Presentation is loading. Please wait.

Presentation is loading. Please wait.

BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012.

Published byMavis Robertson Modified over 8 years ago

Similar presentations

Presentation on theme: "BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012."— Presentation transcript:

1 BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012

2 Problem Statement  It is currently possible for BGP based L3VPN routes to accidentally be sourced in a unintended manner in transit.  This is usually due to unintentional mis-configuration in a transit service provider (SP) resulting in VPN prefixes originating from the transit SP  Malicious attacks are also possible.  No mechanism in place to authenticate VPN prefixes in terms of origin validation.  The draft (draft-ymbk-l3vpn-origination-02) attempts to define one such scheme.

3 BGP L3VPN origin validation– Scheme Description  Originator of the VPN route signs BGP update using a secret key  The scheme does not mandate a PKI, though one may be used, and symmetric or asymmetric keys may be used  The originator and validator have a trust agreement where they agree upon a secret key and associated Key Identifier.  Key Identifier is a opaque value used to identify the context of the key in the BGP update. Often the VPN-ID can be used as the Key Identifier.  The signature digest generated from the associated key is carried in a new BGP attribute and is validated at the receiver end by retrieving the key from the key Identifier context and computing the equivalent signature digest.

4 BGP L3VPN origin validation – BGP extensions  A new optional transitive attribute defined in BGP to carry the signature digest.  Signature digest is generated as  Signature = sign ( hash ( Prefix/Len || Key Identifier ))  Single BGP Prefix per update to maintain integrity of signature. Attribute Header Key Identifier Alg Suite MBZ Sig. Length Signature Digest (variable)

5 BGP L3VPN origin validation – Provider based validation CE1 PE1 ASBR2 ASBR1 1.Configured with Key Identifier and associated key (secret key (K) agreed upon between CE1 and ASBR2) 2.Originates Prefix and signs it with secret key to generate sig. digest - Signature = sign (K) ( hash ( Prefix || Key Identifier ) ) carried in L3POA 3.BGP update sent - single Prefix per update along with PATH attribute 1.Configured with Key Identifier and associated key (secret key (K) agreed upon between CE1 and ASBR2) 2.Validates BGP Updates from ASBR1 by computing verification digest using secret key (K) corresponding to key ID from BGP update as well as associated Prefix Verify_Signature = sign (K) (hash (Prefix || Key Identifier in rcvd update) ) 3.If verify_signature matches signature in PATH attribute the BGP update is classified as valid, else invalid.

6 BGP L3VPN origin validation – End CE to CE validation CE1 PE1 CE2 PE2 1.Configured with Key Identifier and associated key (secret key (K) agreed upon between CE1 and CE2) 2.Originates NLRI and signs it with secret key to generate sig. digest - Signature = sign (K) ( hash ( Prefix || Key Identifier ) ) carried in L3POA attribute 3.BGP update sent - single Prefix per update along with PATH attribute 1.Configured with Key Identifier and associated key (secret key (K) agreed upon between CE1 and CE2) 2.Validates BGP Updates from PE2 by computing verification digest using secret key (K) corresponding to key ID from BGP update as well as associated Prefix Verify_signature = sign (K) ( hash ( Prefix || Key Identifier) ) 3.If verify_signature matches signature in PATH attribute the BGP update is classified as valid, else invalid.

7 BGP L3VPN origin validation– PE - PE based validation CE1 PE1 ASBR2 ASBR1 1.Here PEs, possibly across ASes, agree on the keying. 2.The Key Identifier and associated keys would normally be configured on a per VPN basis, with the PE1 signing and PE2 validating similarly 3.Here we are protected against route originating from unauthorized PEs. PE2 CE2

8 BGP L3VPN origin validation - Advantages Origin validation for common L3VPN scenarios (inclusive of InterAS) – Provider based and CE based validation Does not mandate a PKI and can provide for lightweight authentication. Only end routers need to be aware of the new mechanism. Intermediate speakers do not need to be aware/upgraded so incrementally deployable

Download ppt "BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas.

Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Draft-ni-l3vpn-pm-bgp-ext-00IETF 87 L3VPN1 BGP Extension For L3VPN PM draft-ni-l3vpn-pm-bgp-ext-00 Hui Ni, Shunwan Zhuan, Zhenbin Li Huawei Technologies.

Draft-ni-l3vpn-pm-bgp-ext-00IETF 87 L3VPN1 BGP Extension For L3VPN PM draft-ni-l3vpn-pm-bgp-ext-00 Hui Ni, Shunwan Zhuan, Zhenbin Li Huawei Technologies.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

Similar presentations

Ads by Google