• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Routing Security
 

Routing Security

on

  • 1,396 views

 

Statistics

Views

Total Views
1,396
Views on SlideShare
1,375
Embed Views
21

Actions

Likes
0
Downloads
13
Comments
0

1 Embed 21

http://www.ripe.net 21

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Routing Security Routing Security Presentation Transcript

    • Routing Security Daniel KarrenbergRIPE NCC<daniel.karrenberg@ripe.net>
    • Who is talking: Daniel Karrenberg• 1980s: helped build Internet in Europe - EUnet, Ebone, IXes, ... - RIPE• 1990s: helped build RIPE NCC - 1st CEO: 1992-2000• 2000s: Chief Scientist & Public Service - Trustee of the Internet Society: IETF, ... - Interests: Internet measurements, stability, trust & identity in the Internet, ... 2
    • Who is talking: Daniel Karrenberg• RIPE NCC - started in 1992 - first Regional Internet Registry (RIR) - Association of 6000+ ISPs - 70+ countries in “Europe & surrounding areas” - operational coordination - number resource distribution - trusted source of data - Motto: Neutrality & Expertise - not a lobby group! 3
    • My Messages Today• Routing security needs to be improved• The sky is not falling• Industry is moving• No need for public policies at this point 4
    • Outline• Internet Routing - How it works - What makes it work in practice - What can go wrong today• Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles• Public Policy Considerations• Discussion 5
    • The Internet 6
    • Part(s) of the Internet 7
    • “Autonomous Systems” 8
    • Packet Flow 9
    • Routing Information Flow (BGP) 10
    • Both Directions are Needed 11
    • Choice and Redundancy 12
    • Questions?
    • What makes it work 14
    • Business Relationships 15
    • Transmission Paths 16
    • Routing Engineering 17
    • Routing Engineering Methods• Inbound Traffic - Selectively announce routes. - Very little control over preferences by other ASes.• Outbound Traffic - Decide which of the known routes to use.• Inputs - Cost - Transmission Capacity - Load - Routing State 18
    • Routing Engineering Principles• Autonomous Decisions by each AS• Local tools• Local strategies• Local knowlege• Business advantages• Autonomous Decisions by each AS• (One of the reasons for rapid growth of the Internet) 19
    • Questions?
    • What can go wrong• Misconfiguration - Announcing too many routes (unitentional transit) - Originating wrong routes• Malicious Actions - Originating wrong routes (hijacking) 21
    • Hijacking 22
    • Hijacking 23
    • Hijacking 24
    • Questions?
    • Examples• YouTube & Pakistan Telecom (2008)• A number of full table exports• Various route leaks from China (2010) YouTube Movie 26
    • Outline• Internet Routing - How it works - What makes it work in practice - What can go wrong today• Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles• Public Policy Considerations• Discussion 27
    • Routing Hygiene• Do not accept customer routes from peers or upstreams• Limit number of prefixes accepted per adjacent AS• Use a routing registry - no global authoritative registry exists• Use own knowledge about topology - topology is constantly changing - distruptions can cause drastic changes 28
    • Routing Hygiene• Is applied locally / autonomously• Has a cost• Subservient to routing engineering - No obstruction - Maintain Autonomy• Cooperation - Trust - Community - Personal Relations 29
    • Resource Certification - Motivation• Good practice: - to register routes in an IRR - to filter routes based on IRR data• Problem: - only useful if the registries are complete - many IRRs exist, lacking standardisation• Result: - Less than half of all prefixes is registered in an IRR - Real world filtering is difficult and limited - Accidental leaks happen, route hijacking is possible 30
    • Resource Certification - Definition “Resource certification is a reliable method for proving the association between resource holders and Internet resources.” 31
    • Between who and what?• Resource Holders - Regional Internet Registries - Local Internet Registries - End Users• Internet Resources - IPv4 Address Blocks - IPv6 Address Blocks - AS Numbers 32
    • What Certification offers• Proof of holdership• Secure Inter-Domain Routing - Route Origin Authorisation - Preferred certified routing• Resource transfers• Validation is the added value! 33
    • The system 34
    • Proof of holdership • Public Key • Resources • Signature 35
    • Route Origin Authorisation (ROA) • IP Prefixes • AS Numbers • Signature 36
    • Automated Provisioning using ROAs Please route this part of my network: 192.0.2.0/24 Please sign a ROA for that resource using my AS number OK, I signed and published a ROA OK, that ROA is valid. I can trust this request 37
    • The road ahead• Production launch for all RIRs on 1 January 2011• Beta programme available in the LIR Portal now - You can create certificates and ROAs - Test key will be rolled over at launch date Feedback and input actively encouraged Mailing list: ca-tf@ripe.net 38
    • Obstacles• Fear of loosing autonomy• Cost• Low threat perception• Fear of loosing business advantage• Fear of loosing autonomy 39
    • Questions?
    • Outline• Internet Routing - How it works - What makes it work in practice - What can go wrong today• Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles• Public Policy Considerations• Discussion 41
    • My Messages Today• Routing security needs to be improved - Accidents do happen ... sometimes - Hijackings do happen ... sometimes• The sky is not falling - It does not happen all the time - It does not affect large areas of the Internet 42
    • My Messages Today• Industryis addressing the problems - Local measures taken autonomously - RPKI being deployed by RIRs - RPKI based routing tools being developed - RPKI based routing protocols being studied in IETF 43
    • My Messages Today• No need for public policies at this point - Not a strucutral problem endangering Internet - Mitigation works - Mitigation being improved - Global coordination is working 44
    • Outline• Internet Routing - How it works - What makes it work in practice - What can go wrong today• Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles• Public Policy Considerations• Discussion 45
    • The End! Kрай Y Diwedd Fí Соңы Finis Liðugt Ende Finvezh KiнецьKonec Kraj Ënn FundLõpp Beigas Vége Son Kpaj An Críoch ‫הסוף‬ EndirFine Sfârşit Fin Τέλος Einde Конeц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim