An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.


Risk Management
- Operational security is not about being able to create and maintain absolute security.
- It's about a pragmatic approach to risk mitigation, using a trade-off between cost, complexity, flexibility and outcomes.
- It's about making an informed and reasoned judgment to spend a certain amount of resources in order to achieve an acceptable risk outcome.

Threat Model
Understanding the threat model for routing
- What might happen?
- What are the likely consequences?
- How can the consequences be mitigated?
- What is the cost tradeoff?
- Does the threat and its consequences justify the cost of implementing a specific security response?

Routing Security…
Protecting routing protocols and their operation
- What you are attempting to protect against:
  - Compromise the topology discovery / reachability operation of the routing protocol
  - Disrupt the operation of the routing protocol
Protecting the protocol payload
- What you are attempting to protect against:
  - Insert corrupted address information into your network’s routing tables
  - Insert corrupt reachability information into your network’s forwarding tables

Threats
Corrupting the routers’ forwarding tables can result in:
- Misdirecting traffic (subversion, denial of service, third party inspection, passing off)
- Dropping traffic (denial of service, compound attacks)
- Adding false addresses into the routing system (support compound attacks)
- Isolating or removing the router from the network

Operational Security Measures
Security considerations in:
- Network Design
- Device Management
- Configuration Management
- Routing Protocol deployment
Issues:
- Mitigate potential for service disruption
- Deny external attempts to corrupt routing behaviour or payload

Protecting the BGP payload
- How to increase your confidence that the routes you learn from your eBGP peers are authentic and accurate
- How to ensure that what you advertise to your eBGP peers is authentic and accurate

Routing Security
The basic routing payload security questions that need to be answered are:
- Who injected this address prefix into the network?
- Did they have the necessary credentials to inject this address prefix?
- Is this a valid address prefix?
- Is the forwarding path to reach this address prefix credible?
What we have today is a relatively insecure system that is vulnerable to various forms of disruption and subversion
- While the protocols can be reasonably well protected, the management of the routing payload cannot reliably answer these questions

What I (personally) really want to see…
The use of authenticatable attestations to allow automated validation of:
- the authenticity of the route object being advertised
- authenticity of the origin AS
- the binding of the origin AS to the route object
Such attestations used to provide a cost effective method of validating routing requests
- as compared to today’s state of the art based on techniques of vague trust and random whois data mining

And what would be even better…
- Such attestations to be carried in BGP as payload attributes
- Attestation validation to be a part of the BGP route acceptance / readvertisement process

And what (I think) should be retained…
BGP as a “black box” policy routing protocol
- Many operators don’t want to be forced to publish their route acceptance and redistribution policies.
BGP as a “near real time” protocol
- Any additional overheads of certificate validation should not impose significant delays in route acceptance and readvertisement

Status of Routing Security
It would be good to adopt some basic security functions into the Internet’s routing domain
- Certification of Number Resources
  - Is the current controller of the resource verifiable?
- Explicit verifiable trust mechanisms for data distribution
  - Signed routing requests
  - Adoption of some form of certificate repository structure to support validation of signed routing requests
  - Have they authorized the advertisement of this resource?
  - Is the origination of this resource advertisement verifiable?
- Injection of reliable trustable data into the protocol
  - Address and AS certificate / authorization injection into BGP

Next Steps?
- PKI infrastructure support for IP addresses and AS numbers
- Certificate Repository infrastructure
- Operational tools for nearline validation of signed routing requests / signed routing filter requests / signed entries in route registries
- Carrying signature information as part of BGP Update attribute
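
A sketch of the near-line validation of routing requests listed above, as an added example that is not part of the original presentation. The `ResourceCert` and `OriginAuth` records, their field names and the valid/invalid/unknown outcomes are assumptions made for illustration; signature checking is assumed to have happened before these records are loaded, and a more-specific prefix of an authorized block is treated as covered.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourceCert:  # hypothetical record; signature assumed already verified
    holder: str
    prefixes: tuple      # address blocks certified to the holder
    issuer: str = None   # None marks the trust anchor

@dataclass(frozen=True)
class OriginAuth:  # hypothetical signed statement: holder lets origin_as originate prefix
    holder: str
    prefix: str
    origin_as: int

def covers(outer, inner):
    """True if the block `outer` (string) contains the network `inner`."""
    outer = ipaddress.ip_network(outer)
    return outer.version == inner.version and inner.subnet_of(outer)

def holder_controls(holder, net, certs, seen=()):
    """True if certificates chain from holder to a trust anchor, each covering net."""
    if holder in seen:  # reject issuer loops
        return False
    for c in certs:
        if c.holder == holder and any(covers(p, net) for p in c.prefixes):
            if c.issuer is None or holder_controls(c.issuer, net, certs, seen + (holder,)):
                return True
    return False

def validate_request(prefix, origin_as, certs, auths):
    """Classify a routing request as 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    # An authorization counts only if it covers the request and its signer
    # verifiably holds the whole block it authorizes.
    usable = [a for a in auths if covers(a.prefix, net)
              and holder_controls(a.holder, ipaddress.ip_network(a.prefix), certs)]
    if not usable:
        return "unknown"
    return "valid" if any(a.origin_as == origin_as for a in usable) else "invalid"

# Constructed sample data (documentation prefixes and AS numbers).
CERTS = [
    ResourceCert("registry", ("192.0.2.0/24", "198.51.100.0/24")),
    ResourceCert("isp-a", ("192.0.2.0/24",), "registry"),
    ResourceCert("isp-b", ("198.51.100.0/25",), "registry"),
]
AUTHS = [
    OriginAuth("isp-a", "192.0.2.0/24", 64496),
    OriginAuth("isp-b", "198.51.100.0/24", 64497),  # signer holds only a /25
]
```

The authorization signed by `isp-b` is ignored because its certificate covers only half of the block it claims, so requests for that block come back as unknown rather than valid.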

Question for GROW
Is there interest in working on specification / description of tools that use a resource PKI for near line validation of routing requests?