Presentation is loading. Please wait.

Presentation is loading. Please wait.

BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers. sidr wg / Québec City 2011.07.28 Doug Montgomery <dougm@nist.gov>

Published byKelly Cummings Modified over 6 years ago

Similar presentations

Presentation on theme: "BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers. sidr wg / Québec City 2011.07.28 Doug Montgomery <dougm@nist.gov>"— Presentation transcript:

1 BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers.
sidr wg / Québec City Doug Montgomery Randy Bush sidr-wg

2 AS0 (origin) Path Signature
bgpsec-00 Level Set Requirements: Provide cryptographic assurance that: Origin AS was authorized by IP holder to announce route. Every AS in the AS_Path explicitly authorized the advertisement of the route to the subsequent AS in the AS_Path. Semantics: Each AS’s Signature computed over Target AS for the update (forward chaining of path) and previous AS Sig (backward chaining of authorization). Expire Time & beaconing subject of another presentation ….. AS0 (origin) Path Signature Hash(…) Signed by Router Key AS0.rtr-xx  Sig0 AS1 Path Signature Hash(…) Signed by Router Key AS1.rtr-yy  Sig1 Exp Time NLRI AS0 Algo ID AS1 Sig0 AS1 Algo ID AS2 Sig1 sidr-wg

3 bgpsec-00 Path_Sigs …….. …….. Syntax:
BGPSEC Path_Signatures attribute elements correspond 1-1 with AS_Path attribute elements. AS_Path attribute umodified, nor is Path data (ASNs) replicated in Path_Sig. bgpsec-00 – focus on requirements and semantics – purposefully ignore syntax optimizations until we get the first two right. See: draft-sriram-bgpsec-design-choices-00 BGPSEC Path_Signatures Attribute …….. Exp Time Algo ID ^A0.RtrCert Sig0 ^A1.RtrCert Sig1 …….. AS_Seq ASN 0 ASN 1 BGP AS_PATH Attribute sidr-wg

4 Optimizations / Enhancements
From recent WG discussions: AS_Path Prepending – current 1-1 correspondence of elements would require repeating signatures when using Path prepending. Transparent Route Servers: - AS_Path does not reflect the actual sequence of AS’s that the update traversed. Going Forward: Important to separate the requirement, semantics and syntax discussions of how we address these and future enhancements. Requirement? – ensure BGPSEC doesn’t interfere with some current/proposed use case, or enhance BGPSEC to protect use case? Depending upon which BGP services / capabilities / uses we are trying to preserve / protect there are numerous ways to spec solutions. Strawman Approaches in response to recent discussions … sidr-wg

5 AS0 (origin) Path Signature
Prepending Strawman Requirements: Support current uses of prepending without incurring expense of repeating Path_Signature elements. Use BGPSEC to protect prepended AS’s from modification. Semantics: Prepend Count (pCNT) included as input to ASx signature noting how many times ASx appears in the actual AS_PATH. Normally pCNT=1. AS0 (origin) Path Signature Hash(…) Signed by Router Key AS0.rtr-xx  Sig0 AS1 Path Signature Hash(…) Signed by Router Key AS1.rtr-yy  Sig1 Exp Time NLRI AS0 Algo ID pCNT AS1 Sig0 AS1 Algo ID pCNT AS2 Sig1 sidr-wg

6 Transparent Route Servers
Use Case: Multi-Lateral Peering where sender does not know all the receivers. Router Server’s AS not included in AS_PATH so as to not contribute to the Path Length for purposes of downstream best path computation. BGPSEC Issue: BGPSEC speaker can’t forward sign to other RS customers – not peering with them directly, may not even explicitly know them, defeats the transmission efficiency of RS architectures. Total transparency – violates the fundamental service of BGPSEC to provide a cryptographically verified sequence of route authorizations. sidr-wg

7 “Translucent” RS Strawman
Requirements: Support current business/use model of transparent RS’s. Use BGPSEC to protect / verify the complete AS_PATH (including RS AS) without impacting AS_Path_Length computations. Be completely transparent when sending updates to non-BGPSEC peers. Semantics: RS AS fully participates in BGPSEC to/from its customer AS’s, including explicitly carrying the RS AS# in the update. Use previously proposed Prepend Count (pCNT=0) to indicate that an AS is operating as a transparent RS. BGPSEC validates complete AS_PATH, but pCNT=0 hops do not contribute to Path_Length. When sending to non-BGPSEC peer, RS AS# is stripped. sidr-wg

8 Further Details … Not important now … unless we agree on the requirements/semantics: … if we do agree on the basic approach, then we can consider further details. Tradeoffs between optimization and minimizing BGPSEC changes to current BGP attributes / behaviors. Strawman Syntax: Extend BGPSEC Path_Signatures Field to carry pCNT for each Sig. Modify Sig generation / verification procedures to address pCNT. Modify Path_Length computation on BGPSEC implementations to ignore pCNT=0 hops. Add rules to strip RS AS when sending to non-BGPSEC peer. sidr-wg

Download ppt "BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers. sidr wg / Québec City 2011.07.28 Doug Montgomery <dougm@nist.gov>"

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
BGP.

BGP.
Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.

Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,

IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,
1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.

1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
CS 672 1 Summer 2003 Lecture 3. CS 672 2 Summer 2003 What is a BGP Path Attribute? BGP uses a set of parameters known as path attributes to characterize.

CS Summer 2003 Lecture 3. CS Summer 2003 What is a BGP Path Attribute? BGP uses a set of parameters known as path attributes to characterize.
APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
IETF81 Secure IDR Rollup – TREX Workshop 2011 David Freedman, Claranet.

IETF81 Secure IDR Rollup – TREX Workshop 2011 David Freedman, Claranet.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.
© Janice Regan, CMPT 128, 2007-2012 0 CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
Border Gateway Protocol

Border Gateway Protocol
Xuan Zheng (modified by M. Veeraraghavan) 1 BGP overview BGP operations BGP messages BGP decision algorithm BGP states.

Xuan Zheng (modified by M. Veeraraghavan) 1 BGP overview BGP operations BGP messages BGP decision algorithm BGP states.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.

Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.

Similar presentations

Ads by Google