Andrzej Wolski - RIPE
Securing BGP has been on the to-do list of the community at large for many years. Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems: it lets anyone verify whether an Autonomous System (AS) is authorised to announce a specific IP address range. We will take a close look at the state of RPKI deployment: successes and failures globally, areas for improvement, and then a quick zoom in on our region.
Register for the next PLNOG edition: krakow.plnog.pl
2. Andrzej Wolski – PLNOG 14 – Warsaw, Poland
Internet Registry System
IANA allocates address space and AS numbers to the five Regional Internet Registries (RIRs), each serving its own region:
• AFRINIC: Africa
• APNIC: Asia Pacific
• ARIN: North America
• LACNIC: Latin America
• RIPE NCC: Eurasia (Europe, Central Asia), Middle East
Who are we?
•RIPE NCC
• Located in Amsterdam
• Not-for-profit membership organisation
• One of five RIRs
•RIPE Community
• Open community
• Develops policies
• Organised in Working Groups
What do we do?
•Distribute IP addresses and AS numbers
•Support RIPE community
•RIPE Database
•Resource Certification (RPKI)
•Reverse DNS and K-root server
•Training
•Research and Statistics
•Tools and measurements (RIPE Atlas, RIPEstat)
The State of Global Routing
•Largely a trust-based system
• Maximum prefix lists
• Static prefix lists
• IRR sourced
• Often unfiltered
•Auditing is almost impossible
Types of Routing Incidents
•Misconfiguration
• No malicious intentions
• Software bugs
•Malicious
• Competition
• Claiming “unused” space
•Targeted Traffic Misdirection
• Collect and/or tamper with data
BGP Hijacking Events in 2014
• Turkey censorship
- Affected open DNS resolvers: Google / OpenDNS / Level3
• Syrian Telecom
- 1480 prefixes
- 206 ASNs
• The Bitcoin hijack
- 51 prefixes
- 19 ASNs
The Case for BGP Origin Validation
“Would you like a reliable way of telling whether a
BGP Route Announcement is authorised by the
legitimate holder of the address space?”
That Should Be Easy, Right?!
• The current legitimate holder should be able to make a statement protecting its resources that:
- specifies which AS may originate the prefix, and
- states the maximum prefix length (the most specific announcement) that AS may make…
[Form mock-up: Route Origin Authorization with fields AS Number, Prefix and Maximum Length, and a Submit button]
RPKI: Ultra Quick Intro
• RIR becomes a Certificate Authority
- Puts IPs and ASNs on a digital certificate; issues to LIRs
- LIRs use certificate to make statements about their IPs
- Statement is called a Route Origin Authorization (ROA)
• BGP Origin Validation
- Out-of-band solution (whitelisting)
- Operators validate and compare ROAs to real-world BGP
• Authorised announcements make them happy 😊
• Unauthorised announcements make them sad 😡
PLNOG 10: "BGP Origin Validation with RPKI" Alex Band
Slow start
• RIPE NCC worked on a prototype since 2006
• Launched an open beta mid-2010
- Get operational experience and feedback before launch
• A limited production service on 1 January 2011
- Only LIR’s address space (no PI, no Legacy)
- Only hosted system available with a web interface
- No production grade support for Delegated RPKI
- First version of RIPE NCC Validator
• Other types of address space added with time
Keeping It Simple
• Conscious decision to keep it simple
- Offer a stable and robust service
- Gain operational experience
- Gather user feedback
- Automate all crypto complexity
• Mantra: Simplicity will spur on adoption
- RPKI is a new technology
- Small to no gains for early adopters
- Avoid making users jump through burning hoops
Less Functionality, More Usability
• Automate signing and key roll overs
- One click setup of resource certificate
- User has a valid and published certificate for as long as
they are the holder of the resources
- Changes in resource holdership are handled automatically
• Hide all the crypto complexity from the UI
- Hashes, SIA and AIA pointers, etc.
• Just focus on creating and publishing ROAs
- Match your intended BGP configuration
The current global reality…
People Requesting a Certificate
Source: http://certification-stats.ripe.net
People Actually Creating ROAs
Source: http://certification-stats.ripe.net
A Success Story
• Ecuador Internet Exchange (NAP.EC)
- two Cisco ASR-1001 route servers in different locations
- two redundant validator servers installed
• each running two different validators: RIPE NCC Validator and rpki.net
• Origin validation was implemented in the route servers
• No action was taken on the RPKI validity status: routes are validated but not filtered
What Operators Tell Us…
• Give me new data faster!
• Running the delegated model is not interesting
- They prefer an API into the hosted system for now
• Used to have stale route objects, now stale ROAs
• The various relying party tools are not that mature
• There are different flavours of invalid announcement
but I can’t filter on them in my router
- “Unauthorized AS” and “Too specific prefix”
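As an added example (not code from the talk, the RIPE NCC Validator or any router), the following Python implements the origin validation step from the RPKI intro above: a ROA is reduced to a (prefix, maxLength, origin AS) statement, and an announcement is classified as valid, invalid or unknown against a set of them. It also keeps apart the two flavours of invalid that operators say they cannot filter on separately: an unauthorised origin AS versus a prefix that is more specific than the ROA's maxLength allows. All prefixes, AS numbers and ROAs are constructed documentation values, not real routing data.

```python
"""Origin validation of BGP announcements against ROA data (RFC 6811).

Added example, not code from the talk, the RIPE NCC Validator or a router.
Prefixes (RFC 5737 / RFC 3849) and AS numbers (private range) are
constructed demo values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin AS) triple,
    i.e. what a ROA boils down to once its certificate chain has checked out."""
    prefix: Net
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP, enforcing prefixlen <= maxLength <= address size."""
    net = ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return VRP(net, max_length, asn)


def covers(v: VRP, route: Net) -> bool:
    """A VRP covers a route when the route equals the ROA prefix or is more
    specific, regardless of maxLength and AS (RFC 6811 section 2)."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def validate(route: str, origin_as: int, vrps: Iterable[VRP]) -> Tuple[str, str]:
    """Return (state, reason) with state in {"valid", "invalid", "unknown"}.

    "unknown" is RFC 6811's NotFound: no ROA says anything about this space.
    "invalid" means some ROA covers the route but none of the covering ROAs
    authorises this (origin AS, prefix length) pair.
    """
    net = ip_network(route, strict=True)
    covering = [v for v in vrps if covers(v, net)]
    if not covering:
        return "unknown", "no covering ROA"
    for v in covering:
        # One matching VRP is enough, even if other ROAs disagree.
        if v.asn == origin_as and net.prefixlen <= v.max_length:
            return "valid", f"authorised by ROA {v.prefix}-{v.max_length} AS{v.asn}"
    # Invalid: say which flavour. If a covering ROA names this AS, the only
    # problem is the prefix length; otherwise the AS itself is not authorised
    # (an AS 0 ROA, RFC 6483, lands here for every real origin, as intended).
    if any(v.asn == origin_as for v in covering):
        return "invalid", "too specific prefix (exceeds maxLength)"
    return "invalid", "unauthorized AS"


def check_table(announcements: Iterable[Tuple[str, int]], vrps: Iterable[VRP]) -> List[Tuple[str, int, str, str]]:
    """Validate (prefix, origin AS) pairs; rows of (prefix, AS, state, reason)."""
    vrps = list(vrps)
    return [(p, a, *validate(p, a, vrps)) for p, a in announcements]


# Constructed ROA set for the demo.
ROAS = [
    vrp("192.0.2.0/24", 24, 64496),    # exact prefix only
    vrp("192.0.2.0/23", 24, 64497),    # a second, looser statement
    vrp("2001:db8::/32", 48, 64496),   # may be deaggregated down to /48
    vrp("198.51.100.0/24", 24, 0),     # AS 0 ROA: nobody may originate this
]

# Constructed announcements as a route server might see them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # valid
    ("192.0.2.0/25", 64496),     # invalid: too specific for both ROAs
    ("192.0.2.0/24", 64497),     # valid via the /23-24 ROA
    ("192.0.2.0/24", 64511),     # invalid: unauthorized AS
    ("203.0.113.0/24", 64496),   # unknown: no ROA at all
    ("2001:db8:1::/48", 64496),  # valid
    ("2001:db8:1::/64", 64496),  # invalid: too specific
    ("198.51.100.0/24", 64496),  # invalid: AS 0 ROA
]

if __name__ == "__main__":
    for prefix, asn, state, reason in check_table(ANNOUNCEMENTS, ROAS):
        print(f"{prefix:18} AS{asn:<6} {state:8} {reason}")
```

A router that only exposes valid/invalid/not-found cannot act on the reason, but a relying-party tool can log it: "too specific" is usually the holder's own deaggregation that the ROA's maxLength does not cover (fix the ROA), while "unauthorized AS" is what a hijack, or an origin change nobody updated the ROA for, looks like.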
Our Future Plans
• Merge IRR ‘route’ object management into the RPKI UI
• Replace rsync as the protocol for fetching data
- something faster and more scalable (HTTP)
• Support inter-RIR transfers
• Align efforts between RIRs
• Production support for the delegated model
- Yes, really… 😉
• End goal: path validation (BGPsec)
- a major change to BGP messages (on-line crypto: signatures carried in each UPDATE)
Why Should You Care?
• Your inbound and outbound traffic can be passively intercepted
• Your data can be:
• stored
• dropped
• filtered
• modified
• It’s unlikely to be noticed, unless you’re looking for it
What Should You Do?
• Go to LIR Portal > Resource Certification
• create your CA
• create Route Origin Authorisations (ROAs) for your announcements
• Feedback button and live chat in the management UI
• Monthly webinars dedicated to RPKI
• Integral part of the RIPE NCC Routing Security course
You decide
• As an announcer/LIR
• You choose whether you want certification
• You choose whether you create ROAs
• You choose the origin AS and the maximum length
• As a Relying Party
• You choose whether you run a validator
• You can override the list of valid ROAs in the cache, adding or removing entries locally
• You choose whether to make routing decisions based on the origin validation result (valid/invalid/unknown)
RPKI Support in Routers
• RPKI and the RPKI-RTR protocol are IETF standards (RFC 6480 and following; RTR in RFC 6810, origin validation in RFC 6811)
• Any router vendor can implement them
• Cisco support:
• IOS XR 4.2.1 (CRS-x, ASR9000, c12K) / IOS XR 5.1.1 (NCS6000, XRv)
• IOS XE 3.5 (C7200, c7600, ASR1K, CSR1Kv, ASR90x, ME3600…)
• IOS 15.2(1)S
• Juniper: supported since Junos 12.2
• Quagga: support through BGP-SRx
• BIRD: supports ROA tables but does not speak RPKI-RTR (as of this talk)
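The RPKI-RTR protocol listed above is how a router gets the validated ROA set from its cache without touching any X.509 itself. As an added example (not code from the talk, any router or any validator), the Python below encodes the exchange a cache sends after a Reset Query in protocol version 0 (RFC 6810: Cache Response, one Prefix PDU per VRP, End Of Data) and decodes such a stream back into announced and withdrawn VRPs, rejecting anything malformed. The session id, serial number, prefixes and AS numbers are constructed demo values, not a capture.

```python
"""RPKI-to-Router (RTR, RFC 6810, protocol version 0) PDUs: encode and decode.

Added example, not code from the talk, any router or any validator.
Session id, serial, prefixes and ASNs are constructed demo values.
"""
import struct
from ipaddress import IPv4Address, IPv6Address
from typing import Optional, Set, Tuple

# PDU types, RFC 6810 section 5 (types 5 and 9 are not used in version 0)
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET, ERROR_REPORT = 4, 6, 7, 8, 10
FLAG_ANNOUNCE = 0x01  # flags bit 0: 1 = announce, 0 = withdraw
RTR_VERSION = 0

HDR = struct.Struct("!BBHI")         # version, type, session id or zero, length
V4_BODY = struct.Struct("!BBBB4sI")  # flags, prefix len, max len, zero, prefix, ASN
V6_BODY = struct.Struct("!BBBB16sI")
VRP = Tuple[str, int, int]           # ("prefix/len", maxLength, origin AS)


def reset_query() -> bytes:
    """Router -> cache: send me your whole current set."""
    return HDR.pack(RTR_VERSION, RESET_QUERY, 0, HDR.size)


def cache_response(session_id: int) -> bytes:
    return HDR.pack(RTR_VERSION, CACHE_RESPONSE, session_id, HDR.size)


def prefix_pdu(prefix: str, plen: int, maxlen: int, asn: int, announce: bool = True) -> bytes:
    """Cache -> router: one VRP, as an IPv4 or IPv6 Prefix PDU."""
    flags = FLAG_ANNOUNCE if announce else 0
    if ":" in prefix:
        body = V6_BODY.pack(flags, plen, maxlen, 0, IPv6Address(prefix).packed, asn)
        return HDR.pack(RTR_VERSION, IPV6_PREFIX, 0, HDR.size + len(body)) + body
    body = V4_BODY.pack(flags, plen, maxlen, 0, IPv4Address(prefix).packed, asn)
    return HDR.pack(RTR_VERSION, IPV4_PREFIX, 0, HDR.size + len(body)) + body


def end_of_data(session_id: int, serial: int) -> bytes:
    """Cache -> router: the set is complete up to this serial number."""
    return HDR.pack(RTR_VERSION, END_OF_DATA, session_id, HDR.size + 4) + struct.pack("!I", serial)


def decode_stream(data: bytes) -> Tuple[Optional[int], Optional[int], Set[VRP], Set[VRP]]:
    """Parse a cache's byte stream into (session id, serial, announced, withdrawn).

    Any malformed PDU raises: a router must never install a half-parsed set.
    """
    off, session, serial = 0, None, None
    announced: Set[VRP] = set()
    withdrawn: Set[VRP] = set()
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated PDU header")
        version, ptype, sess, length = HDR.unpack_from(data, off)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < HDR.size or off + length > len(data):
            raise ValueError(f"bad PDU length {length}")
        body = data[off + HDR.size:off + length]
        if ptype == CACHE_RESPONSE:
            session = sess
        elif ptype in (IPV4_PREFIX, IPV6_PREFIX):
            fmt, bits = (V4_BODY, 32) if ptype == IPV4_PREFIX else (V6_BODY, 128)
            if len(body) != fmt.size:
                raise ValueError("prefix PDU has wrong length")
            flags, plen, maxlen, _zero, raw, asn = fmt.unpack(body)
            if not plen <= maxlen <= bits:
                raise ValueError(f"bad prefix/max length {plen}/{maxlen}")
            addr = IPv4Address(raw) if bits == 32 else IPv6Address(raw)
            vrp: VRP = (f"{addr}/{plen}", maxlen, asn)
            (announced if flags & FLAG_ANNOUNCE else withdrawn).add(vrp)
        elif ptype == END_OF_DATA:
            if sess != session or len(body) < 4:
                raise ValueError("End Of Data does not match the Cache Response")
            serial = struct.unpack("!I", body[:4])[0]
        elif ptype == CACHE_RESET:
            raise ValueError("cache requested a reset; send a Reset Query")
        elif ptype == ERROR_REPORT:
            raise ValueError("cache sent an Error Report")
        else:
            raise ValueError(f"unexpected PDU type {ptype} from cache")
        off += length
    return session, serial, announced, withdrawn


# Constructed stream: what a cache would send in reply to reset_query().
SESSION, SERIAL = 0x1234, 42
DEMO_STREAM = (
    cache_response(SESSION)
    + prefix_pdu("192.0.2.0", 24, 24, 64496)
    + prefix_pdu("2001:db8::", 32, 48, 64496)
    + prefix_pdu("198.51.100.0", 24, 24, 64497, announce=False)
    + end_of_data(SESSION, SERIAL)
)

if __name__ == "__main__":
    print(decode_stream(DEMO_STREAM))
```

Whoever can write into this session decides what the router treats as valid: the plain TCP transport on port 323 carries no integrity protection of its own, so RFC 6810 section 7 expects the router and cache to sit on a protected management network or to use a secured transport such as SSH, TLS or TCP-AO. The decoder also refuses to continue on a session id mismatch, because a VRP set assembled from two different cache sessions is not something any router should act on.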