Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proposal for signaling consent from whacked RPKI objects Sharon Goldberg Danny Cooper, Ethan Heilman, Leonid Reyzin Manifest RC ROA.dead Change Log.

Published byDustin Goacher Modified over 9 years ago

Similar presentations

Presentation on theme: "Proposal for signaling consent from whacked RPKI objects Sharon Goldberg Danny Cooper, Ethan Heilman, Leonid Reyzin Manifest RC ROA.dead Change Log."— Presentation transcript:

1 Proposal for signaling consent from whacked RPKI objects Sharon Goldberg Danny Cooper, Ethan Heilman, Leonid Reyzin Manifest RC ROA.dead Change Log

2 RIPE’s Publication point DARS Publication Point structure of the RPKI [RFC 6480] RC: 79.132.96.0/19 DARS RIPE NCC (Réseaux IP Européens) ROA: AS 51813 79.132.96.0/24 manifest (ROA) Route Origin Authorization Resource Cert (RC) ROA: AS 43782 79.132.96.0/19 One of five RIRs 2

3 DARS Publication Point how relying parties sync to the RPKI [RFC 6480]RPKI MANIFEST: filename – hash 25c.cert – 61F… 8e1.roa – 3E5… 0fa.roa – 71A… Router Alice Relying Party Prefix, AS AS X 54.214.242.0/24 AS X 54.214.242.0/24 Canadian ISP 3

4 RPKI authorities can blackhole BGP routes. Why? 1.RPKI authorities can delete ROAs 2.Deleted ROAs can cause invalid BGP routes 3.RPs should drop invalid BGP routes to stop subprefix hijacks. RIPE’s Publication point DARS Publication Point RPKI authorities can unilaterally whack ROAs RC: 79.132.96.0/19 DARS RIPE (Réseaux IP Européens) AS 51813 79.132.96.0/24 AS 43782 79.132.96.0/19 Dec 19 2013 AS 51813 79.132.96.0/24 AS 51813 79.132.96.0/24 AS51813 manifest (BTW: Manifest are important! They detect on-path attackers that whack ROAs!) “APNIC does not at this time commit that manifests track all contents of a repository.” http://www.apnic.net/services/services-apnic-provides/resource-certification/technical-implementation 4

5 IP prefix takedowns by whacking ROAs? Prior to the RPKI, authorities could allocate IPs but not revoke them. But RPKI authorities can revoke IP allocations! Creates a risk that the RPKI can be used for unilateral takedowns. –Law enforcement? Business disputes? Extortion? –The RPKI designed to secure routing, not enable takedowns. –[Mueller-Kuerbis’11, Mueller-Schmidt-Kuerbis’13, Amante’12, FCC’13,…] States seem to want the ability to takedown IP prefixes… –Dutch court ordered RIPE to lockdown prefixes registration (Nov’11) –US court issued a writ of attachment on Iran’s IP prefixes (June’14) –IP allocation does not reflect jurisdiction. # of RIPE ROAs by country (from our model RPKI) 5

6 proposal : require consent to whack objects [SIGCOMM’14] Design goals: –Consent: Resource certs (RCs) consent to be whacked. –Consistency: Relying parties have consistent views of the RPKI. –Transparency: Relying parties audit RPKI & alarm on problems. “Drop invalid” for prefixes that are not part of an alarm Manually audit prefixes that are part of an alarm. Threat Model: –Similar to certificate transparency [RFC 6962] –Relying parties honestly audit the RPKI –Everyone else (incl. RPKI authorities) is untrusted RPKI Alic e Prefix, AS RPKI 6

7 RIPE’s Publication point DARS Publication Point how to consent? introducing.dead objects RC: 79.132.96.0/19 DARS RIPE (Réseaux IP Européens) ROA: AS 51813 79.132.96.0/24 ROA: AS 43782 79.132.96.0/19 Dartel LTD Publication Point RC: 79.132.96.0/24 Dartel LTD ROA: AS 51813 79.132.96.0/24.dead! Dartel consents If an authority wants to revoke IP prefixes from a child RC, it needs consent from that child & its impacted* descendant RCs. *Descendants aren’t always impacted by changes to the parent; ask me why later! manifest 7

8 what about alarms between syncs? Alice Alice syncs in morning & misses violations between syncs! Morning RC ROA Afternoon RC ROA Night Morning RC ROA Why does Alice need to catch violations between syncs? So Alice can audit the RPKI So we can have consistency (explained later) 8

9 catching alarms between syncs! Alice RC ROA RC ROA RC ROA Hash Change Log (contains diffs) How Alice audits a publication point: 1.Sync to the publication point 2.Use change log to reconstruct intermediate manifests 3.Verify the hash chain & signature of the latest manifest 4.Alarm if a consent violation is detected. Alice Valid Remains Valid. Our auditing algorithm makes sure that once a relying party has seen a valid resource cert (RC), that RC remains valid until it consents to be deleted/modified..dead ROA 9

10 proposal : require consent to delete objects [SIGCOMM’14] Design goals: –Consent:.dead objects indicate consent to whack resource certs (RCs) –Consistency: Relying parties have consistent views of the RPKI. –Transparency: Relying parties audit RPKI & alarm on problems. “Drop invalid” for prefixes that are not part of an alarm Manually audit prefixes that are part of an alarm. RPKI Alic e Prefix, AS RPKI 10

11 mirror worlds: inconsistent views of the RPKIRPKI Mirror world: RPKI presents one view to one relying party and a different view to the others. Relying parties Alice Bob Why do we care? Auditing is less meaningful if Alice’s view is different from everyone else’s. 11

12 detecting mirror worlds using manifest hash chains No mirror worlds! If the consistency check passes, relying parties saw the same valid objects. Alice Bob Afternoon Night Morning Hash( ) Bob sends a hash of his latest manifest & Alice finds it in her hashchain. Night 12

13 our proposal vs suspenders ROOT A RC A ROOT ROA B RC B RLOCK ROA suspenders [draft-kent-sidr-suspenders-02] A INRD host INRD ROOT A RC A ROOT ROA B RC B.dead ROA our proposal [SIGCOMM’14] 13

14 our proposal vs suspenders Our proposalSuspenders Auditor:Any Relying Party Requirements Consent for whacking?Yes: RCsYes: RCs & ROAs “Consent” for “ROA competition”?NoYes Consistency?YesNo Limited non-repudiation?YesNo? Design New RPKI objects:.dead.roll change logs RLOCK INRD Requires changes to manifests?YesNo “Out of band” publication points?YesNo Proofs of security goals:YesNo Question for the room: What is the right set of requirements? 14

15 Questions ? http://www.cs.bu.edu/~goldbe/papers/RPKImanip.ht ml From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman, Danny Cooper, Leonid Reyzin, Sharon Goldberg SIGCOMM’14, Chicago, IL. August 2014. RC ROA Change Log (contains diffs).dead 15

16 how many parties need to consent? How many ASes need to be involved when a leaf resource cert is revoked? Production RPKI average 1.5 ASes / leaf RC Model fully-deployed RPKI average 1.6 ASes / leaf RC 99.3% need <10 ASes / leaf RC 0.02% need >100 ASes / leaf RC “With great power comes great responsibility” 2 ASes RC: 79.132.96.0/19 DARS RIPE (Réseaux IP Européens) ROA: DARS AS 43782 79.132.96.0/19 ROA: Dartel LTD AS 51813 79.132.96.0/24 16

17 How often does would the RPKI need.deads? RIPE restructuring (Mid-November 2013) 7,779 objects altered in total * Renewals Not needed in our design (3,569 objects) Doesn’t require a.dead (874 objects) Required participation of all impacted ASes (3,336 objects) * all data from a ~3 month trace of the taken RPKI 2013/10/23 to 2014/01/21

18 Blaming authorities with accountable alarms. Why should anyone trust Alice when she raises an alarm? When are alarms not accountable (ie others can’t trust Alice)? RPKI ? RPKI RPKI ?  Alarms are accountable in every circumstance other than missing information. 18

19 ARIN ‘s publication point Continental Broadband pub point ETB SA ESP pub point Sprint’s pub po consent in a deep hierarchy: deletion 63.174.16.0/20 Continental Broadband 63.168.93.0/24 ETB S.A. ESP. ARIN American Registry of Internet Numbers 63.160.0.0/12 Sprint 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.168.93.0/24 AS19429.dead Delete 19

20 ARIN ‘s publication point Sprint’s pub po consent in a deep hierarchy: ”address block narrowing” 63.174.16.0/20 Continental Broadband 63.168.93.0/24 ETB S.A. ESP. ARIN American Registry of Internet Numbers 63.160.0.0/12 Sprint 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.168.93.0/24 AS19429.dead 63.168.64.0/18 Sprint Narrow! 20

21 ARIN ‘s publication point Sprint’s pub po key rollover (step 0 and 1) 63.174.16.0/20 B 63.168.93.0/24 A ARIN American Registry of Internet Numbers 63.160.0.0/12 Sprint 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.168.93.0/24 AS19429 63.160.0.0/12 Sprint Preroll! 21

22 ARIN ‘s publication point Sprint’s pub po key rollover (step 2) 63.174.16.0/20 B 63.168.93.0/24 A ARIN American Registry of Internet Numbers 63.160.0.0/12 Sprint 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.168.93.0/24 AS19429 63.160.0.0/12 Sprint postroll! Preroll! 22

23 ARIN ‘s publication point Sprint’s pub po key rollover (step 3) 63.174.16.0/20 B 63.168.93.0/24 A ARIN American Registry of Internet Numbers 63.160.0.0/12 Sprint 63.174.30.0/24 AS7341 63.174.16.0/22 AS7341 63.168.93.0/24 AS19429.roll 63.160.0.0/12 Sprint postroll! Delete 23

24 RIPE’s Publication point DARS Publication Point Key Rollover RC: 79.132.96.0/19 DARS RIPE (Réseaux IP Européens) 24 ROA: DARS AS 43782 79.132.96.0/19 Dartel LTD Publication Point RC: 79.132.96.0/24 Dartel LTD ROA: Dartel LTD AS 51813 79.132.96.0/24 RC: 79.132.96.0/19 DARS.dead

25 IPv4 address allocation does not reflect jurisdiction Data-driven model of the RPKI (today’s RPKI is too small)  Using RIR direct allocations, routeviews, BGP table dumps  RIRs and their direct allocations get RCs, other (prefix,origin AS) pairs in the table dumps get a ROA  ASes mapped to countries using RIR data 8.0.0.0/8 Held by Level 3 RU, FR, NL, CN, TW, CA, JP, GU, US, AU, GB, MX 38.0.0.0/8 Held by Cogent CA, US, HK, GB, IN, PH, MX, PR, GU, GT, 25

26 Countries 26

27 Countries covered by RIPE 27

28 Number of ROAs issued by each direct allocation 28

29 Depth of the RPKI DepthROAs 3118,028 4108,043 510,863 6293 79 29

Download ppt "Proposal for signaling consent from whacked RPKI objects Sharon Goldberg Danny Cooper, Ethan Heilman, Leonid Reyzin Manifest RC ROA.dead Change Log."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
Introduction to ARIN and the Internet Registry System.

Introduction to ARIN and the Internet Registry System.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
IPv4 Addresses. Internet Protocol: Which version? There are currently two versions of the Internet Protocol in use for the Internet IPv4 (IP Version 4)

IPv4 Addresses. Internet Protocol: Which version? There are currently two versions of the Internet Protocol in use for the Internet IPv4 (IP Version 4)
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.

APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Similar presentations

Ads by Google