Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Published byHester Bradley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb."— Presentation transcript:

1 1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb

2 2 A protocol from better times A protocol from the early Internet People were friendly and trustworthy Internet was a warm and fuzzy place BGP: protocol from admins for managers Main assumption: Routers do not lie Idea 1: Announce what you have Idea 2: Redistribute politically Inject locally, route globally

3 3 An example

4 4 Policy documentation Whois database Distributed store of resource allocation Database ensures correctness RPSL database Centralized store of peering information Both views of a peering: Sender / Receiver Detailed peering policy incl. filter, precedence Software available Generates router configuration

5 5 Threats to BGP Fat fingers Announcing wrong network Prepending foreign ASN Broken devices Bitflip in memory or transit Commercial/criminal attacks Redirect traffic (claim prefix, claim peering) Inject unallocated networks (sending Spam) Governmental/Lawful attacks Filtering traffic to protect the innocent

6 6 soBGP Trustworthy ISP approach Transport authorisations as BGP attribute Certifying assignment of a prefix by parent Each AS is a X.509-CA Certifying injection policy per prefix (which ASNs are/is/isn’t the first peerings) Certifying it own peering policy with peers Web of trust Resilience against erroneous behaviour Permitting multiple hierarchies

7 7 S(ecure)-BGP RPKI approach Transport authorisations as BGP attribute Certifying allocation of prefix/ASN top-down Each ISP is a X.509-CA Certifying injection policy: Prefixes per ASN Certifying it own routers to sign redistribution Trust anchor management Accessing various CA repositories

8 8 S-BGP operation Routers Access external caches for object verification Sign each update announcement New hardware for storage and crypto operation Resource deallocation Prefix updates time out => ~15 updates/s Certificate and CRL times out => rsync Only one structure Errors are disastrous Ideal for LE

9 9 An other approach RPSL / Whois Use it for non-local checks (was it allowed?) No modification to BGP protocol Skips gaps in deployment Fails to deal with non-public policies Use DNSSEC ? DNS as a trustworthy, distributed database Routers: Offload crypto to AD-bit, caching implicit Drastic RPSL simplification necessary

10 10 Comparison CriteriasoBGPSecure-BGPRPSLDNSSEC ASN AllocWeb of trustRPKIWhoisDNS Prefix AllocWeb of trustRPKIWhoisDNS Private IP/ASOther TA NoStub zone Router in ASValidated Unchecked Outgoing PeerValidatedTracedValidatedExistence Incoming PeerValidatedUncheckedValidatedExistence WithdrawUnchecked Validated Early scopeMany islandsFew islandsFull network BGP protocolChange Keep Router HWChange Keep Helper DeviceNoSimple CacheComplex APIResolver

11 11 Questions?

12 12 Why the approach is wrong

13 13 Why the approach is still wrong

Download ppt "1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb."

Similar presentations

RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
Presenter: Mark Elkins Topic: Things not getting done.

Presenter: Mark Elkins Topic: Things not getting done.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Multihoming in IPV6 Habib Naderi Department of Computer Science University of Auckland.

Multihoming in IPV6 Habib Naderi Department of Computer Science University of Auckland.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
BGP Security APNIC Open Policy Meeting Routing SIG 23 February 2005 Kyoto, Japan Russ Housley

BGP Security APNIC Open Policy Meeting Routing SIG 23 February 2005 Kyoto, Japan Russ Housley
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.

SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.
Best Practices for ISPs

Best Practices for ISPs
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.

Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
FRIENDS: File Retrieval In a dEcentralized Network Distribution System Steven Huang, Kevin Li Computer Science and Engineering University of California,

FRIENDS: File Retrieval In a dEcentralized Network Distribution System Steven Huang, Kevin Li Computer Science and Engineering University of California,

Similar presentations

Ads by Google