Presentation is loading. Please wait.

Presentation is loading. Please wait.

Measuring routing (in)security

Published byΜνήμη Κοντόσταυλος Modified over 6 years ago

Similar presentations

Presentation on theme: "Measuring routing (in)security"— Presentation transcript:

1 Measuring routing (in)security
Disclaimer – this is not a scientific research Andrei Robachevsky

2 Why to measure? Provide a factual state of routing security as it relates to MANRS Support the problem statement with data Demonstrate the impact and progress Network, country, region, over time Inform MANRS members about their degree of commitment Improve reputation and transparency of the effort Automate the process Make it more comprehensive and consistent Reduce the load Allow preparation (self-assessment)

3 How to measure? Transparent. Passive
The measurements should use publicly available data sources and the code should be made open source. Passive No cooperation is required from a network.

4 MANRS Actions Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common routing databases Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate

5 What can we measure?

6 Action 1: Filtering M1 route leak by the AS M2 route hijack by the AS
Metric Description M1 route leak by the AS M2 route hijack by the AS M1C route leak by a customer and not filtered by the AS M2C route hijack by a customer and not filtered by the AS M3 announcement of bogon prefixes M4 announcement of bogon ASNs (unallocated/reserved)

7 Action 2: Anti-spoofing
Metric Description M5 spoofable IP blocks M5C spoofable IP blocks of client AS’es

8 Action 3: Coordination M8 contact registration (RIR, IRR, PeeringDB)
Metric Description M8 contact registration (RIR, IRR, PeeringDB)

9 Action 4: Facilitate global validation
Metric Description M6 policy documented in an IRR (aut-num w/import/export, as-set) M7IRR registered routes (% of routes registered) M7RPKI valid ROAs (% of routes registered) M7CIRR registered customer routes (% of routes registered) M7CRPKI valid ROAs for customer routes (% of routes registered)

10 How to calculate? E.g. M2 - route hijack by an AS?
Impact M2 = f(#prefixes, address span, duration) Not all prefixes are equal Does size matter? Hard to normalize/define thresholds Conformity M2 = f(#distinct incidents, resolution time) # incidents and resolution time show the degree of negligence What is an incident? Finite number – easy to define thresholds

11 Events and incidents. E.g. M2C
Weight Events are weighted depending on the distance from the culprit M1C (ASPATH-1), 0.5*M1C(ASPATH-2), 0.25*M1C(ASPATH-3)… min 0.01 Incident Events with the same weight that share the same time span are merged into an incident. Duration Non-action is penalized < 30mins -> 0.5 * weight < 24hours -> 1.0 * weight < 48hours -> 2.0 * weight

12 Example: direct customer hijacks prefixes
M2C = = 3.5

13 Feedback and ideas are welcome!

14 Backup slides

15 How does it all fit together?

16

Download ppt "Measuring routing (in)security"

Similar presentations

IPV6 Multihoming and Traffic Engineering Marla Azinger ARIN Advisory Council Sr. IP Engineer Frontier Communications.

IPV6 Multihoming and Traffic Engineering Marla Azinger ARIN Advisory Council Sr. IP Engineer Frontier Communications.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting Address Policy (Procedures) SIG 1 March 2001.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting Address Policy (Procedures) SIG 1 March 2001.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
Philips iSite 3.5 Administration

Philips iSite 3.5 Administration
Employee Central Presentation

Employee Central Presentation
APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Providing A Subset of Whois Data Via DNS Shuang Zhu Xing Li CERNET Center.

Providing A Subset of Whois Data Via DNS Shuang Zhu Xing Li CERNET Center.
IPv6 Interim Policy Draft RIPE 42 Amsterdam, The Netherlands 1 May 2002.

IPv6 Interim Policy Draft RIPE 42 Amsterdam, The Netherlands 1 May 2002.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Database SIG APNIC Database Privacy Issues 1 March 2001 APRICOT, Malaysia Fabrina.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Database SIG APNIC Database Privacy Issues 1 March 2001 APRICOT, Malaysia Fabrina.
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.

Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
Policy Proposal 109 Standardize IP Reassignment Registration Requirements ARIN XXV 18 April, 2010 – Toronto, Ontario Chris Grundemann.

Policy Proposal 109 Standardize IP Reassignment Registration Requirements ARIN XXV 18 April, 2010 – Toronto, Ontario Chris Grundemann.
Copyright © 2011 Japan Network Information Center JPNIC ’ s RQA and Routing Related Activities JPNIC IP Department Izumi Okutani APNIC32 Aug 2011, Busan.

Copyright © 2011 Japan Network Information Center JPNIC ’ s RQA and Routing Related Activities JPNIC IP Department Izumi Okutani APNIC32 Aug 2011, Busan.
Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.

Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.

Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
Supportive Services for Veteran Families (SSVF) Data HMIS Lead and Vendor Training Updated 5/22/14.

Supportive Services for Veteran Families (SSVF) Data HMIS Lead and Vendor Training Updated 5/22/14.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk

BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
Building a More Trusted and Secure Internet RIPE 70, May 12 2015.

Building a More Trusted and Secure Internet RIPE 70, May
Internet Number Resource Governance ARIN & LACNIC.

Internet Number Resource Governance ARIN & LACNIC.
Information-Centric Networks04b-1 Week 4 / Paper 2 Understanding BGP Misconfiguration –Rahil Mahajan, David Wetherall, Tom Anderson –ACM SIGCOMM 2002 Main.

Information-Centric Networks04b-1 Week 4 / Paper 2 Understanding BGP Misconfiguration –Rahil Mahajan, David Wetherall, Tom Anderson –ACM SIGCOMM 2002 Main.

Similar presentations

Ads by Google