disco sidestepping rpki s deployment barriers
play

DISCO: Sidestepping RPKIs Deployment Barriers Tomas Hlavacek 1 Italo - PowerPoint PPT Presentation

Oct 15, 2022 •182 likes •540 views

DISCO: Sidestepping RPKIs Deployment Barriers Tomas Hlavacek 1 Italo Cunha 23 Yossi Gilad 4 Amir Herzberg 5 Ethan Katz-Bassett 3 Michael Schapira 4 Haya Shulman 1 1 Fraunhofer SIT 2 Universidade Federal de Minas Gerais 3 Columbia University 4

  1. DISCO: Sidestepping RPKI’s Deployment Barriers Tomas Hlavacek 1 Italo Cunha 23 Yossi Gilad 4 Amir Herzberg 5 Ethan Katz-Bassett 3 Michael Schapira 4 Haya Shulman 1 1 Fraunhofer SIT 2 Universidade Federal de Minas Gerais 3 Columbia University 4 Hebrew University of Jerusalem 5 University of Connecticut

  2. The Border Gateway Protocol (BGP) ◮ The Internet is composed of many Autonomous Systems (ASes) ◮ Aka ISPs or Domains ◮ Inter-AS routing uses BGP ◮ Example: AS 10 announces it has prefix 1.2.0.0/16 to AS 2 Inter-AS routing with BGP: AS 10 announces prefix 1.2.0.0/16 to AS 2.

  3. The Border Gateway Protocol (BGP) ◮ The Internet is composed of many Autonomous Systems (ASes) ◮ Aka ISPs or Domains ◮ Inter-AS routing uses BGP ◮ Example: AS 10 announces it has prefix 1.2.0.0/16 to Inter-AS routing with BGP: AS 10 AS 2 announces prefix 1.2.0.0/16 to AS 2, ◮ AS 2 forwards to AS 3 who forwards to AS 3.

  4. The Border Gateway Protocol (BGP) ◮ The Internet is composed of many Autonomous Systems (ASes) ◮ Aka ISPs or Domains ◮ Inter-AS routing uses BGP ◮ Example: AS 10 announces it has prefix 1.2.0.0/16 to AS 2 Inter-AS routing with BGP: AS 10 ◮ AS 2 forwards to AS 3 announces prefix 1.2.0.0/16 to AS 2, who forwards to AS 3. Now AS 3 sends ◮ AS 3 routes to 1.2/16 via traffic to 1.2/16 (via AS 2). AS 2

  5. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Example of prefix hijack: AS 666 claims to host 1.2.0.0/16. AS 666 announces prefix 1.2.0.0/16 to AS 3.

  6. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... AS 666 announces prefix 1.2.0.0/16 to AS 3. AS 3 sends traffic to 666 (e.g., shorter path)

  7. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Defenses? ad-hod, proprietary (expensive), weak

  8. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Defenses? ad-hod, proprietary (expensive), weak ◮ BGPsec (RFCs published in 2017) ◮ Ambitious: prevent all route manipulations

  9. Internet Inter-Domain Routing (In)Security ◮ BGP has no built-in security mechanism ◮ Long history of attacks and problems: ◮ route manipulations, mostly prefix hijacks ◮ route leaks ◮ intentional and benign - but always painful... ◮ Defenses? ad-hod, proprietary (expensive), weak ◮ BGPsec (RFCs published in 2017) ◮ Ambitious: prevent all route manipulations ◮ But deployment is hard/unlikely ◮ And: builds on RPKI... ◮ RPKI (RFCs published in 2012) ◮ (only) prevent prefix hijacks ◮ Our focus

  10. RPKI: Resource Public Key Infrastructure ◮ Routing Certificate (RC): binds IP prefix π to public key pk ◮ Route Origin Authorization (ROA): binds (prefix,origin) pair ◮ Max-Length : most-specific subprefix allowed ◮ Signed by public key pk (certified for π ) ◮ Route Origin Validation (ROV): validate origin in BGP announcements ◮ Deployed by BGP routers ◮ Discard announcement with ‘invalid’ (prefix,origin) pair (differ from ROA)

  11. RPKI: Resource Public Key Infrastructure ◮ Routing Certificate (RC): binds IP prefix π to public key pk ◮ Route Origin Authorization (ROA): binds (prefix,origin) pair ◮ Max-Length : most-specific subprefix allowed ◮ Signed by public key pk (certified for π ) ◮ Route Origin Validation (ROV): validate origin in BGP announcements ◮ Deployed by BGP routers ◮ Discard announcement with ‘invalid’ (prefix,origin) pair (differ from ROA) ◮ 18.5% of (prefix,origin) pairs are ‘valid’, 0.8% ‘invalid’ [NIST] ◮ Others (81.7%): no ROA ◮ Concern: most ‘invalid’ due to ‘wrong’ ROA, not to hijack ◮ Limited security benefits - esp. for partial adoption ◮ ⇒ Slow adoption

  12. Research on Deploying RPKI ◮ RPKI ecosystem and deployment: Wahlisch*CCR12, Iamartino*PAM15, Wahlisch*HotNet15, Gilad*NDSS17, Gilad*HotNts18, Reuters*CCR18, Hlavacek*DSN18, Chung*IMC19, Testart*PAM20 ◮ RPKI security concerns, extensions: ◮ Misbehaving authority: Cooper*HotNts13, Heilman*SigCom14 ◮ ‘Path-end’ extension: Cohen*SigComm16 ◮ Max-Length considered harmful: Gilad*CoNext17

  13. Research on Deploying RPKI ◮ RPKI ecosystem and deployment: Wahlisch*CCR12, Iamartino*PAM15, Wahlisch*HotNet15, Gilad*NDSS17, Gilad*HotNts18, Reuters*CCR18, Hlavacek*DSN18, Chung*IMC19, Testart*PAM20 ◮ RPKI security concerns, extensions: ◮ Misbehaving authority: Cooper*HotNts13, Heilman*SigCom14 ◮ ‘Path-end’ extension: Cohen*SigComm16 ◮ Max-Length considered harmful: Gilad*CoNext17 ◮ This work ( DISCO ): ◮ Complementary, automated Routing Certification mechanism ◮ Goal: easy-to-issue and correct ROAs, RCs

  14. Pitfalls with RPKI Issuing of RCs, ROAs ◮ Routing Certificates (RCs): ◮ Manual application by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Room for errors, e.g., forgotten/wrong prefix, origin-AS ◮ No (immediate) feedback on errors ◮ Validation: manual - based on records of assignment, transfer ◮ Route Origin Authorizations (ROAs): ◮ Manual issuing by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Large space for errors ◮ Forgotten prefix/originAS/subprefix, wrong/missing Max-Length,. . . ◮ No validation, no (immediate) feedback on errors

  15. Pitfalls with RPKI Issuing of RCs, ROAs ◮ Routing Certificates (RCs): ◮ Manual application by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Room for errors, e.g., forgotten/wrong prefix, origin-AS ◮ No (immediate) feedback on errors ◮ Validation: manual - based on records of assignment, transfer ◮ Route Origin Authorizations (ROAs): ◮ Manual issuing by Origin-AS network manager ◮ Errors have legal/business implications! ◮ Large space for errors ◮ Forgotten prefix/originAS/subprefix, wrong/missing Max-Length,. . . ◮ No validation, no (immediate) feedback on errors ◮ Like Waltz: great - if done well... But few do it (right)! ◮ Let’s DISCO: easier, and: ‘fool-proof’

  16. DISCO Decentralized Infrastructure for Securing & Certifying Origins ◮ Automated to reduce errors, ease adoption ◮ Let’s focus on issuing of Route Certificate (RC) ◮ ROAs: later ◮ DISCO -agent distributes (prefix π , pk) via BGP ◮ Registrar-agents (1) validate, (2) certify and send to repositories ◮ Details: next DISCO : automated issuing of RC for prefix π . DISCO registrars validate the ( π , pk) pair sent by agent.

  17. DISCO Decentralized Infrastructure for Securing & Certifying Origins ◮ Automated to reduce errors, ease adoption ◮ Let’s focus on issuing of Route Certificate (RC) ◮ ROAs: later ◮ DISCO -agent distributes (prefix π , pk) via BGP ◮ Registrar-agents (1) validate, (2) certify and send to repositories ◮ Details: next DISCO : automated issuing of RC for ◮ DISCO RCs complement prefix π . DISCO registrars validate the RPKI RCs ( π , pk) pair sent by agent. ◮ Conflict handling TBD

  18. DISCO : (1) automated validation of (pk, π ) to issue RC ◮ DISCO -agent announces prefix π , via iBGP, as optional transitive attribute ◮ RFC: should relay such attributes ◮ Experiments: relayed by almost all ASes DISCO : automated issuing of RCs. DISCO Registrars validate the ( π , pk) pair sent by agent. Agent encodes pk in transitive attribute.

  19. DISCO : (1) automated validation of (pk, π ) to issue RC ◮ DISCO -agent announces prefix π , via iBGP, as optional transitive attribute ◮ RFC: should relay such attributes ◮ Experiments: relayed by almost all ASes ◮ Registrars validate same pk received from (most) announcements of π DISCO : automated issuing of RCs. DISCO Registrars validate the ( π , pk) ◮ Same or different origin AS pair sent by agent. Agent encodes pk in transitive attribute.

  20. DISCO : (1) automated validation of (pk, π ) to issue RC ◮ DISCO -agent announces prefix π , via iBGP, as optional transitive attribute ◮ RFC: should relay such attributes ◮ Experiments: relayed by almost all ASes ◮ Registrars validate same pk received from (most) announcements of π DISCO : automated issuing of RCs. DISCO Registrars validate the ( π , pk) ◮ Same or different origin AS pair sent by agent. Agent encodes pk in ◮ Works for ≥ 97% of prefixes transitive attribute. ◮ N/A for un-announced prefixes, multi-home ( < 1%)

  21. DISCO : (2) automated issuing, distributing RC (after validation) ◮ Each DISCO registrar R i has a share of threshold signing-key s i ◮ Registrar R i uses share s i to partially-sign (pk, π ) pair, and sends to repository DISCO : automated issuing of RCs. Registrar R i validates the ( π , pk) pair, then partially-signs it and sends to repositories. Repositories combine partial-signatures to create RC for π .

Recommend

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6 Deployment WG Chair Takashi Arano (Intec NetCore, Inc.) IPv6 Deployment Guideline solves barriers for deployment I cant see IPv6s

319 views • 7 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
NOTICE OF PROPOSED RULEMAKING . Accelerating Wireless Broadband Deployment by Removing Barriers

NOTICE OF PROPOSED RULEMAKING . Accelerating Wireless Broadband Deployment by Removing Barriers

NOTICE OF PROPOSED RULEMAKING . Accelerating Wireless Broadband Deployment by Removing Barriers to Infrastructure Investment . WT Docket No. 1779 Jeffrey Steinberg, Deputy Chief Jill Springer, Acting Federal Preservation Officer

514 views • 22 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
Unlocking Barriers to Large Scale Deployment of Mini-Grids in Nigeria Upscaling Mini grid for

Unlocking Barriers to Large Scale Deployment of Mini-Grids in Nigeria Upscaling Mini grid for

Unlocking Barriers to Large Scale Deployment of Mini-Grids in Nigeria Upscaling Mini grid for least cost and timely access to electricity Action Leaning Event Abuja 4 th - 8 th December INTRODUCTION 3 ACHIEVING THE RURAL ELECTRIFICATION AGENCY

400 views • 20 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein

663 views • 32 slides
Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder

Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder

Effects of RPKI Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder Guillaume Pierre NLnetLabs VU Amsterdam benno@nlnetlabs.nl gpierre@cs.vu.nl VU Amsterdam 12 July 2011 Outline BGP Routing

402 views • 26 slides
Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop R U Ready? This is my vest this is my CORE. These are all of the things I need as a Marine to be successful during this deployment: Who

426 views • 25 slides
Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop R U Ready? This is my vest this is my CORE. These are all of the things I need as a Marine to be successful during this deployment: Who

453 views • 34 slides
A RELOAD Usage for Distributed Conference Control (DisCo) Update draft-knauf-p2psip-disco-02

A RELOAD Usage for Distributed Conference Control (DisCo) Update draft-knauf-p2psip-disco-02

A RELOAD Usage for Distributed Conference Control (DisCo) Update draft-knauf-p2psip-disco-02 Alexander Knauf, Gabriel Hege Thomas Schmidt, Matthias Whlisch alexander.knauf@haw-hamburg.de, hege@fhtw-berlin.de,

251 views • 14 slides
Downs Industry Schools Co-Op (DISCO) Working with Cross Generational Teams Downs Industry

Downs Industry Schools Co-Op (DISCO) Working with Cross Generational Teams Downs Industry

Downs Industry Schools Co-Op (DISCO) Working with Cross Generational Teams Downs Industry Schools Co-Op (DISCO) What is DISCO? (Downs Industry Schools Co-Op Inc) Commenced in 1997 Provide support to young people both in and out of

622 views • 12 slides
Workshop on Addressing Barriers to Scaling - Up Renewable Energy Session 3: Implementation

Workshop on Addressing Barriers to Scaling - Up Renewable Energy Session 3: Implementation

Organised by Supported by Workshop on Addressing Barriers to Scaling - Up Renewable Energy Session 3: Implementation Challenges, Financing Schemes and Innovative Business Models for Deployment of Solar Rooftop 9 May,2017 Mumbai 1

432 views • 16 slides
MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston University Outline Background How does BGP work? How does RPKI work? What is the maxLength? How maxLength causes problems

741 views • 34 slides
Using Disco and MapReduce to study mRNA complexity Dan Williams SciPy 2011 Lightning Talk

Using Disco and MapReduce to study mRNA complexity Dan Williams SciPy 2011 Lightning Talk

Using Disco and MapReduce to study mRNA complexity Dan Williams SciPy 2011 Lightning Talk 7/14/2011 | Life Technologies Proprietary &amp; Confidential | 1 Disco MapReduce framework written in Python and Erlang useful for dealing with

199 views • 7 slides
Family Communication During Deployment Please download the Family Communication during Deployment

Family Communication During Deployment Please download the Family Communication during Deployment

Family Communication During Deployment Please download the Family Communication during Deployment Worksheet before beginning this class. Family Communication during Deployment (MAR 2103) What are the options? Care E-mail Packages Letters

221 views • 9 slides

More recommend