
Securing the Routing Infrastructure. Sandra Murphy, Sparta, Inc. Internet2, 21 Sep 2005.

Presentation transcript:

Slide 1: Securing the Routing Infrastructure
Sandra Murphy, Sparta, Inc. sandy@tislabs.com, sandy@sparta.com

Slide 2: BGP Operation
Diagram: AS 10 holds Net 12/8 and announces it as ASPATH=10, NLRI=12/8. AS 20 receives the route and re-announces ASPATH=20,10, NLRI=12/8 to both AS 30 and AS 22. AS 30 in turn announces ASPATH=30,20,10, NLRI=12/8, and AS 22 announces ASPATH=22,20,10, NLRI=12/8.

Slide 3: BGP Operation – More specific prefixes
Diagram: the same topology as slide 2, but AS 22 also holds Net 12.12/16. Besides ASPATH=22,20,10, NLRI=12/8, AS 22 announces ASPATH=22, NLRI=12.12/16 to AS 20, and the more specific prefix propagates onward next to the 12/8 routes (ASPATH=20,10, NLRI=12/8 and ASPATH=30,20,10, NLRI=12/8).
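The two diagrams above describe how an announcement spreads and what a more specific prefix does to forwarding. The following Python model is an added example, not part of the original slides: it floods the two prefixes over the slides' four-AS topology (AS 10, 20, 30 and 22, with peerings assumed symmetric), prepending each AS's number on the way, then does a longest-prefix lookup at AS 30 to show that 12.12/16 from AS 22 captures every address in that /16 even though AS 10 still announces the covering 12/8. The "first route wins" tie-break and the topology are assumptions made for the example.

```python
import ipaddress
from collections import deque

# Constructed topology matching the slides' diagram: AS 10 -- AS 20 -- AS 30,
# with AS 22 also peered to AS 20.  Peerings are assumed symmetric.
PEERINGS = {10: {20}, 20: {10, 30, 22}, 30: {20}, 22: {20}}


def flood(origin_as, prefix, ribs):
    """Originate `prefix` at `origin_as` and propagate it BGP-style.

    Every AS stores the route as it was received (the sender's AS_PATH,
    most recent AS first) and re-announces it with its own number
    prepended.  A path that already contains the receiver is a loop and
    is dropped.  The first route seen for a prefix wins, a simplification
    of the real best-path decision.
    """
    net = ipaddress.ip_network(prefix)
    ribs.setdefault(origin_as, {})[net] = (origin_as,)
    queue = deque([(origin_as, (origin_as,))])  # (sender, AS_PATH as sent)
    while queue:
        sender, path = queue.popleft()
        for receiver in PEERINGS[sender]:
            if receiver in path:  # loop detection
                continue
            rib = ribs.setdefault(receiver, {})
            if net in rib:  # already holds a route for this NLRI
                continue
            rib[net] = path
            queue.append((receiver, (receiver,) + path))
    return ribs


def path_at(ribs, as_number, prefix):
    """The AS_PATH that `as_number` holds for `prefix` (None if no route)."""
    return ribs.get(as_number, {}).get(ipaddress.ip_network(prefix))


def lookup(rib, address):
    """Forwarding decision: longest-prefix match over one AS's RIB.

    Returns (prefix, as_path) of the most specific route containing
    `address`, or None.  This is why a more specific prefix pulls traffic
    away from the covering aggregate no matter who announced it.
    """
    addr = ipaddress.ip_address(address)
    candidates = [(net, path) for net, path in rib.items() if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda item: item[0].prefixlen)


def build_example():
    """Slides 2 and 3: AS 10 originates 12/8, then AS 22 originates 12.12/16."""
    ribs = {}
    flood(10, "12.0.0.0/8", ribs)
    flood(22, "12.12.0.0/16", ribs)
    return ribs


if __name__ == "__main__":
    ribs = build_example()
    for asn in sorted(ribs):
        for net, path in sorted(ribs[asn].items(), key=lambda i: i[0].prefixlen):
            print(f"AS {asn}: NLRI={net} ASPATH={','.join(map(str, path))}")
    # At AS 30, 12.12.1.1 is forwarded toward AS 22, 12.1.1.1 toward AS 10.
    for addr in ("12.12.1.1", "12.1.1.1"):
        net, path = lookup(ribs[30], addr)
        print(f"AS 30 forwards {addr} via {net} (ASPATH {path})")
```

Running it prints each AS's RIB in the notation the slides use and then the two lookups at AS 30; swapping in a different originator for the /16 changes nothing about where the traffic goes, which is the whole problem the rest of the talk addresses.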

Slide 4: Misconfiguration (we hope) Attacks
– Apr 1997: AS7007 announces classful addresses for the whole world
– Feb/Apr/Aug 2001: Abovenet/Quest/Digex announce routes with private AS numbers in them
– Typical consequences:
  – Dec 1999: a mis-origination by a downstream takes out ATT's dial-up net; WSJ notices
  – Apr/May 2003: Trafalgar House/LA County space hijacked by registry spoof
  – Side effect on operation: Covad does not aggregate their prefix announcements because they tried it and someone announced more specific prefixes

Slide 5: Think we're past all that?
– Dec 24, 2004: AS9121 (TTNet) announced 100K+ routes for 1hr20min (shorter event later)
  – According to a May 2005 NANOG presentation, 1/3 of Renesys's 100 peers saw the bad routes within 3 min
  – The bad routes spread far and wide
  – Affected networks included (from NANOG slide): Blue Cross Blue Shield of Iowa, Thomson Financial Services, Citicorp Global Information Network, MetLife Capital Corp, Pitney Bowes Credit Corporation, Brown Brothers Harriman & Company, LaSalle Partners, Kuwait Fund for Arab Economic Development

Slide 6: And recently…
– Sep 9, 9:29-10:47: AS 26210, a Bolivian ISP, announced 12/8, 64/8 and 65/8
  – 12/8: AS_PATH 3549 1239 12956 26210
  – GX-Sprint-Telefonica-AES Comm (Bolivia)
– On Sep 10, another anomaly
  – 12/8: AS_PATH 3549 1299 12676 (GX-TeliaNet-NCORE)
  – "FYI, happened again this morning for (at least) 12/8, duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s."

Slide 7: Consequences
Note to NANOG, Sep 9: "And wouldn't you know it, we have an application that needs to reach servers in 12/8 and 65/8, and someone just came over to me asking for help in figuring out why that application isn't working. I guess I should have checked my NANOG mail before I told them I had no idea what was going on. :)"

Slide 8: Moral of the Story
– Your network operation may be an inspiration to us all, but the other parts of the Internet hold your fate:
  – Your users may not be able to reach the sites they want to reach
  – Your users' remote users may not be able to reach your users
– Need more than effective local operation

Slide 9: A Sequence of Solutions
Increasingly stringent, increasing cost:
1. Peer-peer Connection Protection
2. Filters: prefix filters and AS-path filters
3. Origination Protection
4. Origination and AS_PATH Adjacency Protection
5. Origination and AS_PATH Route Protection
6. Origination, Transit and Policy Protection
7. "Freshness"

Slide 10: In Common Use
– Peer-peer protection methods
  – TCP MD5, IPsec, TLS, GTSM, (BTNS?)
– For crypto techniques, management is the biggest problem
  – Managing keys for many, many peers, key rollover, hash algorithm rollover
– Performance scale comes up frequently as well

Slide 11: In Common Use (2)
– Filters: prefix filters and AS-PATH filters
– Requires transitive trust
  – "Transitively trusting all peers' on-net customers: fundamentally unsafe" (NANOG Renesys presentation)
– Management hard (particularly at large ASes): keeping filter lists current
  – Manual configuration
  – Authority based: Team Cymru Bogon Route Server Project for VIP, bogon and martians; IRR based filter generators
  – OTOH: Mar 2003, 69/8 allocated; Jan 2004, 83/8 and 84/8 allocated; installed filters did not keep up
– For large ISPs, filter lists stress hardware
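The three filter types the slide names (prefix lists, AS-path filters, bogon lists) and the staleness problem it cites are easy to make concrete. The Python below is an added example written for this transcript, not filter code from the talk or from any vendor: it applies a per-customer prefix list, rejects paths carrying private AS numbers (the 2001 leaks of slide 4), and builds a bogon list from a registry snapshot as of a given date, so that a filter generated in February 2003 still rejects legitimate 69/8 routes after the March 2003 allocation while a regenerated one accepts them. The peer prefix lists, the treatment of peers without a list as transit peers, and the exact allocation days are assumptions.

```python
import ipaddress
from datetime import date

# 16-bit private AS numbers (RFC 1930); they must never appear in a path
# learned across the public Internet (the 2001 leaks on slide 4).
PRIVATE_ASNS = range(64512, 65535)

# Constructed customer prefix lists: the prefixes each customer peer may
# announce to us and the longest prefix length we accept from them.  A peer
# with no entry is treated as a transit peer, for which only the bogon and
# AS-path checks apply (a full prefix list would be too large to maintain).
PREFIX_LISTS = {
    10: [("12.0.0.0/8", 9)],
    22: [("22.0.0.0/8", 16)],
}

# Constructed registry snapshot using the allocation months the slide cites
# (69/8 in March 2003, 83/8 and 84/8 in January 2004); the days are assumed.
ALLOCATIONS = {
    "69.0.0.0/8": date(2003, 3, 1),
    "83.0.0.0/8": date(2004, 1, 1),
    "84.0.0.0/8": date(2004, 1, 1),
}


def bogon_list(generated_on):
    """The bogon filter as a generator would have built it on `generated_on`:
    every block not yet allocated on that date is unroutable."""
    return {ipaddress.ip_network(p) for p, allocated in ALLOCATIONS.items()
            if allocated > generated_on}


def prefix_list_ok(peer, net):
    """Customer prefix-list check; None means the peer has no list (transit)."""
    entries = PREFIX_LISTS.get(peer)
    if entries is None:
        return None
    return any(net.subnet_of(ipaddress.ip_network(allowed)) and net.prefixlen <= max_len
               for allowed, max_len in entries)


def as_path_ok(as_path, peer):
    """AS-path filter: non-empty, starts with the peer we learned it from,
    and contains no private AS number."""
    return (bool(as_path) and as_path[0] == peer
            and not any(asn in PRIVATE_ASNS for asn in as_path))


def accept(update, peer, bogons):
    """Apply bogon, AS-path and prefix-list filters; return (accepted, reason)."""
    net = ipaddress.ip_network(update["prefix"])
    if any(net.subnet_of(b) for b in bogons):
        return False, "bogon"
    if not as_path_ok(update["as_path"], peer):
        return False, "as-path"
    if prefix_list_ok(peer, net) is False:
        return False, "prefix-list"
    return True, "ok"


def stale_filter_demo():
    """Slide 11's point: a route in 69/8 received in April 2003, judged by a
    bogon list generated in February 2003 versus one regenerated in April."""
    update = {"prefix": "69.1.0.0/16", "as_path": (30, 20)}
    stale = bogon_list(date(2003, 2, 1))
    fresh = bogon_list(date(2003, 4, 1))
    return accept(update, 30, stale), accept(update, 30, fresh)


if __name__ == "__main__":
    print(accept({"prefix": "12.0.0.0/9", "as_path": (10,)}, 10, set()))
    print(accept({"prefix": "12.12.0.0/16", "as_path": (22,)}, 22, set()))
    print(accept({"prefix": "12.0.0.0/8", "as_path": (30, 65001, 10)}, 30, set()))
    print(stale_filter_demo())
```

The prefix list stops the slide 3 scenario only for peers you maintain a list for; for the transit peer it is the bogon and AS-path checks alone that apply, which is exactly where the transitive-trust concern on the slide lives, and the last call shows why a bogon list needs to be regenerated rather than installed once.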

Slide 12: Requirements for Authorities
– Must scale to Internet size and routing dynamics
– Design issues:
  – Non-hierarchical, singly rooted, multiply rooted?
  – Centralized, replicated, or distributed?
  – Client/server vs peer-peer?
  – Query/response vs wholesale download?
  – Event based vs periodic download?
– ISP distaste for relying on external info for configuration of their routing; chicken and egg

Slide 13: Origination Protection
– Authorization only (AS is authorized for the address)
– Authorization and Authentication (AS is also currently announcing the address): protects that "17%" unannounced but allocated
– Need authority (not necessarily central) that:
  – Stores info completely, accurately and securely
  – Accepts changes securely: model for authorization
– Need architecture and mechanisms for communication with "authority"
– Need procedures and tools for putting info into use
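Origination protection comes down to one check per update: is the last AS in the AS_PATH authorized by the authority to originate this prefix? The Python below is an added example, not a design from the talk: it holds a constructed authority table (12/8 to AS 10 as in the slides' diagram; 13/8 is invented to represent allocated-but-unannounced space) and screens the routes from slides 3 and 6. The "authorization and authentication" mode is this example's reading of the slide: the holder also records whether the prefix is in use, so an update whose AS_PATH merely ends in the legitimate AS for dormant space is rejected. Prefixes the authority does not cover come back as "unknown", a coverage gap rather than a verdict.

```python
import ipaddress

# Constructed authority records, not a real registry.  Each entry maps a
# prefix to (authorized origin AS, longest prefix length the holder permits,
# whether the holder has declared the prefix as currently announced).  AS 10
# as holder of 12/8 follows the slides' diagram; 13/8 is invented to stand
# for allocated-but-unannounced space (the slide's "17%").
AUTHORITY = {
    "12.0.0.0/8": (10, 9, True),
    "13.0.0.0/8": (13, 8, False),
}


def validate_origin(prefix, as_path, require_active=False):
    """Check the origin AS (last element of AS_PATH) against the authority.

    Returns "valid", "invalid" or "unknown" (no record covers the prefix,
    which is a coverage gap in the authority, not a verdict).  With
    require_active=True the route must also come from a holder who says
    the prefix is in use, so an update whose AS_PATH merely ends in the
    legitimate AS for dormant space is rejected.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [(ipaddress.ip_network(p), rec) for p, rec in AUTHORITY.items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"
    for _, (auth_as, max_len, active) in covering:
        if origin == auth_as and net.prefixlen <= max_len:
            return "invalid" if require_active and not active else "valid"
    return "invalid"


def audit(updates, require_active=False):
    """Validate a batch of (prefix, as_path) updates; returns a list of verdicts
    in the same order, which is how a RIB dump would be screened."""
    return [validate_origin(p, path, require_active) for p, path in updates]


# Constructed sample updates: the legitimate 12/8 route and the 12.12/16 from
# the slides' diagram, plus the two routes whose AS_PATH slide 6 quotes.
SAMPLE_UPDATES = [
    ("12.0.0.0/8", (30, 20, 10)),
    ("12.0.0.0/9", (20, 10)),
    ("12.12.0.0/16", (22,)),
    ("12.0.0.0/8", (3549, 1239, 12956, 26210)),
    ("64.0.0.0/8", (3549, 1239, 12956, 26210)),
    ("13.0.0.0/8", (99, 13)),
]

if __name__ == "__main__":
    for (prefix, path), verdict in zip(SAMPLE_UPDATES, audit(SAMPLE_UPDATES)):
        print(f"{prefix:15} AS_PATH {' '.join(map(str, path)):28} {verdict}")
    print("13/8 with require_active:", validate_origin("13.0.0.0/8", (99, 13), True))
```

The 64/8 case matters as much as the rejections: with authorization data that is incomplete the checker can only say "unknown", which is why the slide's first requirement for the authority is that it stores the information completely.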

Slide 14: Origination and AS_PATH Adjacency Protection
– Checks that adjacent ASes in AS_PATH have a peering
  – SoBGP, Garcia-Luna-Aceves/Smith
– Need a way to securely transmit adjacency: inline or query/download from a database
– Processing demands (crypto stuff)
– Residual vulnerabilities
  – existence of a peering adjacency gives no assurance the ASes will transit traffic
  – does not assure loop freedom

Slide 15: Origination and AS_PATH Route Protection
– Protection to show the update propagating through the ASes in AS_PATH
  – indicates each AS in the path has the willingness and capability to forward traffic toward the stated route
  – S-BGP; SPV
– Protection may or may not be passed inline
– Processing demands: crypto and storage
– Residual vulnerabilities
  – Freshness; policy compliance

Slide 16: Origination, Route and Policy Protection
– Policy protection, e.g., AS A has a peering relationship with B, not transit: B should not announce A's addresses
– Need to express and communicate policy
  – That means exposing policy: anathema to many
– Policy is specific to one AS
  – But may target a remote AS
– No current mechanisms to express, communicate or ensure policies (caveat: SoBGP)

Slide 17: Freshness
– Receive replacement route, send replacement route, then send the original route again
– BGP has no features that would facilitate discerning maintenance of update ordering
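Slides 14, 15 and 17 form a ladder: adjacency checks, then per-AS route attestations, then a freshness bound so an old attestation cannot be replayed. One Python model covering all three is added here as an example for this transcript; it is not S-BGP, SPV or SoBGP code. Each AS in the path attests that it holds the route with a given path suffix and forwards it to a named next AS, with an expiry; the receiver checks adjacency against a peering database, then requires one valid, matching, unexpired attestation per AS. The peering database, the per-AS keys and the timestamps are constructed, and a per-AS HMAC stands in for the public-key signatures a real deployment uses (a substitution that is stated in the code and weakens the trust model, since a verifier holding all the keys could forge attestations).

```python
import hashlib
import hmac
import json

# Constructed peering database holding the adjacencies of the slides' diagram.
PEERING_DB = {frozenset(p) for p in [(10, 20), (20, 30), (20, 22)]}

# Constructed per-AS keys.  S-BGP uses public-key signatures verified against
# certificates; a per-AS HMAC stands in for that here so the example runs on
# the standard library alone.  The substitution weakens the model: anyone
# holding these keys can forge attestations, which real signatures prevent.
AS_KEYS = {10: b"as10-key", 20: b"as20-key", 30: b"as30-key", 22: b"as22-key"}


def adjacency_ok(receiver, as_path):
    """Slide 14: every neighbouring pair in the path, including the receiver
    and its peer, must be a known peering.  AS_PATH is in BGP order (most
    recent AS first)."""
    full = (receiver,) + tuple(as_path)
    return all(frozenset(pair) in PEERING_DB for pair in zip(full, full[1:]))


def _digest(signer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AS_KEYS[signer], msg, hashlib.sha256).hexdigest()


def attest(signer, prefix, path_so_far, next_as, expires):
    """Slide 15: AS `signer` states that it holds `prefix` with AS_PATH
    `path_so_far` (which begins with itself) and forwards it to `next_as`;
    the statement is good until `expires` (slide 17's freshness bound)."""
    body = {"as": signer, "prefix": prefix, "path": list(path_so_far),
            "next": next_as, "expires": expires}
    return {**body, "sig": _digest(signer, body)}


def verify_route(receiver, prefix, as_path, attestations, now):
    """Verify at `receiver` a route carrying `as_path` and its attestations.

    Every AS in the path must have an attestation that checks out, covers
    exactly the path suffix that AS saw, names the AS it forwarded to, and
    has not expired.  Returns (ok, reason).
    """
    if not adjacency_ok(receiver, as_path):
        return False, "adjacency not in peering database"
    by_as = {a["as"]: a for a in attestations}
    for i, asn in enumerate(as_path):
        att = by_as.get(asn)
        if att is None:
            return False, f"AS {asn} never attested forwarding this route"
        if asn not in AS_KEYS:
            return False, f"no key known for AS {asn}"
        body = {k: att[k] for k in ("as", "prefix", "path", "next", "expires")}
        if not hmac.compare_digest(_digest(asn, body), att["sig"]):
            return False, f"AS {asn} attestation signature invalid"
        expected_next = receiver if i == 0 else as_path[i - 1]
        if (att["prefix"], tuple(att["path"]), att["next"]) != \
                (prefix, tuple(as_path[i:]), expected_next):
            return False, f"AS {asn} attestation does not cover this route"
        if att["expires"] <= now:  # slide 17: stale attestation replayed
            return False, f"AS {asn} attestation expired"
    return True, "ok"


# Constructed attestations for 12/8 as it travels AS 10 -> AS 20 -> AS 30,
# valid until an arbitrary time 1000.
ATTESTATIONS = [
    attest(10, "12.0.0.0/8", (10,), 20, expires=1000),
    attest(20, "12.0.0.0/8", (20, 10), 30, expires=1000),
]

if __name__ == "__main__":
    print(verify_route(30, "12.0.0.0/8", (20, 10), ATTESTATIONS, now=500))
    # Adjacency alone passes here, but AS 20 never agreed to carry the route.
    print(adjacency_ok(30, (20, 10)),
          verify_route(30, "12.0.0.0/8", (20, 10), ATTESTATIONS[:1], now=500))
    # Slide 17: the same attestations replayed after their lifetime.
    print(verify_route(30, "12.0.0.0/8", (20, 10), ATTESTATIONS, now=2000))
    # Attestations aimed at AS 30 presented to AS 22 instead.
    print(verify_route(22, "12.0.0.0/8", (20, 10), ATTESTATIONS, now=500))
```

The second call is the residual vulnerability slide 14 lists: both adjacencies exist in the database, yet nothing shows AS 20 agreed to transit, and only the attestation check catches that. The third call is the freshness failure of slide 17; the expiry is the simplest bound, and a real design also has to decide how the lifetime interacts with the storage and crypto cost noted on slide 15.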

Slide 18: Current Activity
– Concerned community working on this
  – ISPs, Registry, Security, Router Vendor folk
– Consensus is that the most pressing need is:
  – Registration database integrity improved
  – Authenticated list of AS-prefix origination authorizations
– Useful in many ways:
  – Operational debugging
  – Customer care
  – Security protection
– Fundamental basis for ANY security solution

Slide 19: Query
– Anyone interested in participating in discussion? In putting this to a trial?
  – Start with AS->prefix mapping for Internet2
  – See how difficult it is to include in operational procedures
– Sponsor: DHS S&T, SPRI program (Secure Protocols for the Routing Infrastructure)

