origin 2 E RV sensor 4.5.6.0/24 D F B C A We find that at least 80 of 100 largest ISPs do not filter ASes that don’t filter invalid advertisements

What is the Impact of Partial ROV Adoption? Collateral benefit: Adopters protect ASes behind them by discarding invalid routes 1.1.0.0/16 Max-length = 16 AS 1 AS 666 To: 1.1.1/24 AS path: 666 AS 3 is only offered a good route AS 2 AS 3 To: 1.1/16 AS path: 2-1 Origin AS 1

What is the Impact of Partial ROV Adoption? Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks! Disconnection: Adopters might be offered only bad routes 1.1.0.0/16 Max-length = 16 AS 1 AS 666 To: 1.1/16 AS path: 2-666 AS 3 receives only bad advertisement and disconnects from 1.1/16 AS 2 prefers to advertise routes from AS 666 over AS 1 AS 2 AS 3 To: 1.1/16 AS path: 1 Origin AS 1

What is the Impact of Partial ROV Adoption? Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks! Control-Plane-Data-Plane Mismatch! data flows to attacker, although AS 3 discarded it 1.1.0.0/16 Max-length = 16 AS 1 AS 666 To: 1.1.1/24 AS path: 2-666 AS 3 discards bad subprefix route AS 2 advertises both prefix & subprefix routes AS 2 AS 3 AS 2 does not filter and uses bad route for subprefix To: 1.1/16 AS path: 2-1 Origin AS 1

Quantify Security in Partial Adoption: Simulation Framework Pick victim & attacker Victim’s prefix has a ROA Pick set of ASes doing ROV Evaluate which ASes send traffic to the attacker 1.1.0.0/16 Max-length = 16 AS A A B C D E F G H I J K L Empirically-derived AS-level network from CAIDA Including inferred peering links [Giotsas et al., SIGCOMM’13]

Quantify Security in Partial Adoption Top ISP adopts with probability p Significant benefit only when p is high Subprefix hijack success rate Prefix hijack success rate

Quantify Security in Partial Adoption Comparison between two scenarios: today’s status, as reflected by our measurements all top 100 ISPs perform ROV Each other AS does ROV with fixed probability Adoption by the top 100 ISPs makes a huge difference! Subprefix hijack success rate

Security in Partial Adoption Bottom line: ROV enforcement by the top ISPs is both necessary and sufficient for substantial security benefits from RPKI

Getting RPKI Adopted: What Can We Improve? Information accuracy ROAlert informs & alerts operators about: Bad ROAs Loose ROAs Preventing hijacks Incentivize ROV adoption by the top ISPs! Both sufficient and necessary for significant security benefits

Thank You! This work appeared at NDSS’17 Tech report at https://eprint.iacr.org/2016/1010.pdf Questions? 

Data Sources BGP advertisements are constantly fed to ROAlert using CAIDA’s BGPStream ROAs and RCs obtained from RPKI repositories trust anchors: afrinic, arin, ripe, lacnic, apnic, iana Simulations use CAIDA’s AS topology graph from July 2016 Including inferred peering links Measurements and examples are from a snapshot of our dataset from July 26th 2016