SlideShare a Scribd company logo

Developments in Routing Security

RIPE NCC
RIPE NCC

Presentation given by Mirjam Kühne at BCIX Stammtisch 2019, Berlin, Germany on 10 September 2019.

Technology
1 of 28
Download to read offline
Mirjam Kühne | September 2019 | BCIX Developments in Routing Security Slides by Nathalie Trenaman
Mirjam Kühne | September 2019 | BCIX • We manage IP and ASN allocations in Europe, the Middle East and parts of Central Asia - Ensure unique holdership - Document holdership in the RIPE Database (whois) - Enable operators to document use of their address spaces Who We Are !2
Mirjam Kühne | September 2019 | BCIX • In 1994, RIPE-181 was the first document published that used a common language to describe routing policies • We co-developed standards for IRR and RPKI • We are one of the five RPKI Trust Anchors • Our Validator tool was, until recently, the only production- grade tool to do Origin Validation Routing Security is in Our DNA !3
Mirjam Kühne | September 2019 | BCIX !4 Routing on the Internet A
 193.x.x.x B
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” Routing table
 194.x.x.x = B Routing table
 193.x.x.x = A Can I trust B? Is A correct? “BGP protocol”
Mirjam Kühne | September 2019 | BCIX !5 How to Secure Routing? A
 193.x.x.x B
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” Can I trust B? Is A correct? RIPE Database
 A = 193.x.x.x
 B = 194.x.x.x “Internet Routing Registry”
Mirjam Kühne | September 2019 | BCIX • Fat Fingers - 2 and 3 are really close on our keyboards… • Policy violations (leaks) - Oops, we did not want this to go to the public Internet - Infamous incident with Pakistan Telecom and YouTube - https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a- ripe-ncc-ris-case-study Accidents Happen !6
Mirjam Kühne | September 2019 | BCIX • April 2018 - BGP and DNS hijack - Targeting MyEtherWallet - Unnoticed for 2 hours Or Worse… !7
Mirjam Kühne | September 2019 | BCIX • 2018 Routing Security Review - 12.6k incidents - 4.4% of all ASNs affected - 3k ASNs victims of at least one incident - 1.3k ASNs caused at least one incident source: https://www.bgpstream.com/ Incidents Are Common !8
Mirjam Kühne | September 2019 | BCIX • Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE region resources only - RADB allows paying customers to create any object - Lots of other IRRs do not formally verify holdership Internet Routing Registry !9
Mirjam Kühne | September 2019 | BCIX !10 Accuracy - RIPE IRR Accuracy - Valid announcements / covered announcements
Mirjam Kühne | September 2019 | BCIX !11 Accuracy - RADB IRR Accuracy - Valid announcements / covered announcements
Mirjam Kühne | September 2019 | BCIX • RPKI - Ties IP addresses and ASNs to public keys - Follows the hierarchy of the registry • Authorised statements from resource holders - ASN X is authorised to announce my IP Prefix Y - Signed, holder of Y Resource Public Key Infrastructure !12
Mirjam Kühne | September 2019 | BCIX • Operated since 2008 by all RIRs - Community-driven standardisation (IETF) - IRR was not sufficient (incomplete, incorrect) • Adds crypto-security to Internet Number Resources Resource Public Key Infrastructure !13
Mirjam Kühne | September 2019 | BCIX !14 Elements of RPKI Signing Create your ROAs Validating Verifying others
Mirjam Kühne | September 2019 | BCIX !15 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
Mirjam Kühne | September 2019 | BCIX !16 What’s in a ROA Prefix The network for which you are creating the ROA The ASN supposed to be originating the BGP AnnouncementOrigin ASN Max Length The Maximum prefix length accepted for this ROA
Mirjam Kühne | September 2019 | BCIX !17 Route Origin Validation RIPE NCC ARIN APNIC AFRINICLACNIC Validator
Mirjam Kühne | September 2019 | BCIX !18 Route Origin Validation ROA AS111 10.0.7.30/22 AS222 10.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
Mirjam Kühne | September 2019 | BCIX !19 Elements of RPKI ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES ROAs
Mirjam Kühne | September 2019 | BCIX !20 How to create a ROA
Mirjam Kühne | September 2019 | BCIX !21 Number of Certificates RIPE NCC: 8948 APNIC: 2135 LACNIC: 1322 ARIN:705 AFRINIC:218
Mirjam Kühne | September 2019 | BCIX !22 Coverage - RPKI (all RIRs)
Mirjam Kühne | September 2019 | BCIX !23 Accuracy - RPKI (all RIRs) IPv4 addresses in valid announcements / covered announcements
Mirjam Kühne | September 2019 | BCIX !24 RPKI in your region source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html Country % Addreses Accuracy DE 50% 99,9% NL 72% 99,8% FR 74% 100,0% IT 8% 99,9% BE 78% 99,9% AL 52% 99,5% CZ 46% 99,9% HR 18% 100,0% AT 18% 100,0% SK 10% 100,0%
Mirjam Kühne | September 2019 | BCIX • Create your ROAs in the LIR Portal • Pay attention to the Max Length attribute • Download and run a Validator • Check validation status manually, which routes are invalid? • Set up monitoring, for example pmacct • https://github.com/pmacct/ Recommendations to Get Started !25
Mirjam Kühne | September 2019 | BCIX • What breaks if you reject invalid BGP announcements? - “Not all vendors have full RPKI support, or bugs have been reported” - “Mostly nothing” -AT&T - “5 customer calls in 6 months, all resolved quickly” -Dutch medium ISP - “Customers appreciate a provider who takes security seriously” -Dutch medium ISP - “There are many invalids, but very little traffic is impacted” -very large cloud provider Invalid == Reject !26
Mirjam Kühne | September 2019 | BCIX • Is routing security on your agenda? • Initiate the conversation with providers and colleagues https://www.ripe.net/rpki Making the Difference !27 Are you leading by example ?
Questions Mirjam Kühne | September 2019 | BCIX rpki@ripe.net !28

Recommended

RIPE NCC Update
RIPE NCC UpdateRIPE NCC Update
RIPE NCC Update
APNIC
 
Network Automation at Colt
Network Automation at ColtNetwork Automation at Colt
Network Automation at Colt
Colt Technology Services
 
How APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionHow APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaion
APNIC
 
SCF Technologies for Densification (Introduction)
SCF Technologies for Densification (Introduction)SCF Technologies for Densification (Introduction)
SCF Technologies for Densification (Introduction)
Small Cell Forum
 
Make Your Own Meridian Mobile App Workshop #AirheadsConf Italy
Make Your Own Meridian Mobile App Workshop #AirheadsConf ItalyMake Your Own Meridian Mobile App Workshop #AirheadsConf Italy
Make Your Own Meridian Mobile App Workshop #AirheadsConf Italy
Aruba, a Hewlett Packard Enterprise company
 
The business case for SD WAN in the enterprise
The business case for SD WAN in the enterprise The business case for SD WAN in the enterprise
The business case for SD WAN in the enterprise
Colt Technology Services
 
IoT in Action: Architecting, Securing, & Scaling Applications
IoT in Action: Architecting, Securing, & Scaling ApplicationsIoT in Action: Architecting, Securing, & Scaling Applications
IoT in Action: Architecting, Securing, & Scaling Applications
Open Networking Summit
 
Real World Orchestration & Automation
Real World Orchestration & AutomationReal World Orchestration & Automation
Real World Orchestration & Automation
Small Cell Forum
 

Recommended

RIPE NCC Update
RIPE NCC UpdateRIPE NCC Update
RIPE NCC Update
APNIC
 
Network Automation at Colt
Network Automation at ColtNetwork Automation at Colt
Network Automation at Colt
Colt Technology Services
 
How APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionHow APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaion
APNIC
 
SCF Technologies for Densification (Introduction)
SCF Technologies for Densification (Introduction)SCF Technologies for Densification (Introduction)
SCF Technologies for Densification (Introduction)
Small Cell Forum
 
Make Your Own Meridian Mobile App Workshop #AirheadsConf Italy
Make Your Own Meridian Mobile App Workshop #AirheadsConf ItalyMake Your Own Meridian Mobile App Workshop #AirheadsConf Italy
Make Your Own Meridian Mobile App Workshop #AirheadsConf Italy
Aruba, a Hewlett Packard Enterprise company
 
The business case for SD WAN in the enterprise
The business case for SD WAN in the enterprise The business case for SD WAN in the enterprise
The business case for SD WAN in the enterprise
Colt Technology Services
 
IoT in Action: Architecting, Securing, & Scaling Applications
IoT in Action: Architecting, Securing, & Scaling ApplicationsIoT in Action: Architecting, Securing, & Scaling Applications
IoT in Action: Architecting, Securing, & Scaling Applications
Open Networking Summit
 
Real World Orchestration & Automation
Real World Orchestration & AutomationReal World Orchestration & Automation
Real World Orchestration & Automation
Small Cell Forum
 
Insyab Real-Time Streaming Video MANET
Insyab Real-Time Streaming Video MANET Insyab Real-Time Streaming Video MANET
Insyab Real-Time Streaming Video MANET
Ahmed Bader
 
Colt SDN and NFV - The Route to Automation
Colt SDN and NFV - The Route to Automation Colt SDN and NFV - The Route to Automation
Colt SDN and NFV - The Route to Automation
Colt Technology Services
 
CDN Cache Distribution through RINEX
CDN Cache Distribution through RINEXCDN Cache Distribution through RINEX
CDN Cache Distribution through RINEX
Internet Society
 
CNNIC OPM: Global IP address allocation update
CNNIC OPM: Global IP address allocation updateCNNIC OPM: Global IP address allocation update
CNNIC OPM: Global IP address allocation update
APNIC
 
IPv6 and Internet of Things: A Nice Couple
IPv6 and Internet of Things: A Nice CoupleIPv6 and Internet of Things: A Nice Couple
IPv6 and Internet of Things: A Nice Couple
RIPE NCC
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity building
APNIC
 
5G Enablers and Use Cases, an European Pespective
5G Enablers and Use Cases, an European Pespective5G Enablers and Use Cases, an European Pespective
5G Enablers and Use Cases, an European Pespective
Vietnam Open Infrastructure User Group
 
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS CloudCase Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Solo.io
 
NRO Statistics Report
NRO Statistics ReportNRO Statistics Report
NRO Statistics Report
APNIC
 
An Update on Mobility in Today's Internet
An Update on Mobility in Today's InternetAn Update on Mobility in Today's Internet
An Update on Mobility in Today's Internet
APNIC
 
APNIC Update: ARIN 37
APNIC Update: ARIN 37APNIC Update: ARIN 37
APNIC Update: ARIN 37
Bhadrika Magan
 
Whois - Addressing the Asia Pacifc
Whois - Addressing the Asia PacifcWhois - Addressing the Asia Pacifc
Whois - Addressing the Asia Pacifc
APNIC
 
Multi-access Edge Computing (MEC), Nokia
Multi-access Edge Computing (MEC), NokiaMulti-access Edge Computing (MEC), Nokia
Multi-access Edge Computing (MEC), Nokia
Small Cell Forum
 
Parallel Wireless Rural and Remote Case Studies
Parallel Wireless Rural and Remote Case StudiesParallel Wireless Rural and Remote Case Studies
Parallel Wireless Rural and Remote Case Studies
Small Cell Forum
 
Software Telco Congress - NFV and Voice Network as a Service
Software Telco Congress - NFV and Voice Network as a ServiceSoftware Telco Congress - NFV and Voice Network as a Service
Software Telco Congress - NFV and Voice Network as a Service
Alianza
 
Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​
Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​
Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​
Mavenir
 
Service Mesh in the Real World [Raleigh NC Meetup]
Service Mesh in the Real World [Raleigh NC Meetup]Service Mesh in the Real World [Raleigh NC Meetup]
Service Mesh in the Real World [Raleigh NC Meetup]
Solo.io
 
PITA 22: Addressing interconnection and security in the Pacific
PITA 22: Addressing interconnection and security in the PacificPITA 22: Addressing interconnection and security in the Pacific
PITA 22: Addressing interconnection and security in the Pacific
APNIC
 
Self-Driving Networks for Service Delivery
Self-Driving Networks for Service DeliverySelf-Driving Networks for Service Delivery
Self-Driving Networks for Service Delivery
APNIC
 
Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking
Colt Technology Services
 
Developments in Routing Security
Developments in Routing SecurityDevelopments in Routing Security
Developments in Routing Security
RIPE NCC
 
RIPE NCC Data and Tools
RIPE NCC Data and ToolsRIPE NCC Data and Tools
RIPE NCC Data and Tools
RIPE NCC
 

More Related Content

What's hot

Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS CloudCase Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Solo.io
 

What's hot (20)

Insyab Real-Time Streaming Video MANET
Insyab Real-Time Streaming Video MANET Insyab Real-Time Streaming Video MANET
Insyab Real-Time Streaming Video MANET
 
Colt SDN and NFV - The Route to Automation
Colt SDN and NFV - The Route to Automation Colt SDN and NFV - The Route to Automation
Colt SDN and NFV - The Route to Automation
 
CDN Cache Distribution through RINEX
CDN Cache Distribution through RINEXCDN Cache Distribution through RINEX
CDN Cache Distribution through RINEX
 
CNNIC OPM: Global IP address allocation update
CNNIC OPM: Global IP address allocation updateCNNIC OPM: Global IP address allocation update
CNNIC OPM: Global IP address allocation update
 
IPv6 and Internet of Things: A Nice Couple
IPv6 and Internet of Things: A Nice CoupleIPv6 and Internet of Things: A Nice Couple
IPv6 and Internet of Things: A Nice Couple
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity building
 
5G Enablers and Use Cases, an European Pespective
5G Enablers and Use Cases, an European Pespective5G Enablers and Use Cases, an European Pespective
5G Enablers and Use Cases, an European Pespective
 
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS CloudCase Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
Case Study: ParkMobile Builds for Scale with Kubernetes, Gloo and AWS Cloud
 
NRO Statistics Report
NRO Statistics ReportNRO Statistics Report
NRO Statistics Report
 
An Update on Mobility in Today's Internet
An Update on Mobility in Today's InternetAn Update on Mobility in Today's Internet
An Update on Mobility in Today's Internet
 
APNIC Update: ARIN 37
APNIC Update: ARIN 37APNIC Update: ARIN 37
APNIC Update: ARIN 37
 
Whois - Addressing the Asia Pacifc
Whois - Addressing the Asia PacifcWhois - Addressing the Asia Pacifc
Whois - Addressing the Asia Pacifc
 
Multi-access Edge Computing (MEC), Nokia
Multi-access Edge Computing (MEC), NokiaMulti-access Edge Computing (MEC), Nokia
Multi-access Edge Computing (MEC), Nokia
 
Parallel Wireless Rural and Remote Case Studies
Parallel Wireless Rural and Remote Case StudiesParallel Wireless Rural and Remote Case Studies
Parallel Wireless Rural and Remote Case Studies
 
Software Telco Congress - NFV and Voice Network as a Service
Software Telco Congress - NFV and Voice Network as a ServiceSoftware Telco Congress - NFV and Voice Network as a Service
Software Telco Congress - NFV and Voice Network as a Service
 
Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​
Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​
Mavenir: RCS Business Messaging:​ The Key to a Successful Deployment​
 
Service Mesh in the Real World [Raleigh NC Meetup]
Service Mesh in the Real World [Raleigh NC Meetup]Service Mesh in the Real World [Raleigh NC Meetup]
Service Mesh in the Real World [Raleigh NC Meetup]
 
PITA 22: Addressing interconnection and security in the Pacific
PITA 22: Addressing interconnection and security in the PacificPITA 22: Addressing interconnection and security in the Pacific
PITA 22: Addressing interconnection and security in the Pacific
 
Self-Driving Networks for Service Delivery
Self-Driving Networks for Service DeliverySelf-Driving Networks for Service Delivery
Self-Driving Networks for Service Delivery
 
Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking
 

Similar to Developments in Routing Security

Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG
 

Similar to Developments in Routing Security (20)

Developments in Routing Security
Developments in Routing SecurityDevelopments in Routing Security
Developments in Routing Security
 
RIPE NCC Data and Tools
RIPE NCC Data and ToolsRIPE NCC Data and Tools
RIPE NCC Data and Tools
 
Internet Numbers
Internet NumbersInternet Numbers
Internet Numbers
 
Routing and Addressing in 2018
Routing and Addressing in 2018Routing and Addressing in 2018
Routing and Addressing in 2018
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
Increasing Routing Security through RPKI Deployathon
Increasing Routing Security through RPKI DeployathonIncreasing Routing Security through RPKI Deployathon
Increasing Routing Security through RPKI Deployathon
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 
RIPE NCC Operator Tools
RIPE NCC Operator ToolsRIPE NCC Operator Tools
RIPE NCC Operator Tools
 
JANOG 45: prop-132: Policy implementation update
JANOG 45: prop-132: Policy implementation updateJANOG 45: prop-132: Policy implementation update
JANOG 45: prop-132: Policy implementation update
 
Secure Inter-domain Routing with RPKI
Secure Inter-domain Routing with RPKISecure Inter-domain Routing with RPKI
Secure Inter-domain Routing with RPKI
 
Data Virtualisation and API Management United
Data Virtualisation and API Management UnitedData Virtualisation and API Management United
Data Virtualisation and API Management United
 
RPKI
RPKIRPKI
RPKI
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
Core Registry and Related Services
Core Registry and Related ServicesCore Registry and Related Services
Core Registry and Related Services
 
What is new in Core Registry and Related Services
What is new in Core Registry and Related ServicesWhat is new in Core Registry and Related Services
What is new in Core Registry and Related Services
 
What is the RIPE NCC?
What is the RIPE NCC?What is the RIPE NCC?
What is the RIPE NCC?
 
Introduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Developing the RIPE Routing Information System
Developing the RIPE Routing Information SystemDeveloping the RIPE Routing Information System
Developing the RIPE Routing Information System
 
RIPE NCC Data Sets for Researchers
RIPE NCC Data Sets for ResearchersRIPE NCC Data Sets for Researchers
RIPE NCC Data Sets for Researchers
 

More from RIPE NCC

More from RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 
IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

Developments in Routing Security

  • 1. Mirjam Kühne | September 2019 | BCIX Developments in Routing Security Slides by Nathalie Trenaman
  • 2. Mirjam Kühne | September 2019 | BCIX • We manage IP and ASN allocations in Europe, the Middle East and parts of Central Asia - Ensure unique holdership - Document holdership in the RIPE Database (whois) - Enable operators to document use of their address spaces Who We Are !2
  • 3. Mirjam Kühne | September 2019 | BCIX • In 1994, RIPE-181 was the first document published that used a common language to describe routing policies • We co-developed standards for IRR and RPKI • We are one of the five RPKI Trust Anchors • Our Validator tool was, until recently, the only production- grade tool to do Origin Validation Routing Security is in Our DNA !3
  • 4. Mirjam Kühne | September 2019 | BCIX !4 Routing on the Internet A
 193.x.x.x B
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” Routing table
 194.x.x.x = B Routing table
 193.x.x.x = A Can I trust B? Is A correct? “BGP protocol”
  • 5. Mirjam Kühne | September 2019 | BCIX !5 How to Secure Routing? A
 193.x.x.x B
 194.x.x.x B: “I have 194.x.x.x” A: “I have 193.x.x.x” Can I trust B? Is A correct? RIPE Database
 A = 193.x.x.x
 B = 194.x.x.x “Internet Routing Registry”
  • 6. Mirjam Kühne | September 2019 | BCIX • Fat Fingers - 2 and 3 are really close on our keyboards… • Policy violations (leaks) - Oops, we did not want this to go to the public Internet - Infamous incident with Pakistan Telecom and YouTube - https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a- ripe-ncc-ris-case-study Accidents Happen !6
  • 7. Mirjam Kühne | September 2019 | BCIX • April 2018 - BGP and DNS hijack - Targeting MyEtherWallet - Unnoticed for 2 hours Or Worse… !7
  • 8. Mirjam Kühne | September 2019 | BCIX • 2018 Routing Security Review - 12.6k incidents - 4.4% of all ASNs affected - 3k ASNs victims of at least one incident - 1.3k ASNs caused at least one incident source: https://www.bgpstream.com/ Incidents Are Common !8
  • 9. Mirjam Kühne | September 2019 | BCIX • Many exist, most widely used - RIPE Database - RADB • Verification of holdership over resources - RIPE Database for RIPE region resources only - RADB allows paying customers to create any object - Lots of other IRRs do not formally verify holdership Internet Routing Registry !9
  • 10. Mirjam Kühne | September 2019 | BCIX !10 Accuracy - RIPE IRR Accuracy - Valid announcements / covered announcements
  • 11. Mirjam Kühne | September 2019 | BCIX !11 Accuracy - RADB IRR Accuracy - Valid announcements / covered announcements
  • 12. Mirjam Kühne | September 2019 | BCIX • RPKI - Ties IP addresses and ASNs to public keys - Follows the hierarchy of the registry • Authorised statements from resource holders - ASN X is authorised to announce my IP Prefix Y - Signed, holder of Y Resource Public Key Infrastructure !12
  • 13. Mirjam Kühne | September 2019 | BCIX • Operated since 2008 by all RIRs - Community-driven standardisation (IETF) - IRR was not sufficient (incomplete, incorrect) • Adds crypto-security to Internet Number Resources Resource Public Key Infrastructure !13
  • 14. Mirjam Kühne | September 2019 | BCIX !14 Elements of RPKI Signing Create your ROAs Validating Verifying others
  • 15. Mirjam Kühne | September 2019 | BCIX !15 RPKI Chain of Trust ROA signature LIR’s Resources signature public key ALL Resources signature public key
  • 16. Mirjam Kühne | September 2019 | BCIX !16 What’s in a ROA Prefix The network for which you are creating the ROA The ASN supposed to be originating the BGP AnnouncementOrigin ASN Max Length The Maximum prefix length accepted for this ROA
  • 17. Mirjam Kühne | September 2019 | BCIX !17 Route Origin Validation RIPE NCC ARIN APNIC AFRINICLACNIC Validator
  • 18. Mirjam Kühne | September 2019 | BCIX !18 Route Origin Validation ROA AS111 10.0.7.30/22 AS222 10.0.6.10/24 AS333 10.4.17.5/20 AS111 10.0.7.30/22 AS111 10.0.7.30/22 AS111 10.0.7.30/22 BGP Announcements BETTER ROUTING DECISIONS
  • 19. Mirjam Kühne | September 2019 | BCIX !19 Elements of RPKI ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES ROAs
  • 20. Mirjam Kühne | September 2019 | BCIX !20 How to create a ROA
  • 21. Mirjam Kühne | September 2019 | BCIX !21 Number of Certificates RIPE NCC: 8948 APNIC: 2135 LACNIC: 1322 ARIN:705 AFRINIC:218
  • 22. Mirjam Kühne | September 2019 | BCIX !22 Coverage - RPKI (all RIRs)
  • 23. Mirjam Kühne | September 2019 | BCIX !23 Accuracy - RPKI (all RIRs) IPv4 addresses in valid announcements / covered announcements
  • 24. Mirjam Kühne | September 2019 | BCIX !24 RPKI in your region source: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html Country % Addreses Accuracy DE 50% 99,9% NL 72% 99,8% FR 74% 100,0% IT 8% 99,9% BE 78% 99,9% AL 52% 99,5% CZ 46% 99,9% HR 18% 100,0% AT 18% 100,0% SK 10% 100,0%
  • 25. Mirjam Kühne | September 2019 | BCIX • Create your ROAs in the LIR Portal • Pay attention to the Max Length attribute • Download and run a Validator • Check validation status manually, which routes are invalid? • Set up monitoring, for example pmacct • https://github.com/pmacct/ Recommendations to Get Started !25
  • 26. Mirjam Kühne | September 2019 | BCIX • What breaks if you reject invalid BGP announcements? - “Not all vendors have full RPKI support, or bugs have been reported” - “Mostly nothing” -AT&T - “5 customer calls in 6 months, all resolved quickly” -Dutch medium ISP - “Customers appreciate a provider who takes security seriously” -Dutch medium ISP - “There are many invalids, but very little traffic is impacted” -very large cloud provider Invalid == Reject !26
  • 27. Mirjam Kühne | September 2019 | BCIX • Is routing security on your agenda? • Initiate the conversation with providers and colleagues https://www.ripe.net/rpki Making the Difference !27 Are you leading by example ?
  • 28. Questions Mirjam Kühne | September 2019 | BCIX rpki@ripe.net !28