1 BGP Prefix Origin Validation
Keyur Patel, May 2011
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID

2 Security issues with sourcing of BGP Routes
Any AS can source/announce incorrect prefixes within BGP
- Either by mistake (most cases)
- Or with malicious intent
In either case, an AS can hijack prefixes owned by another AS
- Has an impact on end-to-end data forwarding
BGP prefixes can be hijacked by
- Sourcing a prefix (with better BGP metrics) that is owned by some other AS
- Sourcing a more specific of a prefix that is owned by some other AS

3 Prefix hijacking using the same prefix with a shorter AS_PATH
Source: NANOG 46 presentation

4 Prefix hijacking using a more specific prefix length
Source: NANOG 46 presentation

5 BGP Prefix Origin Validation
Mechanism within BGP to identify incorrectly sourced prefixes and prevent them from being selected as BGP bestpaths
Provides Origin AS validation for BGP prefixes
Solution for
- The YouTube accident (MAI) that affected SPRINT, UUNET and others
- Any kind of accidental announcement due to incorrect sourcing of BGP prefixes (99% of mis-announcements fall under this category)
Does NOT solve BGP path hijacking related issues
- Origin validation does not provide assurance of the BGP AS_PATH received in an update message

6 Router Modifications for BGP Prefix Origin Validation
Router modifications involve implementation of 3 SIDR drafts
Draft 1: RPKI Router protocol defined in the IETF draft-sidr-rpki-rtr-protocol12.txt
- Means of communication between a trusted cache and BGP routers
- Helps create and maintain within BGP a new address-family specific digested RPKI database in the form of {IP prefix, Origin AS} tuples
- Edge routers *do NOT* deal with RPKI complexity; they instead use the digested RPKI information to do origin validation
Draft 2: Origin validation related BGP protocol modifications defined in the IETF draft-ietf-sidr-pfx-validate-01.txt
- Perform Origin AS validation on the AS_PATHs of received EBGP prefixes
- Invalidate prefixes with an incorrect origin AS

7 Router Modifications (contd)
Draft 3: BGP RPKI origin validation state announcement defined in the IETF draft-ietf-sidr-origin-validation-signaling-00.txt
- Announce the path validation state within an IBGP network
- Using a new extended community defined in draft-ietf-sidr-origin-validation-signaling-00.txt
Alternate approach to using the path validation state community
- Implementations could translate the path validation state into appropriate IBGP parameters that influence BGP bestpath processing, using route policies

8 RPKI Origin Validation Architecture
[Architecture diagram; only the component labels are recoverable]
- IR Back End [Hardware] Signing Module: IR RPKI Priv Keys, Private RPKI Keys, Issued ROAs, My Misc Config Options, Public RPKI Keys, ID=Me
- RPKI Engine: Resource PKI, IP Resource Certs, ASN Resource Certs, Route Origin Attestations, Internal CA Data
- XML Object Transport & Handler; Business Key/Cert Management; Private IR Biz Trust Anchor; Biz EE Signing Key(s)
- Up/Down EE Public Keys; Keys for Talking to IR BackEnd; Certs Issued to DownStreams; My Resources; My RightsToRoute; Repo Mgt
- Protocols: Up/Down Protocol, Publication Protocol, Internal Protocol, RPKI to Rtr Protocol
- RCynic Gatherer -> Near/In PoP Cache / Server -> BGP Speaker; Provisioning GUI

9 Large ISP deployment for Trusted Caches
[Deployment diagram; only the labels are recoverable]
Global RPKI -> regional caches (Asia Cache, NoAm Cache, Euro Cache) -> in-PoP Caches -> Cust Facing routers

10 BGP RPKI Router Protocol
Client-server protocol used between trusted RPKI caches and BGP routers that have EBGP Internet peering
Has TCP or SSHv2 as its transport
Announces digested RPKI prefix origin information in the form of IPvx prefix PDUs
Has the ability:
- To request/announce the entire record table at any time during the lifetime of the session
- To do an incremental re-sync or a full announcement of prefix records on session re-establishment
Initial Cisco IOS release plans to:
- Run TCP as the transport on its BGP routers
- Implement the client side functionality of the RPKI router protocol

11 RPKI Router Protocol PDUs
Serial Notify – Local cache informs the router about new data
Serial Query – Router requests updates from the cache
Reset Query – Router requests the cache to send its entire database
Cache Response – Cache replies to a Reset Query by announcing its entire database
End of Data PDU – Cache signals the end of database announcements

12 RPKI Router Protocol PDUs (contd)
Cache Reset – Local cache informs the router about its inability to provide an incremental update for a particular Serial Query
Error Report – Used to signal errors detected while parsing PDUs
- Internal Errors: memory exhaustion, code assertion failures, etc.
- No Data Available: the cache cannot provide an incremental update for a particular Serial Query
IPv4 Prefix – Used to announce an IPv4 prefix
IPv6 Prefix – Used to announce an IPv6 prefix

13 RPKI Router Protocol Typical Exchange
   Validator Cache                 Router
         ~                           ~
         | <----- Reset Query ------ | R requests data
         |                           |
         | ---- Cache Response ----> | C confirms request
         | ----- IPvX Prefix ------> | C sends zero or more
         | ----- IPvX Prefix ------> |   IPv4 and IPv6 Prefix
         | ----- IPvX Prefix ------> |   Payload PDUs
         | ----- End of Data ------> | C sends End of Data
         |                           |   and sends new serial
         ~                           ~

14 RPKI Router Protocol Incremental Exchange (contd)
   Validator Cache                 Router
         ~                           ~
         | ------- Notify ---------> | (optional)
         |                           |
         | <----- Serial Query ----- | R requests data
         |                           |
         | ---- Cache Response ----> | C confirms request
         | ----- IPvX Prefix ------> | C sends zero or more
         | ----- IPvX Prefix ------> |   IPv4 and IPv6 Prefix
         | ----- IPvX Prefix ------> |   Payload PDUs
         | ----- End of Data ------> | C sends End of Data
         |                           |   and sends new serial
         ~                           ~
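The PDUs of slides 11 and 12 and the exchanges of slides 13 and 14, as an added example that is not part of the original deck or of Cisco's implementation: the cache side encodes a Cache Response, IPv4 Prefix and End of Data run, and the router side parses it into its {prefix, maxlen, origin AS} record table, applying withdraws as well as announces. The wire layout assumed is the protocol version 0 format as later published in RFC 6810, which may differ in detail from the draft-12 revision the slides cite; the function names and the prefixes, AS numbers and serials used are constructed for the example.

```python
import struct
import ipaddress

# PDU type codes for protocol version 0 (RFC 6810 layout; assumed here)
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET = 4, 6, 7, 8
FLAG_ANNOUNCE = 0x01  # flags bit 0: 1 = announce the record, 0 = withdraw it


def cache_response_pdu(session_id):
    # header only: version, type, session id, total length (8 bytes, no body)
    return struct.pack("!BBHI", 0, CACHE_RESPONSE, session_id, 8)


def ipv4_prefix_pdu(prefix, maxlen, asn, announce=True):
    # 20 bytes: header + flags, prefix len, max len, zero, 4-byte prefix, ASN
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!BBHIBBBB4sI", 0, IPV4_PREFIX, 0, 20,
                       FLAG_ANNOUNCE if announce else 0, net.prefixlen,
                       maxlen, 0, net.network_address.packed, asn)


def end_of_data_pdu(session_id, serial):
    # 12 bytes: header + the serial the router quotes in its next Serial Query
    return struct.pack("!BBHII", 0, END_OF_DATA, session_id, 12, serial)


def apply_cache_stream(data, table):
    """Parse one Cache Response ... End of Data run and apply its records to
    `table`, a dict keyed by (prefix, maxlen, origin_as). Returns the serial
    from End of Data, or None if the stream stopped before End of Data."""
    off, serial = 0, None
    while off + 8 <= len(data):
        ver, ptype, _sess, length = struct.unpack_from("!BBHI", data, off)
        if ver != 0 or length < 8 or off + length > len(data):
            raise ValueError("malformed PDU header at offset %d" % off)
        body = data[off + 8:off + length]
        if ptype == IPV4_PREFIX:
            flags, plen, maxlen, _z, raw, asn = struct.unpack("!BBBB4sI", body)
            key = ("%s/%d" % (ipaddress.IPv4Address(raw), plen), maxlen, asn)
            if flags & FLAG_ANNOUNCE:
                table[key] = True
            else:
                table.pop(key, None)   # withdraw: drop the record if present
        elif ptype == END_OF_DATA:
            serial = struct.unpack("!I", body)[0]
        elif ptype != CACHE_RESPONSE:
            raise ValueError("unexpected PDU type %d in cache response" % ptype)
        off += length
    return serial
```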

15 RPKI Router Protocol and BGP Interaction
[Diagram; only the labels are recoverable]
RPKI Validator Cache --(RPKI Router Protocol, TCP based)--> BGP Border Router
BGP Border Router holds the RPKI Router Protocol client, an AF specific Prefix Validation database and AF specific BGP tables, and:
- Receives prefixes from iBGP and eBGP peers
- Does inline prefix validation
- Does event-based validation on cache updates
eBGP peering to the eBGP Neighbor Router; iBGP peering to the iBGP Neighbor Router (e.g. Route Reflector)

16 BGP Modifications - High Level Code Flow
Process received EBGP update messages
Set the validation state for the BGP NLRIs and origin AS received in an update message
Apply any inbound policies if configured
– May use the path validation state computed by prefix origin validation to set different policies
Store the path in Adj-RIB-In
Run the modified BGP bestpath
Evaluate the prefix for update generation to iBGP peers
– Outbound policies may use the path validation state to manipulate different BGP attributes
– Use a well-known extended community to announce the path validation state

17 Prefix Validation Logic
    query key = , data = origin AS
    result = BGP_PFXV_STATE_NOT_FOUND
    walk prefix validation table to look for the query key
    for each matched entry node in prefix validation table,
        prefix_exists = TRUE
        walk all records with different maxLength values
        for each record within range (query masklen <= maxLength)
            if query origin AS == record origin AS
                result = BGP_PFXV_STATE_VALID
                return (result)
            endif
        endfor
    endfor
    if prefix_exists == TRUE,
        result = BGP_PFXV_STATE_INVALID
    endif
    return (result)

18 BGP Bestpath Selection Modifications
Path validation states (in order of preference)
– BGP_PFXV_STATE_VALID (lookup successful)
– BGP_PFXV_STATE_NOT_FOUND (not in the table)
– BGP_PFXV_STATE_INVALID (lookup invalid: different origin AS, or masklen not in the range)
BGP bestpath modifications
Input: Received Path, Current Bestpath
- If the Received Path is an iBGP-learnt path without a path validation state, then skip the prefix origination check
- If the Received Path's prefix origination check state is BGP_PFXV_STATE_INVALID, then prefer the Current Bestpath
- Else, if the Received Path's prefix origination check state > the Current Bestpath's prefix origination check state, then prefer the Current Bestpath
- Else (they are equal), proceed to the next bestpath check step
Rest of the BGP bestpath steps
Normal bestpath computation follows if the path validation state is converted into BGP parameters as part of a policy change
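The validation logic of slide 17 and the bestpath step of slide 18, as an added example that is not part of the original deck or of Cisco's implementation: validate_origin walks a record table of (prefix, maxlen, origin AS) tuples and returns one of the three states, and prefer_received applies the origin-validation step of the modified bestpath. It goes slightly beyond the slide in returning True when the received path's state is the more preferred one, which the slide does not spell out; the function names, the tie handling for a Current Bestpath with no state, and the prefixes and AS numbers in the test are assumptions made for the example.

```python
import ipaddress

# Path validation states in order of preference (slide 18); lower rank wins
VALID, NOT_FOUND, INVALID = "valid", "not_found", "invalid"
RANK = {VALID: 0, NOT_FOUND: 1, INVALID: 2}


def validate_origin(prefix, origin_as, table):
    """Slide 17 logic. `table` is a list of (prefix, maxlen, origin_as)
    records as learned from the cache. A record is 'matched' when it covers
    the query prefix; it is 'in range' when query masklen <= maxlen."""
    q = ipaddress.ip_network(prefix)
    prefix_exists = False
    for rec_prefix, maxlen, rec_as in table:
        r = ipaddress.ip_network(rec_prefix)
        if r.version != q.version or not q.subnet_of(r):
            continue
        prefix_exists = True            # a covering record exists
        if q.prefixlen <= maxlen and origin_as == rec_as:
            return VALID                # in range and same origin AS
    return INVALID if prefix_exists else NOT_FOUND


def prefer_received(received_state, current_state):
    """Origin-validation step of the modified bestpath (slide 18).
    Returns False to keep the Current Bestpath, True to take the Received
    Path (the symmetric case assumed here), or None when the states tie and
    the normal bestpath steps must decide. A path without a state (iBGP
    learnt, no community) skips the check; same for a stateless Current."""
    if received_state is None or current_state is None:
        return None
    if received_state == INVALID:
        return False
    if RANK[received_state] > RANK[current_state]:
        return False                    # received is less preferred
    if RANK[received_state] < RANK[current_state]:
        return True
    return None                         # equal: proceed to the next step
```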

19 Policy and Path Validation State
Route-maps extended to modify policies based on path validation state
Effective way of tweaking bestpath selection for iBGP paths based on their path validation state
Route-map example:
    route-map rpki permit 10
     match rpki invalid
     set local-preference 50
    route-map rpki permit 20
     match rpki incomplete
     set local-preference 100
    route-map rpki permit 30
     match rpki valid
     set local-preference 200

20 BGP CLI Modifications
Global CLI to [de-]configure the cache server
AF specific BGP bestpath CLI changes
– Disable prefix validation globally
– Allow paths with an invalid RPKI state for bestpath computation
iBGP neighbor CLI changes
– Announcement of the prefix validation state using a well-known extended community
Route-map policy knob to filter on path validation state

21 IOS Show Commands
    uut1# show ip bgp rpki-table
    12 BGP sovc network entries using 1056 bytes of memory
    13 BGP sovc record entries using 208 bytes of memory
    Network    Maxlen    Origin-AS    Color    Source

22 IOS Show Commands - Valid IPv4 Prefix
    uut1# show ip bgp /16
    BGP routing table entry for /16, version 19
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
      from ( )
        Origin IGP, localpref 100, valid, external, best
        RPKI State valid

23 IOS Show Commands - Invalid IPv4 Prefix
    uut1# show ip bgp /6
    BGP routing table entry for /6, version 25
    Paths: (1 available, no best path)
      Not advertised to any peer
      from ( )
        Origin IGP, localpref 100, valid, external
        RPKI State invalid

24 IOS Show Commands - Not Found IPv4 Prefix
    uut1# show ip bgp
    BGP routing table entry for /8, version 10
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
      from ( )
        Origin IGP, localpref 100, valid, external, best
        RPKI State not found

25 Code Status
Prototype code for BGP Origin Validation available for IOS (7200s) and IOS-XR
IOS Marketing Roadmap has it for RLS12 in
Similar Roadmap for IOS-XR
Contact Ed Kern or Bertrand Duvivier if
Remember: Please generate your Certificates and ROAs!
