Impacting IP Address Reachability via RPKI Manipulations
Kyle Brogle, Danny Cooper, Sharon Goldberg, Leonid Reyzin
Princeton University, Boston University
BFOC’13
How Secure is Internet Routing Today? (1)
Figure: Verizon announces “I am Verizon: 69.82.0.0/15” into “the Internet”. Other nodes in the figure: China Telecom, London Internet Exchange, UK ISP.
How Secure is Internet Routing Today? (2)
April 2010: China Telecom intercepts traffic.
Figure: Verizon announces “I am Verizon: 69.82.0.0/15”; China Telecom also announces “I am Verizon: 69.82.0.0/15” (and 50k other networks) via the London Internet Exchange. A UK ISP holding a packet “destined for Verizon” forwards it toward China Telecom’s announcement.
How Secure is Routing on the Internet Today? (3)
February 2008: Pakistan Telecom hijacks YouTube.
Figure: YouTube announces “I’m YouTube: IP 208.65.153.0/22” into “the Internet”. Pakistan Telecom’s customers in the figure: Multinet Pakistan, Telnor Pakistan, Aga Khan University.
How Secure is Routing on the Internet Today? (4)
Here’s what should have happened: Pakistan Telecom drops packets going to YouTube, blocking only its own customers (Multinet Pakistan, Telnor Pakistan, Aga Khan University), while YouTube keeps announcing “I’m YouTube: IP 208.65.153.0/22” to the rest of the Internet.
How Secure is Routing on the Internet Today? (5)
But here’s what Pakistan Telecom ended up doing: announcing “No, I’m YouTube! IP 208.65.153.0/24” into “the Internet” alongside YouTube’s own “I’m YouTube: IP 208.65.153.0/22”. The /24 is more specific than YouTube’s /22, so routers prefer it, and Pakistan Telecom draws traffic from the entire Internet.
The IP address allocation hierarchy (1)
ARIN (American Registry of Internet Numbers) allocates 8.0.0.0/8 (aka 8.*.*.*) to Level 3.
Figure: the 32-bit address 8.*.*.* with the first octet written in binary (00001000) and bit positions 1, 8, 16, 24 and 32 marked.
The IP address allocation hierarchy (2)
ARIN allocates 8.0.0.0/8 to Level 3, which suballocates 8.23.195.0/24 to ChinaCache and 8.3.210.0/24 (aka 8.3.210.*) to Xeex Comm.
Figure: the 32-bit address 8.3.210.* with the first three octets written in binary and bit positions 1, 8, 16, 24 and 32 marked.
Internet routing security
Figure: Xeex (AS 27524) announces 8.3.210.0/24 into “the Internet”; China Telecom (AS 23724) also announces 8.3.210.0/24. A prefix hijack: traffic for 8.3.210.0/24 splits between Xeex and China Telecom. (Real events from April 8, 2010; see [Hiran, Carlsson, Gill’12].)
The fix: use RPKI as part of routing policies
Figure: the RPKI holds a ROA stating “AS 27524 is authorized to announce 8.3.210.0/24”. Xeex’s (AS 27524) announcement of 8.3.210.0/24 is RPKI Valid; China Telecom’s (AS 23724) announcement of the same prefix is RPKI Invalid. Importantly, RPKI validity must impact routing decisions.
The RPKI: a cryptographic certificate hierarchy
Figure: resource certificates bind IP prefixes to organizations: ARIN issues 8.0.0.0/8 to Level 3; Level 3 issues 8.23.195.0/24 to ChinaCache, 8.3.210.0/24 to Xeex Comm, and 8.21.37.0/24 (AS40470). ROAs bind IP prefixes to ASNs: 8.23.195.0/24 to AS37958 and AS38958, 8.3.210.0/24 to AS27524.
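Route origin validation as the two slides above describe it, as an added example that is not part of the deck: given a set of ROAs it classifies each announcement as Valid, Invalid or NotFound (the RFC 6811 outcomes) and shows how an import policy that drops Invalid routes removes the hijacker’s announcement while leaving the legitimate one. The ROA set, its max_length, and the announcement list are constructed from the 8.3.210.0/24 case on the slides.

```python
"""Added example (not from the slides): RPKI route origin validation, RFC 6811 outcomes.
The ROA set, max_length values and announcements below are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the ROA covers, e.g. "8.3.210.0/24"
    asn: int          # origin AS authorized to announce it
    max_length: int   # most-specific prefix length the AS may announce inside `prefix`

def covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers a route when the route prefix lies inside the ROA prefix."""
    roa_net, route_net = ipaddress.ip_network(roa.prefix), ipaddress.ip_network(prefix)
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)

def matches(roa: ROA, prefix: str, origin_asn: int) -> bool:
    """A covering ROA matches when the origin AS agrees and the route is no more
    specific than max_length (a /25 under a /24 ROA with max_length 24 does not match)."""
    return (covers(roa, prefix)
            and roa.asn == origin_asn
            and ipaddress.ip_network(prefix).prefixlen <= roa.max_length)

def validate(roas, prefix: str, origin_asn: int) -> str:
    """Valid if some ROA matches, Invalid if ROAs cover the prefix but none matches,
    NotFound if no ROA covers the prefix at all."""
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "NotFound"
    return "Valid" if any(matches(r, prefix, origin_asn) for r in covering) else "Invalid"

def select_origins(roas, announcements, use_rpki=True):
    """Import policy for competing announcements of a prefix. Without RPKI the hijacker
    and the legitimate origin both survive (traffic splits); with RPKI the Invalid one
    is dropped, which is what "RPKI validity must impact routing decisions" means."""
    return [(p, a) for p, a in announcements
            if not (use_rpki and validate(roas, p, a) == "Invalid")]

# Constructed ROA set: the slide's ROA "AS 27524 is authorized to announce 8.3.210.0/24".
ROAS = [ROA("8.3.210.0/24", 27524, 24)]
# Constructed announcements from the April 2010 event: Xeex (AS 27524), China Telecom (AS 23724).
ANNOUNCEMENTS = [("8.3.210.0/24", 27524), ("8.3.210.0/24", 23724)]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(p, "from AS", a, "->", validate(ROAS, p, a))
    print("without RPKI:", select_origins(ROAS, ANNOUNCEMENTS, use_rpki=False))
    print("with RPKI:   ", select_origins(ROAS, ANNOUNCEMENTS))
```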
RIRs (routing info registries)
Is there a single root of trust? Unclear; maybe run by IANA.
Image source: http://www.iana.org/numbers
Who runs the IANA?
New IANA contract solicitation, posted November 10, 2011:
“The United States Department of Commerce (DoC), National Telecommunications and Information Administration (NTIA) intends to award a contract to maintain the continuity and stability of services related to certain interdependent Internet technical management functions, known collectively as the Internet Assigned Numbers Authority (IANA).”
A successful bidder … must be a wholly U.S. owned and operated firm or university … and organized under the laws of one of the 50 U.S. states. … Any operations and activities can be inspected by U.S. government officials at any time.
…the "Internet user community" is included as an "interested and affected party" in section C.1.3. This means that the Contractor … must develop a "close and constructive working relationship" with it, and that Internet users are given standing in regards to commenting … on certain things…
Source: http://blog.internetgovernance.org/blog/_archives/2011/11/16/4940638.html