Measuring routing (in)security

Slides:



Advertisements
Similar presentations
IPV6 Multihoming and Traffic Engineering Marla Azinger ARIN Advisory Council Sr. IP Engineer Frontier Communications.
Advertisements

RPKI Certificate Policy Status Update Stephen Kent.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting Address Policy (Procedures) SIG 1 March 2001.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
Philips iSite 3.5 Administration
Employee Central Presentation
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Providing A Subset of Whois Data Via DNS Shuang Zhu Xing Li CERNET Center.
IPv6 Interim Policy Draft RIPE 42 Amsterdam, The Netherlands 1 May 2002.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Database SIG APNIC Database Privacy Issues 1 March 2001 APRICOT, Malaysia Fabrina.
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
Policy Proposal 109 Standardize IP Reassignment Registration Requirements ARIN XXV 18 April, 2010 – Toronto, Ontario Chris Grundemann.
Copyright © 2011 Japan Network Information Center JPNIC ’ s RQA and Routing Related Activities JPNIC IP Department Izumi Okutani APNIC32 Aug 2011, Busan.
Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
Supportive Services for Veteran Families (SSVF) Data HMIS Lead and Vendor Training Updated 5/22/14.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
Building a More Trusted and Secure Internet RIPE 70, May
Internet Number Resource Governance ARIN & LACNIC.
Information-Centric Networks04b-1 Week 4 / Paper 2 Understanding BGP Misconfiguration –Rahil Mahajan, David Wetherall, Tom Anderson –ACM SIGCOMM 2002 Main.
CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)
IP Addressing and ICT Development in the Pacific Islands Anne Lord and Save Vocea, APNIC ICT Workshop, Fiji, November, 2002.
Addressing Prefix Reachability Issues Frank Salanitri Project & Systems Services Manager, APNIC.
How can we work together to improve security and resilience of the global routing system? Andrei Robachevsky.
Policies for ASN Management in the Asia Pacific Region – Revised Draft Address Policy SIG APNIC14, Kitakyushu, Japan 4 Sept 2002.
Information-Centric Networks Section # 4.2: Routing Issues Instructor: George Xylomenos Department: Informatics.
CONTRIBUTING TO THE ELABORATION AND IMPLEMENTATION OF STRATEGIES FOR INTELLECTUAL PROPERTY (IP) DEVELOPMENT Loretta Asiedu Senior Counselor WIPOWindhoek,
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
A BCOP document: Implementing MANRS Job Snijders (NTT) Andrei Robachevsky (ISOC)
Introduction to ITIL and ITIS. CONFIDENTIAL Agenda ITIL Introduction  What is ITIL?  ITIL History  ITIL Phases  ITIL Certification Introduction to.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
1 Internet Society Collaborative Security & MANRS ENOG 10 – 14 October 2015, Odessa Maarit Palovirta
Making Routing Registries Great Again Jared Mauch – NTT Communications
Whois & Data Accuracy Across the RIRs. Terms ISP – An Internet Service Provider is allocated address space by an RIR for the purpose of providing connectivity.
Configuring and Troubleshooting DHCP
Securing BGP Bruce Maggs.
Internet Routing Health Measurement Bar BoF
Beyond Technical Solutions
BGP supplement Abhigyan Sharma.
Legacy Resources in the Research & Education Community
We Care About Data Quality at IXPs
Interdomain Traffic Engineering with BGP
Introduction to ARIN and the Internet Registry System
Some Thoughts on Integrity in Routing
Cisco Learning Credits A Solid Business Value Proposition
Working together to improve routing security for all
MANRS IXP Partnership Programme
Propuestas Concepción 2018
Contact Center Security Strategies
MANRS for IXPs Why we did it? What did we do?
APNIC 29 Policy SIG report
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
COS 561: Advanced Computer Networks
PP – Resource Authentication Key ( RAK ) code for third party authentication Presenter : Erik Bais –
Securing BGP Bruce Maggs.
Improving global routing security and resilience
Fixing the Internet: Think Locally, Impact Globally
Peering Security DKNOG, March 14-15, 2019 Susan Forney and Walt Wollny
AS15169.
FIRST How can MANRS actions prevent incidents .
Projects of Common Interest
MANRS Implementation Guides
By Keessun Fokeerah Member Services(MS) Team
Amreesh Phokeer Research Manager AfPIF-10, Mauritius
WMO Global Campus: Open Educational Practice in Action
APNIC Solving problems for our community
Validating MANRS of a network
APNIC Solving problems for our community
IXP FilterCheck A New Route Analysis Tool for IXPs
Presentation transcript:

Measuring routing (in)security Disclaimer – this is not a scientific research Andrei Robachevsky manrs@isoc.org

Why to measure? Provide a factual state of routing security as it relates to MANRS Support the problem statement with data Demonstrate the impact and progress Network, country, region, over time Inform MANRS members about their degree of commitment Improve reputation and transparency of the effort Automate the process Make it more comprehensive and consistent Reduce the load Allow preparation (self-assessment)

How to measure? Transparent. Passive The measurements should use publicly available data sources and the code should be made open source. Passive No cooperation is required from a network.

MANRS Actions Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common routing databases Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate

What can we measure?

Action 1: Filtering M1 route leak by the AS M2 route hijack by the AS Metric Description M1 route leak by the AS M2 route hijack by the AS M1C route leak by a customer and not filtered by the AS M2C route hijack by a customer and not filtered by the AS M3 announcement of bogon prefixes M4 announcement of bogon ASNs (unallocated/reserved)

Action 2: Anti-spoofing Metric Description M5 spoofable IP blocks M5C spoofable IP blocks of client AS’es

Action 3: Coordination M8 contact registration (RIR, IRR, PeeringDB) Metric Description M8 contact registration (RIR, IRR, PeeringDB)

Action 4: Facilitate global validation Metric Description M6 policy documented in an IRR (aut-num w/import/export, as-set) M7IRR registered routes (% of routes registered) M7RPKI valid ROAs (% of routes registered) M7CIRR registered customer routes (% of routes registered) M7CRPKI valid ROAs for customer routes (% of routes registered)

How to calculate? E.g. M2 - route hijack by an AS? Impact M2 = f(#prefixes, address span, duration) Not all prefixes are equal Does size matter? Hard to normalize/define thresholds Conformity M2 = f(#distinct incidents, resolution time) # incidents and resolution time show the degree of negligence What is an incident? Finite number – easy to define thresholds

Events and incidents. E.g. M2C Weight Events are weighted depending on the distance from the culprit M1C (ASPATH-1), 0.5*M1C(ASPATH-2), 0.25*M1C(ASPATH-3)… min 0.01 Incident Events with the same weight that share the same time span are merged into an incident. Duration Non-action is penalized < 30mins -> 0.5 * weight < 24hours -> 1.0 * weight < 48hours -> 2.0 * weight

Example: direct customer hijacks prefixes M2C = 0.5 + 1.0 + 2.0 = 3.5

Feedback and ideas are welcome! robachevsky@isoc.org

Backup slides

How does it all fit together?

MANRS@isoc.org

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.