ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

A Threat Model for BGPSEC Steve Kent BBN Technologies.
NOPEER Route Attribute Propose a well-known transitive advisory scope attribute Applied by originating AS to route prefixes Interpretable as advice to.
RPKI Standards Activity Geoff Huston APNIC February 2010.
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.
SHIM6 Update Geoff Huston Kurtis Lindqvist SHIM6 co-chairs.
BGP Unallocated Address Route Server Geoff Huston March 2002.
Experimental Internet Resource Allocations Philip Smith, Geoff Huston September 2002.
4-Byte AS Numbers The view from the old BGP world Geoff Huston October 2006 APNIC.
BGP Status Update Geoff Huston September What Happening (AS4637) Date.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
BGP Security APNIC Open Policy Meeting Routing SIG 23 February 2005 Kyoto, Japan Russ Housley
The Border Gateway Protocol and Classless Inter-Domain Routing
RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Securing BGP Geoff Huston November Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.
SIDR WORKING GROUP IETF 80 PRAGUE draft-manderson-sidr-geo-00.
MPLS additions to RSVP Tunnel identification Tunnel parameter negotiation Routing policy distribution Routing debugging information Scalability improvements.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker
The Resource Public Key Infrastructure Geoff Huston APNIC.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.
Distance Vector Routing Protocols W.lilakiatsakun.
Draft-campbell-dime-load- considerations-01 IETF 92 DIME Working Group Meeting Dallas, Texas.
1 AutoconfBOF2.PPT / Aug / Singh,Perkins,Clausen IETF Not Confidential Ad hoc network autoconfiguration: definition and problem statement (draft-singh-autoconf-adp-00.txt)
RFC6374 in the presence of LSP merging draft-bryant-mpls-flow-ident and draft-chen-mpls-source-label M. Chen, X. Xu, Z. Li, L. Fang, G. Mirsky, S. Bryant,
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.
Using Resource Certificates Progress Report on the Trial of Resource Certification November 2006 Geoff Huston APNIC.
CIDR Classless Inter Domain Routing Give the IP address space some breathing room! Basic idea: allocate the remaining IP addresses in variable-size blocks.
AS Numbers NANOG 35 Geoff Huston APNIC. Current AS Number Status.
4 Byte AS Number Update Geoff Huston August 2008.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei Randy Bush sidr bgpsec reqs 1.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
Overview of draft-ietf-sidr-roa-00.txt Steve Kent BBN Technologies.
Securing the Internet Backbone: Current activities in the IETF’s Secure InterDomain Routing Working Group Geoff Huston Chief Scientist, APNIC.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
Draft-ietf-sidr-roa-format draft-ietf-sidr-arch Matt Lepinski BBN Technologies.
NEMO Basic Support update IETF 61. Status IANA assignments done Very close to AUTH48 call Some issues raised recently We need to figure out if we want.
BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012.
Organizations of all types and sizes face a range of risks that can affect the achievement of their objectives. Organization's activities Strategic initiatives.
AS Numbers - Again Geoff Huston APNIC October 2009
94th IETF, Yokohama, November 2015 Segment Routing Conflict Resolution draft-ginsberg-spring-conflict-resolution-00 Les Ginsberg
Securing BGP: The current state of RPKI
Auto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes?
November 2006 Geoff Huston APNIC
Goals of soBGP Verify the origin of advertisements
BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers. sidr wg / Québec City Doug Montgomery
Addressing 2016 Geoff Huston APNIC.
Charles Clancy Katrin Hoeper IETF 73 Minneapolis, USA 17 November 2008
Geoff Huston APNIC August 2009
APNIC Trial of Certification of IP Addresses and ASes
Resource Certificate Profile
Geoff Huston September 2002
RIPE October 2005 Geoff Huston APNIC
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
Progress Report on Resource Certification
ROA Content Proposal November 2006 Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Experimental Internet Resource Allocations
Design Expectations vs. Deployment Reality in Protocol Development
Presentation transcript:

ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74

What’s the Problem ? Assumption that the aim of the SIDR work is to allow the identification of “bad” routing information – What forms of routing information is “bad”? We are not (yet) working on the integrity of AS path and hop-by-hop attributes in the routing system – Lets restrict the question a little: What forms of origination information in routing is “bad”?

What’s the Problem? All Routing Advertisements Routing Advertisements with matching ROAs Scenario A: Comprehensive Use of ROAs Bad Routing Advertisements

What’s the Problem? All Routing Advertisements Routing Advertisements with matching ROAs Scenario A: Comprehensive Use of ROAs Bad Routing Advertisements This set is easy to define This is the complement of the other set

What’s the Problem? All Routing Advertisements Routing Advertisements with matching ROAs Valid Routing Advertisements without ROAs Scenario B: Piecemeal Use of ROAs BAD Routing Advertisements

What’s the Problem? All Routing Advertisements Routing Advertisements with matching ROAs BAD Routing Advertisements Valid Routing Advertisements without ROAs Scenario B: Piecemeal Use of ROAs How to distinguish between these two sets in a consistent manner? This set is easy to define

“Bad” Originations No ROA – Use of a prefix that is not currently allocated for public use – Use of an AS that is not currently allocated for public use A valid ROA exists, but… – Use of a prefix (address and mask) that is more specific than authorized by the prefix holder – Use of a prefix (address and mask) that is an aggregate of what is authorized by the prefix holder – Use of a prefix (address and mask) by an AS that is not authorized by the prefix holder

ROA Scope Considerations ROA: Prefix and Origin AS binding – More specific than ROA Prefix? – Aggregate Prefix? – Unauthorized Origin AS ROA = prefix: /16, maxlength: 20, origin: AS /24, originated by AS /16, originated by AS /15, originated by AS64500

Approaches (1) A ROA implicitly defines its complete “anti-set”: – The AS’s listed in this ROA are authorized to originate a prefix in the range of this ROA and no other AS’s have this authority, and no more specific prefix may be used by any AS (unless another ROA specifically authorizes such use)

Approaches (2) The AS 0 ROA (with maxlength=32 v4, 128 v6 ) – A ROA authorizing AS 0 to originate a prefix is an explicit (and verifiable) declaration by the prefix holder that NO AS should originate this prefix, and NO AS should originate any more specific prefix (unless there is a ROA explicitly authorizing such use) – This approach is a refinement of the “anti-set” interpretation of a ROA in so far as an AS 0 ROA authorizes NO use, so the AS 0 ROA has an anti-set interpretation that is intended to encompass ALL AS’s

Approaches (3) The BOA – A signed instrument with a similar (but not identical) structure to a ROA that asserts that set of prefixes (and their more specifics) AND the set of AS’s listed in the instrument should not be used in a public routing context, unless there is a ROA explicitly authorizing such use.

Some Open Issues In the AS 0 approach, do conventional ROAs include an implicit “anti-set” interpretation, or is this strictly limited to AS 0 ROAs? In the AS 0 approach, what is the interpretation of a ROA with an AS list that includes 0 with a maxlength less than 32 (128)? Should the anti-set be limited to the prefix up to maxlength and say nothing about more specifics? In the BOA approach, should ROAs carry an anti-set interpretation as well, or should all forms of authority ‘negation’ be performed by the BOA?

Some Open Issues What, if any, authority framework would allow a route for, say, /8 to be flagged as invalid? (invalid aggregate) What authority framework would allow a route for /8 to be flagged as invalid? (unallocated address) Should AS 0 and/or BOAs include semantics that include aggregates?

What is “partial deployment”? This uncertainty in validity stems from partial deployment of ROAs What scenarios should these ‘partial deployment’ approaches encompass? – Should a prefix holder be required to operate in an “all or none” mode with respect to ROA issuance? – once a prefix holder issues a ROA then ALL uses of the prefix and more specifics of that prefix that are not described by a ROA should be considered unauthorized? – What if the prefix holder wants to indicate that NO authority has been given to any AS? – Should the actions of a prefix holder in issuing a ROA force a more specific prefix holder to issue ROAs? – coerced ROA issuance for more specifics – Should the actions of a more specific prefix holder in issuing a BOA for the force the encompassing prefix holder to issue ROAs? – coerced ROA issuance for aggregates

Yet More Open Issues In a world of partial deployment, where some valid routes do not have ROAs, how should ROAs (and BOAs) be interpreted? – Accept / Reject? – Relative local preference setting? In a relative local preference setting framework are some omissions or authority failures more serious than others? (i.e. how should the failure modes be compared relative to each other?)

One possible way forward? A ROA implicitly defines an AS “anti-set”: – The AS’s listed in this ROA are authorized to originate a prefix in the range of this ROA and no other AS’s have this authority, and no more specific prefix may be used by any AS (unless another ROA specifically authorizes such use) A ROA for AS0 with a maxlength=32 v4, 128 v6 acts as a verifiable attestation in terms of an explicit denial capability

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.