Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft-ietf-sidr-bgpsec-protocol Matt Lepinski

Published byBlanche Hunter Modified over 9 years ago

Similar presentations

Presentation on theme: "Draft-ietf-sidr-bgpsec-protocol Matt Lepinski"— Presentation transcript:

1 Draft-ietf-sidr-bgpsec-protocol Matt Lepinski mlepinski@bbn.com

2 Draft-ietf-sidr-bgpsec-01 Thank you to everyone who provided comments on the -00 draft Additional thanks to Wes George and Sandy Murphy who have already sent comments on the -01 draft!

3 pCount Field There was consensus at the Quebec meeting that BGPSEC should accommodate route servers that do not wish to increase the length of the AS-PATH. The -01 version adds a “pCount” field to address this route server issue and to permit adding multiple copies of an AS number without multiple signatures

4 Example (copies of AS number) OLD NEW AS-PATH : X Y Z Z Z (5 signatures) AS-PATH : X Y Z pCount : 1 1 3 (3 signatures) Note: This requires “expanding” the AS-PATH when we send an update From a BGPSEC speaker to a non-BGPSEC speaker Note: AS Path Length is Sum of pCount

5 pCount = 0 (Route Servers) A Route Server signs with its own AS –Maintains the security properties of BGPSEC A Route Server may set pCount to 0 –This way a route server does not bias traffic away from itself by increasing the length of the AS-PATH Security Consideration –An entity that is not a route server could set pCount to 0 to bias traffic towards itself –If your peer is not a route server and sends you an update with pCount = 0, you should drop the update

6 Another pCount Example OLD NEW AS-PATH : W Y Z Z Z Z (6 signatures) AS-PATH : W X Y Z pCount : 1 0 1 4 (4 signatures) Question for the Working Group: Is this a reasonable way to handle route servers? Note: X is an “invisible” Route Server between W and Y

7 Preventing Replay Attacks The primary goal of BGPSEC is to prevent your routes from being hijacked by malicious entities that have never legitimately been on the path for your prefix An additional goal of BGPSEC is to prevent someone that you used to do business with from replaying stale information to keep attracting your traffic

8 Preventing Replay Attacks Properties of replay attacks –Business relationships change on a slow time-scale –May be more difficult for humans to detect replay attacks than other types of route hijacking Current -01 draft has an expire-time mechanism to limit vulnerability to replay attacks –Goal of this mechanism is just to make sure that ancient business relationships do not come back to haunt you –Intent is that validity periods will be long, because business relationships don’t change overnight

9 Preventing Replay Attacks There has been active discussion on the list on –Whether the benefits (replay protection) of the current expire-time mechanism are worth the cost –Concerns about the dangers of a misbehaving party who “beacons” too often –Possible alternative mechanisms We are not going to solve all this today –In order to have an informed debate about this mechanism, we probably need a better analysis of what is truly the cost of the current mechanism

Download ppt "Draft-ietf-sidr-bgpsec-protocol Matt Lepinski"

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.

Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.
SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.
Call Server LIS VPC ESGW SR Manhattan PSAP LO=Wall St Route=Manhattan PSAP The Location Object (LO) is provided in the call setup information to the Call.

Call Server LIS VPC ESGW SR Manhattan PSAP LO=Wall St Route=Manhattan PSAP The Location Object (LO) is provided in the call setup information to the Call.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Route Leaks Sandra Murphy. Is This a Route Leak? To be able to detect a route leak: Given Update with AS_PATH AS1…ASn Is this a route leak?

Route Leaks Sandra Murphy. Is This a Route Leak? To be able to detect a route leak: Given Update with AS_PATH AS1…ASn Is this a route leak?
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”

A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
DDOS Defense by Offense OFFENSE Presented by: Anup Goyal Aojan Su.

DDOS Defense by Offense OFFENSE Presented by: Anup Goyal Aojan Su.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Similar presentations

Ads by Google