RPKI & Route Origin Validation - BKNIX


Securing Internet Routing: RPKI & Route Origin Validation
ThaiNOG, 8 May 2019
Tashi Phuntsho (tashi@apnic.net), Senior Network Janitor/Technical Trainer
v1.0

Recent - Fat-finger/Hijacks/Leaks
Google prefix leak – Nov 2018
- Google services (G Suite, Google Search and Google Analytics) affected by the leak
- Traffic was dropped at AS4809 (China Telecom)
- Duration: 74 minutes

Recent - Fat-finger/Hijacks/Leaks
Google prefix leak (contd.)
- How did it happen?
  - AS37282 (MainOne) leaked Google prefixes to AS4809 (China Telecom) at IXPN, which leaked them on to other transit providers such as AS20485
- Source: …et-vulnerability-takes-down-google/

Recent - Fat-finger/Hijacks/Leaks
Amazon (AS16509) Route 53 hijack – April 2018
- AS10279 (eNET) originated more specifics (/24s) of Amazon Route 53's prefix 205.251.192.0/21, e.g. 205.251.192.0/24
  - Amazon publishes its ranges in …-ranges.json
- Its peers, like AS6939 (HE), shared these routes with hundreds of their own peers
- The motive?
  - During the period, DNS servers in the hijacked range only responded to queries for myetherwallet.com
  - They responded with addresses associated with AS41995/AS48693

Recent - Fat-finger/Hijacks/Leaks
Route 53 hijack (contd.)
- Resolvers querying any Route 53-managed name would ask the authoritative servers controlled through the BGP hijack
- Possibly used an automated cert issuer to get a cert for myetherwallet.com, then used THEIR crypto towards end-users to see everything (including …)
- Source: …d-crypto-currencies

Recent - Fat-finger/Hijacks/Leaks
Bharti (AS9498) originates 103.0.0.0/10 – Dec 2017
- Lasted 2 days
- No damage done – more than 8K more-specific routes were already present!
Google brings down Internet in Japan – Aug 2017
- Lasted 24 hours
- Google (AS15169) leaked 130K prefixes to Verizon (AS701) in Chicago
  - Normally ~50 prefixes
  - 25K of those were NTT OCN's (AS4713) more specifics, which were leaked onwards to KDDI and IIJ (and accepted)
  - Everyone who received the leaked more specifics preferred the Verizon-Google path to reach NTT OCN!

Recent - Fat-finger/Hijacks/Leaks
Google leak (contd.)
[Figures: paths before the leak (JP→JP), after the leak (JP→JP) and after the leak (EU→…)]
Source: …isrupts-internet-in-japan/

Fat-finger/Hijacks/Leaks
YouTube (AS36561) incident – Feb 2008
- Lasted 2 hours
- AS17557 (Pakistan Telecom) announced 208.65.153.0/24 (a more specific of YouTube's 208.65.152.0/22)
  - Propagated by AS3491 (PCCW)

Why do we keep seeing these?
As always, there is no E-bit (evil!)
- A bad routing update does not identify itself as BAD
- All we can do is identify GOOD updates
- But how do we identify what is GOOD?

Why should we worry?
Because it's just so easy to do bad in routing!
[Image credit: By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=42515224]

How do we address these?
Filtering!
- Filters with your peers, upstream(s) and customers
  - Prefix filters
  - Prefix limit
  - AS-PATH filters
  - AS-PATH limit
  - RFC 8212 – BGP default reject (or something similar)

Current practice
[Diagram: Peering/Transit Request → LOA Check → Filters (in/out)]

Tools & Techniques
[Diagram: LOA Check → Whois (manual), Letter of Authority, IRR (RPSL)]

Tools & Techniques
Look up whois
- verify the holder of a resource

Tools & Techniques
Ask for a Letter of Authority
- absolves you from any liabilities

Tools & Techniques
Look up (or ask to enter) details in Internet Routing Registries (IRR)
- describes route origination and inter-AS routing policies

Tools & Techniques
IRR
- Helps auto-generate network (prefix/as-path) filters using RPSL tools
  - Filter out route advertisements not described in the registry

Tools & Techniques
Problem(s) with IRR
- No single authority model
  - Many RRs
  - If two RRs contain conflicting data, which one do I trust and use?
- Incomplete data – not all resources are registered in an IRR
  - How do I know if an RR entry is genuine and correct?
  - How do I differentiate between a current and a lapsed entry?
  - If a route is not in an RR, is the route invalid or is the RR just missing data?
- Scaling
  - How do I apply IRR filters to upstream(s)?

Tools & Techniques
Automating network filters (IRR filters) – Caution
- IRR filters are only as good as the correctness of the IRR entries
  - Might require manual overrides and offline verification of resource holders
  - Good idea to use specific sources (-S in bgpq3, -s in RtConfig) when generating filters, assuming mirrors are up to date

Back to basics – identify GOOD
Could we use a digital signature to convey the "authority to use"?
- Using a private key to sign the authority, and
- the public key to validate the authority
The idea being:
- If the holder of the resource has the private key, it can sign/authorize the use of the resource

How about trust?
How do we build a chain of trust in this framework?
- Follow the resource allocation/delegation hierarchy:
  IANA → RIRs → NIRs/LIRs → End Holders
  - Describe the address allocation using digital certificates

RPKI Chain of Trust
[Diagram: allocation hierarchy with the IANA Cert (CA) at the top as Trust Anchor, then RIRs, then ISPs, each level holding a certificate signed by its parent]

RPKI Chain of Trust
- RIRs hold a self-signed root certificate for all the resources they have in the registry
  - they are the Trust Anchor for the system
- The root certificate signs the resource certificates for end-holder allocations
  - binds the resources to the end-holder's public key
- Any attestations signed by the end-holder's private key can now be validated up the chain of trust

X.509 Certificates recap (RFC 5280)
Associates a public key with an individual or an organization

Field                         Meaning
VERSION                       Version of X.509
SERIAL NUMBER                 Uniquely identifies the certificate
SIGNATURE ALGORITHM           Algorithm used by the CA to sign the cert
ISSUER NAME                   Id of the CA that issued the cert
VALIDITY PERIOD               Cert validity
SUBJECT NAME                  Entity associated with the public key
SUBJECT PUBLIC KEY            Owner's public key
EXTENSIONS (ISSUER KEY ID)    Identifies the public key of the issuer of the cert
EXTENSIONS (SUBJECT KEY ID)   Extra info (owner of the cert)
EXTENSIONS (CRL)              Where revocation information (CRL) is published
CA DIGITAL SIGNATURE          Certifies the binding between the public key and the subject of the cert

RPKI profile – Resource Certificates
- X.509 CERT (CA), signed by the parent's private key
- RFC 3779 extensions – bind a list of resources (IPv4/v6, ASN) to the subject of the certificate (the private key holder)
- SIA (Subject Information Access) contains a URI that identifies the publication point of the objects signed by the subject of the cert
[Diagram: X.509 CERT | RFC 3779 EXTENSION: IP RESOURCES (ADDRESS & ASN) | SIA (URI WHERE THIS PUBLISHES) | OWNER'S PUBLIC KEY]

Resource Certificates
When an address holder A (*IRs) allocates resources (IP addresses/ASNs) to B (end holders):
- A issues a public-key/resource certificate that binds the allocated addresses to B's public key, all signed by A's (CA) private key
- The resource certificate proves the holder of the private key (B) is the legitimate holder of the number resource!

Route Origin Authorization (ROA)
- The resource holder (B) can now sign authorities using its private key, which can be validated by any third party against the TA
- For routing, the address holder can authorize a network (ASN) to originate a route into the BGP routing system, and sign this permission with its private key (ROA)

Route Origin Authorization (ROA)
- Digitally signed object
  - list of prefixes and the nominated ASN
  - can be verified
[Diagram: ROA listing prefix(es), max length and Origin ASN AS17821]
** Multiple ROAs can exist for the same prefix

What can RPKI do?
Authoritatively prove:
- who is the legitimate holder of an address, and
- which ASNs have permission from the holder to originate the address
Hence, it can help:
- prevent route hijacks/mis-origination/misconfiguration

RPKI Components
Issuing Party – Internet Registries (*IRs)
- Certificate Authority (CA) that issues resource certificates to end-holders
- Publishes the objects (ROAs) signed by the resource certificate
[Diagram: …nic.net repository, MyAPNIC GUI]

RPKI Components
Relying Party (RP)
- RPKI Validator tool that gathers data (ROAs) from the distributed RPKI repositories
- Validates each entry's signature against the TA to build a "Validated cache"
[Diagram: IANA Repo, RIPE Repo, APNIC Repo (rpki.apnic.net) and LIR Repos, each fetched over rsync/RRDP by the RP (RPKI Validator), which produces the Validated Cache]

RPKI Service Models
Hosted model:
- The RIR (APNIC) runs the CA functions on members' behalf
  - Manages keys, repo, etc.
  - Generates certificates for resource delegations
Delegated model:
- Member becomes the CA (delegated by the parent CA) and operates the full RPKI system
  - JPNIC, TWNIC, CNNIC (IDNIC in progress)

Route Origin Validation
[Diagram: RPKI Validator/RPKI cache server feeds a router in AS XXXX over RPKI-to-Router (RtR); example ROA 2406:6400::/32-48, origin AS17821]

Route Origin Validation
- Router fetches ROA information from the validated RPKI cache
  - Crypto stripped by the validator
- BGP checks each received BGP update against the ROA information and labels them

Validation States
Valid
- the prefix and AS pair is found in the database (a covering ROA lists the origin AS and the prefix is no longer than its max length)
Invalid
- the prefix is covered by a ROA, but the origin AS is wrong, OR
- the prefix length is longer than the maximum length
Not Found/Unknown
- No ROA covers the prefix at all
  - Neither valid nor invalid (perhaps no ROA was created)

Validation States (example)
ROA:
  ASN     Prefix        Max Length
  65420   10.0.0.0/16   18

BGP Routes:
  ASN     Prefix        RPKI State
  …       …             …
  …       10.0.0.0/8    NOT FOUND
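The three states above follow the RFC 6811 rules exactly, and the corner cases (a /8 that is less specific than the ROA, a /19 that is too long, two ROAs for one prefix) are where operators get surprised. The following is an added example, not code from the slides or from any APNIC tool: it classifies a received route against a list of Validated ROA Payloads (VRPs), seeded with the slide's single ROA (AS65420, 10.0.0.0/16, maxLength 18). The VRP list is constructed for the example.

```python
"""Route Origin Validation (RFC 6811) against a set of VRPs.

Added example, not from the slides: VRPS below is constructed from the
slide's ROA (AS65420, 10.0.0.0/16, maxLength 18).
"""
import ipaddress
from typing import Iterable, List, NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload as the router receives it: crypto already stripped."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed VRP set mirroring the slide's ROA table.
VRPS: List[VRP] = [VRP("10.0.0.0/16", 18, 65420)]


def validate_route(prefix: str, origin_as: int, vrps: Iterable[VRP] = VRPS) -> str:
    """Classify a received route as VALID, INVALID or NOT_FOUND.

    RFC 6811 section 2:
      - a VRP "covers" the route when it is the same address family and the
        VRP prefix contains (or equals) the route prefix
      - no covering VRP             -> NOT_FOUND
      - a covering VRP matches      -> VALID   (same origin AS and
                                                route length <= maxLength)
      - covering VRPs, none match   -> INVALID
    A route that is LESS specific than every VRP (10.0.0.0/8 against a /16
    ROA) is not covered, so it is NOT_FOUND rather than INVALID.
    A VRP with origin AS 0 (RFC 7607) covers but can never match, which is how
    "do not route this space" is expressed.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if vrp.origin_as != 0 and vrp.origin_as == origin_as \
                and route.prefixlen <= vrp.max_length:
            return "VALID"
    return "INVALID" if covered else "NOT_FOUND"


def validate_table(routes: Iterable[tuple], vrps: Iterable[VRP] = VRPS) -> List[tuple]:
    """Label a whole list of (prefix, origin_as) pairs, as the router does per update."""
    vrp_list = list(vrps)
    return [(p, a, validate_route(p, a, vrp_list)) for p, a in routes]


if __name__ == "__main__":
    # Constructed routes exercising each state against the slide's ROA.
    sample_routes = [
        ("10.0.0.0/16", 65420),   # exact prefix, right AS
        ("10.0.0.0/18", 65420),   # at maxLength
        ("10.0.0.0/19", 65420),   # beyond maxLength
        ("10.0.0.0/16", 65421),   # wrong origin
        ("10.0.0.0/8", 65420),    # less specific than the ROA
        ("10.1.0.0/16", 65420),   # outside the ROA entirely
    ]
    for prefix, asn, state in validate_table(sample_routes):
        print(f"{prefix:<14} AS{asn}  {state}")
```

Note the two-ROA case from the slide footnote ("multiple ROAs can exist for the same prefix"): with VRPs for both AS65420 and AS65421 on 10.0.0.0/16, an announcement from either origin is VALID, because only one covering VRP has to match.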

Possible actions – RPKI states
- Do Nothing (observe & learn)
- Tag with BGP communities
  - If you have downstream customers or run a route server (IXP)
  - Let them decide
  - Ex: Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)
- Modify preference values
  - RFC 7115 (High, Low, Lowest)
- Drop Invalids
  - ~6K IPv4 routes (might want to check your top … first)
  - Source: …?p=3&s=0

ROV – Industry trends
AT&T (AS7018) drops Invalids!
- 11 Feb 2019

ROV – Industry trends
Workonline Comms (AS37271) & SEACOM (AS37100) drop Invalids!
- 1 and 5 April 2019 (does not use ARIN's TAL)

Are ROAs enough?
- What if I forge the origin AS in the AS path?
  - It would be accepted as "good" – it passes origin validation!
- Which means we need to secure the AS path as well
  - Need AS path validation (per prefix)
- We can use RPKI certificates for this

AS keys (per-router keys)
[Diagram: IANA Cert (CA) → APNIC Cert (CA) → APNIC Training Cert (CA) holding 202.125.96.0/24 and AS45192 with its public key. From it: a ROA for 202.125.96.0/24 / AS45192, and an AS Cert (CA) for AS45192 that issues Router EE certificates (AS45192 rtr-00, …), each carrying the router's public key and encoding the ASN and router ID]

AS path validation – BGPsec
[Diagram: AS1 → AS2 → AS3 and AS4. Update AS1→AS2 (signed by AS1); AS2 forwards AS2→AS3 (signed by AS2) and AS2→AS4 (signed by AS2), each wrapping AS1's signed message]
- AS1's router crypto-signs the message to AS2
- AS2's router signs the message to AS3 and AS4, encapsulating AS1's message
- A BGPsec speaker validates the received update by checking:
  - if there is a ROA that describes the prefix and origin AS
  - if the received AS path can be validated as a chain of signatures (one for each AS in the AS path) using the AS keys

So why is AS path validation NOT happening?
- Cannot have partial adoption
  - Cannot jump across non-participating networks
- More HW resources
  - CPU – high crypto overhead to validate signatures, and
  - Memory
    - Updates in BGPsec would be per prefix
    - New attributes carrying signatures and certs/key IDs for every AS in the AS path
- No clarity on how to distribute the collection of certificates required to validate the signatures
- Given so much overhead, can it prevent more than route hijacks?
  - Route leaks?
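The two BGPsec slides above describe a chain in which each AS signs over the previous AS's signature and the AS it is sending to; that structure is what defeats origin forgery and also why a single non-participating AS breaks validation for everyone downstream. The following is an added example, not code from the slides or from any BGPsec implementation. To run with only the standard library it substitutes HMAC-SHA256 with a per-AS key for the per-router ECDSA P-256 signature that real BGPsec (RFC 8205/8208) uses; the keys, ASNs and prefix are constructed, and the ROA check on the origin is a separate step not repeated here.

```python
"""Toy BGPsec-style AS path signature chain.

Added example, not from the slides. HMAC-SHA256 with a per-AS key stands in
for the per-router ECDSA signature of real BGPsec, so a verifier here needs
the same key as the signer; in BGPsec it would use the router's public key
from its EE certificate. The chaining structure is what this demonstrates.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed per-AS router keys (in BGPsec: key pairs bound to the ASN by a
# router EE certificate under the RPKI).
ROUTER_KEYS = {1: b"as1-rtr-00-key", 2: b"as2-rtr-00-key", 3: b"as3-rtr-00-key"}

PREFIX = "203.0.113.0/24"  # constructed NLRI (RFC 5737 documentation range)

# One hop of the secure path: (signer AS, AS it sent the update to, signature).
# signature is None when a non-BGPsec speaker merely prepended itself.
Hop = Tuple[int, int, Optional[bytes]]


def _digest(prefix: str, earlier: List[Hop], signer_as: int, target_as: int) -> bytes:
    """Data a hop signs: the NLRI, every earlier hop including its signature,
    its own AS and the AS it is forwarding to. Covering earlier signatures is
    what chains the hops together."""
    h = hashlib.sha256(prefix.encode())
    for s, t, sig in earlier:
        h.update(f"{s}>{t}".encode())
        h.update(sig or b"")
    h.update(f"{signer_as}>{target_as}".encode())
    return h.digest()


def sign_hop(prefix: str, hops: List[Hop], signer_as: int, target_as: int, key: bytes) -> List[Hop]:
    """signer_as signs the update as it forwards it to target_as."""
    sig = hmac.new(key, _digest(prefix, hops, signer_as, target_as), hashlib.sha256).digest()
    return hops + [(signer_as, target_as, sig)]


def forward_unsigned(hops: List[Hop], as_number: int, target_as: int) -> List[Hop]:
    """A non-participating AS just prepends itself without a signature."""
    return hops + [(as_number, target_as, None)]


def validate_path(prefix: str, hops: List[Hop], my_as: int, keys=ROUTER_KEYS) -> Tuple[bool, str]:
    """Re-derive every signature in order. Any broken link fails the whole path."""
    if not hops:
        return False, "empty path"
    for i, (signer, target, sig) in enumerate(hops):
        # The AS this hop was sent to must be the next signer, or us for the last hop.
        expected_target = hops[i + 1][0] if i + 1 < len(hops) else my_as
        if target != expected_target:
            return False, f"AS{signer} signed for AS{target}, but the next hop is AS{expected_target}"
        if sig is None:
            return False, f"AS{signer} did not sign: a non-BGPsec speaker breaks the chain"
        key = keys.get(signer)
        if key is None:
            return False, f"no router key for AS{signer}"
        expected = hmac.new(key, _digest(prefix, hops[:i], signer, target), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, f"bad signature from AS{signer}"
    return True, f"origin AS{hops[0][0]}, path {[h[0] for h in hops]} verified"


def honest_path() -> List[Hop]:
    hops = sign_hop(PREFIX, [], 1, 2, ROUTER_KEYS[1])      # AS1 originates to AS2
    return sign_hop(PREFIX, hops, 2, 3, ROUTER_KEYS[2])     # AS2 forwards to AS3


def forged_origin() -> List[Hop]:
    # AS2 fakes AS1 as origin; lacking AS1's key it can only sign with its own.
    hops = sign_hop(PREFIX, [], 1, 2, ROUTER_KEYS[2])
    return sign_hop(PREFIX, hops, 2, 3, ROUTER_KEYS[2])


def unsigned_middle() -> List[Hop]:
    # AS1 signs, AS2 does not run BGPsec and just prepends itself.
    return forward_unsigned(sign_hop(PREFIX, [], 1, 2, ROUTER_KEYS[1]), 2, 3)


if __name__ == "__main__":
    for name, hops, receiver in [("honest", honest_path(), 3),
                                 ("forged origin", forged_origin(), 3),
                                 ("AS2 stripped", honest_path()[:1], 3),
                                 ("unsigned AS2", unsigned_middle(), 3),
                                 ("replayed to AS4", honest_path(), 4)]:
        print(f"{name:<16} {validate_path(PREFIX, hops, receiver)}")
```

The failing cases map onto the slide's bullets: the forged origin fails because the attacker cannot produce AS1's signature; the stripped and replayed cases fail because each signature names the AS it was sent to; and the unsigned hop is the partial-adoption problem, since AS3 has no way to validate anything past AS1 once AS2 did not sign.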

RPKI Further Reading
- X.509 PKI Certificates – RFC 5280
- X.509 Extensions for IP Addresses and AS Identifiers – RFC 3779
- Resource Public Key Infrastructure – RFC 6481, RFC 6493

Acknowledgement
- Geoff Huston, APNIC
- Randy Bush, IIJ Labs/Arrcus

Implementation

Create & publish your ROA
MyAPNIC portal
- Resources → RPKI
Detailed guide: …7/12/ROUTE MANAGEMENT GUIDE.pdf

Create (publish) your ROA
[Screenshot: available prefixes for which you can create a ROA]

Create (publish) your ROA
[Screenshot: ROA creation form]

Check your ROA
http://nong.rand.apnic.net:8080/roas

Check your ROA
# whois -h rr.ntt.net 2001:df2:ee00::/48
route6:     2001:df2:ee00::/48
descr:      RPKI ROA for 2001:df2:ee00::/48
remarks:    This route object represents routing data retrieved from the RPKI
remarks:    The original data can be found here: …/48
remarks:    This route object is the result of an automated RPKI-to-IRR conversion process.
remarks:    maxLength 48
origin:     AS131107
mnt-by:     MAINT-JOB
changed:    job@ntt.net 20180802
source:     RPKI  # Trust Anchor: APNIC RPKI Root

Check your ROA
# whois -h whois.bgpmon.net 2001:df2:ee00::/48
Prefix:              2001:df2:ee00::/48
Prefix description:  …
Country code:        …
Origin AS:           131107
Origin AS Name:      APNIC TRAINING LAB DC
RPKI status:         ROA validation successful
First seen:          2016-06-30
Last seen:           2018-01-21
Seen by #peers:      97

# whois -h whois.bgpmon.net "--roa 131107 2001:df2:ee00::/48"
-----------------------
ROA Details
-----------------------
Origin ASN:        AS131107
Not valid Before:  2016-09-07 02:10:04
Not valid After:   2020-07-30 00:00:00  Expires in 2y190d9h34m23s
Trust Anchor:      rpki.apnic.net
Prefixes:          2001:df2:ee00::/48 (max length /48)
                   202.125.96.0/24 (max length /24)

Check your ROA
https://bgp.he.net/

Deploy RPKI Validator
Many options:
- RIPE NCC RPKI Validator
- Dragon Research Labs RPKI toolkit (rcynic)
- OctoRPKI & GoRTR (Cloudflare's RPKI toolkit): https://github.com/cloudflare/cfrpki

RIPE Validator
Download RPKI Validator:
# wget …

Installation:
# tar -zxvf rpki-validator-app-2.25-dist.tar.gz
# cd rpki-validator-app-2.25
# ./rpki-validator.sh start

- Need to download ARIN's TAL separately:
# wget …ator.tal
  - Move it to "<base-folder>/conf/tal" and restart

RIPE Validator
[Screenshot: validator web UI on port 8080]

Dragon Research - Validator
Installation on Ubuntu 16.04: …/blob/master/doc/quickstart/xenial-rp.md

Installation:
- Add the GPG public key
# wget -q -O /etc/apt/trusted.gpg.d/rpki.gpg …
- Add the repo to the APT source list
# wget -q -O /etc/apt/sources.list.d/rpki.list …
  (-q: quiet wget output; -O: write to file)
# apt update
# apt install rpki-rp

Dragon Research - Validator
[Screenshot: rcynic web UI at …net/rcynic/]

Configuration (IOS)
Establishing a session with the validator:

router bgp 131107
 bgp rpki server tcp <validator-IP> port 323 refresh 120
!
(the port must match the validator's RTR listener: 323, 8282 or 3323 depending on the validator)

Note:
- Cisco IOS by default does not include invalid routes in best path selection!
- If you don't want to drop invalids, you must explicitly tell BGP (under the respective address families):
 bgp bestpath prefix-validate allow-invalid

Configuration (IOS)
Policies based on validation (each state needs its own sequence number; a second "permit 10" would merge into the first clause instead of matching invalids):

route-map ROUTE-VALIDATION permit 10
 match rpki valid
 set local-preference 110
!
route-map ROUTE-VALIDATION permit 20
 match rpki not-found
 set local-preference 100
!
route-map ROUTE-VALIDATION permit 30
 match rpki invalid
 set local-preference 90
!

Configuration (IOS)
Apply the route-map to inbound updates:

router bgp 131107
 !--- output omitted ---
 address-family ipv4
  bgp bestpath prefix-validate allow-invalid
  neighbor X.X.X.169 activate
  neighbor X.X.X.169 route-map ROUTE-VALIDATION in
 exit-address-family
 !
 address-family ipv6
  bgp bestpath prefix-validate allow-invalid
  neighbor X6:X6:X6:X6::151 activate
  neighbor X6:X6:X6:X6::151 route-map ROUTE-VALIDATION in
 exit-address-family
!

Configuration (JunOS)
Establishing a session with the validator (port 323, 3323 or 8282 to match the validator):

routing-options {
    autonomous-system 131107;
    validation {
        group rpki-validator {
            session <validator-IP> {
                refresh-time 120;
                port 323;
                local-address X.X.X.253;
            }
        }
    }
}

Configuration (JunOS)
Define policies based on the validation states:

policy-options {
    policy-statement ROUTE-VALIDATION {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                local-preference 110;
                validation-state valid;
                accept;
            }
        }
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                local-preference 90;
                validation-state invalid;
                accept;
            }
        }
        term unknown {
            from {
                protocol bgp;
                validation-database unknown;
            }
            then {
                local-preference 100;
                validation-state unknown;
                accept;
            }
        }
    }
}

Router Configuration (JunOS)
Apply the policy to inbound updates:

protocols {
    bgp {
        group external-peers {
            # output omitted
            neighbor X.X.X.1 {
                import ROUTE-VALIDATION;
                family inet {
                    unicast;
                }
            }
        }
        group external-peers-v6 {
            # output omitted
            neighbor X6:X6:X6:X6::1 {
                import ROUTE-VALIDATION;
                family inet6 {
                    unicast;
                }
            }
        }
    }
}

RPKI Verification (IOS)
IOS has only:
#sh bgp ipv6 unicast rpki ?
  servers  Display RPKI cache server information
  table    Display RPKI table entries
#sh bgp ipv4 unicast rpki ?
  servers  Display RPKI cache server information
  table    Display RPKI table entries

RPKI Verification (IOS)
Check the RTR session:
#sh bgp ipv4 unicast rpki servers
BGP SOVC neighbor is X.X.X.47/323 connected to port 323
Flags 64, Refresh time is 120, Serial number is 1516477445, Session ID is 8871
InQ has 0 messages, OutQ has 0 messages, formatted msg 7826
Session IO flags 3, Session flags 4008
 Neighbor Statistics:
  Prefixes 45661
  Connection attempts: 1
  Connection failures: 0
  Errors sent: 0
  Errors received: 0
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: X.X.X.225, Local port: 29831
Foreign host: X.X.X.47, Foreign port: 323

RPKI Verification (IOS)
Check the RPKI cache:
#sh bgp ipv4 unicast rpki table
37868 BGP sovc network entries using 6058880 bytes of memory
39655 BGP sovc record entries using 1268960 bytes of memory

Network              Maxlen  Origin-AS  Source
…                    …       …          202.125.96.47/323

#sh bgp ipv6 unicast rpki table
5309 BGP sovc network entries using 976856 bytes of memory
6006 BGP sovc record entries using 192192 bytes of memory

Network              Maxlen  Origin-AS  Source
…
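What the router is actually receiving over that RTR session is a stream of fixed-format PDUs: a Cache Response carrying the Session ID, one IPv4/IPv6 Prefix PDU per VRP (flags, prefix length, max length, prefix, ASN, with no signatures, which is the "crypto stripped by the validator" point), and an End of Data carrying the Serial Number. The following is an added example, not code from the slides or from any validator or router: it encodes and decodes RPKI-to-Router protocol version 1 PDUs (RFC 8210) and rebuilds the VRP table from a constructed cache response. The session ID and serial below are copied from the `rpki servers` output above; the VRPs are constructed from the ROAs shown earlier in the deck.

```python
"""Encode/decode RPKI-to-Router (RTR, RFC 8210, protocol version 1) PDUs.

Added example, not from the slides. sample_response() is a constructed byte
stream, not a capture from the lab validator.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

RTR_VERSION = 1
CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 3, 4, 6, 7
FLAG_ANNOUNCE = 0x01  # bit 0 set = announce, clear = withdraw

# Common 8-byte header: version, PDU type, session-id (or zero), total length.
_HEADER = struct.Struct("!BBHI")

VRP = Tuple[str, int, int]  # (prefix, max_length, origin_as)


def cache_response(session_id: int) -> bytes:
    return _HEADER.pack(RTR_VERSION, CACHE_RESPONSE, session_id, _HEADER.size)


def prefix_pdu(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """IPv4 Prefix PDU is 20 bytes, IPv6 Prefix PDU is 32 bytes."""
    net = ipaddress.ip_network(prefix)
    flags = FLAG_ANNOUNCE if announce else 0
    addr_fmt = "4s" if net.version == 4 else "16s"
    body = struct.pack("!BBBB" + addr_fmt + "I", flags, net.prefixlen, max_length, 0,
                       net.network_address.packed, asn)
    ptype = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    return _HEADER.pack(RTR_VERSION, ptype, 0, _HEADER.size + len(body)) + body


def end_of_data(session_id: int, serial: int, refresh: int = 3600,
                retry: int = 600, expire: int = 7200) -> bytes:
    """Version 1 End of Data also carries the three timers (24 bytes total)."""
    body = struct.pack("!IIII", serial, refresh, retry, expire)
    return _HEADER.pack(RTR_VERSION, END_OF_DATA, session_id, _HEADER.size + len(body)) + body


def parse_stream(data: bytes) -> Tuple[Optional[int], Optional[int], List[VRP]]:
    """Walk a byte stream of PDUs from the cache.

    Returns (session_id, serial, sorted VRPs) after applying withdrawals.
    Length fields are checked against the buffer rather than trusted, so a
    truncated or oversized PDU raises ValueError instead of mis-parsing.
    """
    vrps: Dict[VRP, bool] = {}
    session_id = serial = None
    off = 0
    while off < len(data):
        if len(data) - off < _HEADER.size:
            raise ValueError("truncated PDU header")
        version, ptype, sid, length = _HEADER.unpack_from(data, off)
        if version != RTR_VERSION:
            raise ValueError(f"unexpected protocol version {version}")
        if length < _HEADER.size or off + length > len(data):
            raise ValueError(f"bad PDU length {length} for type {ptype}")
        body = data[off + _HEADER.size:off + length]
        if ptype == CACHE_RESPONSE:
            session_id = sid
        elif ptype in (IPV4_PREFIX, IPV6_PREFIX):
            addr_len = 4 if ptype == IPV4_PREFIX else 16
            if len(body) != 4 + addr_len + 4:
                raise ValueError(f"prefix PDU body is {len(body)} bytes")
            flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", body)
            addr = ipaddress.ip_address(body[4:4 + addr_len])
            asn = struct.unpack_from("!I", body, 4 + addr_len)[0]
            if not plen <= maxlen <= addr_len * 8:
                raise ValueError(f"maxLength {maxlen} out of range for /{plen}")
            vrp: VRP = (f"{addr}/{plen}", maxlen, asn)
            if flags & FLAG_ANNOUNCE:
                vrps[vrp] = True
            else:
                vrps.pop(vrp, None)
        elif ptype == END_OF_DATA:
            if sid != session_id:
                raise ValueError("End of Data session id does not match Cache Response")
            serial = struct.unpack_from("!I", body)[0]
        else:
            raise ValueError(f"unsupported PDU type {ptype}")
        off += length
    return session_id, serial, sorted(vrps)


def sample_response() -> bytes:
    """Constructed cache response; session id and serial copied from the slide's
    'sh bgp ipv4 unicast rpki servers' output, VRPs from the deck's ROAs."""
    return b"".join([
        cache_response(8871),
        prefix_pdu("202.125.96.0/24", 24, 131107),
        prefix_pdu("2001:df2:ee00::/48", 48, 131107),
        prefix_pdu("10.0.0.0/16", 18, 65420),
        prefix_pdu("10.0.0.0/16", 18, 65420, announce=False),  # withdrawn again
        end_of_data(8871, 1516477445),
    ])


if __name__ == "__main__":
    sid, serial, table = parse_stream(sample_response())
    print(f"Session ID {sid}, Serial {serial}")
    for pfx, maxlen, asn in table:
        print(f"{pfx:<22} maxlen {maxlen:<3} AS{asn}")
```

The resulting (prefix, maxlen, ASN) triples are exactly the rows the router shows under `sh bgp ipv4/ipv6 unicast rpki table`; there is no certificate or signature left to check at this point, which is why the RTR session itself should run over a trusted path (SSH/TLS transport or an isolated management network) rather than plain TCP across untrusted infrastructure.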

Check routes (IOS)
#sh bgp ipv4 unicast 202.144.128.0/19
BGP routing table entry for 202.144.128.0/19, version 3814371
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     2
  Refresh Epoch 15
  4826 17660
    49.255.232.169 from 49.255.232.169 (114.31.194.12)
      Origin IGP, metric 0, localpref 110, valid, external, best
      Community: 4826:5101 4826:6570 4826:51011 24115:17660
      path 7F50C7CD98C8 RPKI State valid
      rx pathid: 0, tx pathid: 0x0

#sh bgp ipv6 unicast 2402:7800::/32
BGP routing table entry for 2402:7800::/32, version 1157916
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     2
  Refresh Epoch 15
  4826
    2402:7800:10:2::151 from 2402:7800:10:2::151 (114.31.194.12)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 4826:1000 4826:2050 4826:2110 4826:2540 4826:2900 4826:5203
      path 7F50B266CBD8 RPKI State not found
      rx pathid: 0, tx pathid: 0x0

RPKI Verification (JunOS)
Check the RPKI cache:
show validation ses
