Quantitative Analysis of BGP Route Leaks Benjamin Wijchers Benno Overeinder.

Slides:



Advertisements
Similar presentations
Routing Basics.
Advertisements

Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.
A Study of BGP Origin AS Changes and Partial Connectivity Ratul Mahajan David Wetherall Tom Anderson University of Washington Asta Networks † † ‡ † ‡ ‡
CSE534- Fundamentals of Computer Networking Lecture 12-13: Internet Connectivity + IXPs (The Underbelly of the Internet) Based on slides by D. Choffnes.
1/27 Evaluating Potential Routing Diversity for Internet Failure Recovery *Chengchen Hu, + Kai Chen, + Yan Chen, *Bin Liu *Tsinghua University, + Northwestern.
Dongkee LEE 1 Understanding BGP Misconfiguration Ratul Mahajan, David Wetherall, Tom Anderson.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Inferring Autonomous System Relationships in the Internet Lixin Gao Dept. of Electrical and Computer Engineering University of Massachusetts, Amherst
Inferring Autonomous System Relationships in the Internet Lixin Gao.
Announcement  Slides and reference materials available at  Slides and reference materials available.
1 Internet Path Inflation Xenofontas Dimitropoulos.
Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
Progress in inferring business relationships between ASs Dmitri Krioukov 4 th CAIDA-WIDE Workshop.
BGP in 2009 Geoff Huston APNIC May Conventional BGP Wisdom IAB Workshop on Inter-Domain routing in October 2006 – RFC 4984: “routing scalability.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada ISP-Friendly Peer Matching without ISP Collaboration Mohamed Hefeeda (Joint.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Tutorial 5 Safe Routing With BGP Based on: Internet.
Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.
Interdomain Routing and The Border Gateway Protocol (BGP) Courtesy of Timothy G. Griffin Intel Research, Cambridge UK
Analysis of BGP Routing Tables
Internet Networking Spring 2004 Tutorial 5 Safe “Peering Backup” Routing With BGP.
Internet Routing Instability Labovitz et al. Sigcomm 1997 Largely adopted from Ion Stoica’s slide at UCB.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Near-Deterministic Inference of AS Relationships Udi Weinsberg A thesis submitted toward the degree of Master of Science in Electrical and Electronic Engineering.
University of Massachusetts, Amherst 1 On the Evaluation of AS Relationship Inferences Jianhong Xia and Lixin Gao Department of Electrical and Computer.
Stable Internet Routing Without Global Coordination Jennifer Rexford AT&T Labs--Research Joint work with Lixin Gao.
RIS Resource Allocations A special report on an endangered species …
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
Real-Time BGP Data Access 1 Mikhail Strizhov Colorado State University.
1 Interdomain Routing (BGP) By Behzad Akbari Fall 2008 These slides are based on the slides of Ion Stoica (UCB) and Shivkumar (RPI)
CS 3700 Networks and Distributed Systems Inter Domain Routing (It’s all about the Money) Revised 8/20/15.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
CAIDA’s AS-rank: measuring the influence of ASes on Internet Routing
TDTS21: Advanced Networking Lecture 7: Internet topology Based on slides from P. Gill and D. Choffnes Revised 2015 by N. Carlsson.
SEP: Sensibility analysis of BGP convergence and scalability using network simulation Sensibility analysis of BGP convergence and scalability using network.
Inter-Domain Routing Trends Geoff Huston APNIC March 2007.
CAIDA’s AS-rank: measuring the influence of ASes on Internet Routing Matthew Luckie Bradley Huffaker Amogh Dhamdhere k claffy
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
A Measurement Study on the Impact of Routing Events on End-to-End Internet Path Performance Feng Wang 1, Zhuoqing Morley Mao 2 Jia Wang 3, Lixin Gao 1,
T. S. Eugene Ngeugeneng at cs.rice.edu Rice University1 COMP/ELEC 429/556 Introduction to Computer Networks Inter-domain routing Some slides used with.
On Understanding of Transient Interdomain Routing Failures Feng Wang, Lixin Gao, Jia Wang, and Jian Qiu Department of Electrical and Computer Engineering.
1 Quantifying Path Exploration in the Internet Ricardo Oliveira, Rafit Izhak-Ratzin, Lixia Zhang, UCLA Beichuan Zhang, UArizona Dan Pei, AT&T Labs -- Research.
Advancements in the Inference of AS Relationships Xenofontas Dimitropoulos (Fontas) (CAIDA/GaTech) Dmitri Krioukov Bradley Huffaker k claffy George Riley.
Eliminating Packet Loss Caused by BGP Convergence Nate Kushman Srikanth Kandula, Dina Katabi, and Bruce Maggs.
CSE534- Fundamentals of Computer Networking Lecture 12-13: Internet Connectivity + IXPs (The Underbelly of the Internet) Based on slides by D. Choffnes.
Draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei Randy Bush sidr bgpsec reqs 1.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Internet Routing Verification John “JI” Ioannidis AT&T Labs – Research Copyright © 2002 by John Ioannidis. All Rights Reserved.
Michael Schapira, Princeton University Fall 2010 (TTh 1:30-2:50 in COS 302) COS 561: Advanced Computer Networks
Inferring AS Relationships. The Problem  One view  AS relationships  BGP route tables  The other view  BGP route tables  AS relationships  Available.
BGP Validation Russ White Rule11.us.
Doing Don’ts: Modifying BGP Attributes within an Autonomous System Luca Cittadini, Stefano Vissicchio, Giuseppe Di Battista Università degli Studi RomaTre.
1 Internet Routing 11/11/2009. Admin. r Assignment 3 2.
Inferring Autonomous System Relationships in the Internet Lixin Gao Dept. of Electrical and Computer Engineering University of Massachusetts, Amherst.
No Direction Home: The True cost of Routing Around Decoys
The Internet: A System of Interconnected Autonomous Systems
The real-time Internet routing observatory
Identifying problematic inter-domain routing issues
Improving global routing security and resilience
Fixing the Internet: Think Locally, Impact Globally
Stable and Practical AS Relationship Inference with ProbLink
Amreesh Phokeer Research Manager AfPIF-10, Mauritius
Presentation transcript:

Quantitative Analysis of BGP Route Leaks Benjamin Wijchers Benno Overeinder

NLnet Labs The Problem With Route Leaks Route leaks are not route hijacks (in my definition) –route hijack: originate prefixes you do not “own” –route leaks: forward BGP announcements you shouldn’t according policies Route leaks not easy to detect Potential security risk –examples Belarusian and Iceland traffic misdirection

NLnet Labs Business Relations and Route Leaks ASes have business relationship –Client pays provider –Provider provides transit –Peers share client routes Routing should reflect business relations –But in practice not always the case Route leak

NLnet Labs The Valley Free Rule Relations between ASes: –Customer-provider –Peer-peer –Siblings Valley Free Rule: –C2P( * ) – P2P ( 1|0 ) – P2C ( * )

NLnet Labs The Valley Free Rule

NLnet Labs Origins of Route Leaks Misconfiguration Malicious –Man in the middle Intentional –Indirect peering IXP Research / Educational –Complex relations Find characteristics for categorizing

NLnet Labs Why Analyse Them? Counter-measures planned –part of ongoing IETF SIDR WG activities –discussions in the context of BGPSEC Traffic routes incorrectly causing: –ASes paying for transit of other ASes clients –Potentially slower connections –Potential hijacking of data (mitm) Not much statistics available

NLnet Labs Previous Work Jared Mauch –Detection without relation data –Not much statistics List of route leaks General counts

NLnet Labs Detecting Valleys Relations between ASes –Non-disclosure agreement –Inferred relations BGP data dumps to investigate –RIPE Remote Route Collector –RouteViews ASPATH attribute –Shows path of ASes traversed

NLnet Labs Relation Inferences Lixin Gao –Valley free rule Ricardo Oliveira et al (UCLA) –Every non-tier-1 AS is (indirect) client (or peer) of tier-1 Matthew Lucky et al (CAIDA) 1.C2P to reach global connectivity 2.Peering clique at top of topology 3.No cycles of C2P links CAIDA chosen for project –Validation of relations –No valley freeness used in inference

NLnet Labs Methodology CAIDA relationship data –Combined with siblings data BGP MRT files from –RIPE RIS RRC00 –Routeviews WIDE –Routeviews Oregon Custom BGPdump Detecting valleys

NLnet Labs Methodology (2) All valleys in database with –violation type e.g. P2C-C2P –AS Leak triplet leaked from, leaker and receiver –duration check updates for same AS & prefix

NLnet Labs About the results Current results from 1 month from RIPE, Oregon and WIDE –~4% of routes investigated valley –Over valley announces detected

NLnet Labs Distribution of Violation Types Top left area are no real valleys P2P-P2P occurs most frequently

NLnet Labs Distribution of Durations Peaks at <2 seconds and seconds –Default MRAI Cisco: 30 seconds –Probably unintentional

NLnet Labs Most Frequent Leak Triplets Duration > 1 minute ~12% of valleys found in top 10 Next challenge –categorize in classes

NLnet Labs Geography of Most Frequent Leaks

NLnet Labs Top Leaks Further Investigated WIDE appears to provide transit for peer APNIC APAN, WIDE and APNIC are all research ASes –who commonly have “special” relationships Likely intentional behaviour

NLnet Labs Top Leaks Further Investigated Both AS12880 and AS48159 from Iran –possible merge -> sibling –cannot say for certain with data available WHOIS AS12880 no mention of AS48159 –WHOIS AS48159 mentions AS12880 as default route

NLnet Labs Top Leaks Further Investigated Different policies IPv4 and IPv6 –mp-import: afi ipv6.unicast from AS6939 action pref=150; accept ANY –mp-import: afi ipv4.unicast from AS6939 action pref=150; accept AS-HURRICANE

NLnet Labs Conclusion Most route leaks are peer routes propagated to other peers ~65% valleys are very short-lived (< minute) –but ~6% very persistent (> day) About 12% AS triplets reoccur frequently in found route leaks –most of them “special” relations –not enough knowledge to define others

NLnet Labs Future Work Broader date range –monthly reports, history with less storage Separate relation data IPv4/IPv6 RPSL data usage for automatic detection of complex relations

NLnet Labs Questions Acknowledgments –Jared Mauch –Stella Vouteva

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.