Improving reliability of IRR database

Presentation transcript:

Improving reliability of IRR database
The University of Tokyo: Kengo Nagahashi (kenken@elab.ic.i.u-tokyo.ac.jp)
Nara Institute of Science and Technology: Masasi Eto (masash-e@is.aist-nara.ac.jp)
JPNIC IRR Planning Team
2018/11/29

Research Activity of JPIRR
- Nagahashi: Prefix Validation using IRR Database
- Eto: Improvement of consistency among AS policies on IRR database
- Our goal: improving reliability of IRR database; more widespread use of IRR
Speaker notes: The JPIRR Planning Team is pursuing two research activities. One, by Kengo Nagahashi, is checking for invalid origin ASes using the IRR database. The other is improving the consistency among AS policies on the IRR database. Our goal is to improve the reliability of the IRR database and, through these activities, to bring about more widespread use of the IRR.

Prefix Validation using IRR Database
The University of Tokyo: Kengo Nagahashi (kenken@elab.ic.i.u-tokyo.ac.jp)

Background
- One of the severe problems in inter-domain routing: prefix hijacking (black hole)
- Why does it happen? One AS propagates a prefix with an invalid origin
[Figure: AS1, AS2, AS3, AS4 and AS5. Labels: AS5 originates 133.11/16; AS4: 133.11/16; 133.11/16=AS5->AS3->AS2; 133.27/16=AS4-AS3->AS2 ⇒UNREACH!!]
Speaker notes: There are several important issues in BGP. One of the severe problems is prefix hijacking, also called the black hole problem. It happens because one AS propagates a prefix with an invalid origin. For example, in this figure AS5 should announce 133.11/16, but AS4 announces that prefix, so AS3, AS2 and AS1 route to AS4 and the prefix becomes unreachable.

Countermeasure Approach
- Authenticate the prefix in the BGP update
- BGP routers exchange certificates
- Candidates: sBGP, soBGP
- Problems: a long-term solution; a heavy protocol, since a certificate must be verified for each prefix and BGP holds over 120,000 prefixes…
Speaker notes: There are several countermeasure approaches for detecting prefix hijacking. One valid solution is to authenticate the prefix in the BGP update. To authenticate prefixes, BGP routers exchange certificates. The protocols for exchanging certificates are sBGP and soBGP. The problems are that they take a long time to deploy and that the protocols are heavy. A certificate has to be verified for each prefix, and current BGP holds 120,000 prefixes, so this can be called overhead.

Motivation
- To check for a correct prefix in a lightweight and simple way
- What to “check”? To identify prefixes with an invalid origin
- Using certificates is too heavy (same as sBGP, soBGP)
- How to verify? Using the IRR database
Speaker notes: Our motivation is to check for a correct prefix by a lightweight and simple method. What do we check? The answer is to identify prefixes with an invalid origin. As we said previously, using certificates is too heavy. Next, how do we verify a prefix? To verify it, we use the IRR database.

Approach
- Using IRR as Database
[Figure: routers and DB. Labels: Prefix announcement; (1) Download request for DB (once a day); (2) Response prefix/origin-as pairs; (3) Comparison with (1) and (2)]
Example:
    #show invalid route
    Network          origin   origin in DB
    199.31.20.0/24   2400     568
Speaker notes: Our approach consists of 3 flows. First, the router issues a download request to the database once a day. Second, the database responds to the router with prefix/origin-as pairs. Finally, the router compares the prefix in the BGP update with the prefix in the database. As the database, we use the IRR.

Simple protocol
- Download: the router requests a download from the DB; the frequency is once a day
- Response: the DB responds to the router with the prefix/origin-as pairs stored in the DB
Speaker notes: A simple protocol is needed for communication between the router and the database. One message is Download: the router requests a download from the database once a day. The other is Response: the database responds to the router with prefix/origin-as pairs.
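The comparison step of the approach above, as an added example that is not code from the presentation: the router's daily copy of the IRR is a set of prefix/origin-as pairs, and every origin seen in BGP is checked against it. The RPSL route-object layout of the response, exact-prefix matching, and all sample values other than the slide's 199.31.20.0/24 row and the Background figure's 133.11/16 case are assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed sample of the Response payload: RPSL route objects giving
# prefix/origin-as pairs (AS64500-AS64502 and 192.0.2.0/24 are placeholders).
IRR_DUMP = """\
route:  199.31.20.0/24
origin: AS568

route:  133.11.0.0/16
origin: AS5

route:  192.0.2.0/24
origin: AS64500

route:  192.0.2.0/24
origin: AS64501
"""

def load_irr(dump):
    """Parse route objects into {network: set of registered origin ASNs}."""
    table = defaultdict(set)
    for obj in dump.strip().split("\n\n"):
        attrs = dict(line.split(":", 1) for line in obj.splitlines())
        net = ipaddress.ip_network(attrs["route"].strip())
        table[net].add(int(attrs["origin"].strip()[2:]))  # drop "AS"
    return table

def check(announcements, irr):
    """Return (invalid rows, prefixes with no route object in the IRR)."""
    invalid, unregistered = [], []
    for prefix, origin in announcements:
        registered = irr.get(ipaddress.ip_network(prefix))
        if registered is None:
            unregistered.append(prefix)  # cannot be judged either way
        elif origin not in registered:
            invalid.append((prefix, origin, sorted(registered)))
    return invalid, unregistered

# Constructed announcements: slide row, figure hijack (AS4), and edge cases.
ANNOUNCEMENTS = [("199.31.20.0/24", 2400), ("133.11.0.0/16", 4),
                 ("133.11.0.0/16", 5), ("192.0.2.0/24", 64501),
                 ("198.51.100.0/24", 64502)]

if __name__ == "__main__":
    invalid, unregistered = check(ANNOUNCEMENTS, load_irr(IRR_DUMP))
    print("Network            origin  origin in DB")
    for prefix, seen, db in invalid:
        print(f"{prefix:<18} {seen:<7} {' '.join(map(str, db))}")
```

Prefixes with no route object are returned separately rather than flagged, because an unregistered prefix says nothing about whether its origin is valid.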

Problems to be solved / Future Work
- Router overhead: is holding 120,000 prefix/origin-as pairs an overhead?
- Utilization of IRR: are all entries registered in the IRR database?
- Duration of update: is once a day too long?
Speaker notes: There are several issues to be solved. One is router overhead, which means that the router holds 120,000 prefix/origin-as pairs. The other is utilization of the IRR. All entries are not registered in the IRR database.

Consistency Check among AS policies
Nara Institute of Science and Technology: Masasi Eto (masash-e@is.aist-nara.ac.jp)

Auto-configuration with IRR
- Generate router configuration from routing policy registered in IRR with “RtConfig”
[Figure: Policy, IRR, RtConfig, Config; AS 1 and AS 2]

Consistency among AS policies
- Inconsistencies: inconsistency of import in routing information; inconsistency of export in routing information
- As a result: when we generate the router configurations from the IRR database, the connectivity between peering ASes will be lost.
- IRR inspects only the policy’s syntax. → Need to inspect the policy’s semantics

Inconsistency of import
[Figure: IX 3 with AS 1, AS 2, AS 4 and AS 5. Labels: AS 3; import: AS 2, AS 3, AS 4, AS 5; export: AS 2, AS 3, AS 4, -------]

Inconsistency of export
[Figure: IX 3 with AS 1, AS 2, AS 4 and AS 5. Labels: AS 3; import: AS 2, AS 3, AS 4, -------; export: AS 2, AS 3, AS 4, AS 5]

Classification of Inconsistencies
Inconsistencies of import:
- Peer AS-SET doesn’t exist on IRR database
- Peer AS doesn’t exist on IRR database
- Peer AS doesn’t export any route to the AS
- Peer AS doesn’t export route which the AS imports
Inconsistencies of export:
- Peer AS doesn’t import any route from the AS
- Peer AS doesn’t import route which the AS exports
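A sketch of the semantic check behind this classification, as an added example that is not the presenters' Policy Checker: each import or export line of one AS is compared with the mirrored line in its peer's policy. The one-peer, one-filter RPSL subset, the literal filter comparison with ANY as a wildcard, the sample objects, and the names parse and check_policy are assumptions; AS-SET peers are not handled, and a missing peer is reported for export lines as well as import lines.

```python
import re
# Constructed, simplified aut-num objects: one peer and one filter token per
# import/export line. Real RPSL policies are far richer than this.
IRR = """\
aut-num: AS1
import: from AS2 accept AS2
import: from AS3 accept ANY
import: from AS9 accept AS9
export: to AS2 announce AS1
export: to AS3 announce AS1

aut-num: AS2
import: from AS1 accept AS1
export: to AS1 announce AS-CUST

aut-num: AS3
export: to AS1 announce ANY
"""
LINE = re.compile(r"(import|export):\s+(?:from|to)\s+(\S+)\s+(?:accept|announce)\s+(\S+)")
MISSING = "Peer AS doesn't exist on IRR database"
NONE = {"import": "Peer AS doesn't export any route to the AS",
        "export": "Peer AS doesn't import any route from the AS"}
DIFF = {"import": "Peer AS doesn't export route which the AS imports",
        "export": "Peer AS doesn't import route which the AS exports"}

def parse(text):
    """Return {asn: {"import": {peer: filter}, "export": {peer: filter}}}."""
    db = {}
    for obj in text.strip().split("\n\n"):
        asn = re.search(r"aut-num:\s+(\S+)", obj).group(1)
        db[asn] = {"import": {}, "export": {}}
        for kind, peer, flt in LINE.findall(obj):
            db[asn][kind][peer] = flt
    return db

def check_policy(db, asn):
    """Check each policy line of asn against the peer's mirrored line."""
    found = []
    for kind, mirror in (("import", "export"), ("export", "import")):
        for peer, flt in db[asn][kind].items():
            theirs = db.get(peer, {}).get(mirror, {})
            if peer not in db:
                found.append((kind, peer, MISSING))
            elif asn not in theirs:
                found.append((kind, peer, NONE[kind]))
            # Literal token comparison with ANY as a wildcard (assumption).
            elif "ANY" not in (flt, theirs[asn]) and flt != theirs[asn]:
                found.append((kind, peer, DIFF[kind]))
    return found
```

Calling check_policy(parse(IRR), "AS1") returns one (direction, peer, classification) row per inconsistent policy line.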

Policy Check Server
- Policy Checker: inspects if the policy is consistent with peer ASes’ policies
- Database Checker: inspects how many inconsistencies exist on the unified IRR database

Example - query

Example - result

Analysis of Inspection Result
Registered ASes: 11696
-> 55.8% of ASes have at least one inconsistency

Detail of Inconsistencies
Classification                                        Number     Rate
Peer AS-SET doesn’t exist on IRR database                482    0.2 %
Peer AS doesn’t exist on IRR database                  7,971    4.0 %
Peer AS doesn’t export any routes to the AS           36,333   18.6 %
Peer AS doesn’t import any routes from the AS         34,710   17.8 %
Peer AS doesn’t export route which the AS imports     11,436    5.8 %
Peer AS doesn’t import route which the AS exports     17,753    9.1 %
Total                                                108,685   55.8 %
Rate of each inconsistency in all 194,820 import and export sentences

Future Work
- Deploy Policy Checker on JPIRR.
- Implement a function to notify result of investigation to JPIRR users periodically.