ION Santiago: The Need for BGP Path Validation (Wes Hardaker)

How do we improve the resilience and security of the Internet’s underlying routing infrastructure? While Internet routing has worked well over the years, there have been instances where errors and misconfigurations have caused stability issues. Malicious attackers have also created denial of service attacks and other issues by spoofing IP addresses and manipulating routing tables. What are the best practices we can use to help mitigate these kinds of attacks?

In this session, our panel of experts will address technologies such as BCP 38, anti-spoofing, and BGP security efforts that can help secure the routing infrastructure. They will also consider the Internet Society’s new Routing Manifesto, which aims to introduce a minimum set of security measures which, if deployed on a wide scale, could result in visible improvements to the security and resilience of the global routing system.

Published in: Technology

  1. The Need For BGP Path Validation. Wes Hardaker <wes.hardaker@parsons.com>
  2. Example RPKI Origin Validation. Diagram: Client, Server, Bad Server and AS1 through AS8; an X.509 certificate issued for AS4 ("AS4 Is Legal") is what AS2 verifies. AS2 checks the RPKI for authorization; AS5 does not have an RPKI authorization, so its route will be rejected. RPKI provides origin validation: a cryptographically signed authorization for AS4 to advertise routes to Server.
     • INVALID (doesn't go to AS4): AS1 ► AS2 ► AS5
     • VALID (origin is AS4): AS1 ► AS2 ► AS3 ► AS4
     • VALID (origin is AS4): AS1 ► AS2 ► AS6 ► AS7 ► AS3 ► AS4
  3. What If AS5 Lies? AS5 lies and pretends it has a direct route to AS4. AS5 can still advertise a route with AS4 at the end, even though AS5 isn't connected to AS4:
     • VALID (origin is AS4): AS1 ► AS2 ► AS5 ► AS4
     • VALID (origin is AS4): AS1 ► AS2 ► AS3 ► AS4
     • VALID (origin is AS4): AS1 ► AS2 ► AS6 ► AS7 ► AS3 ► AS4
  4. Path Validation Is Critical: Step 2 in the Routing Security Solution!
     • AS4 must prove it started the route
       – It must prove that only AS3 is next in its path
       – No other router can reuse or copy its initial route
     • ASes can be assured the entire path is valid
     • Enter BGPSEC! – Lies can now be detected!
  5. BGPSEC's Path Validation. AS5's route will be rejected again: each router signs along the way, so the path can not be spoofed or modified.
     • INVALID (origin signed, path is not): AS1 ► AS2 ► AS5 ► AS4
     • VALID (origin and path signed): AS1 ► AS2 ► AS3 ► AS4
     • VALID (origin and path signed): AS1 ► AS2 ► … ► AS3 ► AS4
  6. RPKI and BGPSEC – Certificate Tree. Diagram: IANA at the root; below it the RIRs AFRINIC, APNIC, LACNIC, ARIN and RIPE; below them ISP 1, ISP 2, ISP 3 and ISP 4; Client and Server at the leaves. ISPs issue certificates to each router they control.
  7. BGPSEC – Router Certificates. The same certificate tree (IANA, RIRs, ISPs, Client, Server), annotated to show which part of it supports Origin Validation and which supports Path Validation.
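The contrast slides 2 to 5 draw, as an added simulation that is not part of the presentation: origin validation only checks the last AS against a ROA, so the forged path AS1 ► AS2 ► AS5 ► AS4 passes it, while a BGPSEC-style per-hop signature check rejects it because AS4 only ever signed "next AS is AS3" and AS5 cannot produce AS4's signature. The prefix, the router keys and the HMAC stand-in for BGPSEC's ECDSA router signatures are constructed assumptions.

```python
import hashlib
import hmac

# Constructed topology from the slides: AS4 originates the Server prefix, its
# only neighbour toward AS1 is AS3, and AS5 is not connected to AS4 at all.
PREFIX = "192.0.2.0/24"  # placeholder for the Server's prefix (not on the slides)
ROAS = {PREFIX: {4}}     # RPKI ROA: only AS4 is authorised to originate PREFIX
# Stand-in per-router keys; real BGPSEC routers hold ECDSA keys certified
# under the IANA -> RIR -> ISP tree of slides 6 and 7.
ROUTER_KEYS = {asn: hashlib.sha256(f"router-key-AS{asn}".encode()).digest()
               for asn in range(1, 9)}

def origin_valid(prefix, as_path):
    """RPKI origin validation looks only at the originating (last) AS."""
    return as_path[-1] in ROAS.get(prefix, set())

def sign_hop(asn, prefix, prev_sig, next_asn):
    """Toy hop signature over (prefix, previous signature, asn -> next_asn).
    HMAC with the signer's key stands in for the router's ECDSA signature."""
    msg = f"{prefix}|{prev_sig}|{asn}->{next_asn}".encode()
    return hmac.new(ROUTER_KEYS[asn], msg, hashlib.sha256).hexdigest()

def propagate(prefix, origin, hops, prev_sig=""):
    """Build the signed update as it travels origin -> hops[0] -> hops[1] ..."""
    segments, cur = [], origin
    for nxt in hops:
        sig = sign_hop(cur, prefix, prev_sig, nxt)
        segments.append((cur, nxt, sig))
        prev_sig, cur = sig, nxt
    return segments

def path_valid(prefix, segments, receiver):
    """Origin must be ROA-authorised, every hop signature must verify, and each
    signed 'next AS' must be the AS that actually signed the following segment."""
    if not segments or segments[0][0] not in ROAS.get(prefix, set()):
        return False
    prev_sig, expected = "", segments[0][0]
    for asn, nxt, sig in segments:
        if asn != expected:
            return False  # spliced-in segment: the previous signer never named this AS
        if not hmac.compare_digest(sig, sign_hop(asn, prefix, prev_sig, nxt)):
            return False  # forged signature or modified segment
        prev_sig, expected = sig, nxt
    return expected == receiver

def forge_via_as5(honest_update):
    """AS5 copies AS4's signed origin segment (which names AS3 as next) and
    splices itself in, producing the slide-3 path AS1 > AS2 > AS5 > AS4."""
    origin_seg = honest_update[0]  # (4, 3, signature by AS4)
    return [origin_seg] + propagate(PREFIX, 5, [2, 1], prev_sig=origin_seg[2])
```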