21 Sep 2005Internet21 Securing the Routing Infrastructure Sandra Murphy Sparta, Inc

21 Sep 2005Internet22 BGP Operation AS 10 ASPATH=10, NLRI=12/8 ASPATH=20,10, NLRI=12/8 ASPATH=30,20,10, NLRI=12/8 AS 20 AS 30 AS 22 ASPATH=22,20,10, NLRI=12/8 Net 12/8 ASPATH=20,10, NLRI=12/8

21 Sep 2005Internet23 BGP Operation – More specific prefixes AS 10 ASPATH=10, NLRI=12/8 ASPATH=20,10, NLRI=12/8 ASPATH=30,20,10, NLRI=12/8 ASPATH=22, NLRI=12.12/16 AS 20 AS 30 AS 22 ASPATH=22,20,10, NLRI=12/8 ASPATH=22, NLRI=12.12/16 Net 12/8 ASPATH=20,10, NLRI=12/8 Net 12.12/16

21 Sep 2005Internet24 Misconfiguration (we hope) Attacks Apr 1997 AS7007 announces classful addresses for the whole world Feb/Apr/Aug 2001 Abovenet/Quest/Digex announces routes with private AS numbers in them Typical consequences: –Dec 1999 a mis-origination by a downstream takes out ATT’s dial-up net – WSJ notices –Apr/May 2003 Trafalgar House/LA County space hijacked by registry spoof –Side effect on operation Covad does not aggregate their prefix announcements because they tried it and someone announced more specific prefixes

21 Sep 2005Internet25 Think we’re past all that? Dec 24, 2004 – AS9121 (TTNet) announced 100K+ routes for 1hr20min (shorter event later) –According to May 2005 NANOG presentation, 1/3 of Rensys’s 100 peers saw the bad routes within 3 min –The bad routes spread far and wide –Affected networks included (from NANOG slide): Blue Cross Blue Shield of Iowa - Thomson Financial Services - Citicorp Global Information Network -MetLife Capital Corp - Pitney Bowes Credit Corporation - Brown Brothers Harriman & Company - LaSalle Partners - Kuwait Fund for Arab Economic Development

21 Sep 2005Internet26 And recently… Sep 9, 9:29-10:47, 26210, a Bolivian ISP, announced 12/8, 64/8 and 65/8. –12/8, –GX-Sprint-Telefonica-AES Comm (Bolivia) On Sep 10, another anomaly –12/8, (GX-TeliaNet-NCORE) –“FYI, happened again this morning for (at least) 12/8 duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s.

21 Sep 2005Internet27 Consequences Note to NANOG Sep 9: “And wouldn't you know it, we have an application that needs to reach servers in 12/8 and 65/8, and someone just came over to me asking for help in figuring out why that application isn't working. I guess I should have checked my NANOG mail before I told them I had no idea what was going on. :)”

21 Sep 2005Internet28 Moral of the Story Your network operation may be an inspiration to us all, but: The other parts of the Internet hold your fate: –Your users may not be able to reach the sites they want to reach –Your users’s remote users may not be able to reach your users Need more than effective local operation

21 Sep 2005Internet29 A Sequence of Solutions Increasingly stringent – increasing cost: 1.Peer-peer Connection Protection 2.Filters – prefix filters and AS-path filters 3.Origination Protection 4.Origination and AS_PATH Adjacency Protection 5.Origination and AS_PATH Route Protection 6.Origination, Transit and Policy Protection 7.“Freshness”

21 Sep 2005Internet210 In Common Use Peer-Peer protection methods –TCP MD5, IPSEC, TLS, GTSM, (BTNS?) For crypto techniques, management the biggest problem –Managing keys for many, many peers, key rollover, hash algorithm rollover Performance scale comes up frequently as well

21 Sep 2005Internet211 In Common Use (2) Filters – prefix filters and AS-PATH filters Requires transitive trust –“Transitively trusting all peers’ on-net customers: fundamentally unsafe” (NANOG Renesys presentation) Management hard (particularly at large AS’s) – keeping filter lists current –Manual configuration –Authority based Team Cymru Bogon Route Server Project for VIP, bogon and martians; IRR based filter generators OTOH: Mar /8 allocated; Jan 2004 – 83/8 and 84/8 allocated – installed filters did not keep up For large ISP’s – filter lists stress hardware

21 Sep 2005Internet212 Requirements for Authorities Must scale to Internet size and routing dynamics Design issues: –Non-hierarchical, singly rooted, multiply rooted? –Centralized, replicated, or distributed? –Client/server vs peer-peer? –Query/response vs wholesale download? –Event based vs periodic download? ISP distaste for relying on external info for configuration of their routing; chicken and egg

21 Sep 2005Internet213 Origination Protection Authorization only (AS is authorized address) Authorization and Authentication (AS is also currently announcing address) protects that “17%” unannounced but allocated Need authority (not necessarily central) that: –Stores info completely, accurately and securely –Accepts changes securely – model for authorization Need architecture and mechanisms for communication with “authority” Need procedures and tools for putting info into use

21 Sep 2005Internet214 Origination and AS_PATH Adjacency Protection Checks that adjacent AS’s in AS_PATH have peering –SoBGP, Garcia-Lunes-Aceves/Smith Need way to securely transmit adjacency – inline or query/download from database Processing demands (crypto stuff) Residual vulnerabilities –existence of peering adjacency gives no assurance AS’s will transit traffic –does not assure loop freedom

21 Sep 2005Internet215 Origination and AS_PATH Route Protection Protection to show update propagating through AS’s AS_PATH –indicates each AS in path has willingness and capability to forward traffic toward the stated route –SBGP; SPV Protection may or may not be passed inline Processing demands – crypto and storage Residual vulnerabilities –Freshness; policy compliance

21 Sep 2005Internet216 Origination, Route and Policy Protection Policy protection – e.g., AS A has a peering relationship with B, not transit – B should not announce A’s addresses Need to express and communicate policy –That means expose policy – anathema to many Policy is specific to one AS –But may target remote AS No current mechanisms to express, communicate or ensure policies (caveat: SoBGP)

21 Sep 2005Internet217 Freshness Receive replacement route, send replacement route – then send original route again BGP has no features that would facilitate discerning maintenance of update ordering

21 Sep 2005Internet218 Current Activity Concerned community working on this –ISP’s, Registry, Security, Router Vendor folk Consensus is that the most pressing need is: –Registration database integrity improved –Authenticated list of AS-prefix origination authorizations Useful in many ways: –Operational debugging –Customer care –Security protection Fundamental basis for ANY security solution

21 Sep 2005Internet219 Query Anyone interested in participating in discussion? In putting this to a trial? –Start with AS->prefix mapping for Internet2 –See how difficult it is to include in operational procedures Sponsor - DHS S&T, SPRI program (Secure Protocols for the Routing Infrastructure)