SlideShare a Scribd company logo

PacNOG 29: Routing security is more than RPKI

APNIC
APNIC

APNIC Chief Scientist presented on how much more there is to routing security than just RPKI at PacNOG 29, held online from 29 November to 9 December 2021.

Internet
1 of 49
Download to read offline
Routing Security is more than RPKI Geoff Huston AM Chief Scientist, APNIC
Don’t stop signing ROAs! • This is not saying RPKI is wrong and you shouldn’t use it • We have only a few tools to help us with keeping routing together, so we shouldn’t let the perfect become the enemy of the good Unless of course the entire Route Refresh story scares you, in which case turning on RoV might not be your best idea you’ve had today! But • If we can’t be honest in appraising the effectiveness of these various approaches then we’ve walked away from evidence-based engineering and headed right into the fantasy marketing department!
Don’t stop signing ROAs! • This is not saying RPKI is wrong and you shouldn’t use it • We have only a few tools to help us with keeping routing together, so we shouldn’t let the perfect become the enemy of the good Unless of course the entire Route Refresh story scares you, in which case turning on RoV might not be your best idea you’ve had today! But • If we can’t be honest in appraising the effectiveness of these various approaches then we’ve walked away from evidence-based engineering and headed right into the fantasy marketing department!
Routing incidents comes in all shapes and sizes • Some are malicious attacks intended to generate victims • But most are incidents we inflict upon ourselves in various inept and accidental ways
What do real routing attacks look like? Ethereum – 2018 • Deliberate attempt to subvert DNS, to take over Ethereum wallets • Subverted routing for Route 53 Authoritative DNS servers via more specific announcements for their own DNS server • This attack used a different origin AS (AS10297), but as it was a more specific prefix, they could’ve faked AS16509 if we were doing origination checks at the time • Replied SERVFAIL for domains it wasn’t attacking • Misdirected DNS for myetherwallet.com to intercepting website • If users clicked through a false SSL warning, then their Ethereum wallet was stolen • This attack could’ve been defeated by: • Users NOT clicking through a bad cert warning • Using DNSSEC signing for the myetherwallet.com domain • Using RPKI ROA with a maxlength parameter
What do real routing attacks look like? Lessons: Attacks tend to be multi-part these days • Subvert the infrastructure enough to fool a DNS registrar • Take over the name registration and delegate the name • Re-sign the name with DNSSEC • Grab a cert from an CA • You’re in! • Fool the CA’s tests to get a fake certificate • By a targeted attack on the DNS resolution infrastructure • Then attack routing and use the fake cert to redirect users • You’re in! Attacks are executed very quickly • From the original subversion to trigger the attack to completion is often less than a couple of hours • Anything after that is a bonus Attackers don’t bother to clean up afterwards • Attackers don’t care about certificate transparency, system logs or any other related forensic information • They rely on existing network capabilities to hide their identities
And then there are all the rest… • While these attacks get headlines, there are more mundane self-harm incidents in routing that happen all the time
We get routing wrong a lot of the time BGPMon report
We get routing wrong a lot of the time Annual summary of BGPStream reports
And we would all like to handle this better • So we take one or two proto-typical attacks • It’s simpler and focusses the effort to mitigate the issue • We hope that they are good examples of what we are trying to prevent • We design tools to prevent those attacks
The Archetypical BGP Incident February 2008
How? • AS36561 (YouTube) was announcing 208.65.152.0/22 • AS17557 (Pakistan Telecom) announced 208.65.153.0/24 In BGP more specific prefixes “win” every time – so if a network heard the /24 then it believed it as a refinement to the encompassing /22 This was a failure in filtering. But while (some) ISPs filtered their customers, the practise of applying filters to internal wholesale connections was less common. So the false route propagated and everyone else believed it. My
But that was 13 years ago • Are we getting better at filtering? • Not really • February 2021 AS 136168 (Campana MYTHIC) in Myanmar implements a government directive and propagates a more specific of Twitter’s service address (104.244.42.0/24) • Twitter had lodged an RADB entry and filtering on this RADB entry would’ve stopped the false route propagating • Yet the route still propagated outward to AS132132, AS61292, AS4844, AS8106 and AS23673 and onward to ~40 other ASes who don’t filter based on RADB entries
Maybe we need more than Route Registries… • We’ve been using Route Registries as the foundation of route filtering since the NSF-funded Routing Arbiter project of the early 90’s • The problem with route registries is that they require intense feeding and watering, as they develop bitrot very quickly • Surely we could use the Awesome Power of Digital Cryptography and automate the heck out of this and not just rely on hand-curated lists and fallible human operators?
Meanwhile, over the fence in RIR Land • We were looking at how to provide testable authenticity in supporting whois queries in the address registries • The RIRs were aware that many ISPs used these registries as a source of authenticity to process requests to route BYO prefixes from customers, and ISPs were keen to push the authenticity problem off to literally anyone else! • Maybe we could inject this testable authenticity directly into the routing system to literally make it impossible to lie!
All Hail RPKI! • Use the RIR registry as the source of authority • Registry operator “certifies” a resource holder through a public key certificate • Resource holders can digitally sign attestations with their resources • The signature also means that they are acknowledged resource holder and the resource is validly allocated or assigned • Validation of a signature means that the attestation is genuine, complete and current • We can feed this information into the routing system to audit announcements for veracity
RPKI, meet BGP! • Separate out origination and propagation and treat them separately
RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA)
ROA Production 60% 40% https://stats.labs.apnic.net/ROAS Internet-wide average 27% of routes
ROA Production 60% 40% https://stats.labs.apnic.net/ROAS Internet-wide average 27% of routes
RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA) • Then you assemble these digital authorities and generate a filter list in the router and drop all routing announcements that are invalid
Drop RoV-Invalid routes 55% of users 10% of users Internet-wide average 15% of users
Drop RoV-Invalid routes 55% of users 10% of users Internet-wide average 15% of users
RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA) • Then you assemble these authorities and generate a filter list in the router and drop announcements that are invalid • Propagation
RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA) • Then you assemble these authorities and generate a filter list in the router and drop announcements that are invalid • Propagation is a problem • Wholistic approaches that attempt to link the AS path to the propagation of an update (BGPSEC) resist piecemeal deployment and are crypto-intensive – BGPSEC is largely DOA • Piecemeal approaches offer more limited protections that limit the plausibility of some forms of lies
RPKI, meet BGP! It’s not an entirely comfortable match • The implicit withdrawal of ROA-invalid routes can cause spurious route refresh operations against your BGP peers • The hop-by hop aspects of BGP (withdrawals, communities) an not possible to validate against an origination “root cause” • Routing is “backwards” • BGP does NOT select the forwarding path • It creates a partial topology by passing reachability in the reverse direction • And that’s all • An AS Path describes the route propagation path, not the packet’s forwarding path • What matters is “forwards” • Our concern is with the forwarding path • And that’s what we can’t check from the routing system
So securing routing is hard But its still only part of the picture • What do we see in terms of “incidents” in todays network? • Would RPKI in BGP defend the network from such incidents in any case? • Let’s look at some more examples of incidents and outages that induced routing anomalies
Facebook Meta, October 2021 • Lost route to nameservers • Used a single route to all nameservers • Used short cache lifetime DNS records • Lost sight of all 4 anycast nameservers for @facebook.com • Lost access to secure entry tokens in @facebook.com • Even if they’d had DNS, NLRI routes to offline server surface would have looked pretty bad • Web service sending what? • 6-8 hour outage • (5nines is 5min/year unplanned outage, so that’s 72 years of ’credit’ for 5nines!) • Huge amounts of Africa functionally offline for business • WhatsApp for money exchange • 3 billion Facebook users totally disconnected from the platform
Own Goal Syndrome Yes, there was a BGP incident • It was a withdrawal that isolated the authoritative nameservers for facebook.com • But it was not an attack • It was an internal operational error • And RPKI/BGPSEC cannot “protect” inadvertent route withdrawals in any case • And the outage was multiplied by the withdrawal of the DNS records because of cache expiry • And made worse because the outage also locked them out of their facilities (!)
More recent Own Goals • June 2021 • A certain customer configuration change that was flagged as valid triggered a complete platform crash in their Varnish platform • Varnish is NOT a Fastly-developed platform – it is open source developed by a Norwegian newspaper site • July 2021 • A config change had a format error that disabled the front end load balancer, that disabled their DNS steering and took out the platform • Obviously, not a routing problem
Own Goals are insanely common! • But what about collateral damage?
Collateral Damage • November 2018, MainOne in Nigeria had a configuration error that leaked ~200 Google Cloud routes to various transits, including China Telecom, who propagated the routes onward • Two hours later Main One Leaked Cloudflare routes along the same transit paths • Would RPKI have helped here? • Assuming this was a path leak, then no, not really
Collateral Damage • June 2019 AS33154 (DQE Communications, US) had a Noction BGP Optimizer that announced a set of more specifics to its customer AS396531 (Allegheny Technologies) who readvertised these routes to AS7012 (Verizon) a Large Tier 1 transit network who was not performing route filtering • A large set of routes were redirected along this mule track detour, including AWS and Cloudflare, causing major disruption • RPKI? Maybe – depends on the use of ROAs with maxlength to reject more specifics
Other Recent Collateral Damage incidents • IBM cloud outage, June 2020 • “external provider leak” • Unnamed external provider, 2+ hours, multiple regions. • RPKI? Possibly, possibly not!
More • TWC, Rogers, Charter, July 2020 • Small ISP deploying “BGP optimisers” leaked routes • Propagated by Telia
Yes, More • Vodafone India prefix leak, April 2021 • 30,000 prefixes mistakenly leaked • Google, Akamai, Edgecast, Deutsche Telekom, TIM, Claro, Orange, Telefonica), Vodafone itself (worldwide) amongst others
Commonalities • Its an indirect sideswipe • But there is still a service loss, loss of business, customer/SLA effects • Yes, some of these could have been avoided by a ROA with careful use of maxlength But • ROAs are universal, not context specific • They don’t come with an “apply here, but not there, sticker” • If ROAs allow you to accept more specifics, then they won’t stop you propagating them onward • But many incidents are policy routing issues relating to leakage, not synthetic routes
Does Network Automation help here? Yes and No • A config change can flip the state of all components of the network all at once – amplifying the potential for a problem to be network wide though just one command transaction • Less margin for error and greater potential for damage. • And automated scripts within these system can generate completely unanticipated outcomes! • Some network managers see the purchase of an automated network management system as a compatible substitute for a skilled workforce • a stunning triumph of unwarranted optimism over reality!
Does RPKI help here? Well, yes sometimes, but its not the full picture: • And adding more moving parts to a complex system does not make it more robust – it often achieves the exact opposite • RPKI uses a single rule set that is applied everywhere – it does not provide context-specific conditional application • Many route leaks are a policy violation, not a protocol violation • And policies are often contextual, not universal • So RPKI won’t catch them • Some of the routing issues are the result of loss of a synchronised forwarding state, and BGP (and RPKI) don’t and can’t enforce synchronicity in state across BGP speakers • We’ve seen “ghost routes” in BGP that have been persistent for years!
So… what’s the answer? • We continue to push larger route sets and larger policy agendas onto the routing system • And because clue is finite, we are automating more and more of network management to make up for a serious skill gap • Which creates brittleness in the routing that is prone to fail in unsafe states that can’t be readily recovered How can we make routing more robust?
Routing is Difficult “The most complicated computation ever attempted by mankind is the global distributed routing algorithm that runs the Internet. In fact, if anybody thought about it very hard, before we started, they would've been too scared to try. Ah, because it runs in near real-time, it's an online algorithm, it runs on a multimillion node multicomputer, of an arbitrary topology, built by lots of people who have never met each other. Right? And, it's a very very complex computation because it's piecewise constructive, there is a lot of local consistency constraints, there is a bunch of global correctness criteria that are occasionally satisfied, and yet the thing mostly works. Which is astounding, when you actually look at what's going on.” Mike O’Dell, 2000 (http://www.dtc.umn.edu/~odlyzko/isources/odell-transcript.txt)
Routing Security is not a solved problem • I’m not sure we really know what we really mean when we talk of routing security • And I’m not sure that operationally focussed piecemeal incrementalism is really helping here with the bigger picture of tackling “routing robustness” and stopping these various routing mishaps • This is remains a problem space that would benefit from further research and experimentation • And research funding of course! J
But there really are some things you should do in routing • SECURE YOUR ROUTERS! • Avoid multi-hop EBGP wherever possible • And if you must multi-hop, use TCP-AO or MD5 to secure the channel • Use an IRR • Yeah, it may seem like a bit of a waste of time, but honestly the rigor of enumerating your routes and keeping these records up to date is worth it even if you are the only user of the IRR entry! • Apply Source filters to prevent source address spoofing • Look at your network from afar – all of the time! • Look at your routes from afar – all of the time!
More BGP Safety First • Rehearse every routing config change • Always have a backout plan prepared • Talk with your BGP peers, upstreams and customers • So at the very least you know how to reach them when you are desperate! • Don’t try and cover up any routing mistakes – be honest and open so that we can all help to clean it up as quickly as possible • And yes, we’ve all been responsible for our share of routing lapses • Certify your resources • Sign ROAs • Filter inbound and outbound routes when you (and your router) feel ready! • Follow the technology yourself • Reliance on vendors to do all the heavy lifting for you is generally a mistake
More safety first Its not directly related to routing, but it really helps your overall security stance • Use a DNSSEC-validating recursive resolver to server your customers • YES, all of the time! • No exceptions • DNSSEC-sign your domain names • Because the worst attacks corrupt the DNS as well as routing
It won’t catch everything • But hopefully you will feel more confident that you can manage your network to provide a stable service • And you will be more confident that you can recover quickly when things don’t quite go as planned!
Thanks!

Recommended

NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 

Recommended

NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
Linx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingLinx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingRussell Heilling
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingAPNIC
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
Security in an IPv6 World - Myth & Reality
Security in an IPv6 World - Myth & RealitySecurity in an IPv6 World - Myth & Reality
Security in an IPv6 World - Myth & RealityChris Grundemann
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Network interview questions
Network interview questionsNetwork interview questions
Network interview questionsrajasekar1712
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 

More Related Content

What's hot

Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
Linx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingLinx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingRussell Heilling
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingAPNIC
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
Security in an IPv6 World - Myth & Reality
Security in an IPv6 World - Myth & RealitySecurity in an IPv6 World - Myth & Reality
Security in an IPv6 World - Myth & RealityChris Grundemann
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Network interview questions
Network interview questionsNetwork interview questions
Network interview questionsrajasekar1712
 

What's hot (20)

Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
Linx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingLinx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell Heilling
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practice
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routing
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
 
Security in an IPv6 World - Myth & Reality
Security in an IPv6 World - Myth & RealitySecurity in an IPv6 World - Myth & Reality
Security in an IPv6 World - Myth & Reality
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 
Network interview questions
Network interview questionsNetwork interview questions
Network interview questions
 

Similar to PacNOG 29: Routing security is more than RPKI

NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
SANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardSANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Four years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijackingFour years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijackingAPNIC
 
AusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
VNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingVNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingAPNIC
 
btNOG 7: Measuring RPKI
btNOG 7: Measuring RPKIbtNOG 7: Measuring RPKI
btNOG 7: Measuring RPKIAPNIC
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingAPNIC
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingAPNIC
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing SecurityRIPE NCC
 

Similar to PacNOG 29: Routing security is more than RPKI (20)

NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)Security
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges
 
SANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardSANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hard
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
Four years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijackingFour years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijacking
 
AusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGP
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKI
 
VNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet RoutingVNIXNOG 2019: Securing Internet Routing
VNIXNOG 2019: Securing Internet Routing
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
btNOG 7: Measuring RPKI
btNOG 7: Measuring RPKIbtNOG 7: Measuring RPKI
btNOG 7: Measuring RPKI
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet Routing
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet Routing
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI Effectiveness
 
Bgp security 2
Bgp security 2Bgp security 2
Bgp security 2
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 

More from APNIC

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 

More from APNIC (20)

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 

Recently uploaded

"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Sareena Khatun
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...kumargunjan9515
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...MOHANI PANDEY
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 

Recently uploaded (20)

"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 

PacNOG 29: Routing security is more than RPKI

  • 1. Routing Security is more than RPKI Geoff Huston AM Chief Scientist, APNIC
  • 2. Don’t stop signing ROAs! • This is not saying RPKI is wrong and you shouldn’t use it • We have only a few tools to help us with keeping routing together, so we shouldn’t let the perfect become the enemy of the good Unless of course the entire Route Refresh story scares you, in which case turning on RoV might not be your best idea you’ve had today! But • If we can’t be honest in appraising the effectiveness of these various approaches then we’ve walked away from evidence-based engineering and headed right into the fantasy marketing department!
  • 3. Don’t stop signing ROAs! • This is not saying RPKI is wrong and you shouldn’t use it • We have only a few tools to help us with keeping routing together, so we shouldn’t let the perfect become the enemy of the good Unless of course the entire Route Refresh story scares you, in which case turning on RoV might not be your best idea you’ve had today! But • If we can’t be honest in appraising the effectiveness of these various approaches then we’ve walked away from evidence-based engineering and headed right into the fantasy marketing department!
  • 4. Routing incidents comes in all shapes and sizes • Some are malicious attacks intended to generate victims • But most are incidents we inflict upon ourselves in various inept and accidental ways
  • 5. What do real routing attacks look like? Ethereum – 2018 • Deliberate attempt to subvert DNS, to take over Ethereum wallets • Subverted routing for Route 53 Authoritative DNS servers via more specific announcements for their own DNS server • This attack used a different origin AS (AS10297), but as it was a more specific prefix, they could’ve faked AS16509 if we were doing origination checks at the time • Replied SERVFAIL for domains it wasn’t attacking • Misdirected DNS for myetherwallet.com to intercepting website • If users clicked through a false SSL warning, then their Ethereum wallet was stolen • This attack could’ve been defeated by: • Users NOT clicking through a bad cert warning • Using DNSSEC signing for the myetherwallet.com domain • Using RPKI ROA with a maxlength parameter
  • 6. What do real routing attacks look like? Lessons: Attacks tend to be multi-part these days • Subvert the infrastructure enough to fool a DNS registrar • Take over the name registration and delegate the name • Re-sign the name with DNSSEC • Grab a cert from an CA • You’re in! • Fool the CA’s tests to get a fake certificate • By a targeted attack on the DNS resolution infrastructure • Then attack routing and use the fake cert to redirect users • You’re in! Attacks are executed very quickly • From the original subversion to trigger the attack to completion is often less than a couple of hours • Anything after that is a bonus Attackers don’t bother to clean up afterwards • Attackers don’t care about certificate transparency, system logs or any other related forensic information • They rely on existing network capabilities to hide their identities
  • 7. And then there are all the rest… • While these attacks get headlines, there are more mundane self-harm incidents in routing that happen all the time
  • 8. We get routing wrong a lot of the time BGPMon report
  • 9. We get routing wrong a lot of the time Annual summary of BGPStream reports
  • 10. And we would all like to handle this better • So we take one or two proto-typical attacks • It’s simpler and focusses the effort to mitigate the issue • We hope that they are good examples of what we are trying to prevent • We design tools to prevent those attacks
  • 11. The Archetypical BGP Incident February 2008
  • 12. How? • AS36561 (YouTube) was announcing 208.65.152.0/22 • AS17557 (Pakistan Telecom) announced 208.65.153.0/24 In BGP more specific prefixes “win” every time – so if a network heard the /24 then it believed it as a refinement to the encompassing /22 This was a failure in filtering. But while (some) ISPs filtered their customers, the practise of applying filters to internal wholesale connections was less common. So the false route propagated and everyone else believed it. My
  • 13. But that was 13 years ago • Are we getting better at filtering? • Not really • February 2021 AS 136168 (Campana MYTHIC) in Myanmar implements a government directive and propagates a more specific of Twitter’s service address (104.244.42.0/24) • Twitter had lodged an RADB entry and filtering on this RADB entry would’ve stopped the false route propagating • Yet the route still propagated outward to AS132132, AS61292, AS4844, AS8106 and AS23673 and onward to ~40 other ASes who don’t filter based on RADB entries
  • 14. Maybe we need more than Route Registries… • We’ve been using Route Registries as the foundation of route filtering since the NSF-funded Routing Arbiter project of the early 90’s • The problem with route registries is that they require intense feeding and watering, as they develop bitrot very quickly • Surely we could use the Awesome Power of Digital Cryptography and automate the heck out of this and not just rely on hand-curated lists and fallible human operators?
  • 15. Meanwhile, over the fence in RIR Land • We were looking at how to provide testable authenticity in supporting whois queries in the address registries • The RIRs were aware that many ISPs used these registries as a source of authenticity to process requests to route BYO prefixes from customers, and ISPs were keen to push the authenticity problem off to literally anyone else! • Maybe we could inject this testable authenticity directly into the routing system to literally make it impossible to lie!
  • 16. All Hail RPKI! • Use the RIR registry as the source of authority • Registry operator “certifies” a resource holder through a public key certificate • Resource holders can digitally sign attestations with their resources • The signature also means that they are acknowledged resource holder and the resource is validly allocated or assigned • Validation of a signature means that the attestation is genuine, complete and current • We can feed this information into the routing system to audit announcements for veracity
  • 17. RPKI, meet BGP! • Separate out origination and propagation and treat them separately
  • 18. RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA)
  • 21. RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA) • Then you assemble these digital authorities and generate a filter list in the router and drop all routing announcements that are invalid
  • 22. Drop RoV-Invalid routes 55% of users 10% of users Internet-wide average 15% of users
  • 23. Drop RoV-Invalid routes 55% of users 10% of users Internet-wide average 15% of users
  • 24. RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA) • Then you assemble these authorities and generate a filter list in the router and drop announcements that are invalid • Propagation
  • 25. RPKI, meet BGP! • Separate out origination and propagation and treat them separately • Origination is protected by using a signed authority issued by the prefix holder to authorise an AS to originate a route or set of routes (ROA) • Then you assemble these authorities and generate a filter list in the router and drop announcements that are invalid • Propagation is a problem • Wholistic approaches that attempt to link the AS path to the propagation of an update (BGPSEC) resist piecemeal deployment and are crypto-intensive – BGPSEC is largely DOA • Piecemeal approaches offer more limited protections that limit the plausibility of some forms of lies
  • 26. RPKI, meet BGP! It’s not an entirely comfortable match • The implicit withdrawal of ROA-invalid routes can cause spurious route refresh operations against your BGP peers • The hop-by hop aspects of BGP (withdrawals, communities) an not possible to validate against an origination “root cause” • Routing is “backwards” • BGP does NOT select the forwarding path • It creates a partial topology by passing reachability in the reverse direction • And that’s all • An AS Path describes the route propagation path, not the packet’s forwarding path • What matters is “forwards” • Our concern is with the forwarding path • And that’s what we can’t check from the routing system
  • 27. So securing routing is hard But its still only part of the picture • What do we see in terms of “incidents” in todays network? • Would RPKI in BGP defend the network from such incidents in any case? • Let’s look at some more examples of incidents and outages that induced routing anomalies
  • 28.
  • 29.
  • 30. Facebook Meta, October 2021 • Lost route to nameservers • Used a single route to all nameservers • Used short cache lifetime DNS records • Lost sight of all 4 anycast nameservers for @facebook.com • Lost access to secure entry tokens in @facebook.com • Even if they’d had DNS, NLRI routes to offline server surface would have looked pretty bad • Web service sending what? • 6-8 hour outage • (5nines is 5min/year unplanned outage, so that’s 72 years of ’credit’ for 5nines!) • Huge amounts of Africa functionally offline for business • WhatsApp for money exchange • 3 billion Facebook users totally disconnected from the platform
  • 31. Own Goal Syndrome Yes, there was a BGP incident • It was a withdrawal that isolated the authoritative nameservers for facebook.com • But it was not an attack • It was an internal operational error • And RPKI/BGPSEC cannot “protect” inadvertent route withdrawals in any case • And the outage was multiplied by the withdrawal of the DNS records because of cache expiry • And made worse because the outage also locked them out of their facilities (!)
  • 32. More recent Own Goals • June 2021 • A certain customer configuration change that was flagged as valid triggered a complete platform crash in their Varnish platform • Varnish is NOT a Fastly-developed platform – it is open source developed by a Norwegian newspaper site • July 2021 • A config change had a format error that disabled the front end load balancer, that disabled their DNS steering and took out the platform • Obviously, not a routing problem
  • 33. Own Goals are insanely common! • But what about collateral damage?
  • 34. Collateral Damage • November 2018, MainOne in Nigeria had a configuration error that leaked ~200 Google Cloud routes to various transits, including China Telecom, who propagated the routes onward • Two hours later Main One Leaked Cloudflare routes along the same transit paths • Would RPKI have helped here? • Assuming this was a path leak, then no, not really
  • 35. Collateral Damage • June 2019 AS33154 (DQE Communications, US) had a Noction BGP Optimizer that announced a set of more specifics to its customer AS396531 (Allegheny Technologies) who readvertised these routes to AS7012 (Verizon) a Large Tier 1 transit network who was not performing route filtering • A large set of routes were redirected along this mule track detour, including AWS and Cloudflare, causing major disruption • RPKI? Maybe – depends on the use of ROAs with maxlength to reject more specifics
  • 36. Other Recent Collateral Damage incidents • IBM cloud outage, June 2020 • “external provider leak” • Unnamed external provider, 2+ hours, multiple regions. • RPKI? Possibly, possibly not!
  • 37. More • TWC, Rogers, Charter, July 2020 • Small ISP deploying “BGP optimisers” leaked routes • Propagated by Telia
  • 38. Yes, More • Vodafone India prefix leak, April 2021 • 30,000 prefixes mistakenly leaked • Google, Akamai, Edgecast, Deutsche Telekom, TIM, Claro, Orange, Telefonica), Vodafone itself (worldwide) amongst others
  • 39. Commonalities • Its an indirect sideswipe • But there is still a service loss, loss of business, customer/SLA effects • Yes, some of these could have been avoided by a ROA with careful use of maxlength But • ROAs are universal, not context specific • They don’t come with an “apply here, but not there, sticker” • If ROAs allow you to accept more specifics, then they won’t stop you propagating them onward • But many incidents are policy routing issues relating to leakage, not synthetic routes
  • 40. Does Network Automation help here? Yes and No • A config change can flip the state of all components of the network all at once – amplifying the potential for a problem to be network wide though just one command transaction • Less margin for error and greater potential for damage. • And automated scripts within these system can generate completely unanticipated outcomes! • Some network managers see the purchase of an automated network management system as a compatible substitute for a skilled workforce • a stunning triumph of unwarranted optimism over reality!
  • 41. Does RPKI help here? Well, yes sometimes, but its not the full picture: • And adding more moving parts to a complex system does not make it more robust – it often achieves the exact opposite • RPKI uses a single rule set that is applied everywhere – it does not provide context-specific conditional application • Many route leaks are a policy violation, not a protocol violation • And policies are often contextual, not universal • So RPKI won’t catch them • Some of the routing issues are the result of loss of a synchronised forwarding state, and BGP (and RPKI) don’t and can’t enforce synchronicity in state across BGP speakers • We’ve seen “ghost routes” in BGP that have been persistent for years!
  • 42. So… what’s the answer? • We continue to push larger route sets and larger policy agendas onto the routing system • And because clue is finite, we are automating more and more of network management to make up for a serious skill gap • Which creates brittleness in the routing that is prone to fail in unsafe states that can’t be readily recovered How can we make routing more robust?
  • 43. Routing is Difficult “The most complicated computation ever attempted by mankind is the global distributed routing algorithm that runs the Internet. In fact, if anybody thought about it very hard, before we started, they would've been too scared to try. Ah, because it runs in near real-time, it's an online algorithm, it runs on a multimillion node multicomputer, of an arbitrary topology, built by lots of people who have never met each other. Right? And, it's a very very complex computation because it's piecewise constructive, there is a lot of local consistency constraints, there is a bunch of global correctness criteria that are occasionally satisfied, and yet the thing mostly works. Which is astounding, when you actually look at what's going on.” Mike O’Dell, 2000 (http://www.dtc.umn.edu/~odlyzko/isources/odell-transcript.txt)
  • 44. Routing Security is not a solved problem • I’m not sure we really know what we really mean when we talk of routing security • And I’m not sure that operationally focussed piecemeal incrementalism is really helping here with the bigger picture of tackling “routing robustness” and stopping these various routing mishaps • This is remains a problem space that would benefit from further research and experimentation • And research funding of course! J
  • 45. But there really are some things you should do in routing • SECURE YOUR ROUTERS! • Avoid multi-hop EBGP wherever possible • And if you must multi-hop, use TCP-AO or MD5 to secure the channel • Use an IRR • Yeah, it may seem like a bit of a waste of time, but honestly the rigor of enumerating your routes and keeping these records up to date is worth it even if you are the only user of the IRR entry! • Apply Source filters to prevent source address spoofing • Look at your network from afar – all of the time! • Look at your routes from afar – all of the time!
  • 46. More BGP Safety First • Rehearse every routing config change • Always have a backout plan prepared • Talk with your BGP peers, upstreams and customers • So at the very least you know how to reach them when you are desperate! • Don’t try and cover up any routing mistakes – be honest and open so that we can all help to clean it up as quickly as possible • And yes, we’ve all been responsible for our share of routing lapses • Certify your resources • Sign ROAs • Filter inbound and outbound routes when you (and your router) feel ready! • Follow the technology yourself • Reliance on vendors to do all the heavy lifting for you is generally a mistake
  • 47. More safety first Its not directly related to routing, but it really helps your overall security stance • Use a DNSSEC-validating recursive resolver to server your customers • YES, all of the time! • No exceptions • DNSSEC-sign your domain names • Because the worst attacks corrupt the DNS as well as routing
  • 48. It won’t catch everything • But hopefully you will feel more confident that you can manage your network to provide a stable service • And you will be more confident that you can recover quickly when things don’t quite go as planned!