Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei 2011.11.15 Randy Bush 2011.11.15 sidr bgpsec reqs 1.

Published byLindsay Boyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei 2011.11.15 Randy Bush 2011.11.15 sidr bgpsec reqs 1."— Presentation transcript:

1 draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei 2011.11.15 Randy Bush 2011.11.15 sidr bgpsec reqs 1

2 Detect Modifications A BGPsec design must allow the receiver of an announcement to detect if an AS has added or deleted any AS number other than its own in the path attribute. This includes modification to the number of AS prepends. 2011.11.15 sidr bgpsec reqs 2

3 Transparent RSs A BGPsec design MUST support 'transparent' route servers, meaning that the AS of the route server is not counted in downstream BGP AS-path- length tie-breaking decisions. 2011.11.15 sidr bgpsec reqs 3

4 Route Leaks What are ‘Route Leaks’? 2011.11.15 sidr bgpsec reqs 4

5 Not Mis-Originations Hijack - no permission from resource holder Squatting - had permission from the resource holder once upon a time Rent - permission from the resource holder for some time period (customer is leaving) Transfer - Resource moves from one party to the other Note that these are all ‘caught’ by BGPsec Reqs 2011.11.15 sidr bgpsec reqs 5

6 Not Protocol Violations AS-Path – modification of AS-Path NLRI – modification of NLRI Note that these are all ‘caught’ by BGPsec Reqs 2011.11.15 sidr bgpsec reqs 6

7 Policy Violations? Are they ‘Policy Violations’? What Policy? Peer ‘leaking’ from one peer to another? Customer offering transit between upstreams? Peer offering transit to peer? These are ‘violations’ of business policy 2011.11.15 sidr bgpsec reqs 7

8 Protocol Not Intent We can not know business relationships, is A a peer of B, a customer, or something more complex? So we can not know if A should have announced P to B, we can only know if she did announce the prefix to B Business policy on the Internet changes every 36ms We already have a protocol to distribute policy or its effects, it is called BGP BGPsec validates that the protocol has not been violated, and is not about intent or business policy 2011.11.15 sidr bgpsec reqs 8

9 http://puck.nether.net/bgp/leakinfo.cgi Jared Mauch’s useful service to “find either persistent or Transient routing leaks that exist.” Relies on built-in ‘knowledge’ of which ASs are Tier-1s and Detects customers leaking between Tier-1s Raises significant false positives because of this assumed knowledge No one would think of betting their routing on it 2011.11.15 sidr bgpsec reqs 9

10 Business Intent is a Human Concept We do not have the Do What I Mean button We have a means to say what we mean, BGP BGP shows the effects of what we mean, not the actual intent Any external publication of what we mean is not acceptable at any sufficiently detailed level would change every 36ms 2011.11.15 sidr bgpsec reqs 10

11 Bar Time So let’s meet in the bar and see if we can actually define ‘route leaks’ in a useful way. I.e. they can be formally described They can be formally detected with known error bounds 2011.11.15 sidr bgpsec reqs 11

Download ppt "Draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei 2011.11.15 Randy Bush 2011.11.15 sidr bgpsec reqs 1."

Similar presentations

NOPEER Route Attribute Propose a well-known transitive advisory scope attribute Applied by originating AS to route prefixes Interpretable as advice to.

NOPEER Route Attribute Propose a well-known transitive advisory scope attribute Applied by originating AS to route prefixes Interpretable as advice to.
Route Leaks Sandra Murphy. Is This a Route Leak? To be able to detect a route leak: Given Update with AS_PATH AS1…ASn Is this a route leak?

Route Leaks Sandra Murphy. Is This a Route Leak? To be able to detect a route leak: Given Update with AS_PATH AS1…ASn Is this a route leak?
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Interdomain Traffic Engineering with BGP By Behzad Akbari Spring 2011 These slides are based on the slides of Tim. G. Griffin (AT&T) and Shivkumar (RPI)

1 Interdomain Traffic Engineering with BGP By Behzad Akbari Spring 2011 These slides are based on the slides of Tim. G. Griffin (AT&T) and Shivkumar (RPI)
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.

ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
Path Vector Routing NETE0514 Presented by Dr.Apichan Kanjanavapastit.

Path Vector Routing NETE0514 Presented by Dr.Apichan Kanjanavapastit.
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Quantitative Analysis of BGP Route Leaks Benjamin Wijchers Benno Overeinder.

Quantitative Analysis of BGP Route Leaks Benjamin Wijchers Benno Overeinder.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Announcement  Slides and reference materials available at  Slides and reference materials available.

Announcement  Slides and reference materials available at  Slides and reference materials available.
CDNI Footprint Advertisement draft-previdi-cdni-footprint-advertisement-00 Stefano Previdi Francois Le Faucheur Allan Guillou Jan Medved IETF-82 Taipei,

CDNI Footprint Advertisement draft-previdi-cdni-footprint-advertisement-00 Stefano Previdi Francois Le Faucheur Allan Guillou Jan Medved IETF-82 Taipei,
1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:

1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Tutorial 5 Safe Routing With BGP Based on: Internet.

Tutorial 5 Safe Routing With BGP Based on: Internet.

Similar presentations

Ads by Google