secure routing with rpki status challenges and the smart
play

Secure Routing with RPKI: Status, Challenges and the Smart-Validator - PowerPoint PPT Presentation

Jul 14, 2023 •320 likes •687 views

Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman Route-Hijacking:

  1. Secure Routing with RPKI: Status, Challenges and the Smart-Validator Amir Herzberg Univ of Connec2cut, Bar Ilan Univ, Fraunhofer SIT Joint project with Tomas Hlavacek, Yafim Kazak, Rafi Peretz, Fabian Sauer and Haya Shulman

  2. Route-Hijacking: Real-Life Example A"ack Goals: Eavesdropping Spam/phishing Malware distribu2on Censorship - Many proposed/deployed defenses, over many years… - Challenge & focus : deployable yet effecBve defenses Denial of service Traffic Analysis

  3. Pre%ix Hijacking: prefer shorter route 1 1.2.0.0/16 1.2.0.0/16 Route: 22-333 Route: 666 22 666 1.2.0.0/16 333 Route: 333 BGP Data flow Inter-domain announcement to 1.2.0.0/16 link 3 ….

  4. Subpre>ix Hijacking: always prefer longest matching pre%ix 1 1.2.0.0/16 1.2.3.0/24 Route: 333 Route: 6-666 333 6 666 BGP Data flow Inter-domain announcement to 1.2.3.0/24 link 4 ….

  5. Idea: prevent hijacks using Route Origin Validation (ROV) How?? Route Origin 1.2.0.0/16 1.2.0.0/16 1 ValidaBon (ROV) Route: 22-333 Route: 666 22 666 333 BGP Ann. Data flow Domain 1 uses the (longer but correct) route 22-333, since 5 only domain 333 is authorized origin for prefix 1.2.0.0/16

  6. How to do Route Origin Validation (ROV) ??

  7. How to do Route Origin Validation (ROV) ?? Naïvely: keep a list of valid (authorized) origin ASes for each prefix Online check: consult DBs, e.g., Internet Rou2ng Registries (IRRs) Offline: digitally-signed Route Origin AuthorizaBon (ROA)

  8. Route Origin Validation (ROV) prevents Pre%ix and Subpre%ix Hijacks ROA: 1.2.0.0/16 Origin 333 Route Origin 1.2.0.0/16 1.2.0.0/16 1 ValidaBon (ROV) Route: 22-333 Route: 666 22 666 333 BGP Ann. Data flow Domain 1 uses the (longer but correct) route 22-333, since 8 only domain 333 is authorized origin for prefix 1.2.0.0/16

  9. RPKI: Resource Public Key Infrastructure • IETF standard [RFC 6480]; main goal: prevent (sub)prefix hijacks (false origin domain) • Allows signing Route Origin AuthorizaBons (ROAs) : Prefix: 1.2.0.0/16 Origin: 333 Max-length: 20 • Facilitates Route Origin ValidaBon (ROV): • Drop BGP announcements where origin AS conflicts with ROA • I.e.: Origin AS is not 333 Or: more specific than /20

  10. RPKI Deployment: Agenda • RPKI: What and Why [done] • State of Deployment • ROA adop2on: trends • Wrong ROA: causes and damages • ROV adop2on status, challenges • Impact of par2al ROV adop2on • Improving deployment: The Smart Validator • Phase I • Demo • Phase II • Conclusions

  11. ROA Adoption History Drop BGP announcements è lose (good?) traffic … So, how many domains do Route Origin Validation? Announced without ROA: 647,192 (93%) Valid ROAs: 43,796 (6.3%) Wrong ROAs: 5,015 (0.7%) About 10% wrong ROAs!! Consistently!!

  12. Wrong ROAs?? • Requires both authoriza2ons (ROAs) and valida2on (ROV) • Risk: ROV with Wrong ROA è drop legit-yet-invalid announcements • Does wrong-ROAs happen? – Typical, real-life example: Legend: RIPE Resource 194.2.0.0/15 Cer2ficate Domain 3215 Orange (France telecom) Wrong ROA 194.2.0.0/15 Legit-yet-Invalid BGP Announcement 194.2.35.0/24 194.3.118.0/24 Domain 1272 (Danone) 194.2.155.0/24 Domain 34444 (Eutelsat) Domain 8361 (Ubisor)

  13. Measuring Adoption of Route Origin Validation - Challenge: no direct way to measure the adop2on of ROV è no published measurements - Idea: use Route-View-project’s BGP-collectors – and wrong ROAs! - Observa2on: if collector receives invalid announcement è En2re route does not enforce ROV ! ROA: 1.2.0.0/16 Domain 333 1.2.0.0/16 1 A Route: C-A-1 1.2.0.0/16 Collector B C 2 1.2.0.0/16 D Route: F-E-D-2 1.2.0.0/16 E Collector F 13 13

  14. Measuring Adoption of Route Origin Validation - Challenge: no direct way to measure the adop2on of ROV è no published measurements - Observa2on : if collector receives invalid announcement è En2re route does not enforce ROV ! At least 80 of 100 largest domains do not enforce ROV ! Can we meaure more precisely? ROA: 1.2.0.0/16 1 A More precise results: very very few domains Domain 333 1.2.0.0/16 enforce ROV (skipping details – ask me) B C Collector 2 D 1.2.0.0/16 E Collector F 14 14

  15. Better ROV Measurements… • Dependency on exis2ng wrong ROAs may be misleading • More reliable: publish correct/wrong ROAs (same origin) • Three different controlled experiments, mul2ple 2mes: • Use RouteView Collectors (as before) • Use Trace-route to RIPE atlas probes • Use `echo’ from servers (ICMP ping or TCP SYN/ACK) • Experiments s2ll ongoing • Ini2al results: only handful of domains enforce ROV • None of the 100 largest domains (cf. <20) • Similar results apparently from measurements by Randy Bush and others (didn’t yet see details) • What’s the impact of par2al-deployment of ROV?

  16. Partial Adoption of ROV: Collateral damage • Domains not doing ROV might cause ROV-enforcing domains to fall vic2m to prefix hijacking • Control-Plane vs. Data-Plane Mismatch: domain discards invalid announcement, yet data flows to awacker To: 1.1.1.0/24 666 Domain 2 adver2ses both route: 2-666 Domain 3 enforces ROV: valid and invalid routes discards invalid subprefix route 2 3 ROA: 1.1.0.0/16 Domain 2 uses invalid route Origin 1 To: 1.1.0.0/16 for subprefix è traffic to route: 2-1 1.1.1.0/24 s2ll hijacked! 16 1

  17. Partial Adoption of ROV: Collateral bene%it Adopters protect domains behind them by discarding invalid announcements ROA: 1.1.0.0/16 Domain 1 To: 1.1.1.0/24 Domain 3 is only 666 route: 666 offered valid routes 2 3 To: 1.1.0.0/16 route: 2-1 Origin 1 Drawback: less incen2ve to deploy (`free-riders’)

  18. Security in Partial ROV Adoption: Simulation Framework • Use Internet domain topology of CAIDA ROA: 1.1.0.0/16 Origin: A • Pick vic2m & awacker • Vic2m’s prefix has a ROA A • Pick domains doing ROV B • Find domains sending to vic2m C vs. domains sending to awacker D E F G H I J Empirically-derived topology from CAIDA. Includes inferred K peering links [Giotsas et al., L SIGCOMM’13] 18

  19. Security with Partial ROV Adoption • Subprefix-hijack success rate for adop2on by x largest domains • Compare: 100% vs. 25% adop2on by other domains • Significant benefit - but only if almost all large domains adopt – and most other domains adopt too • We are very far from this! Subprefix hijack success rate

  20. RPKI Deployment: Agenda • RPKI: What and Why • State of Deployment • ROA adop2on: trends • Wrong ROA: causes and damages • ROV adop2on status, challenges • Impact of par2al ROV adop2on • Improving deployment: The Smart Validator • Phase I • Demo • Phase II • Conclusions

  21. Fixing ROAs and ROV deployment • Improve deployment of ROAs • ROAlert.org: idenBfy wrong ROAs • email alerts when sysadmin-email located: 40% fixed! • è Should be deployed `officially’ • Smart validator (h"ps://github.com/SmartValidator/SmartValidator ) • Encourage, improve adop2on of Route Origin Valida2on (ROV) • Free, open source; extends RIPE’s RPKI validator • Phase I: `easy and safe deployment’ – Do No Harm • Fix Conflic2ng-ROAs [conflic2ng with long-lived BGP announcments] • Ready, experiments beginning – join us ! • Phase II: improved security, incen2ves • In development, will be based on new version of RIPE validator

  22. Idea: Hijacks are Short Lived Possible Hijacks duraBon [Days] from 08-2016 -> 06-2017 60% [BGPStream.com] 50% è Allowing long-lived (>3weeks) 40% BGP announcements, even if conflic2ng with ROA, would s2ll 30% catch most hijacks! 20% 10% 0% 1 Day 1 Week 2 Weeks 3 Weeks 4 Weeks 1-2 months 2 months+ Serie1 60,90% 8,84% 28,46% 0,56% 0,38% 0,44% 0,42%

  23. Smart-Validator: Phase I • Easy and safe to deploy: `plug and play’ • Do No Harm • Recommend Mode (default): • Observes ROAs and BGP announcements • Recommend BGP announcement filters • Operator manually applies BGP announcement filters • `What-if’ measurements: impact of safe-deployment modes • Safe-deployment modes • Ignore mode : ignore conflic2ng-ROAs • Extend mode: add auto-ROAs to cancel conflicts • Experiments: Cisco, LinkedIn, … You?? • Based on RIPE’s validator; free, open source

  24. Smart-Validator: Architecture Data warehouse Dashboard The engine Data resources

  25. Smart Validator Dashboard Examples Recommend mode Extend safe-deployment mode

  26. Demo ( github.com/SmartValidator/SmartValidator )

  27. Smart-Validator: Phase II • Extend phase I with new ROV features: • ROV++ : • Prefer ROV++ compliant providers • When learning of awack… or always/usually • Reduces risk of collateral-damage • An incenBve to deploy • Path-end validaBon: easy, strong extension to RPKI • Prevent `origin hijacking’ by extending ROA to iden2fy neighbor AS • SigComm16 paper shows: surprisingly effec2ve!!

  28. Beyond BGP: Routing Against DoS • BGP is limited to single fixed route • Easier to congest – e.g., in Denial-of-Service (DoS) • BGP isn’t conges2on-sensi2ve • Route does not depend on conges2on, delays, loss • Slow response to link failure • IP provides only best-effort service • No quality guarantees (max delay, max loss rate) • Quality-of-Service (QoS) extensions: only within domain • è Secure Accountable Inter-domain Forwarding • On going project – talk to me…

Recommend

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

890 views • 51 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

702 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon

BFOC13. Boston University Impacting IP Address Reachability via RPKI Manipulations Kyle Brogle Danny Cooper Sharon Goldberg Leonid Reyzin Princeton University Boston University How Secure is Internet Routing Today? (1) I am

375 views • 14 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of conventional routing schemes Proactive wireless routing Hierarchical routing Reactive (on demand) wireless routing Geographic routing

893 views • 60 slides
Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week

Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week

Internet Resource Certification (RPKI) Building a More Secure Internet Sint-Maarten Internet Week Carlos Mar2nez Cagnazzo carlos @ lacnic.net A9acks on rou;ng: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC

788 views • 31 slides
Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos &amp; Zygmunt J. Haas

Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos &amp; Zygmunt J. Haas

Secure Routing for Mobile Ad hoc Networks Panagiotis Papadimitratos &amp; Zygmunt J. Haas Presented by Leland Smith CS 6204, Spring 2005 1 Overview What are MANETs? Motivation Secure Routing Protocol Protocol Description

560 views • 15 slides
Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size

Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size

Geoff Huston APNIC Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size - Nov Data assembled from Route Views data. Each colour represents a time series for a single AS. The major point here is

686 views • 45 slides
Smart City Mission Status Report Contents Introduction Smart city initiative

Smart City Mission Status Report Contents Introduction Smart city initiative

Smart City Mission Status Report Contents Introduction Smart city initiative Strategies, Selection Process, Implementation of Smart cities, Mission Monitoring and Financing of Smart Cities Current Status Selected

356 views • 22 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
UPM DAY 1: SMART GRIDS TABLE 1: TECHNOLOGICAL CHALLENGES RELATED WITH SMART GRIDS DEVELOPMENT

UPM DAY 1: SMART GRIDS TABLE 1: TECHNOLOGICAL CHALLENGES RELATED WITH SMART GRIDS DEVELOPMENT

Guillermo del Campo UPM DAY 1: SMART GRIDS TABLE 1: TECHNOLOGICAL CHALLENGES RELATED WITH SMART GRIDS DEVELOPMENT INTERNATIONAL SUMMER SCHOOL SMART GRIDS AND SMART CITIES Barcelona, 6-8 June 2017 Context Dramatic growth of energy

618 views • 16 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at ETH Security and Correctness Protocol-level properties - Path validity : Constructed paths are valid and reflect the routing decisions by on-path

294 views • 8 slides
Routing Table Status Report March 2005 IPv4 Routing Table Size Data assembled from Route Views

Routing Table Status Report March 2005 IPv4 Routing Table Size Data assembled from Route Views

Geoff Huston Routing Table Status Report March 2005 IPv4 Routing Table Size Data assembled from Route Views data. Each colour represents a time series for a single AS. The major point here is that there is no single view of routing. Each

335 views • 14 slides
Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why do we keep seeing these headlines? 1. The Meta Goal Can we devise changes to operational practices, or operational tools or routing technologies

572 views • 15 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

T-79.194 Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner presentation by Maarit Hietalahti Helsinki University of Technology Laboratory for Theoretical Computer Science

298 views • 14 slides
Quest(-V): A Secure and Predictable System for Smart IoT Devices Richard West richwest@cs.bu.edu

Quest(-V): A Secure and Predictable System for Smart IoT Devices Richard West richwest@cs.bu.edu

Quest(-V): A Secure and Predictable System for Smart IoT Devices Richard West richwest@cs.bu.edu Computer Science Emerging Smart Devices Need an OS Multiple cores GPIOs PWM Virtualization support Integrated Graphics

547 views • 52 slides

More recommend