Amreesh Phokeer Research Manager AfPIF-10, Mauritius

Slides:

Advertisements

Similar presentations

A Threat Model for BGPSEC

Advertisements

A Threat Model for BGPSEC Steve Kent BBN Technologies.

Multihoming and Multi-path Routing

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

Best Practices for ISPs

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.

Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)

Economic Incentives in Internet Routing Jennifer Rexford Princeton University

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)

Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.

Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.

Information-Centric Networks04a-1 Week 4 / Paper 1 Open issues in Interdomain Routing: a survey –Marcelo Yannuzzi, Xavier Masip-Bruin, Olivier Bonaventure.

How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.

Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.

AFRINIC Update AFRINIC APRICOT, Fukuoka, Japan 4 March 2015.

BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk

Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di.

Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.

Building a More Trusted and Secure Internet RIPE 70, May

Global Routing System Scaling Issues Cathy Wittbrodt - iVMG, Inc Moderator.

CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)

How can we work together to improve security and resilience of the global routing system? Andrei Robachevsky.

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.

Meet the Falcons Ciprian Marginean Aris Lambrianidis

Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.

1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Using Multihomed BGP Networks.

A BCOP document: Implementing MANRS Job Snijders (NTT) Andrei Robachevsky (ISOC)

Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

1 Internet Society Collaborative Security & MANRS ENOG 10 – 14 October 2015, Odessa Maarit Palovirta

One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.

CS 3700 Networks and Distributed Systems

CS 3700 Networks and Distributed Systems

Auto-Detecting Hijacked Prefixes?

Securing BGP Bruce Maggs.

Internet Routing Health Measurement Bar BoF

Beyond Technical Solutions

We Care About Data Quality at IXPs

Interdomain Traffic Engineering with BGP

Everybody Leaks Alexander Azimov.

Are We There Yet? On RPKI Deployment and Security

Does Scale, Size, and Locality Matter

Some Thoughts on Integrity in Routing

Jessica Yu ANS Communication Inc. Feb. 9th, 1998

Working together to improve routing security for all

MANRS IXP Partnership Programme

Measuring routing (in)security

Propuestas Concepción 2018

COS 561: Advanced Computer Networks

Securing BGP Bruce Maggs.

Improving global routing security and resilience

COMPUTER NETWORKS CS610 Lecture-41 Hammad Khalid Khan.

Fixing the Internet: Think Locally, Impact Globally

Peering Security DKNOG, March 14-15, 2019 Susan Forney and Walt Wollny

FIRST How can MANRS actions prevent incidents .

MANRS Implementation Guides

By Keessun Fokeerah Member Services(MS) Team

Validating MANRS of a network

AFRINIC Update RIPE79 Rotterdam, The Netherlands 18 October 2019.

Presentation transcript:

Amreesh Phokeer Research Manager AfPIF-10, Mauritius Routing Security 101 Amreesh Phokeer Research Manager AfPIF-10, Mauritius

Routing security BGP is based entirely on trust No in-built security mechanism to validate BGP announcements No single point of control Work on the basis of unreliable sources of data (WHOIS, IRR, etc)

Route hijacking When a network operator impersonates another network operator (I advertise your prefix) or pretends that announced prefixes are their clients BGP principles: More specifics and Shortest path Malicious or unintentional Might create outages

Route hijacking When a network operator impersonates another network operator (I advertise your prefix) or pretends that announced prefixes are their clients BGP principles: More specifics and Shortest path Malicious or unintentional Might create outages

Route hijacking Internet ISP AS C Transit Provider AS D AS X AS A AS B 2001:db8:1001::/48 192.0.2.0/24 2001:db8:2002::/48 198.51.100.0/24

Route hijacking Internet ISP AS C Transit Provider AS D AS X AS A AS B 2001:db8:1001::/48 192.0.2.0/24 2001:db8:2002::/48 198.51.100.0/24

Route hijacking Internet ISP Normal path AS C Transit Provider AS D AS X AS A AS B 2001:db8:1001::/48 192.0.2.0/24 2001:db8:2002::/48 198.51.100.0/24

Route hijacking Internet ISP Normal path 192.0.2.0/24 AS C Transit Provider AS D Normal path AS X AS A AS B 192.0.2.0/24 2001:db8:1001::/48 192.0.2.0/22 2001:db8:2002::/48 198.51.100.0/22

Route hijacking Internet ISP Normal path 192.0.2.0/24 AS C Transit Provider AS D Normal path AS X AS A AS B 192.0.2.0/24 2001:db8:1001::/48 192.0.2.0/22 2001:db8:2002::/48 198.51.100.0/22

Route leaks When a network operator who is multi-homing (2 upstream) accidentally announces routes learned from one upstream to the other upstream Customer AS become an intermediary Usually unintentional

Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 8.8.8.0/24 8.8.8.0/24 2001:db8:2002::/48 198.51.100.0/22 Route leaks AS A 8.8.8.0/24 Transit AS T 8.8.8.0/24 Google Internet ISP 8.8.8.0/24 8.8.8.0/24 AS B 2001:db8:1001::/48 192.0.2.0/22

Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 Leaks 8.8.8.0/24 2001:db8:2002::/48 198.51.100.0/22 Route leaks AS A 8.8.8.0/24 Transit AS T 8.8.8.0/24 Google Internet Leaks 8.8.8.0/24 ISP 8.8.8.0/24 8.8.8.0/24 AS B 2001:db8:1001::/48 192.0.2.0/22

Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 Leaks 8.8.8.0/24 2001:db8:2002::/48 198.51.100.0/22 Route leaks AS A 8.8.8.0/24 Transit AS T 8.8.8.0/24 Google Internet Leaks 8.8.8.0/24 ISP 8.8.8.0/24 8.8.8.0/24 AS B Prefer Customer routes 2001:db8:1001::/48 192.0.2.0/22

Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 Leaks 8.8.8.0/24 2001:db8:2002::/48 198.51.100.0/22 Route leaks AS A 8.8.8.0/24 Transit AS T 8.8.8.0/24 Google Internet Leaks 8.8.8.0/24 ISP 8.8.8.0/24 8.8.8.0/24 AS B Prefer Customer routes 2001:db8:1001::/48 192.0.2.0/22

Solutions Yes a few: Prefix and AS-PATH filtering RPKI, IRR BGPSEC (now standardised) Issues Lack of incentives for deployment Lack of reliable data

Build filters! 12,600 total incidents (outages or route leaks) Some Stats for 2018: 12,600 total incidents (outages or route leaks) Over 4% of ASNs were affected 2,737 ASNs were victim of a least one routing incident 1,294 networks caused routing incidents Yes a few: Prefix and AS-PATH filtering RPKI, IRR BGPSEC (now standardised) Issues Lack of incentives for deployment Lack of reliable data Source: BGPStream

Tragedy of the commons Mutually Agreed Norms for Routing Security Internet Routing: Security is more often in the hands of your peers. Securing you own network does not necessarily make it more secure. Mutually Agreed Norms for Routing Security

Principles Filtering – Prevents announcements of incorrect routing information Filter your own announcements Filter incoming announcements from your peers and customers Filter AS-PATH Build filters using IRR, RPKI Big Network filters Anti-spoofing – Prevent traffic with spoofed source IP addresses Source address validation for stub customers Coordination – Facilitate global operational communication and coordination between network operators Maintain up-to-date data on IRR, WHOIS, etc Global Validation – Facilitate validation of routing information on a global scale Publish your routing policies

Thank you for your Attention afrinic afrinic afrinic afrinic media .net twitter.com/ flickr.com/ facebook.com/ linkedin.com/company/ youtube.com/ www. Thank you for your Attention Questions?