Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.

Slides:



Advertisements
Similar presentations
RPKI Standards Activity Geoff Huston APNIC February 2010.
Advertisements

An Operational Perspective on BGP Security Geoff Huston February 2005.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Guide to Network Defense and Countermeasures Second Edition
FCC CSRIC III Working Group 4 Network Security Best Practices Rodney Joffe SVP and Senior Technologist, Neustar, Inc.
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
The need for BGP AfNOG Workshops Philip Smith. “Keeping Local Traffic Local”
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University January.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Computer Science Department Princeton University
Challenge: Securing Routing Protocols Adrian Perrig
Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University July.
Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University August,
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
#ICANN49 Security and Stability Advisory Committee Activities Update ICANN Singapore Meeting March 2014.
Inter-domain Routing Outline Border Gateway Protocol.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
– Chapter 4 – Secure Routing
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
Information-Centric Networks04a-1 Week 4 / Paper 1 Open issues in Interdomain Routing: a survey –Marcelo Yannuzzi, Xavier Masip-Bruin, Olivier Bonaventure.
Introduction to BGP.
By Sylvia Ratnasamy, Andrey Ermolinskiy, Scott Shenker Presented by Fei Jia Revisiting IP Multicast.
Working Group 6: Secure BGP Deployment December 16, 2011 Andy Ogielski, Renesys Jennifer Rexford, Princeton U. WG 6 Co-Chairs.
Draft-mickles-v6ops-isp-cases-01.txt September 19, 2002 Cleveland Mickles V6OPS ISP Breakout Session.
Working Group 6: Secure BGP Deployment 14 March 2013 Andy T Ogielski, Renesys Jennifer Rexford, Princeton WG 6 Co-Chairs.
Infrastructure Attack Vectors and Mitigation Benno Overeinder NLnet Labs.
BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.
Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.
Working Group #4: Network Security Best Practices March 22, 2012 Presenter: Tony Tauber, Comcast WG #4 Member Via teleconference: Rod Rasmussen, Internet.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.
DSSA Update Costa Rica – March, Goals for today Update you on our progress Raise awareness Solicit your input 2.
SDX: A Software-Defined Internet eXchange Jennifer Rexford Princeton University
Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair.
Network Security1 Secure Routing Source: Ch. 4 of Malik. Network Security Principles and Practices (CCIE Professional Development). Pearson Education.
IPv6 Site-Local Discussion Bob Hinden & Margaret Wasserman IETF 56 San Francisco March 2003.
IPv6 Operation Study Group in Japan March 5, 2002 Akihiro Inomata/Fujitsu Limited Chair of IPv6 Operation Study Group.
CSCI-1680 Network Layer: Inter-domain Routing Based partly on lecture notes by Rob Sherwood, David Mazières, Phil Levis, Rodrigo Fonseca John Jannotti.
Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
Working Group 6: Secure BGP Deployment March 22, 2012 Andy Ogielski, Renesys Jennifer Rexford, Princeton U. WG 6 Co-Chairs.
Site Multihoming for IPv6 Brian Carpenter IBM TERENA Networking Conference, Poznan, 2005.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—2-1 BGP Transit Autonomous Systems Forwarding Packets in a Transit AS.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
A BCOP document: Implementing MANRS Job Snijders (NTT) Andrei Robachevsky (ISOC)
Working Group 6: Secure BGP Deployment September 23, 2011 Andy Ogielski, Renesys Jennifer Rexford, Princeton U. WG 6 Co-Chairs.
Inter-domain Routing Outline Border Gateway Protocol.
Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Elliott Karpilovsky, Princeton University on behalf of Jennifer Rexford, Princeton.
Securing Access to Data Using IPsec Josh Jones Cosc352.
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
1 CS716 Advanced Computer Networks By Dr. Amir Qayyum.
Auto-Detecting Hijacked Prefixes?
Goals of soBGP Verify the origin of advertisements
Jessica Yu ANS Communication Inc. Feb. 9th, 1998
Improving global routing security and resilience
FIRST How can MANRS actions prevent incidents .
Presentation transcript:

Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4

2 Working Group #4: Network Security Best Practices Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to some significant deployment of protocol extensions such as the Domain Name System Security Extensions (DNSSEC), Secure BGP (Border Gateway Protocol) and the like. The scope and focus is currently deployed and available feature-sets and processes and not future or non-widely deployed protocol extensions. Duration: September 2011 – March 2013

Working Group #4 – Participants  Co-Chairs  Rod Rasmussen – Internet Identity  Rodney Joffe – Neustar  Participants  30 Organizations represented  Service Providers  Network Operators  Academia  Government  IT Consultants 3

Working Group #4 – Participant List 4

Working Group #4 – Deliverables  Domain Name Service (DNS) Security Issues  Reported on in September 2012  BGP and Inter-Domain Routing Security Issues  Report and vote today 5

Working Group #4: Network Security Best Practices FINAL Report – Routing Security Best Practices March 6, 2013 Presenter: Tony Tauber, Comcast WG #4

Routing Key Points  Routing security is an environmental good  Unilateral action does not entirely benefit practitioners  Deployment details and scenarios vary  Recommendations should as well  Autonomy is sacrosanct  Key feature of the operational Internet 7

Report Scope  Capabilities in currently deployed gear  Not commenting on protocol extension work  Handled in WG #6  ISP Network Operational Practices  Enterprise Network Operational Practices  Administrative Practices 8

Routing Issues Considered  BGP Session-Level Vulnerability  Session Hijacking  Denial of Service (DoS) Vulnerability  Source-address filtering  BGP Injection and Propagation Vulnerability  BGP Injection and Propagation Countermeasures  BGP Injection and Propagation Recommendations  Other Attacks and Vulnerabilities of Routing Infrastructure  Hacking and unauthorized 3rd party access to routing infrastructure  ISP insiders inserting false entries into routers  Denial-of-Service Attacks against ISP Infrastructure  Attacks against administrative controls of routing identifiers 9

Deployment Scenarios  Vary according to topology  Stub network vs. Transit network  Vary as a function of scale  Number of BGP routers  Number of BGP sessions  Size of Operational staff 10

Recommendation Process  Leverage existing security recommendations  Taken together recommendations can be confusing, contradictory  Tailor advice based on deployment scenarios  IETF RFCs and BCPs, ICANN SSAC Papers, NIST Special Reports, ISOC papers, SANS Reports  Over a dozen separate documents referenced 11

Recommendation Highlights  Perform explicit filtering of BGP prefixes  Customer relationships  Protect against spoofed IP source addresses  Source validation at network edge  Filter internal address space inbound from Internet  Use extra steps to lessen impact of route leaks  Coarse AS-path filters  Maximum-Prefix limits 12

Working Group #4: Network Security Best Practices March 6, 2013 Questions/Comments Presenter: Tony Tauber, Comcast WG #4 Co-Chair

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.