Draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei 2011.11.15 Randy Bush 2011.11.15 sidr bgpsec reqs 1.

Slides:

Advertisements

Similar presentations

NOPEER Route Attribute Propose a well-known transitive advisory scope attribute Applied by originating AS to route prefixes Interpretable as advice to.

Advertisements

Route Leaks Sandra Murphy. Is This a Route Leak? To be able to detect a route leak: Given Update with AS_PATH AS1…ASn Is this a route leak?

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Interdomain Traffic Engineering with BGP By Behzad Akbari Spring 2011 These slides are based on the slides of Tim. G. Griffin (AT&T) and Shivkumar (RPI)

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

Path Vector Routing NETE0514 Presented by Dr.Apichan Kanjanavapastit.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

Quantitative Analysis of BGP Route Leaks Benjamin Wijchers Benno Overeinder.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

Announcement  Slides and reference materials available at  Slides and reference materials available.

CDNI Footprint Advertisement draft-previdi-cdni-footprint-advertisement-00 Stefano Previdi Francois Le Faucheur Allan Guillou Jan Medved IETF-82 Taipei,

1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.

Tutorial 5 Safe Routing With BGP Based on: Internet.

The Border Gateway Protocol (BGP) Sharad Jaiswal.

CS Summer 2003 Quiz 1 A1) IGP (IS-IS, OSPF) BGP A2) Stub Transit. because it is adverting AS2’s routes to AS1 and vice versa. A3) Traffic discarded.

Feb 12, 2008CS573: Network Protocols and Standards1 Border Gateway Protocol (BGP) Network Protocols and Standards Winter

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)

IETF81 Secure IDR Rollup – TREX Workshop 2011 David Freedman, Claranet.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.

Advertising Equal Cost Multi-Path Routes in BGP Manav Bhatia Samsung India Software Operations, Bangalore – India July 17, th IETF - Vienna draft-ecmp-routes-in-bgp-00.txt.

CS 3700 Networks and Distributed Systems Inter Domain Routing (It’s all about the Money) Revised 8/20/15.

How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.

Commercial Peering Service Community Attribute Use in Internet2 CPS Caren Litvanyi lead network engineer peering team Internet2 NOC GigaPoP Geeks BOF January.

Lecture 4: BGP Presentations Lab information H/W update.

© Synergon Informatika Rt., 1999 Chapter 12 Connecting Enterprises to an Internet Service Provider.

Border Gateway Protocol

David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Hierarchical Routing (§5.2.6)

Border Gateway Protocol (BGP) W.lilakiatsakun. BGP Basics (1) BGP is the protocol which is used to make core routing decisions on the Internet It involves.

A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.

More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.

Draft-ietf-sidr-bgpsec-protocol Matt Lepinski

BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.

BGPSEC : A BGP Extension to Support AS-Path Validation Matt Lepinski BBN Technologies.

Internet Protocols. ICMP ICMP – Internet Control Message Protocol Each ICMP message is encapsulated in an IP packet – Treated like any other datagram,

AS Numbers NANOG 35 Geoff Huston APNIC. Current AS Number Status.

4 Byte AS Number Update Geoff Huston August 2008.

The New Policy for Enterprise Networking Robert Bays Chief Scientist June 2002.

Meet the Falcons Ciprian Marginean Aris Lambrianidis

Draft-ietf-sidr-roa-format draft-ietf-sidr-arch Matt Lepinski BBN Technologies.

A Measurement Study on the Impact of Routing Events on End-to-End Internet Path Performance Feng Wang 1, Zhuoqing Morley Mao 2 Jia Wang 3, Lixin Gao 1,

Border Gateway Protocol BGP-4 BGP environment How BGP works BGP information BGP administration.

BGP Validation Russ White Rule11.us.

Doing Don’ts: Modifying BGP Attributes within an Autonomous System Luca Cittadini, Stefano Vissicchio, Giuseppe Di Battista Università degli Studi RomaTre.

Fri 2 Aug 2013SIDR IETF 87 Berlin, German1 BGPSEC Protcol Error Handling IETF 87 Berlin, Germany Wednesday, 31 Jul 2013 Friday, 2 Aug 2013.

Migratory ASs Sandra Murphy

CS 3700 Networks and Distributed Systems

BGP Flexible Communities

IETF 81 Quebec, QC, Canada Thursday, 28 July, 2011

ICMP ICMP – Internet Control Message Protocol

Goals of soBGP Verify the origin of advertisements

Interdomain Traffic Engineering with BGP

BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers. sidr wg / Québec City Doug Montgomery

Module Summary BGP is a path-vector routing protocol that allows routing policy decisions at the AS level to be enforced. BGP is a policy-based routing.

BGP Overview BGP concepts and operation.

Some Thoughts on Integrity in Routing

COS 561: Advanced Computer Networks

BGP Multiple Origin AS (MOAS) Conflict Analysis

COS 561: Advanced Computer Networks

Why don’t we have a Secure and Trusted Inter-Domain Routing System?

An Analysis of BGP Multiple Origin AS (MOAS) Conflicts

Fixing the Internet: Think Locally, Impact Globally

Computer Networks Protocols

Amreesh Phokeer Research Manager AfPIF-10, Mauritius

Presentation transcript:

draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei Randy Bush sidr bgpsec reqs 1

Detect Modifications A BGPsec design must allow the receiver of an announcement to detect if an AS has added or deleted any AS number other than its own in the path attribute. This includes modification to the number of AS prepends sidr bgpsec reqs 2

Transparent RSs A BGPsec design MUST support 'transparent' route servers, meaning that the AS of the route server is not counted in downstream BGP AS-path- length tie-breaking decisions sidr bgpsec reqs 3

Route Leaks What are ‘Route Leaks’? sidr bgpsec reqs 4

Not Mis-Originations Hijack - no permission from resource holder Squatting - had permission from the resource holder once upon a time Rent - permission from the resource holder for some time period (customer is leaving) Transfer - Resource moves from one party to the other Note that these are all ‘caught’ by BGPsec Reqs sidr bgpsec reqs 5

Not Protocol Violations AS-Path – modification of AS-Path NLRI – modification of NLRI Note that these are all ‘caught’ by BGPsec Reqs sidr bgpsec reqs 6

Policy Violations? Are they ‘Policy Violations’? What Policy? Peer ‘leaking’ from one peer to another? Customer offering transit between upstreams? Peer offering transit to peer? These are ‘violations’ of business policy sidr bgpsec reqs 7

Protocol Not Intent We can not know business relationships, is A a peer of B, a customer, or something more complex? So we can not know if A should have announced P to B, we can only know if she did announce the prefix to B Business policy on the Internet changes every 36ms We already have a protocol to distribute policy or its effects, it is called BGP BGPsec validates that the protocol has not been violated, and is not about intent or business policy sidr bgpsec reqs 8

Jared Mauch’s useful service to “find either persistent or Transient routing leaks that exist.” Relies on built-in ‘knowledge’ of which ASs are Tier-1s and Detects customers leaking between Tier-1s Raises significant false positives because of this assumed knowledge No one would think of betting their routing on it sidr bgpsec reqs 9

Business Intent is a Human Concept We do not have the Do What I Mean button We have a means to say what we mean, BGP BGP shows the effects of what we mean, not the actual intent Any external publication of what we mean is not acceptable at any sufficiently detailed level would change every 36ms sidr bgpsec reqs 10

Bar Time So let’s meet in the bar and see if we can actually define ‘route leaks’ in a useful way. I.e. they can be formally described They can be formally detected with known error bounds sidr bgpsec reqs 11