Route Hijacking and the role of RPKI in Securing Internet Routing Infrastructure (presentation)

Contents

Slide 2

BGP 101

Network          Next Hop          AS_PATH    Age    Attrs
2001:db8::/32    ...               ...        ...    ...

(figure: BGP topology diagram showing prefixes 2001:db8::/32, announced from router 2001:db8:ab::1, and 2406:6400::/32, with ASes 65530, 65533, 64512, 65535, 65532, 65531, 65420 and 65534)

Slide 3

Current Practice

Filtering limited to the edges facing the customer
Filters on peering and transit sessions are often too complex or take too many resources
Check prefix before announcing it

Receive Request -> LOA Check -> Create Associated Prefix / AS Filter

Slide 4

Filter Where?

Secure BGP Templates
http://www.cymru.com/gillsr/documents/junos-bgp-template.htm
https://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html

Slide 5

IP Address & AS Number
Digital Certificate
RPKI: Resource Public Key Infrastructure

Slide 6

BGP 101 + RPKI

    Network           Next Hop           AS_PATH              Age       Attrs
V*> 2406:6400::/32    2001:df2:ee00::1   65531 65533 65535    05:30:49  [{Origin: i}]
I > 2406:6400::/32    2001:df2:ee11::1   65530 65420          05:30:49  [{Origin: i}]

(V = origin valid under RPKI, I = origin invalid under RPKI)

(figure: the same topology diagram as Slide 2, with prefixes 2001:db8::/32 (router 2001:db8:ab::1) and 2406:6400::/32, and ASes 65530, 65533, 64512, 65535, 65532, 65531, 65420 and 65534)

Slide 7

PKI In Other Applications

HTTPS
Web Address as RESOURCE
Hierarchical Trust Model
CA as the root of the TRUST
Browser does the VERIFICATION

DNSSEC
Zone as RESOURCE
Hierarchical Trust Model
"." (the root zone) as the root of the TRUST
DNS Resolver does the VERIFICATION

Slide 8

What About RPKI?

Slide 9

The Eco System

Slide 10

RPKI Trust Anchor

IANA
  AFRINIC   RIPE NCC   ARIN   APNIC   LACNIC
    NIR   NIR
      ISP   ISP   ISP   ISP   ISP

Trust Anchor Certificate
Resource Allocation Hierarchy
Issued Certificates match allocation actions

Slide 11

RPKI Implementation

As an Announcer/LIR
You choose if you want certification
You choose if you want to create ROAs
You choose AS, max length

As a Relying Party
You can choose if you use the validator
You can override the lists of valid ROAs in the cache, adding or removing valid ROAs locally
You can choose to make any routing decisions based on the results of the BGP Verification (valid/invalid/unknown)

1. Publish ROA -> RPKI Cache Validator -> Router Configuration

Slide 12

Activate RPKI engine

Slide 13

Create ROA

1. Write your ASN
2. Your IP Block (create a ROA for the smaller block)
3. Subnet
4. Click Add

Example values: ASN 131107, IP block 2001:df2:ee00::/48, subnet 48

Slide 14

How Do We Verify?

Slide 15

RPKI in Action

{bgp4} Routers validate updates from other BGP peers
{rtr} Caches feed routers with ROA information using the RTR protocol
{rsync} Caches retrieve and cryptographically validate certificates & ROAs from repositories

(figure: ASBR <-{rtr}-> RPKI Cache Validator <-{rsync}-> repository; ASBR <-{bgp4}-> upstream; DNS and Trust Anchors feed the validator)

Slide 16

RPKI Implementation Issues

Slide 17

RPKI Data Violation: Invalid ASN

Invalid origin AS is visible from a private ASN!
Slide 18

RPKI Data Violation: Fixed Length Mismatch

Most of the cases involve an invalid prefix (fixed length mismatch)
– Further allocation to the customer
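Added example, not part of the deck: a small Python implementation of the RFC 6811 route origin validation that the relying-party slides describe, run over a constructed ROA set. It reproduces the valid and invalid rows of the BGP 101 + RPKI table (Slide 6), the invalid-origin-AS case (Slide 17) and the fixed length mismatch caused by a further allocation to a customer (Slide 18), and shows the holder's remedy of issuing a ROA that covers the more specific. The ROA entries, the AS_PATH strings, the extra "fixed" ROA and the customer prefix 2406:6400:1::/48 are constructed assumptions; only the prefixes and ASNs that appear on the slides are taken from the deck.

```python
"""RFC 6811 Route Origin Validation over a constructed ROA set (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorized prefix, e.g. "2406:6400::/32"
    max_length: int   # longest more-specific the holder authorizes (maxLength)
    asn: int          # authorized origin AS; AS0 means nobody may originate


# Constructed ROA set (assumption, not fetched from any RPKI repository).
# The entries mirror the deck: AS131107 / 2001:df2:ee00::/48 from the Create ROA
# slide, and 2406:6400::/32 authorized for AS65535, the origin of the row marked
# valid in the BGP 101 + RPKI table.
ROAS = (
    ROA("2001:df2:ee00::/48", 48, 131107),
    ROA("2406:6400::/32", 32, 65535),
)

# Route flags in the style of the deck's table (V valid, I invalid, N not found).
FLAGS = {"valid": "V", "invalid": "I", "unknown": "N"}


def origin_of(as_path: str) -> int:
    """The origin AS is the right-most AS in AS_PATH."""
    return int(as_path.split()[-1])


def validate(prefix: str, origin_as: int, roas=ROAS):
    """Return (state, reason); state is "valid", "invalid" or "unknown".

    RFC 6811: a ROA *covers* a route when the ROA prefix contains the announced
    prefix. Among covering ROAs, one *matches* when its AS equals the origin AS
    and the announced length does not exceed maxLength. No covering ROA ->
    NotFound (unknown); covered but no match -> Invalid.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown", "no covering ROA (NotFound)"
    for roa in covering:
        if roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return "valid", f"matches ROA {roa.prefix}-{roa.max_length} AS{roa.asn}"
    # Covered but unmatched: tell the operator which check failed.
    same_as = [r for r in covering if r.asn == origin_as]
    if same_as:
        r = same_as[0]
        return "invalid", (f"length mismatch: /{route.prefixlen} exceeds maxLength "
                           f"{r.max_length} of ROA {r.prefix}")
    allowed = ", ".join(f"AS{r.asn}" for r in covering)
    return "invalid", f"origin AS{origin_as} not authorized (covering ROAs allow {allowed})"


def rib_row(prefix: str, next_hop: str, as_path: str, roas=ROAS) -> str:
    """Format one RIB row with the validation flag in front, like the deck's table."""
    state, _ = validate(prefix, origin_of(as_path), roas)
    return f"{FLAGS[state]}*> {prefix:<20} {next_hop:<18} {as_path}"


if __name__ == "__main__":
    # Constructed announcements: the two rows of the BGP 101 + RPKI table, a
    # customer more-specific (further allocation) and an uncovered prefix.
    for args in [
        ("2406:6400::/32", "2001:df2:ee00::1", "65531 65533 65535"),
        ("2406:6400::/32", "2001:df2:ee11::1", "65530 65420"),
        ("2406:6400:1::/48", "2001:df2:ee00::1", "65531 65533 65535"),
        ("2001:db8::/32", "2001:db8:ab::1", "65530"),
    ]:
        print(rib_row(*args), "|", validate(args[0], origin_of(args[2]))[1])
    # Remedy for the length-mismatch case: the holder issues a ROA that covers
    # the more specific (constructed: maxLength raised to 48 for AS65535).
    fixed = ROAS + (ROA("2406:6400::/32", 48, 65535),)
    print(rib_row("2406:6400:1::/48", "2001:df2:ee00::1", "65531 65533 65535", fixed))
```

The third announcement is the Slide 18 situation: the customer's /48 is covered by the holder's /32 ROA, so it is not "unknown", and because the ROA only authorizes lengths up to 32 it is "invalid" even though the origin AS is the right one. Only a ROA for the more specific (or a raised maxLength, as in the `fixed` set) turns it valid; this is why Slide 20 notes that operators often create ROAs for the minimum length while advertising longer prefixes.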
Slide 19

Fiji

Total ASNs delegated by RIR: 8, Visible IPv4 routes: 50, Visible IPv6 routes: 5
http://rpki.apnictraining.net/output/fj.html

Slide 20

Moving Forward

RPKI adoption is growing
You are encouraged to create ROAs. Experiment, test, play and develop
You can implement it in your infrastructure and do origin validation

Something to consider
Upgrade at least ASBRs to RPKI-capable code
In most cases, operators create ROAs for the minimum length and advertise the longest prefix
Some ROAs are invalid due to further allocation to customers
https://www.apnic.net/ROA
Slide 21

Data Collection

GoBGP
https://github.com/osrg/gobgp
RPKI Dashboard
https://github.com/remydb/RPKI-Dashboard
RIPE RPKI Statistics
https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
RIPE Cache Validator API
http://rpki-validator.apnictraining.net:8080/export

File name: Route-Hijacking-and-the-role-of-RPKI-in-Securing-Internet-Routing-Infrastructure.pptx