Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Use of Maxlength in the RPKI draft-yossigi-rpkimaxlen-00

Published by瑛朋 伏 Modified over 7 years ago

Similar presentations

Presentation on theme: "The Use of Maxlength in the RPKI draft-yossigi-rpkimaxlen-00"— Presentation transcript:

1 The Use of Maxlength in the RPKI draft-yossigi-rpkimaxlen-00
Yossi Gilad, Sharon Goldberg, Kotikalapudi Sriram

2 When used properly, the RPKI defeats subprefix hijacks
RPKI valid AS 666 fails to attract traffic! Path: AS 111 /16 X RPKI invalid AS 666 Cyberbunker AS 34109 Path: AS 666 /24 AS 111 AS 111 ROA: AS 111 /16 RPKI RPKI /16

3 Loose maxlength  forged-origin subprefix hijack
this attack is highly effective because /24 is unannouced RPKI valid longest prefix match  AS 666 attracts all traffic for the subprefix! Path: AS 111 /16 RPKI valid AS 666 Cyberbunker AS 34109 Path: AS 666, AS111 /24 AS 111 AS 111 ROA: AS 111 /16 to maxlength 24 RPKI RPKI /16

4 Maxlength misconfigurations are common!
forged-origin subprefix hijack affects any ROA where maxlength m > prefixlen p, unless every subprefix of length m is announced in BGP 16% of the IP prefixes in ROAs have maxlength > prefixlen 89% of these are vulnerable to forged-origin subprefix hijacks Even large providers are vulnerable

5 https://github.com/yossigi/compress_roas
Recommendations As a best common practice: Operators should refrain from using maxlength in ROAs Each ROA should instead have explicit lists of prefixes authorized to be originated by a single AS Whenever possible, use minimal ROAs where each listed prefix is originated in BGP. The RPKI already support this. No extra ROAs needed. To reduce the number of RPKI filtering rules, we developed software that RPKI local caches can use to compresses lists of prefixes from ROAs back to (AS, prefix,maxlength) tuples See also our technical report:

6 Sometimes ROAs need to include unannounced prefixes
AS 222 gives traffic-scrubbing service to AS 111 during DDoS attacks Path: AS 111 /16 Path: AS 222 /17 /17 Scrubbing service AS 222 Scrubs traffic, relays to AS 111 AS 111 AS 111 /16

7 Sometimes ROAs need to include unannounced prefixes
Scrubbing would fail if there was only the ROA for announced pfx RPKI valid Path: AS 111 /16 RPKI invalid X Path: AS 222 /17 /17 Scrubbing service AS 222 RPKI invalid X AS 111 AS 111 RPKI /16 ROA: AS 111 /16

8 Sometimes ROAs need to include unannounced prefixes
Add a (non “minimal”) ROA for AS 222 that does not use maxlength RPKI valid RPKI valid Path: AS 111 /16 Path: AS 222 /17 /17 RPKI valid Scrubbing service AS 222 ROA: AS 222 /17 /17 AS 111 AS 111 RPKI /16 ROA: AS 111 /16

Download ppt "The Use of Maxlength in the RPKI draft-yossigi-rpkimaxlen-00"

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
BGP Prefix Origin Validation

BGP Prefix Origin Validation
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery 1IETF 802/12/2014.

BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery 1IETF 802/12/2014.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.

ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.

RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.

Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
String Recognition Simple case: recognize 1101 “ ” 0 “1” 0 “11” 0 Reset 1 “110” 0 101 “1101” 1 1 1 0 0 0 0.

String Recognition Simple case: recognize 1101 “ ” 0 “1” 0 “11” 0 Reset 1 “110” “1101”
Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.

Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
RIS Resource Allocations A special report on an endangered species …

RIS Resource Allocations A special report on an endangered species …
APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)

Similar presentations

Ads by Google