The Use of Maxlength in the RPKI draft-yossigi-rpkimaxlen-00

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

BGP Prefix Origin Validation
A Threat Model for BGPSEC Steve Kent BBN Technologies.
BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery 1IETF 802/12/2014.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
String Recognition Simple case: recognize 1101 “ ” 0 “1” 0 “11” 0 Reset 1 “110” “1101”
Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
RIS Resource Allocations A special report on an endangered species …
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
A LIGHT-WEIGHT DISTRIBUTED SCHEME FOR DETECTING IP PREFIX HIJACKS IN REAL TIME Changxi Zheng, Lusheng Ji, Dan Pei, Jia Wang and Paul Francis. Cornell University,
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
DNS security. How DNS works Ask local resolver first about name->IP mapping – It returns info from cache if any If info not in cache, resolver asks servers.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Fast Packet Classification Using Bloom filters Authors: Sarang Dharmapurikar, Haoyu Song, Jonathan Turner, and John Lockwood Publisher: ANCS 2006 Present:
Finding Vulnerable Network Gadgets in the Internet Topology Author: Nir Amar Supervisor: Dr. Gabi Nakibly Author: Nir Amar Supervisor: Dr. Gabi Nakibly.
Sign What You Really Care About -- Secure BGP AS Paths Efficiently Yang Xiang, Z. Wang, J. Wu, X. Shi, X. Yin Tsinghua University, Beijing AsiaFI 2011.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
Draft-ietf-sidr-bgpsec-protocol Matt Lepinski
Efficient Secure BGP AS Path using FS-BGP Xia Yin, Yang Xiang, Zhiliang Wang, Jianping Wu Tsinghua University, Beijing 81th Quebec.
BGPSEC : A BGP Extension to Support AS-Path Validation Matt Lepinski BBN Technologies.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
BGPSEC router key rollover as an alternative to beaconing Roque Gagliano Keyur Patel Brian Weis draft-ietf-sidr-bgpsec-rollover-01.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
Meet the Falcons Ciprian Marginean Aris Lambrianidis
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
Wed 24 Mar 2010SIDR IETF 77 Anaheim, CA1 SIDR Working Group IETF 77 Anaheim, CA Wednesday, Mar 24, 2010.
Covering Prefixes Outbound Route Filter for BGP-4 draft-bonica-l3vpn-orf-covering-prefixes-01 H. Jeng, l. Jalil, R. Bonica, Y. Rekhter, K. Patel, L. Yong.
RPKI implementation experiences in the LAC Region Carlos M. Martínez – Arturo Servín LACSEC 2012 – LACNIC XVIII.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012.
A RPKI RTR Client C Lib (RTRlib) - Implementation Update & First, Preliminary Performance Results Fabian Holler, Thomas C. Schmidt, and Matthias Wählisch.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
Making Routing Registries Great Again Jared Mauch – NTT Communications
EC week Review. Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of.
BGP security some slides borrowed from Jen Rexford (Princeton U)
BGP Validation Russ White Rule11.us.
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
Are We There Yet? On RPKI Deployment and Security
Are We There Yet? On RPKI Deployment and Security
Are We There Yet? On RPKI Deployment and Security
Securing BGP: The current state of RPKI
Securing BGP Bruce Maggs.
Beyond Technical Solutions
BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers. sidr wg / Québec City Doug Montgomery
Are We There Yet? On RPKI Deployment and Security
COS 561: Advanced Computer Networks
Does Scale, Size, and Locality Matter
Measuring the Adoption of Route Origin Validation and Filtering
Some Thoughts on Integrity in Routing
MANRS IXP Partnership Programme
BGP Multiple Origin AS (MOAS) Conflict Analysis
Bamboozling Certificate Authorities with BGP
COS 561: Advanced Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Improving global routing security and resilience
FIRST How can MANRS actions prevent incidents .
Amreesh Phokeer Research Manager AfPIF-10, Mauritius
Validating MANRS of a network
Presentation transcript:

The Use of Maxlength in the RPKI draft-yossigi-rpkimaxlen-00 Yossi Gilad, Sharon Goldberg, Kotikalapudi Sriram

When used properly, the RPKI defeats subprefix hijacks  RPKI valid AS 666 fails to attract traffic! Path: AS 111 168.122.0.0/16 X RPKI invalid AS 666 Cyberbunker AS 34109 Path: AS 666 168.122.0.0/24 AS 111 AS 111 ROA: AS 111 168.122.0.0/16 RPKI RPKI 168.122.0.0/16

Loose maxlength  forged-origin subprefix hijack this attack is highly effective because 168.122.0.0/24 is unannouced  RPKI valid longest prefix match  AS 666 attracts all traffic for the subprefix! Path: AS 111 168.122.0.0/16  RPKI valid AS 666 Cyberbunker AS 34109 Path: AS 666, AS111 168.122.0.0/24 AS 111 AS 111 ROA: AS 111 168.122.0.0/16 to maxlength 24 RPKI RPKI 168.122.0.0/16

Maxlength misconfigurations are common! forged-origin subprefix hijack affects any ROA where maxlength m > prefixlen p, unless every subprefix of length m is announced in BGP 16% of the IP prefixes in ROAs have maxlength > prefixlen 89% of these are vulnerable to forged-origin subprefix hijacks Even large providers are vulnerable

https://github.com/yossigi/compress_roas Recommendations As a best common practice: Operators should refrain from using maxlength in ROAs Each ROA should instead have explicit lists of prefixes authorized to be originated by a single AS Whenever possible, use minimal ROAs where each listed prefix is originated in BGP. The RPKI already support this. No extra ROAs needed. To reduce the number of RPKI filtering rules, we developed software that RPKI local caches can use to compresses lists of prefixes from ROAs back to (AS, prefix,maxlength) tuples https://github.com/yossigi/compress_roas See also our technical report: http://eprint.iacr.org/2016/1015.pdf

Sometimes ROAs need to include unannounced prefixes AS 222 gives traffic-scrubbing service to AS 111 during DDoS attacks Path: AS 111 168.122.0.0/16 Path: AS 222 168.122.0.0/17 168.122.128.0/17 Scrubbing service AS 222 Scrubs traffic, relays to AS 111 AS 111 AS 111 168.122.0.0/16

Sometimes ROAs need to include unannounced prefixes Scrubbing would fail if there was only the ROA for announced pfx  RPKI valid Path: AS 111 168.122.0.0/16 RPKI invalid X Path: AS 222 168.122.0.0/17 168.122.128.0/17 Scrubbing service AS 222 RPKI invalid X AS 111 AS 111 RPKI 168.122.0.0/16 ROA: AS 111 168.122.0.0/16

Sometimes ROAs need to include unannounced prefixes Add a (non “minimal”) ROA for AS 222 that does not use maxlength  RPKI valid  RPKI valid Path: AS 111 168.122.0.0/16 Path: AS 222 168.122.0.0/17 168.122.128.0/17  RPKI valid Scrubbing service AS 222 ROA: AS 222 168.122.0.0/17 168.122.128.0/17 AS 111 AS 111 RPKI 168.122.0.0/16 ROA: AS 111 168.122.0.0/16

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.