1
A Routing Filtering Model for Improving Global Routing Robustness: an IOPS proposal
Jessica Yu, ANS Communication Inc., Feb. 9th, 1998
2
Background
- The Internet suffered a series of outages as a result of leakage of 'bad' routing information
- IOPS identifies a mechanism to improve routing system robustness
- IOPS encourages its members and other ISPs to implement it
3
What's the Problem?
- The current global routing system is open and thus vulnerable
- 'Bad' routing information injected from anywhere in the Internet will be propagated all over, resulting in outages (one dead mouse spoils the whole pot of soup)
- Proven, unfortunately, by several incidents that have occurred
4
What's the Problem? (cont'd)
- Could happen due to misconfiguration, software bugs or malicious attempts
- The 'openness' can potentially be used by attackers to inject routes for denial of service attacks such as the smurf attack
5
Current Picture: Vulnerable
6
Bad routing information can cause big outage
7
IOPS Goals
- To identify or define a mechanism to improve global routing robustness
- Using existing technology as much as possible so it can be implemented fast, since the problem is an urgent one
8
The Routing Filtering Model
- Sparse filtering on 'trusted' and dense filtering on 'less-trusted' routing boundaries
- Trusted routing boundary: the peer does dense filtering at all of its customer boundaries, and all of its downstream providers implement this routing filtering model
- Otherwise, it is a less-trusted boundary
- This mainly verifies against the border AS which is advertising the route
9
Scenario 1: All ISPs Dense Filter customers
10
Scenario 2: Some ISPs do not dense filter customers, immediate upstreams have to
11
Scenario 3: ISP does not dense filter less-trusted downstream ISPs, peers have to
12
Benefits
- Bad routes will be stopped from propagating near or at their source, thus reducing the impact to a small scope of the Internet
- Attackers have less chance to introduce routes on the fly to the whole Internet and launch attacks
- To localize the impact of the 'bad' routes
- To reduce the weakness which potentially will be exploited by attackers
- The more ISPs or ASes implement this model, the better protection we have
- The more ISPs do this, the less work everyone needs to do (fewer boundaries need dense filtering, and a shorter prefix list for each to manage)
13
Tools
- The key to this is to maintain a prefix list from which to generate the filtering list on the border routers
- Private database in which the prefixes to be announced by customers are installed
- IRR
- Other means
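An added example, not part of the original slides: a minimal sketch of how a prefix list kept in a private database can drive dense filtering on a less-trusted boundary, including the border AS check. The AS numbers, prefixes, the TRUSTED_PEERS set and the function names are constructed for illustration, and sparse filtering is reduced to the border AS check, which is an assumption since the slides do not define it.

```python
import ipaddress

# Constructed private database: neighbor (customer) AS -> prefixes it may announce.
# AS numbers are private-use and prefixes are documentation ranges.
CUSTOMER_DB = {
    64512: ["192.0.2.0/24", "198.51.100.0/24"],
    64513: ["203.0.113.0/24"],
}
# Assumption: peers known to dense-filter their own customers (trusted boundary).
TRUSTED_PEERS = {64520}

def build_dense_filters(db):
    """Turn the prefix database into per-neighbor filter lists."""
    return {asn: {ipaddress.ip_network(p) for p in prefixes}
            for asn, prefixes in db.items()}

def check(filters, neighbor_as, prefix, as_path):
    """Return (accepted, reason) for one announcement received from neighbor_as."""
    try:
        net = ipaddress.ip_network(prefix)
    except ValueError:
        return False, "malformed prefix"
    # Verify against the border AS that is advertising the route.
    if not as_path or as_path[0] != neighbor_as:
        return False, "border AS mismatch"
    if neighbor_as in TRUSTED_PEERS:
        # Sparse filtering is reduced to the border-AS check here (assumption).
        return True, "trusted boundary"
    allowed = filters.get(neighbor_as)
    if allowed is None:
        return False, "no prefix list for neighbor"
    if net in allowed:
        return True, "registered prefix"
    # A more-specific of a registered block is still rejected: exact match only.
    if any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "unregistered more-specific"
    return False, "prefix not registered"

def filter_updates(filters, updates):
    """Split constructed (neighbor_as, prefix, as_path) updates into accepted/rejected."""
    accepted, rejected = [], []
    for neighbor_as, prefix, as_path in updates:
        ok, reason = check(filters, neighbor_as, prefix, as_path)
        (accepted if ok else rejected).append((neighbor_as, prefix, reason))
    return accepted, rejected
```

The reason strings make it possible to log why an announcement was dropped, which helps tell a stale database entry apart from a leaked route.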
14
Issues
- How to validate whether someone is entitled to advertise a route
- Provider checks that its customers' routes match the address assignment information
- Add features to the IRR to validate such information in combination with assignment information (work under way)
15
Future work
- This work was done 6 months ago, when it was the best viable option
- This is a model of checking against the neighbor AS; another model is to check against the origin AS
- If there is another viable proposal which will address the problem better, it will be considered