Presentation is loading. Please wait.

Presentation is loading. Please wait.

Amreesh Phokeer Research Manager AfPIF-10, Mauritius

Published byCarmem Clementino Modified over 5 years ago

Similar presentations

Presentation on theme: "Amreesh Phokeer Research Manager AfPIF-10, Mauritius"— Presentation transcript:

1 Amreesh Phokeer Research Manager AfPIF-10, Mauritius
Routing Security 101 Amreesh Phokeer Research Manager AfPIF-10, Mauritius

2 Routing security BGP is based entirely on trust
No in-built security mechanism to validate BGP announcements No single point of control Work on the basis of unreliable sources of data (WHOIS, IRR, etc)

3

4 Route hijacking When a network operator impersonates another network operator (I advertise your prefix) or pretends that announced prefixes are their clients BGP principles: More specifics and Shortest path Malicious or unintentional Might create outages

5 Route hijacking When a network operator impersonates another network operator (I advertise your prefix) or pretends that announced prefixes are their clients BGP principles: More specifics and Shortest path Malicious or unintentional Might create outages

6 Route hijacking Internet ISP AS C Transit Provider AS D AS X AS A AS B
2001:db8:1001::/48 /24 2001:db8:2002::/48 /24

7 Route hijacking Internet ISP AS C Transit Provider AS D AS X AS A AS B
2001:db8:1001::/48 /24 2001:db8:2002::/48 /24

8 Route hijacking Internet ISP Normal path AS C Transit Provider AS D
AS X AS A AS B 2001:db8:1001::/48 /24 2001:db8:2002::/48 /24

9 Route hijacking Internet ISP Normal path 192.0.2.0/24 AS C
Transit Provider AS D Normal path AS X AS A AS B /24 2001:db8:1001::/48 /22 2001:db8:2002::/48 /22

10 Route hijacking Internet ISP Normal path 192.0.2.0/24 AS C
Transit Provider AS D Normal path AS X AS A AS B /24 2001:db8:1001::/48 /22 2001:db8:2002::/48 /22

11 Route leaks When a network operator who is multi-homing (2 upstream) accidentally announces routes learned from one upstream to the other upstream Customer AS become an intermediary Usually unintentional

12 Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 8.8.8.0/24 8.8.8.0/24
2001:db8:2002::/48 /22 Route leaks AS A /24 Transit AS T /24 Google Internet ISP /24 /24 AS B 2001:db8:1001::/48 /22

13 Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 Leaks 8.8.8.0/24
2001:db8:2002::/48 /22 Route leaks AS A /24 Transit AS T /24 Google Internet Leaks /24 ISP /24 /24 AS B 2001:db8:1001::/48 /22

14 Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 Leaks 8.8.8.0/24
2001:db8:2002::/48 /22 Route leaks AS A /24 Transit AS T /24 Google Internet Leaks /24 ISP /24 /24 AS B Prefer Customer routes 2001:db8:1001::/48 /22

15 Route leaks Internet ISP 8.8.8.0/24 8.8.8.0/24 Leaks 8.8.8.0/24
2001:db8:2002::/48 /22 Route leaks AS A /24 Transit AS T /24 Google Internet Leaks /24 ISP /24 /24 AS B Prefer Customer routes 2001:db8:1001::/48 /22

16 Solutions Yes a few: Prefix and AS-PATH filtering RPKI, IRR
BGPSEC (now standardised) Issues Lack of incentives for deployment Lack of reliable data

17 Build filters! 12,600 total incidents (outages or route leaks)
Some Stats for 2018: 12,600 total incidents (outages or route leaks) Over 4% of ASNs were affected 2,737 ASNs were victim of a least one routing incident 1,294 networks caused routing incidents Yes a few: Prefix and AS-PATH filtering RPKI, IRR BGPSEC (now standardised) Issues Lack of incentives for deployment Lack of reliable data Source: BGPStream

18 Tragedy of the commons Mutually Agreed Norms for Routing Security
Internet Routing: Security is more often in the hands of your peers. Securing you own network does not necessarily make it more secure. Mutually Agreed Norms for Routing Security

19 Principles Filtering – Prevents announcements of incorrect routing information Filter your own announcements Filter incoming announcements from your peers and customers Filter AS-PATH Build filters using IRR, RPKI Big Network filters Anti-spoofing – Prevent traffic with spoofed source IP addresses Source address validation for stub customers Coordination – Facilitate global operational communication and coordination between network operators Maintain up-to-date data on IRR, WHOIS, etc Global Validation – Facilitate validation of routing information on a global scale Publish your routing policies

20 Thank you for your Attention
afrinic afrinic afrinic afrinic media .net twitter.com/ flickr.com/ facebook.com/ linkedin.com/company/ youtube.com/ www. Thank you for your Attention Questions?

Download ppt "Amreesh Phokeer Research Manager AfPIF-10, Mauritius"

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.

Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Best Practices for ISPs

Best Practices for ISPs
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)

Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)
Economic Incentives in Internet Routing Jennifer Rexford Princeton University

Economic Incentives in Internet Routing Jennifer Rexford Princeton University
1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.

Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.

Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
Information-Centric Networks04a-1 Week 4 / Paper 1 Open issues in Interdomain Routing: a survey –Marcelo Yannuzzi, Xavier Masip-Bruin, Olivier Bonaventure.

Information-Centric Networks04a-1 Week 4 / Paper 1 Open issues in Interdomain Routing: a survey –Marcelo Yannuzzi, Xavier Masip-Bruin, Olivier Bonaventure.

Similar presentations

Ads by Google