Nathalie Trenaman | 15 June 2018 | TREX Workshop 2018
The challenges of routing security
Just give me a button!
RIPE NCC
• Members organisation founded in 1992
• Manages IP and ASN allocations in Europe, Middle East and former Soviet Union
- Ensure unique holdership
- Document holdership in RIPE Database (whois)
- Facilitate operators to document use of their addresses
Inter-Domain Routing
• Border Gateway Protocol
- IETF Standard, RFC1105, 1989
- BGPv2, 1990
- BGPv3, 1991
- BGPv4, 1994
- Many other extensions…
• Problem remains
- Any network (ASN) can announce any IP prefix
- No built-in security in BGP protocol
Accidents Happen
• Fat Fingers
- 2 and 3 are really close on our keyboards..
• Policy violations (leaks)
- Oops, we didn’t mean this to go to the public internet
- Infamous incident: Pakistan Telecom blackholed YouTube, for the world..
Or worse..
• April 2018
- BGP and DNS hijack
- Targeting MyEtherWallet
- Unnoticed for 2 hours
Incidents are common
• 2017 Routing Security Review by Internet Society
- 14k incidents
- 10% of all ASNs affected
- 3k ASN victim of at least one incident
- 1.5k ASN caused at least one incident
https://www.internetsociety.org/blog/2018/01/14000-incidents-2017-routing-security-year-review/
Internet Routing Registry
• Many exist, most widely used
- RIPE Database
- RADB
• Verification of holdership over resources
- RIPE Database for RIPE region resources only
- RIPE Database allows anyone to create out-of-region objects (about to be deprecated)
- RADB allows paying customers to create any object
- A lot of other IRRs don’t formally verify holdership
Automate using IRR
[Diagram: IRRs are queried / fetched (typically 24h) by irrtoolset, bgpq3, scripts, …, which produce static router config for AS65003]
Filtering Value Proposition
• Most commonly done by providers
• Internet Exchange points have started offering filtering as a service
• Transit providers usually do not filter
• Stub networks may filter because they want to block poisonous traffic
Coverage - RIPE IRR
Fraction of IPv4 announcements valid according to ROUTE objects
Accuracy - RIPE IRR
Accuracy - Valid announcements / covered announcements
Coverage - RADB IRR
Fraction of IPv4 announcements valid according to ROUTE objects
Accuracy - RADB IRR
Accuracy - Valid announcements / covered announcements
Resource Public Key Infrastructure
• Resource Public Key Infrastructure
- Ties IP addresses and ASNs to public keys
- Follows the hierarchy of the registry
• Authorised statements from resource holders
- ASN X is authorised to announce my IP Prefix Y
- Signed, holder of Y
Give me a button! — When I authorise
• We show members announcements
- Member chooses to authorise, or not
- No need to worry about the crypto
- It’s there, but let the machines handle it..
• APNIC and LACNIC also have easy to use portals
- Uptake and quality of data is a function of the interface
How to set up ROAs
Coverage - RPKI (all RIRs)
Fraction of IPv4 announced addresses valid according to ROAs
Accuracy - RPKI (all RIRs)
IPv4 addresses in valid announcements / covered announcements
RPKI in some European countries
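| Country | % Prefixes | % Addresses | Accuracy |
|---------|------------|-------------|----------|
| NL | 25% | 44% | 99,9% |
| BE | 27% | 78% | 100,0% |
| DE | 17% | 42% | 100,0% |
| SI | 23% | 40% | 98,9% |
| GB | 14% | 26% | 99,9% |
| IE | 20% | 21% | 99,9% |
| FI | 20% | 40% | 100,0% |
| SE | 12% | 38% | 100,0% |
| GR | 46% | 75% | 100,0% |
| ES | 6% | 2% | 98,0% |
| IT | 12% | 2% | 99,1% |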
source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
Give me a button! — When I validate
[Diagram: a validator fetches from the RPKI repos via rsync or delta protocol (~15 minutes) and feeds AS65003 either over the RPKI to Router Protocol or through its API and scripts that generate static router config]
Search through validated ROAs
Manage local exceptions
Analyse any announcement
RPKI Validator references
• RIPE NCC RPKI Validator 2.24
https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources
• RIPE NCC RPKI Validator 3
https://github.com/RIPE-NCC/rpki-validator-3/wiki
- Release Candidate out NOW
- Please try it! Your feedback is much appreciated
• Rcynic
https://github.com/dragonresearch/rpki.net/
• RPSTIR
https://github.com/bgpsecurity/rpstir