Presentation is loading. Please wait.

Presentation is loading. Please wait.

Are We There Yet? On RPKI Deployment and Security

Published byὙάκινθος Καψής Modified over 5 years ago

Similar presentations

Presentation on theme: "Are We There Yet? On RPKI Deployment and Security"— Presentation transcript:

1 Are We There Yet? On RPKI Deployment and Security
Yossi Gilad joint work with: Avichai Cohen, Amir Herzberg, Michael Schapira, Haya Shulman

2 The Resource Public Key Infrastructure
Intended to prevent prefix/subprefix hijacks Lays the foundation for protection against more sophisticated attacks on interdomain routing BGPsec, SoBGP,…

3 Prefix Hijacking AS X 91.0.0.0/10 Path: Y-3320 91.0.0.0/10 Path: 666
prefers shorter route AS X /10 Path: Y-3320 /10 Path: 666 AS Y AS 666 /10 Path: 3320 AS 3320 BGP Ad. Data flow

4 Subprefix Hijacking AS X 91.0.0.0/10 Path: 3320 91.0.0.0/16
Longest prefix match Path length does not matter AS X /10 Path: 3320 /16 Path: Y-666 AS 3320 AS Y /16 Path: 666 AS 666 BGP Ad. Data flow

5 Certifying Ownership with RPKI
RPKI assigns an IP prefix to a public key via a Resource Certificate (RC) Owners can use their private key to issue a Route Origin Authorization (ROA) ROAs identify ASes authorized to advertise an IP prefix in BGP

6 Example: Certifying Ownership
Deutsche Telekom certified by RIPE for address space /10 /10 Max-length = 10 AS 3320 RIPE Réseaux IP Européens Network Coordination Centre ROA Legend: Org with RC Deutsche Telekom

7 RPKI Can Prevent Prefix Hijacks
AS X uses the authenticated mapping (ROA) from 91.0/10 to AS 3320 to discard the attacker’s route-advertisement /10 Path: Y-3320 AS X /10 Path: 666 /10 Max-length = 10 AS 3320 AS Y AS 666 AS 3320 BGP Ad. Data flow

8 Talk Outline Challenges facing deployment
Route origin validation in partial deployment

9 Insecure Deployment: Loose ROAs
/16 Max-length = 16 AS A ROA allows advertising only one /16 prefix Picks shorter path Valid advertisement since AS A is the “origin” AS X /16 Path: A /16 Path: 666-A AS A AS 666 BGP Ad. Data flow Lychev et al. show that this attack is much less effective than prefix hijack

10 Insecure Deployment: Loose ROAs
/16 Max-length = 24 AS A ROA allows advertising subprefixes up to length /24 Longest-prefix-match Path length does not matter AS A originates /16 but not /24 ROA is “loose” Valid advertisement since AS A is the “origin” AS X /16 Path: A /24 Path: 666-A AS A AS 666 BGP Ad. Data flow RFC 7115 mentions this attack

11 Insecure Deployment: Loose ROAs
Loose ROAs are common! almost 30% of IP prefixes in ROAs 89% of prefixes with maxLen > prefixLen manifests even in large providers! Attacker can hijack all traffic to non-advertised subprefixes covered by a loose ROA Vulnerability will be solved only when BGPsec is fully deployed, but a long way to go until then… better not to issue loose ROAs!

12 Challenges to Deployment: Human Error
Many other mistakes in ROAs (see RPKI monitor) ``bad ROAs’’ cause legitimate prefixes to appear invalid filtering by ROAs may cause disconnection from legitimate destinations extensive measurements in [Iamartino et al., PAM’15]

13 Improving Accuracy with ROAlert
roalert.org allows you to check whether your network is properly protected by ROAs … and if not, why not

14 Improving Accuracy with ROAlert
Online, proactive notification system Retrieves ROAs from the RPKI and compares them against BGP advertisements Alerts network operators about “loose ROAs” & “bad ROAs”

15 Improving Accuracy with ROAlert
Initial results are promising! notifications reached 168 operators 42% of errors were fixed within a month ROAlert is: constantly monitoring (not only at registration) not opt-in We advocate that ROAlert be adopted and adapted by RIRs!

16 Talk Outline Challenges facing deployment
Route origin validation in partial deployment

17 Filtering Bogus Advertisements
Route-Origin Validation (ROV): use ROAs to discard/deprioritize route-advertisements from unauthorized origins [RFC 6811] Autonomous System Verify: signer authorized for subject prefix signature is valid RPKI cache RCs and ROAs RPKI pub. point /10: AS = 3320, max-length = 10 BGP Routers

18 What is the Impact of Partial ROV Adoption?
Collateral benefit: Adopters protect ASes behind them by discarding invalid routes /16 Max-length = 16 AS 1 AS 666 To: 1.1.1/24 AS path: 666 AS 3 is only offered a good route AS 2 AS 3 To: 1.1/16 AS path: 2-1 Origin AS 1

19 What is the Impact of Partial ROV Adoption?
Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks! Disconnection: Adopters might be offered only bad routes /16 Max-length = 16 AS 1 AS 666 To: 1.1/16 AS path: 2-666 AS 3 receives only bad advertisement and disconnects from 1.1/16 AS 2 prefers to advertise routes from AS 666 over AS 1 AS 2 AS 3 To: 1.1/16 AS path: 1 Origin AS 1

20 What is the Impact of Partial ROV Adoption?
Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks! Control-Plane-Data-Plane Mismatch! data flows to attacker, although AS 3 discarded it /16 Max-length = 16 AS 1 AS 666 To: 1.1.1/24 AS path: 2-666 AS 3 discards bad subprefix route AS 2 advertises both prefix & subprefix routes AS 2 AS 3 AS 2 does not filter and uses bad route for subprefix To: 1.1/16 AS path: 2-1 Origin AS 1

21 Quantify Security in Partial Adoption: Simulation Framework
Pick victim & attacker Victim’s prefix has a ROA Pick set of ASes doing ROV Evaluate which ASes send traffic to the attacker /16 Max-length = 16 AS A A B C D E F G H I J K L Empirically-derived AS-level network from CAIDA Including inferred peering links [Giotsas et al., SIGCOMM’13]

22 Quantify Security in Partial Adoption
Top ISP adopts with probability p Significant benefit only when p is high Subprefix hijack success rate Prefix hijack success rate

23 Conclusion: What Can We Improve?
Information accuracy ROAlert informs & alerts operators about: Bad ROAs Loose ROAs Preventing hijacks Incentivize ROV adoption by the top ISPs!

24 Thank You! This work appeared at NDSS’17 Tech report at Questions? 

Download ppt "Are We There Yet? On RPKI Deployment and Security"

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.

Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004.

1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
The Resource Public Key Infrastructure Geoff Huston APNIC.

The Resource Public Key Infrastructure Geoff Huston APNIC.
APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
A LIGHT-WEIGHT DISTRIBUTED SCHEME FOR DETECTING IP PREFIX HIJACKS IN REAL TIME Changxi Zheng, Lusheng Ji, Dan Pei, Jia Wang and Paul Francis. Cornell University,

A LIGHT-WEIGHT DISTRIBUTED SCHEME FOR DETECTING IP PREFIX HIJACKS IN REAL TIME Changxi Zheng, Lusheng Ji, Dan Pei, Jia Wang and Paul Francis. Cornell University,
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.

Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.

Similar presentations

Ads by Google