Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Published byCullen Male Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb."— Presentation transcript:

1 1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb

2 2 The Problem BGP announcements can be „fat fingered“ Prominent examples: AS7007, YouTube Most common usage: Spam injection Proposed solutions like s-BGP, so-BGP, ps-BGP, SIDR are too detailed DNS(SEC) mapping by Tony Li and Randy Bush was a theoretical proposal

3 3 Design principles Don´t solve everything, only „config errors“ KISS principle: Minimal impact to routers Deployment: Use existing software, do not modify protocols on the wire Goal: Verify a BGP prefix and path after the injection point (missing filters) Allow cold start, allow private exceptions

4 4 Verification process BGP Updates contain prefixes with paths –2003::/19 ”1273 3320 i” ”5400 3356 3320 i” Check origin (prefix to AS check) –Is 3320 allowed to announce by 2003::/19 ? Check path (peering/upsteam/...) –Does 3320 export ”3320” to peer 3356 ? –Does 3356 import ”3320” from peer 3320 ? –Does 3356 export ”3356,3320” to peer 3356 ? –Does 5400 import ”3356,3320” from 3356 ?

5 5 Testbed Verify spec by real world data –Full IANA allocates –Almost all RIPE allocates –Almost all IRDB (RIPE) assignments –Spec changes are result of real problems Simulation of RIPE region –Running 260 DNS servers (IPv6, single host) –~ 15000 AS, 1700 IPv6, 70000 IPv4 zones, 1GB compressed zone data

6 6 Using the Testbed Stub/slave zone –zone "bgp.arpa" { type stub; masters { 2001:4bd8::3:0; }; }; –DS 48622 5 1 5EC22EB16EB4E6E94889BF249EE82920608D3558 Signed root –http[s]://www.iks-jena.de/leistungen/keys.txt Real tests should use a remote resolver w/ signed root and the AD bit from DNSSEC

7 7 Mapping into bgp.arpa. AS# in asdot+ format 15725 > 0.15725 > 5.2.7.5.1.0.as.bgp.arpa. 3.10 > 3.00010 > 0.1.0.0.0.3.as.bgp.arpa. Prefix mapping like in-addr/ip6.arpa 217.17.192.0/20 > 192/20.17.217.ipv4.bgp.arpa. 2003::/20 > 0/20.3.0.0.2.ipv6.bgp.arpa. Different namespace to follow allocations and assignments as closely as possible

8 8 Mapping into bgp.arpa. Route origin –192/20.17.217.ipv4.bgp.arpa. ASSET 15725 –$ORIGIN 0/19.3.0.0.2.ipv6.bgp.arpa. 0/19 ASSET 3320 0/20 ASSET 3320 Peering information –$ORIGIN unicast.ipv4.3.0.0.0.0.3.as.bgp.arpa. 5539.import ASSET ANY 5539.export ASSET 3.3 6695.import ASSET as-decix.5.9.6.6.0.0.as.bgp.arpa. 6695.export ASSET 3.3

9 9 ASSET Ressouce Record Deaggregated AS-Sets are huge References allow „auto-update“ Aggregated AS-Sets are still large Fallback to TXT (exploiting NSEC) Transition mode: Allow, warn, and reject Everybody can create the origin and the peering information DNS right now

10 10 DNSSEC as PKI No crypto processing in routing devices –External validating resolver => AD bit Delegate maintainance to special Ops Private address space: Local zones Private peerings: Local secondaries No special software necessary

11 11 Bootstrap and Self-DDoS Self DDoS –„All“ routers ask when route flaps –Utilize peers cache by asking routers Boot1: Waiting for DNS before verifying –Accept routes and postpone verification –Redistribute only verified routes Boot2: Chaining peers –UUCP like DNS query routing

12 12 Securing BGP using DNSSEC Questions?

Download ppt "1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb."

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.

Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.
Worst Current Practice Lutz Donnerhacke IKS GmbH.

Worst Current Practice Lutz Donnerhacke IKS GmbH.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.
Addressing the Network IPv4

Addressing the Network IPv4
Module 4: Configuring Network Connectivity

Module 4: Configuring Network Connectivity
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
Swinog-7, 22nd october 2003 BGP filtering André Chapuis,

Swinog-7, 22nd october 2003 BGP filtering André Chapuis,
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
IPv6: The Future of the Internet? July 27th, 1999 Auug.

IPv6: The Future of the Internet? July 27th, 1999 Auug.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004.

1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Similar presentations

Ads by Google