Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
RPKI	at CNNIC
Zhiwei Yan
Why	do	we	need	RPKI?
Feb,	2014
Hacker	Redirects	
Traffic	From	19	
Internet	Providers	
to	Steal	Bitcoins
Feb	2008
Pakistan	...
Prefix	hijacking:	Attackers	can	use	bogus	BGP	UPDATE	(NLRI	and	Path	Attributes)	messages	to	disrupt	
routing	without	break...
Bogus BGP UPDATE Message
According	to	“prefer	the path with	the shortest AS_PATH”	rule,		AS4	prefers message	from	AS5	to m...
Actually,	BGP	protocol	accepts	any	routes	they	learn	from	their	neighbors.
Obviously,	this	may	result	in	Route	Hijacking	o...
BGP	is	vulnerable	to	a	variety	of	routing	attacks	because	of	the	lack	of	a	verification	mechanism	to	ensure	the	
legitimac...
Certificate	Authority,	CA
Any	resource	holder	who	is	authorized	to	sub-allocate	these	resources	must	be	able	to	issue	reso...
The	Architecture	of RPKI-the relation	of	roles	and	data
Resource Holders
CA
LIR/ISP
Subscribers
IANA
RIR
NIR
CRL
CA
certif...
ROA	Profile	–RFC6482
Challenges NOW:
BGPSEC
RPKI-Safegurad
RFC	6480
An	Infrastructure	to	Support	
Secure	Internet	Routing
RFC	6487
A	Profile	fo...
Industrial	products	of	RPKI
Cisco	BGP	routers
Supporting BGP	Command	(match	RPKI)
Juniper	routers	
Configuring	Origin	Vali...
Deployment	situation
5	RIRs	have	finished	the	deployment	of	RPKI.	
A	number	of	countries	have	also	started	to	deploy	RPKI	...
RPKI	at	CNNIC
• Standardization	work	in	IETF
• X.	Lee,	X.	Liu,	Z.	Yan	and	Y.	Fu,	RPKI	Deployment	Considerations:	Problem	A...
RPKI	at	CNNIC
• Standardization	work	in	CCSA
• In	charge	of	the	standardization	of	RPKI	in	China
RPKI	at	CNNIC
• Published	two	white-papers	to	guide	the	test	of	RPKI	and	BGPSEC
RPKI	at	CNNIC
• Published	the	first	RPKI-Pilot	system	in	China
RPKI	at	CNNIC
• Published	several	academic	papers
• Cuicui Wang,	Zhiwei Yan	and	Anlei Hu.	An	Efficient	Data	Management	Arc...
What	is	the	future	of	RPKI?
• Will	RPKI	be	SECURE	enough?
• We	should	avoid	additional	risks	caused	by	a	security	enhancem...
What	is	the	future	of	RPKI?
• Will	RPKI	be	deployed	widely?
• Let’s	have	a	glimpse	of	DNSSEC
• 2010-12~
2013-03
Experiment...
What	is	the	future	of	RPKI?
• Will	RPKI	be	deployed	widely?
• Let’s	have	a	glimpse	of	DNSSEC
DNSSEC	COVERAGE	RATE	OF	
ALEX...
What	is	the	future	of	RPKI?
• Analyze	the	challenges	for	deployment:
• Up-bottom	model	has	difficulty	in	the	Internet	worl...
•I	am	not	NEGATIVE	or	UNCONFIDENT	to	RPKI
• But	I	am	sure	it	has	a	long	way	to	go	for:
• Protocol	improvement
• Deployment...
Thank	you	for	your	attention~
Zhiwei Yan@CNNIC
Upcoming SlideShare
Loading in …5
×

ION Hangzhou - RPKI At CNNIC

499 views

Published on

14 July 2016, ION Hangzhou (China) - RPKI Deployment at CNNIC

Published in: Technology
  • Login to see the comments

  • Be the first to like this

ION Hangzhou - RPKI At CNNIC

  1. 1. RPKI at CNNIC Zhiwei Yan
  2. 2. Why do we need RPKI? Feb, 2014 Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins Feb 2008 Pakistan Telecom brought down YouTube worldwide Jan , 2015 An ISP in USA hijack an IP prefix of IIJ from Japan Nov, 2015, An ISP in India as Bharti Airtel hijack a lot of IP prefix Prefix hijacking is one of the large-scale BGP specific routing anomalies that are able to paralyze the Internet. RPKI (Resource Public Key Infrastructure) is designed to prevent route hijacking and other attacks on BGP.
  3. 3. Prefix hijacking: Attackers can use bogus BGP UPDATE (NLRI and Path Attributes) messages to disrupt routing without breaking the peer-peer connection. BGP UPDATE Message Format : NLRI:Network Layer Reachability Information Why do we need RPKI?
  4. 4. Bogus BGP UPDATE Message According to “prefer the path with the shortest AS_PATH” rule, AS4 prefers message from AS5 to message from AS1. AS3 AS2 AS4 AS1 AS5 218.241.0.0/16 AS_PATH: 2 1 NLRI: 218.241.0.0/16 AS_PATH: 3 2 1 AS1 was authorized to originate prefix 218.241.0.0/16 NLRI: 218.241.0.0/16 AS_PATH: 1 AS3 AS2 AS4 AS1 AS5 218.241.0.0/16 AS_PATH: 2 1 NLRI: 218.241.0.0/16 AS_PATH: 3 2 1 NLRI: 218.241.0.0/20 AS_PATH: 5 NLRI: 218.241.0.0/16 AS_PATH: 1 AS5 forges BGP UPDATE Message Why do we need RPKI?
  5. 5. Actually, BGP protocol accepts any routes they learn from their neighbors. Obviously, this may result in Route Hijacking on the Internet. Authorization Ownership Unable to verify who is the legitimate holder of the INRs (Internet Number Resources). Unable to verify who has the authorization to originate specific IP prefixes Why do we need RPKI?
  6. 6. BGP is vulnerable to a variety of routing attacks because of the lack of a verification mechanism to ensure the legitimacy of BGP messages (especially the origin information). RPKI is proposed in IETF to offers a verification mechanism to protect the ownership and authorization of the INRs (Internet Number Resources). Why do we need RPKI?
  7. 7. Certificate Authority, CA Any resource holder who is authorized to sub-allocate these resources must be able to issue resource certificates to correspond to these sub-allocations. Thus, for example, CA certificates will be associated with IANA and each of the RIRs, NIRs, and LIRs/ISPs. Also, a CA certificate is required to enable a resource holder to issue ROAs, because it must issue the corresponding end-entity certificate used to validate each ROA. End-entity, EE The private key corresponding to a public key contained in an EE certificate is not used to sign other certificates in a PKI. The primary function of end-entity certificates in this PKI is the verification of signed objects that relate to the usage of the resources described in the certificate, e.g., ROAs and manifests. Trust Anchor, TA A trust anchor in the RPKI is represented by a self-signed X.509 Certification Authority (CA) certificate, a format commonly used in PKIs and widely supported by RP software The Architecture of RPKI
  8. 8. The Architecture of RPKI-the relation of roles and data Resource Holders CA LIR/ISP Subscribers IANA RIR NIR CRL CA certificate EE certificate ROA manifest Repository INR (Internet Number Resources) Entity PKI Resources Signed Objects
  9. 9. ROA Profile –RFC6482
  10. 10. Challenges NOW: BGPSEC RPKI-Safegurad RFC 6480 An Infrastructure to Support Secure Internet Routing RFC 6487 A Profile for X.509 PKIX Resource Certificates RFC 6481 Resource Certificate Repository Structure RFC 6489 Key Rollover RFC 6490 RPKI Trust Anchor Locator RFC 6484 Certificate Policy for the RPKI RFC 6485 The Profile for Algorithms and Key Sizes for Use in RPKI RFC 6482 A Profile for ROAs RFC 6486 Manifests for the RPKI RFC 6488 Signed Object Template for RPKI RFC 6483 Validation of Route Origination Using RPKI and ROAs The standardization process of RPKI
  11. 11. Industrial products of RPKI Cisco BGP routers Supporting BGP Command (match RPKI) Juniper routers Configuring Origin Validation for BGP Alcatel-Lucent Service Router(Release 12.0 R4) Trying to support RPKI
  12. 12. Deployment situation 5 RIRs have finished the deployment of RPKI. A number of countries have also started to deploy RPKI interiorly, Ecuador, Japan, Bangladesh, China, etc.
  13. 13. RPKI at CNNIC • Standardization work in IETF • X. Lee, X. Liu, Z. Yan and Y. Fu, RPKI Deployment Considerations: Problem Analysis and Alternative Solutions, draft-lee-sidr-rpki-deployment-01, Jan, 2016. • RPKI Deployment Problems:Existing and Potential Problems , such as Technical, Economic and Political • Alternative Solutions • Y. Fu, Z. Yan, X. Liu and C. Wang, Scenarios of unexpected resource assignment in RPKI, draft-fu-sidr-unexpected-scenarios-01, March 2016. • Problem: Unbelonged resource allocation, Duplicated allocation, Resource transfer • Solution: Safeguard of CA function • Z.Yan, Y.Fu, X.Liu, G.Geng, Problem Statement and Considerations for ROA Mergence, draft-yan-sidr-roa-mergence-00, May 2016 • analyzes and presents some operational • Problems caused by the misconfigurations of ROAs containing multiple IP prefixes. • Suggestions and considerations
  14. 14. RPKI at CNNIC • Standardization work in CCSA • In charge of the standardization of RPKI in China
  15. 15. RPKI at CNNIC • Published two white-papers to guide the test of RPKI and BGPSEC
  16. 16. RPKI at CNNIC • Published the first RPKI-Pilot system in China
  17. 17. RPKI at CNNIC • Published several academic papers • Cuicui Wang, Zhiwei Yan and Anlei Hu. An Efficient Data Management Architecture for the Large-scale Deployment of Resource Public Key Infrastructure • Xiaowei Liu, Zhiwei Yan, Guanggang Geng, Xiaodong Lee, Shian-ShyongTseng and Ching-Heng Ku. RPKI Deployment: Risks and Alternative Solutions • Xiaowei Liu, Zhiwei Yan, Guanggang Geng and XiaodongLee. Research of ResourceAllocation Risks by CAs in RPKI and Feasible Solutions • Zhiwei Yan, Xiaowei Liu, Guanggang Geng and SheraliZeadally. Secure and Scalable Deployment of Resource Public Key Infrastructure (RPKI)
  18. 18. What is the future of RPKI? • Will RPKI be SECURE enough? • We should avoid additional risks caused by a security enhancement • More than One TA • Operational Errors • Unilateral Resource Revocation • Mirror World Attacks • …… • Data Synchronization • Problems of Staged and Incomplete Deployment • Combining with BGP Production Synchronization Usage
  19. 19. What is the future of RPKI? • Will RPKI be deployed widely? • Let’s have a glimpse of DNSSEC • 2010-12~ 2013-03 Experimental • 2013-04 Announced • 2013-08 Partial • 2013-11 DS in Root • Keep going… Operational Experimental: ü Risk analysis ü Software development Announced: ü Hardware & software deployment ü Training and drills Partial: ü Signing & roller ü Observations & verification DS in Root: ü Generation & submission ü Observations & verification Operational: ü Upgrades and improvements ü Debugging Over 800 days 120 days
  20. 20. What is the future of RPKI? • Will RPKI be deployed widely? • Let’s have a glimpse of DNSSEC DNSSEC COVERAGE RATE OF ALEXA TOP 1 MILLION WEBSITES: 1.6%
  21. 21. What is the future of RPKI? • Analyze the challenges for deployment: • Up-bottom model has difficulty in the Internet world • PKI has too high requirements for the managers • Security is a huge investment for the enterprises
  22. 22. •I am not NEGATIVE or UNCONFIDENT to RPKI • But I am sure it has a long way to go for: • Protocol improvement • Deployment enlargement
  23. 23. Thank you for your attention~ Zhiwei Yan@CNNIC

×