Why don’t we have a Secure and Trusted Inter-Domain Routing System?

Slides:



Advertisements
Similar presentations
RPKI Standards Activity Geoff Huston APNIC February 2010.
Advertisements

An Operational Perspective on BGP Security Geoff Huston February 2005.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Inter-domain Routing security Problems Solutions.
A victim-centric peer-assisted framework for monitoring and troubleshooting routing problems.
The Resource Public Key Infrastructure Geoff Huston APNIC.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Jessica Lavoie CSC 101 November 27, Societal Topics Weeks 7 and 8 Internet Regulation Internet regulation is restricting or controlling access to.
Lecture 4: BGP Presentations Lab information H/W update.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.
BGP Man in the Middle Attack Jason Froehlich December 10, 2008.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
Information-Centric Networks04b-1 Week 4 / Paper 2 Understanding BGP Misconfiguration –Rahil Mahajan, David Wetherall, Tom Anderson –ACM SIGCOMM 2002 Main.
CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Information-Centric Networks Section # 4.2: Routing Issues Instructor: George Xylomenos Department: Informatics.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Inter-domain Routing Outline Border Gateway Protocol.
BGP Validation Russ White Rule11.us.
Lecture 18 Page 1 CS 236 Online Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems.
Are We There Yet? On RPKI Deployment and Security
Constraints on Automated Key Management for Routing Protocols
Securing BGP: The current state of RPKI
Auto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes?
DNSSEC Deployment Challenges
More Specific Announcements in BGP
Goals of soBGP Verify the origin of advertisements
Beyond Technical Solutions
The Issue We all depend on the Internet
Are We There Yet? On RPKI Deployment and Security
APNIC Trial of Certification of IP Addresses and ASes
COS 561: Advanced Computer Networks
Link State on Data Center Fabrics
Some Thoughts on Integrity in Routing
More Specific Announcements in BGP
APNIC Trial of Certification of IP Addresses and ASes
Data Security in Local Networks using Distributed Firewalls
Strategic Uses of Information Technology
The real-time Internet routing observatory
Why is Securing the Internet’s Routing System so Hard?
COS 561: Advanced Computer Networks
Why is Securing the Internet’s Routing System so Damn Difficult?
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Improving global routing security and resilience
APNIC’s Engagement on Security
Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
FIRST How can MANRS actions prevent incidents .
Design Expectations vs. Deployment Reality in Protocol Development
Presentation transcript:

Why don’t we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC

Why do we keep seeing these headlines?

1. The Meta Goal Can we devise changes to operational practices, or operational tools or routing technologies that manage the inter-domain routing system that could prevent the propagation of false or artificial routing information in the Internet?

This is a Very Challenging Goal It’s a problem as old as the concept of a distributed inter-domain routing system Each actor applies local policy constraints on local topology knowledge to guide its local route object propagation decisions No single actor has sufficient “whole of system” data to determine the difference between what it should’ve learned and what it has learned

The ideal We want the interdomain routing system to advertise the correct reachability information for “legitimately connected” prefixes at all times That means that we want to avoid: promulgating reachability for bogus address prefixes promulgating incorrect paths for reachable prefixes blocking paths for legitimately connected prefixes

The problem While we’d like to think we understand the provenance for each and every IP address, that is not exactly the case And even if we did, we have no precise knowledge as to which network has the authority to originate a route object for that address And even then we have no exact knowledge of the inter-domain topology of the network And even then we have no clear knowledge of the local policy constraints that are applied to the propagation of reachability and topology information

The problem All of which means that we have no clear model of “truth” to compare to the information flow in the routing system

1. A Weaker Goal Can we devise changes to operational practices, or operational tools or routing technologies that manage the inter-domain routing system that could resist attempts to inject false or artificial routing information in the Internet?

2. What Data would we like? An (impossible) ideal data set is the “reference set” that describes a ‘correct’ route object set that should be visible at any vantage point in the network And access to a set of credentials that support any such attestation of “correctness” As a compromise we could settle for a reference set that describes a ‘stable’ route object set that should be visible at any vantage point in the network

What we want and don’t want BGP anomaly detectors and observatories are all well and good, but they have not proved to be all that useful to the operations community They are a bit like smoke alarms – they can’t prevent the root cause, but simply alarm after it happens What we would like is some form of route acceptance model that can be used as an acceptance filter

Some 10 years ago… We observed that we needed to improve “truth” in addressing and routing We designed a PKI to allow digitally signed attestations about addresses and AS numbers for use in routing We published tools to allow network operators to use this PKI We supported security extensions to BGP to make use of these signed attestations - BGPSEC

Is BGPSEC the Answer? Yes and No Yes, it can reject anomalous BGP updates upon receipt of the update But: it relies of the correct operation of the protocol, not the correct implementation of policy It is very expensive to run It relies on comprehensive adoption, and partial adoption is a worst case scenario for this protocol

What’s going wrong? BGP hijacking is not perceived as something we should work hard to prevent BGP hijacking is not an end in itself, but a part of a larger attack E.g. April ‘18 MyEtherWallet raid was an attack involving a domain name registrar, the DNS, a susceptible certificate authority and a BGP route injection to work The economics of this situation work against it Apparently there are inadequate commercial drivers to undertake extensive informed route monitoring that would enable hijack suppression at source Probably because integrity of common infrastructure is everyone’s problem which in turn quickly becomes nobody’s problem

How should we look at routing insecurity? Is this a failure of technology? If we had a better routing widget then we would no longer have a problem Is this an instance of failure in the market? Providers see no marginal competitive advantage in deploying these tools Is this a regulatory failure? If we have to turn to some form of imposition on network providers to secure the routing system then how will we do this? (The current national and regional regulatory examples in content control and encryption are woeful examples! Why would comparable efforts in routing security fare any better?)

What should we do? “Let’s do nothing” is an unsatisfactory response But anything other than “nothing” seems to head towards pointlessly ineffectual!