Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet routing registries (IRRs), data governance and security

Published byEugene O’Neal’ Modified over 6 years ago

Similar presentations

Presentation on theme: "Internet routing registries (IRRs), data governance and security"— Presentation transcript:

1 Internet routing registries (IRRs), data governance and security
Brenden Kuerbis and Milton Mueller School of Public Policy Georgia Institute of Technology, United States Thanks to RIPE meeting organizers, in particular Gergana and the RACI committee for the invitation to speak to you today. This paper, co-developed with my colleague Milton Mueller, is an output of research occurring at Georgia Tech’s School of Public Policy and the Internet Governance Project.

2 Introduction Supply and use of route announcement and policy data is highly distributed and decentralized, permitting many opportunities for errors or manipulation. Yet, distributed and decentralized exchanges of information among ISPs also makes the system flexible and responsive to local conditions. Research begins with a paradox: The supply and use of route announcement and policy data is highly distributed (i.e., entities maintain different amounts of data) and decentralized (i.e., data spread among numerous entities). This permits many opportunities for errors or manipulation of data. Yet, distributed and decentralized exchanges of information among ISPs also makes system flexible and responsive to local conditions. Operators can set policies and take action on the networks for which they are directly responsible.

3 The routing security problem
Not just a technical problem, but a governance of data problem. Organizational practices, contracts, policies, etc. Exchange of data - BGP announcements and AS policy objects, Internet routing registries - is essential to accurate routing. Differing, conflicting motivations of suppliers and users of data. Our research looks at routing security as a governance problem, not just a technical problem. I.e., organizational practices, contracts, policies, etc. – known as governance structures in institutional economics – are as important to Internet routing security as technological design of protocols. Source of routing security problems lies in the way routing data is exchanged among ISPs. While most operators have an incentive to cooperate in the exchange of data, we believe existing data sharing and governance methods make it difficult to identify and eliminate inaccurate data. For example, in theory, the Internet routing registries should contain and accurate view of operators intended routing policies. However, in practice, a handful of studies comparing BGP announcements to routing policies have shown differences in data accuracy across registries. But why is this? Our qualitative research based on interviews with operators suggests that governance structures and the underlying motivations of data suppliers and users play an important role.

4 Existing form of routing data governance ...and why it is broken
IRRs - multiple, diverse organizations for sharing routing policy information (route objects, AS-sets, etc.) Misaligned incentives Privacy of data Collective action problem, under production of public good Costs/benefits of data maintenance High transaction costs RPSL difficult, not uniformly used No systematic identification of authentic, accurate, or obsolete data Limited benefits of mirroring data Anomalies/filtering costs greater for some ASes Unmanageable interdependencies Unilateral changes in data can have unexpected, undesired consequences Existing form of routing data governance ...and why it is broken The main form of routing data governance today is the Internet routing registry (IRR) system. The supply of IRRs is decentralized and diverse, no inherent limit on the number of IRRs and any entity can decide to provide one. None of them are authoritative or sanctioned by laws or regulations. Some IRRs are operated as specialized, stand-alone registries (RADb, ALTDB), some run by national or regional IP address registries (like RIPE) and some are run by Internet service, hosting, or network security providers (Level3, NTT). In theory, IRRs become “better” (more useful) by attracting more registrants and having accurate data about their routing practices. The key issue for routing security, therefore, is the supply of complete and accurate data in the IRR, and the incentives of operators to utilize that data. Main point: But based on our research we see IRRs as a flawed governance structure because they are characterized by: 1) misaligned incentives; 2) high transaction costs; and 3) unmanageable interdependencies. Misaligned incentives - actors have different motivations Not all actors want to reveal their routing policies publicly; for that reason some network operators don’t enter data into IRRs; Participation in an IRR could be seen as a classic collective action problem leading to underproduction of a public good: the value of the IRR to operator’s filtering depends not entirely upon its efforts, but also on the actions of dozens or even hundreds of others, which any individual user cannot predict or control; There are weak incentives to delete obsolete objects, as it involves work and no immediate benefit; failure to update or correct one’s own obsolete data can affect others more than it affects the data supplier. High transaction costs - costs associated with exchange of data (search, info, decision, policing, enforcement) While standardized, RPSL is not uniformly used by operators who have extended it to meet their own needs. Despite existing tools, it’s difficult to develop and distribute configuration files to routers. There is no systematic way to verify the authenticity or accuracy of others' routing policies, or to identify obsolete routing policies ex ante Widespread mirroring of IRRs can be explained as an attempt to economize on transaction costs by simply copying entries generated by others, but practice does nothing to make the data consistent or more accurate across registries. (E.g. efforts like Job Snijders IRR lockdown tool is effort to address this) Routing anomalies are more likely to occur in larger ISPs with more interconnections, but the cost and effort required to configure filters for such ISPs with more frequently changing announcements can acts as a deterrent to use of the IRR. Unmanageable interdependencies Once IRR data has been used by a variety of uncoordinated actors to generate route filters, a unilateral change in the registry data by one party can have unexpected or undesired operational consequences.

5 Existing data governance alternatives to improve routing security
RPKI and BGSPEC Ex ante elimination of BGP announcement vulnerabilities Hierarchical, potential new risks (Cooper et al, 2013; Mueller & Kuerbis 2011) Real-time validation creates additional costs, requires some collective action too (Goldberg, 2014) Doesn’t address some routing vulnerabilities (Huston, 2015) Resource certification with routing policy data (Blunk, 2004; Karir & Blunk, 2011; Goldberg, 2014; Kisteleki & Haberman, 2016) Route monitoring services Ex post mitigation of BGP announcement vulnerabilities Turns functionality of public, shared good (IRR) into private good Existing data governance alternatives to improve routing security ...have shortcomings Existing data governance alternatives to improve routing security also have shortcomings: RPKI and BGSPEC (good body of research here) Is an ex ante solution, and as such it’s hard to justify given it is cost to protect networks from possible future events. Hierarchical organization of PKIs introduces potential new risks around accidental or intentional certificate revocation (Cooper et al, 2013; Mueller & Kuerbis 2011), Real time validation of BGPSEC creates additional costs and also requires collective action by operators along any particular AS path (Goldberg, 2015). And importantly, even if RPKI and BGPSEC are deployed some types of incidents, e.g., “route leaks”, require context about operators involved and policy data contained in IRR in order to make filtering decisions (Huston, 2015). Nonetheless, there is recognized value in combining resource certification with routing registries to provide policy data authentication and integrity. (Blunk, 2004; Karir & Blunk, 2011; Kisteleki & Haberman, 2016) Route monitoring services Several operators interviewed use commercial route monitoring services to detect unauthorized use of their resources. Easier to justify these ex post tools as they mitigate vulnerabilities after the fact. What distinguishes these paid services from the IRR is that the operator provides its routing policy information directly to the service in exchange for route monitoring. The operator’s routing policy information is compared against observed BGP announcements, and alerts are sent when anomalies occur. From an economic perspective, they turn the functionality of the public, shared good (i.e., data in the IRR) into a private good sold to the network operator. The fact that the operator is paying for the service strengthens its incentive to provide accurate, complete and up to date policy data about themselves to the service provider. Moreover, an operator’s routing policies remain confidential, rather than being published in open databases.

6 Data governance alternatives for routing security
Mutually Agreed Norms on Routing Security (MANRS) Operators should set, exchange, validate, enforce routing policies; validate resource authorization... Challenges of operator diversity, evolving practices, community enforcement, constraints A blockchain Internet routing registry? (BIRR) Another way to do trusted attestations? Distributed database with transactions securely recorded to a permanent ledger Key characteristics - distributed consensus, provable timeline, unforgeable transactions So where does this leave us? Having developed a conceptual framework, we set about testing it. This slide presents two additional ideas to promote routing security, one actual the other hypothetical. MANRS is a well known initiative to have operators who sign up commit to several practices, including setting, exchanging, validating and enforcing routing policies, among other activities. In general, there is a strong normative component that shapes ISP behavior. However, much of the academic work on norms (in other fields) illustrates how norm adherence can be challenged by growing diversity and changing practices, which leads to difficulty in community enforcement. Moreover, operators ability to abide by norms may also be constrained by states who are more likely to be unable to develop and conform to norms. Looking more generally at systems of trusted attestations, APNIC’s Geoff Huston has noted that blockchain technology, such as that used by the cryptocurrency Bitcoin, could provide an alternative to more hierarchically organized attestation systems (e.g., like DNSSEC, RPKI, or BGPSEC). In light of this, we considered the application of blockchain technology to IRR data. In theory, blockchain provides a resilient means to store and update data in a highly distributed fashion that is very hard to corrupt. While a complete evaluation of blockchain is beyond the scope of this project, its key characteristics of distributed consensus, provable timeline and unforgeable transactions suggest that it could resolve some of the problems we identified earlier. Next slide

7 Does either one resolve the economic issues?
But the important question is - would either one resolve the economic issues we’ve identified?

8 Do MANRS or blockchain address IRR data governance issues?
Economic issue Existing IRR system MANRS Blockchain IRR Misaligned incentives No privacy of routing policies Makes policies private to ASes exchanging data Can make policies private under certain implementations; combine open and closed blockchains Collective action among all operators Reduces collective action to any specific AS and its customer and adjacent ASes Could emphasize collective action of routing registry operators; requires standardization of distributed consensus protocol Weak incentives to delete or update objects Objects never deleted from registry This and next slide summarize the shortcomings of the IRR’s data governance, and shows how MANRS or blockchain technology might help resolve them. Looking at how these two alternatives address misaligned incentives, we see that: MANRS reduces the overall collective action required by fostering bilateral exchanges of routing policy data and encourages filtering between an AS and its customer and adjacent networks. It also makes that data private to those actors. However, MANRS doesn’t do anything to address the weaknesses of IRR system writ large, only suggesting that maintaining publicly documented routing data is an “advanced action” for ASes. Blockchain could potentially address several areas. Depending on implementation, access to data in a blockchain can be open or restricted. Moreover, public and private blockchains can be combined to achieve particular benefits. E.g., the Linux Foundation’s Hyperledger project is considering how private financial transactions with strong KYC requirements could be recorded in a private blockchain which is then incorporated to public blockchain for broader accountability purposes. A blockchain IRR could emphasize collective action among all operators or some number of registries using a to-be-developed distributed consensus protocol. While some blockchain’s consensus protocols involves remuneration as an incentive (e.g., Bitcoin), it’s not hard to envision a non-remunerative incentive system for the creation of blocks of policies in an blockchain IRR. The operation of registries by some large ISPs already demonstrates that they have incentives to aggregate valid routing policy data which can be used for filtering. In some regard, designing a distributed consensus protocol for routing policy would be much easier than one for a pseudonymous currency like Bitcoin. This is because there are far fewer, known entities that have to achieve consensus. A permanent ledger of all objects eliminates the need to delete objects. And presumably, if a blockchain IRR is providing more overall benefit to operators, then might be more inclined to update their objects in it.

9 Single, distributed registry
Economic issue Existing IRR system MANRS Blockchain IRR High transaction costs RPSL inadequate, difficult to use No systematic way to validate authenticity or accuracy of objects; identify obsolete objects Digital signature over object using key data provides object authenticity, integrity; objects are sequential No data consistency across registries Single, distributed registry Filtering not scalable for large ISPs Unmanageable interdependencies Unilateral changes to route objects can have unanticipated consequences for other operators Objects never deleted Looking at high transaction costs and unmanageable interdependencies: Object authenticity and integrity would play a key role, and would require more discussion about various resource authorization schemes. A provable timeline in blockchain would allow data users to determine if an object utilizing a particular resource has been obsoleted by a new object. A chief advantage of the blockchain approach would be production of a single, consistent routing registry that is distributed among multiple operators, unlike today where objects may be replicated and have possibly conflicting data across different registries. And a permanent ledger avoids situations where deleting an object inadvertently impacts another operator(s). Despite these advantages of blockchain, there remain areas that would need to be addressed. Specifically, the use of RPSL for sharing data and the ability to scale up use of IRR based filtering for large ISPs. But ongoing work in areas like software defined networking (e.g., OpenConfig), which provides logical separation and centralization of the control layer, might provide some complementary solutions.

10 Thanks. Feedback and questions?
brenden.kuerbis milton.mueller @pubpolicy.gatech.edu In conclusion, reconceptualizing the routing security problem as a data governance problem caused by a combination of misaligned incentives, high transaction costs, and an inability to manage organizational interdependencies provides a more realistic, if less elegant, basis for evaluating alternative solutions and technical paths going forward. Using this approach, new ideas like applying blockchain to IRR data seem initially promising. They could help address the supply and use of routing policy data, and improve the ability to accomplish collective action. Ideally, this can lead to greater data accuracy and better routing security without threatening decentralized decision making by operators. I welcome your thoughts and questions, and please feel free to approach me or my colleague this week or anytime by .

11 Table 2: Routing data quality and governance structure of select IRRs
Khan et al, 2013 Kuerbis & Mueller, 2016 Routing registry Direct-POM Mntnr-POM AS link-POM Total-POM Requires data entry? Restricts who can enter data? Authenticates data suppliers? Verifies address and AS resource authorization? Allows proxy registrations? Authenticates data users? JPIRR 0.92 0.02 0.01 0.95 No Yes BELL 0.83 0.08 NTTCOM 0.60 0.20 0.07 0.87 RIPE 0.78 0.04 0.86 TC 0.81 0.00 0.82 RADB 0.61 0.12 0.09 APNIC 0.70 0.10 ALTDB 0.52 0.18 0.11 ARIN 0.21 0.77 LEVEL3 0.43 0.22 GT 0.34 0.23 0.16 0.73 REACH 0.14 0.46 0.71 SAVVIS 0.39 0.13 0.17 0.69 EPOCH 0.33 0.68 Khan et al study measured various Prefix Origin Match figures, or consistency between IRR data and BGP announcements, for a variety of IRRs. We collected information concerning IRR data governance. Main point: Organizations operating routing registries follow a variety of policies regarding the supply of data. One particular set of policies does not necessarily correlate to higher data accuracy. E.g., while most registries allow proxy registrations, they differ in whether or not they verify who is authorized to use the resources identified in the route object. Positive relationship between higher POM rates and restricting and authenticating data suppliers. 3. No distinctly positive/inverse relationship between requiring data entry or authorizing resource use and . 4. No relationship between allowing proxy registrations and greater data quality.

Download ppt "Internet routing registries (IRRs), data governance and security"

Similar presentations

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
Auditing Concepts.

Auditing Concepts.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
Database Systems: Design, Implementation, and Management Ninth Edition

Database Systems: Design, Implementation, and Management Ninth Edition
Chapter 1 Database Systems. Good decisions require good information derived from raw facts Data is managed most efficiently when stored in a database.

Chapter 1 Database Systems. Good decisions require good information derived from raw facts Data is managed most efficiently when stored in a database.
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.

Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
Concepts of Database Management, Fifth Edition Chapter 1: Introduction to Database Management.

Concepts of Database Management, Fifth Edition Chapter 1: Introduction to Database Management.
Copyright © 2011 Japan Network Information Center JPNIC ’ s RQA and Routing Related Activities JPNIC IP Department Izumi Okutani APNIC32 Aug 2011, Busan.

Copyright © 2011 Japan Network Information Center JPNIC ’ s RQA and Routing Related Activities JPNIC IP Department Izumi Okutani APNIC32 Aug 2011, Busan.
INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNAL CONTROL OVER FINANCIAL REPORTING
Event Management & ITIL V3

Event Management & ITIL V3
McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.

McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.
DIGITAL SIGNATURE.

DIGITAL SIGNATURE.
A Guide for Management. Overview Benefits of entity-level controls Nature of entity-level controls Types of entity-level controls, control objectives,

A Guide for Management. Overview Benefits of entity-level controls Nature of entity-level controls Types of entity-level controls, control objectives,
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
Private key https://store.theartofservice.com/the-private-key-toolkit.html.

Private key
BGP Validation Russ White Rule11.us.

BGP Validation Russ White Rule11.us.

Similar presentations

Ads by Google