Peering Security
DKNOG, March 14-15, 2019
Susan Forney and Walt Wollny
Hurricane Electric AS6939
The Most Peering Exchanges
Hurricane Electric - Massive Peering!
Why worry about peering security?
A peering connection is not much safer than any other port you expose to the Internet. A peering port can be a back door into your network. As the Internet as a whole is getting serious about security, it is time to take a critical look at your peering sessions. Let's start by reviewing the basics.
Defending your network
The basic defenses for an exchange port are:
- Logical port security
- Routing security
- Best practices
Port Security
Your IX port exposes your network to the risks inherent in any layer 2 port: dozens, sometimes hundreds, of other networks are directly connected to the same segment.
- Do not connect an interface with a default configuration to an IX port.
- Many IXPs publish their recommended port configuration (HKIX, AMS-IX, etc.).
- Most IXs allow only unicast traffic plus what address resolution needs: ARP (broadcast) and IPv6 neighbor discovery (multicast) are the exceptions. Anything else an interface sends by default (CDP, LLDP and similar discovery or control protocols) is noise at best and, at worst, tells every other network on the segment about your equipment.
Port Security
Configure IPv4 and IPv6 ACLs on the IX-facing interface:
- Permit traffic from the IX subnet to the IX subnet.
- Deny traffic from any other source to the IX subnet (the IX LAN is not reachable from the Internet, so such packets are spoofed or misrouted).
- Permit any any at the end of the ACL so that peer traffic still flows.
Many exchanges publish suggested port configurations; use them as a starting point.
Example port configuration (IOS-style syntax):

interface ethernet 0/1
 ! no layer 2 discovery or control protocols toward the exchange
 no cdp enable
 no lldp transmit
 no mop enable
 udld port disable
 ! no IPv4 features that let others use the router as a relay
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ! never send router advertisements into the IX LAN; the keyword differs by release
 ipv6 nd suppress-ra      [if "ipv6 nd ra suppress" does not work]
 ipv6 nd ra suppress      [if "ipv6 nd suppress-ra" does not work]
 ! no IPv6 multicast routing or redirects on the peering port
 no ipv6 mfib forwarding
 no ipv6 mld router
 no ipv6 pim
 no ipv6 redirects
Routing Security
Routing security matters in two directions:
- the routes you receive
- the routes you announce
We will start with the routes you receive.
Routing Security
The IXP is responsible for protecting its infrastructure, but only you can prevent route leaks. The IX LAN is not Internet-routed IP space: nobody should advertise it, and you certainly should never accept it. Treat it like a bogon in your inbound filters.
Routing Security
Take control of the routes you receive:
- Install prefix filters.
- Use AS-path filters to prevent leaks; if you do not recognise the networks in a path, that is a reason to reject it.
- Limit each peer to a maximum number of prefixes.
Routing Security
Most networks don't filter their peers. This behavior hurts both the network that doesn't filter and its peers. Filters that accept only routes with valid origins and authorized advertisements should be on every peer. You can automate filter generation to make it easier: free tools like bgpq3 build prefix lists and AS-path filters from IRR data and do most of the work for you. When you create a filter, also check services like Spamhaus (its DROP lists) so that you do not accept prefixes that are blocked for abuse.
Routing Security: Why it matters
On 28 December 2018 China Telecom hijacked a US Department of Energy prefix (a /24) and did not correct the problem for 6 days.
Routing Security
The RADB route object for the covering /23:

route:      /23
descr:      Western Area Power Administration
            Lakewood, CO 80228
origin:     AS36404
notify:
notify:
notify:
mnt-by:     MAINT-AS36404
changed:    #12:56:20Z
source:     RADB
Routing Security
AS-path filters help you prevent leaks and other routing issues. In most cases you should not accept routes from a peer whose path contains a major transit ISP: a peer at an exchange should be giving you its own routes and its customers' routes, not routes it learned from its upstreams.
Routing Security
Maximum prefix limits are another tool to prevent route leaks into your network. Put them in place, with enough headroom above the peer's current count that normal growth does not trip them, and decide in advance whether hitting the limit only logs a warning or tears the session down. Most of your peers publish their suggested prefix limits on peeringdb.com. If your own prefix limits are not documented on peeringdb.com, today would be a great day to do that.
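A worked version of the three inbound controls above (prefix filter, AS-path filter, maximum-prefix) evaluated together as one policy. This is an added example, not code from the slides or from Hurricane Electric: the peer ASN, its prefix list, the transit ASNs and the sample routes are constructed from documentation prefixes and private-use ASNs, and the IX LAN addresses are assumed.

```python
"""Inbound policy for routes received from one IX peer: prefix list,
AS-path filter and maximum-prefix limit, evaluated together.

Added example, not code from the slides or from Hurricane Electric.
The peer ASN, prefix list, transit ASNs and sample routes are constructed
(documentation prefixes, private-use ASNs).
"""
from dataclasses import dataclass
from ipaddress import ip_network

PEER_ASN = 64500          # assumed peer
MAX_PREFIXES = 3          # assumed limit, as the peer would publish it on PeeringDB

# Constructed prefix list for the peer, as bgpq3 would generate it from the
# IRR: (prefix, longest prefix length accepted under it).
PEER_PREFIX_LIST = [
    (ip_network("203.0.113.0/24"), 24),
    (ip_network("198.51.100.0/22"), 24),
    (ip_network("2001:db8:100::/40"), 48),
]

# Constructed stand-ins for the large transit networks: a direct peer should
# never show one of these in its path, so a match means a leak.
TRANSIT_ASNS = {64700, 64701}

# Never accepted from anyone: the IX LAN itself, RFC 1918 and other bogons.
BOGONS = [ip_network(p) for p in (
    "192.0.2.0/24",          # assumed IPv4 IX LAN
    "2001:db8:ffff::/64",    # assumed IPv6 IX LAN
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "fc00::/7", "fe80::/10",
)]


@dataclass
class Route:
    prefix: str
    as_path: list   # left-most ASN is the peer, right-most is the origin


def check_route(route):
    """Return (accepted, reason) for one route received from the peer."""
    pfx = ip_network(route.prefix)
    if any(pfx.version == b.version and pfx.subnet_of(b) for b in BOGONS):
        return False, "bogon or IX LAN"
    if not route.as_path or route.as_path[0] != PEER_ASN:
        return False, "path does not start with the peer ASN"
    if TRANSIT_ASNS & set(route.as_path):
        return False, "transit network in path (leak)"
    for allowed, max_len in PEER_PREFIX_LIST:
        if (pfx.version == allowed.version and pfx.subnet_of(allowed)
                and pfx.prefixlen <= max_len):
            return True, "matches prefix list"
    return False, "not in prefix list"


def apply_policy(routes, max_prefixes=MAX_PREFIXES):
    """Filter a batch of routes and decide whether the session stays up."""
    accepted, rejected = [], []
    for r in routes:
        ok, why = check_route(r)
        (accepted if ok else rejected).append((r.prefix, why))
    # Maximum-prefix: more routes than agreed means a leak on the peer's side;
    # tear the session down rather than absorb them. Vendors differ on whether
    # the counter runs before or after the inbound filter; this counts after.
    session = "up" if len(accepted) <= max_prefixes else "shutdown (max-prefix exceeded)"
    return {"accepted": accepted, "rejected": rejected, "session": session}


# Constructed sample of what the peer might send.
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", [64500]),
    Route("198.51.100.0/23", [64500, 64501]),        # peer's customer, within /22 le 24
    Route("198.51.100.0/25", [64500]),               # too specific for the list
    Route("192.0.2.0/24", [64500]),                  # the IX LAN
    Route("203.0.113.0/24", [64500, 64700, 64510]),  # transit ASN in path
    Route("10.0.0.0/8", [64500]),
    Route("2001:db8:100::/48", [64500]),
    Route("2001:db8:200::/48", [64500]),             # not registered for this peer
]

if __name__ == "__main__":
    result = apply_policy(SAMPLE_ROUTES)
    for prefix, why in result["accepted"]:
        print(f"accept {prefix}: {why}")
    for prefix, why in result["rejected"]:
        print(f"reject {prefix}: {why}")
    print("session:", result["session"])
```

The order of the checks is deliberate: bogons and the IX LAN are dropped before anything else, the AS-path test runs before the prefix list so that a legitimate prefix arriving through a transit network is still rejected, and the maximum-prefix decision is made on the batch rather than per route.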
Routing Security
The next task is to secure the routes you announce. Leaks are easy to prevent: create prefix lists or use communities to manage your advertisements. A best practice is to announce to your peers only the routes you originate and those you learn directly from your customers, never routes learned from transit or from other peers. Be sure you are advertising routes with valid IRR records. If you don't know, bgp.he.net is a quick and easy way to check.
Routing Security
Appearances matter. Check your route announcements:
- Do not advertise prefixes more specific than a /24 (IPv4); most networks will not accept them.
- Do not advertise bogons.
- Do not leak your private (RFC 1918) IP space.
- Advertise all of the IP space you are allocated, even if you do not currently use it; unannounced space is an invitation for someone else to announce it.
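An added example (not from the slides) that audits a candidate announcement table against the rules above and the earlier advice to announce only your own routes and your customers' routes. The allocations, IRR objects and candidates are constructed from documentation prefixes and private-use ASNs, and the IX LAN address is assumed.

```python
"""Audit of the routes a network intends to announce to its peers.

Added example, not from the slides. The allocations, IRR objects and
candidate announcements are constructed (documentation prefixes,
private-use ASNs); the IX LAN is assumed.
"""
from ipaddress import ip_network

MY_ASN = 64496
# Constructed: what the RIR has allocated to us.
ALLOCATED = [ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]
# Constructed: (prefix, origin) pairs for which a route/route6 object exists.
IRR_ROUTES = {
    ("203.0.113.0/24", 64496),
    ("2001:db8::/32", 64496),
    ("2001:db8:100::/48", 64510),   # a customer's block, registered with their origin
}
PRIVATE = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
IX_LAN = ip_network("192.0.2.0/24")   # assumed


def audit_announcement(prefix, as_path, learned_from):
    """Return the list of problems with announcing this route to a peer.

    as_path is our outgoing path (our ASN first, origin last); learned_from is
    how the route entered our table: "self", "customer", "peer" or "transit".
    An empty list means the announcement is clean.
    """
    pfx = ip_network(prefix)
    problems = []
    if (pfx.version == 4 and pfx.prefixlen > 24) or (pfx.version == 6 and pfx.prefixlen > 48):
        problems.append("more specific than /24 (v4) or /48 (v6); peers will drop it")
    if any(pfx.version == p.version and pfx.subnet_of(p) for p in PRIVATE):
        problems.append("RFC 1918 / ULA space must not be announced")
    if pfx.version == IX_LAN.version and pfx.subnet_of(IX_LAN):
        problems.append("IX LAN must never be announced")
    if learned_from in ("peer", "transit"):
        problems.append(f"learned from {learned_from}; re-announcing it to peers is a route leak")
    if (str(pfx), as_path[-1]) not in IRR_ROUTES:
        problems.append(f"no IRR route object for {pfx} with origin AS{as_path[-1]}")
    return problems


def unannounced_allocations(announced):
    """Allocated blocks not covered by any clean announcement."""
    nets = [ip_network(p) for p in announced]
    return [str(a) for a in ALLOCATED
            if not any(n.version == a.version and a.subnet_of(n) for n in nets)]


def audit_all(candidates):
    """Run every candidate through the audit and report what is missing."""
    report = {p: audit_announcement(p, path, src) for p, path, src in candidates}
    clean = [p for p, problems in report.items() if not problems]
    return {"problems": {p: v for p, v in report.items() if v},
            "clean": clean,
            "unannounced": unannounced_allocations(clean)}


# Constructed candidate table: (prefix, outgoing AS path, how we learned it).
CANDIDATES = [
    ("203.0.113.0/24", [64496], "self"),
    ("2001:db8:100::/48", [64496, 64510], "customer"),
    ("198.51.100.0/22", [64496, 64700, 64720], "transit"),   # transit-learned route
    ("203.0.113.0/25", [64496], "self"),                     # too specific
    ("10.10.0.0/16", [64496], "self"),                       # RFC 1918
    ("192.0.2.0/24", [64496], "self"),                       # the IX LAN
]

if __name__ == "__main__":
    result = audit_all(CANDIDATES)
    for prefix, problems in result["problems"].items():
        print(f"{prefix}: " + "; ".join(problems))
    print("clean:", result["clean"])
    print("allocated but not announced:", result["unannounced"])
```

Note that the sample table only ever announces the customer's /48, so the audit also reports the 2001:db8::/32 allocation as unannounced; announcing the aggregate is the fix.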
Routing Security
Your peering connection is a target for DDoS attacks. Set your blackhole communities up in advance: agree the community with each peer and route server (the well-known BLACKHOLE community is 65535:666, RFC 7999) and confirm that a /32 or /128 tagged with it is actually dropped before you need it during an attack. Applying the best security practices will help keep your network online during attacks.
Routing Security
Validate that your routes are being advertised to your peers as expected. Looking glasses and route servers give you that visibility. Contact peers when you think there may be an issue. For Hurricane Electric peers, routing.he.net will show you whether your prefixes are being denied, and why.
In the Wild
Routing Security
susan$ whois -h whois.radb.net 66.235.200.0/24

route:      /24
descr:      CMI (Customer Route)
origin:     AS38082
mnt-by:     MAINT-AS58453
changed:
source:     RADB

descr:      CMI IP Transit
admin-c:    MAINT-CMI-INT-HK
tech-c:     MAINT-CMI-INT-HK
mnt-by:     MAINT-CMI-INT-HK
source:     NTTCOM
Hurricane Electric Route Filtering Algorithm
Example output, one line per announced prefix (prefix, verdict, reason):

xx /24,rejected,does not strictly match IRR policy or RIR handles
xx /23,accepted,strictly matched IRR policy
xx /24,accepted,strictly matched IRR policy
xx /22,rejected,does not strictly match IRR policy or RIR handles
xx /24,rejected,does not strictly match IRR policy or RIR handles
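An added example, not Hurricane Electric's filter code, showing the strict matching the report above describes: an announced (prefix, origin) pair is accepted only when an identical route or route6 object with that origin exists, and the looser "covered by a less-specific object" match that many operators use is shown for contrast. The whois text is constructed to resemble RADB output (documentation prefixes, private-use ASNs), and the RIR-handle check mentioned in the report is left out.

```python
"""Strict IRR matching of announced routes against route/route6 objects,
with a loose (covering) match for comparison.

Added example, not Hurricane Electric's filter code. The whois text is
constructed to resemble RADB output (documentation prefixes, private-use
ASNs); the RIR-handle check is not modelled.
"""
from ipaddress import ip_network

WHOIS_TEXT = """\
route:      198.51.100.0/23
descr:      Example Net (constructed)
origin:     AS64496
mnt-by:     MAINT-AS64496
source:     RADB

route:      203.0.113.0/24
descr:      Example Customer (constructed)
origin:     AS64510
mnt-by:     MAINT-AS64510
source:     RADB

route6:     2001:db8::/32
descr:      Example Net v6 (constructed)
origin:     AS64496
mnt-by:     MAINT-AS64496
source:     RADB
"""


def parse_rpsl(text):
    """Split whois output into objects: one dict per blank-line separated block."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), value.strip())  # first value wins for repeated attributes
    if current:
        objects.append(current)
    return objects


def irr_routes(objects):
    """(prefix, origin ASN) pairs from route and route6 objects."""
    routes = set()
    for obj in objects:
        pfx = obj.get("route") or obj.get("route6")
        if pfx and "origin" in obj:
            o = obj["origin"].upper()
            routes.add((ip_network(pfx), int(o[2:] if o.startswith("AS") else o)))
    return routes


def classify(prefix, origin, routes, strict=True):
    """Strict: the announced prefix must equal a route object with that origin.
    Loose (strict=False): being covered by a registered less-specific is enough."""
    pfx = ip_network(prefix)
    same_origin = [p for p, o in routes if o == origin and p.version == pfx.version]
    if pfx in same_origin:
        return "accepted", "strictly matched IRR policy"
    if not strict and any(pfx.subnet_of(p) for p in same_origin):
        return "accepted", "covered by a less-specific IRR object"
    return "rejected", "does not strictly match IRR policy"


def filter_report(announcements, routes, strict=True):
    """One (prefix, verdict, reason) row per announcement, like the report above."""
    return [(pfx, *classify(pfx, origin, routes, strict)) for pfx, origin in announcements]


ANNOUNCEMENTS = [   # constructed: (prefix, origin ASN) seen in a peer's announcements
    ("198.51.100.0/23", 64496),
    ("198.51.100.0/24", 64496),   # covered by the /23 object but not registered itself
    ("203.0.113.0/24", 64510),
    ("203.0.113.0/24", 64496),    # wrong origin
    ("2001:db8::/32", 64496),
    ("2001:db8:1::/48", 64496),
]

if __name__ == "__main__":
    routes = irr_routes(parse_rpsl(WHOIS_TEXT))
    for prefix, verdict, reason in filter_report(ANNOUNCEMENTS, routes):
        print(f"{prefix},{verdict},{reason}")
```

Under strict matching the /24 carved out of the registered /23 is rejected, exactly as in the report above; it is accepted only if its own route object with the same origin is registered, which is the fix the next slide asks for.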
Routing Security
Only you can ensure that the route registries correctly reflect your network. Check your IRR records and correct anything that is not valid. If you peer with Hurricane Electric, check your routing at routing.he.net.
Best Practices
External monitors can help you detect leaks or hijacks. They watch how your prefixes are routed from many vantage points and alert you when the origin or the path changes in a way you were not expecting. An example of a free one is bgpmon.net, which at the time of this talk offered monitoring and notification for up to five prefixes free of charge.
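An added example of the monitoring logic described above, not bgpmon's code or the slides' own: the expected state and the collector observations are constructed (documentation prefixes, private-use ASNs). It flags a foreign origin on our space, including the more-specific case seen in the Department of Energy hijack earlier in the deck, and a path that reaches us through an ASN we have no session with.

```python
"""Route monitoring: flag hijacks and unexpected paths for our own prefixes
from route-collector observations.

Added example, not bgpmon's or the slides' code. The expected state and the
observations are constructed (documentation prefixes, private-use ASNs).
"""
from ipaddress import ip_network

MY_ASN = 64496
MY_PREFIXES = [ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/22", "2001:db8::/32")]
# Assumed: our transit providers plus the peers we actually have sessions with.
# Any other ASN adjacent to us in a path is a leak or a forged path.
EXPECTED_NEIGHBORS = {64700, 64701, 64500}


def in_my_space(pfx):
    return any(pfx.version == m.version and pfx.subnet_of(m) for m in MY_PREFIXES)


def check_observation(prefix, as_path):
    """One collector observation; as_path runs from the collector's peer (left)
    to the origin (right). Returns an alert string or None."""
    pfx = ip_network(prefix)
    if not in_my_space(pfx):
        return None
    origin = as_path[-1]
    exact = pfx in MY_PREFIXES
    if origin != MY_ASN:
        kind = "exact" if exact else "more-specific"
        return f"HIJACK: {kind} {pfx} originated by AS{origin}"
    if len(as_path) >= 2 and as_path[-2] not in EXPECTED_NEIGHBORS:
        return f"UNEXPECTED PATH: {pfx} reaches us through AS{as_path[-2]}"
    return None


def scan(observations):
    """Deduplicated, sorted alerts for a batch of observations."""
    return sorted({a for a in (check_observation(p, path) for p, path in observations) if a})


OBSERVATIONS = [  # constructed collector feed
    ("203.0.113.0/24", [64800, 64700, 64496]),     # normal, via transit
    ("198.51.100.0/22", [64800, 64500, 64496]),    # normal, via an IX peer
    ("2001:db8::/32", [64800, 64701, 64496]),      # normal
    ("198.51.101.0/24", [64800, 64900, 64666]),    # more-specific with a foreign origin
    ("198.51.101.0/24", [64810, 64900, 64666]),    # same event seen by a second collector
    ("203.0.113.0/24", [64800, 64750, 64496]),     # our origin, but via an ASN we do not connect to
    ("192.0.2.0/24", [64800, 64666]),              # not our space; ignored
]

if __name__ == "__main__":
    for alert in scan(OBSERVATIONS):
        print(alert)
```

The more-specific check is the one that catches the kind of event described on the hijack slide: the victim's own aggregate stays up and looks healthy while a /24 with someone else's origin takes the traffic.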
Best Practices
Other good security habits for your network are found in MANRS (the filtering action is what the previous slides covered):
- Coordination: keep your contact information current so that other operators can reach you.
- Global validation: publish your routing intent in IRR records and RPKI ROAs.
- Anti-spoofing: drop packets with source addresses you could not legitimately have received.
Get it from the source: manrs.org
Best Practices
Lastly, protect what you have worked so hard to achieve. Put processes in place to ensure that every deployment is secure, including change control for peering configuration. Guard against social engineering: verify peering and filter-change requests through the contacts published in PeeringDB, not through the contact details in the e-mail that asks for the change.
Thanks!
Susan Forney
Hurricane Electric AS6939
susan@he.net
Resources and Acknowledgements
Resources used in this presentation or as source material: DYN.
Thanks to Tom Paseka of Cloudflare.