ESNOG 29-Alvaro_Vives-Routing_Security.pdf
•
0 likes•34 views
Presentation given by Alvaro Vives at ESNOG 29 in Madrid, Spain on 19 May 2023
Recommended
More Related Content
Similar to ESNOG 29-Alvaro_Vives-Routing_Security.pdf
Similar to ESNOG 29-Alvaro_Vives-Routing_Security.pdf (20)
More from RIPE NCC
More from RIPE NCC (20)
Recently uploaded
Recently uploaded (11)
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
- 1. ESNOG 29 | 19 May 2023 Alvaro Vives RIPE NCC BGP Routing Security: Update and Stats
- 2. 2 What is the RIPE NCC? RIR = Regional Internet Registry • Not-for-pro fi t organisation • Funded by membership fees • Policies developed by regional communities • Neutral, impartial, open, and transparent
- 3. 3 • Origin Hijack • RPKI • Stats for Spain
- 4. ACADEMY BGP Security E-learning Course academy.ripe.net/bgp-security/ Free online course Interactive, you can study at your own pace Practical lab environment and activities
- 5. 5 April 2018: Amazon-MyEtherWallet • BGP hijack of Amazon DNS • How did it happen? • Why? To steal cryptocurrency 5 BGP hijack What is myetherwallet.com? root .com myetherwallet.com is now in eastern Ukraine Imposter website Recursive DNS server Legitimate Authoritative DNS server Imposter Authoritative DNS server
- 6. 6 Origin Hijack: Same Pre fi x AS3 AS5 AS2 AS1 AS6 AS4 P/32, AS1 Pre fi x-P, 2001:db8::/32 P/32, AS2 AS1 P/32, AS3 AS2 AS1 P/32, AS5 P/32, AS6 AS5 This is a local hijack! Only some networks are affected based on BGP path selection process.
- 7. 7 Origin Hijack: More Speci fi c Pre fi x AS3 AS5 AS2 AS1 AS6 AS4 P/32, AS1 Pre fi x-P, 2001:db8::/32 P/32, AS2 AS1 P/32, AS3 AS2 AS1 P/48, AS5 P/48, AS6 AS5 This is a global hijack! All traf fi c for more speci fi c will be forwarded to the attacker’s network network.
- 8. 8
- 9. Resource Public Key Infrastructure 9 What is RPKI? • A security framework using Public Key Infrastructure and Resource certi fi cation (X.509 PKI certi fi cates) for BGP route origin validation (ROV) • Allows resource (IPs) holders to prove ownership, and create authorisations (ROAs) • ASNs can use ROAs to validate the origin of BGP announcements - Is the originating ASN authorised to originate a particular pre fi x?
- 10. 10 How does it work? You create an authorised statement for your pre fi x I have pre fi x Y! BGP announcement Authorised statement Sign Others use those statements to make better routing decisions! Pre fi x Y, AS300 AS300 Pre fi x Y Publish 4 Prefix Y ASN 300 is authorised to announce my prefix Y ASN 300 is authorised to announce my prefix Y RPKI Repository AS100 AS200 AS300 1 2 3 4
- 11. + SIGNING VALIDATION Create ROAs for your prefixes in the RPKI system Verify the information provided by others 11 Elements of RPKI • RPKI system consists of two parts…
- 12. 12 Trust in RPKI • RPKI relies on fi ve RIRs as Trust Anchors • Certi fi cate structure follows the RIR hierarchy • RIRs issue certi fi cates to resource holders ARIN APNIC RIPE NCC AFRINIC LACNIC LIR LIR LIR ROA ROA RIR Root CA Member CA Authorised Statements IANA RIRs LIRs End Users End Users
- 13. RPKI Chain of Trust ROA LIR Certificate Digital Signature Root Certificate Public Key All Resources LIR’s Resources Self-sign Root’s private key Signed by Root’s private key Signed by LIR’s private key Sign Sign Digital Signature Digital Signature Public Key
- 14. ROA 2001:db8::/48 /48 AS65536 Prefix Origin ASN Max Length 14 What are ROAs? • An authorised statement created by the resource holder • States that a certain pre fi x can be originated by a certain AS • LIRs can create ROAs for their resources • Multiple ROAs can exist for the same pre fi x • ROAs can overlap
- 15. 15 How to create a ROA? • Login to LIR Portal (my.ripe.net) • Go to the RPKI Dashboard • Choose which RPKI model to use Hosted Delegated
- 16. 16 Hosted RPKI RIPE NCC Hosted System RIPE NCC ROA ROA LIR ROA • ROAs are created and published using the RIR’s member portal • RIR hosts a CA (Certi fi cation Authority) for LIRs and signs all ROAs • Automated signing and key rollovers
- 17. 17 Delegated RPKI ROA ROA LIR LIR CA RIPE NCC Hosted System RIPE NCC ROA ROA LIR ROA • Each LIR manages its part of the RPKI system - Runs its own CA as a child of the RIR - Manages keys/key rollovers - Creates, signs and publishes ROAs • Certi fi cate Authority (CA) Software - Krill (NLnet Labs) - rpkid (Dragon Research Labs)
- 18. 18 Publication as a Service ROA ROA LIR LIR CA ROA ROA RIPE NCC Hosted System RIPE NCC ROA ROA LIR ROA • In-between Hosted and Delegated - Runs its own CA as a child of the RIR - Manages keys/key rollovers and ROAs - Maintain key pairs and objects and send them to RIR - RIR publishes ROAs on behalf of LIR • Also APNIC, ARIN, RIPE NCC, NIRs • AKA “Publication in parent” or “Hybrid RPKI”
- 19. + SIGNING VALIDATION Create ROAs for your prefixes in the RPKI system Verify the information provided by others 19 Elements of RPKI • RPKI system consists of two parts…
- 20. 20 RPKI Validation • Verifying the information provided by others - Proves holdership through a public key and certi fi cate infrastructure • In order to validate RPKI data, you need to … - install a validator software locally in your network • Goal is to validate the “origin of BGP announcements” - Known as BGP Origin Validation (BGP OV) or Route Origin Validation (ROV)
- 21. • Connects to RPKI repositories via rsync or RRDP protocol • Uses TALs to connect to the repositories and download ROAs • Validates chain of trust for all ROAs and associated CAs • Creates a local “validated cache” with all the valid ROAs RPKI Validator
- 22. 22 ROA Validation Process ELSE validation is unsuccessful, ROA is INVALID! IF chain is complete, it means ROA is VALID! ROA LIR Certificate Digital Signature Root Certificate Public Key Self-signed Digital Signature Digital Signature Public Key
- 23. 23 Valid ROAs Are Sent to the Router! Router uses this information to make better routing decisions! External Repositories RIPE NCC ARIN APNIC Validator RPKI Repositories Validated Cache rsync/RRDP RPKI-RTR LACNIC AFRINIC ROAs AS65500 BGP Update 2001:db8:1000::/48, AS65500 VALID OR INVALID
- 24. 24
- 25. 25 RPKI Validators are Mature • Much better than 5 years ago • Installation, con fi guration, documentation is way better • Big research work on vulnerabilities in 2021 - Multiple fi xes in all validators, mostly addressing potential DoS attacks - Source: https://arxiv.org/pdf/2203.00993.pdf
- 26. 26 Run Different Validators RIPE NCC RPKI Validator: STOP USING IT IF YOU STILL DO Source (13/5/23): https://rov-measurements.nlnetlabs.net/stats/ Validator Number (13/5/23) % Routinator 2297 79% rpki-client 253 9% OctoRPKI 181 6% FORT 91 3% Validator 87 3% Other 6 0%
- 27. 27 RPKI Validator Options • Routinator - Built by NLNetlabs • OctoRPKI - Cloud fl are’s relying party software • FORT - Open source RPKI validator • rpki-client - Integrated in OpenBsd Links for RPKI Validators https://github.com/NLnetLabs/routinator.git https://github.com/cloud fl are/cfrpki#octorpki https://github.com/NICMx/FORT-validator/ https://www.rpki-client.org/ https://rpki.readthedocs.io For more info…
- 28. 28 Steady growth: Adoption and ROAs Source (14/5/23): https://certi fi cation-stats.ripe.net/
- 29. 29 Adoption per RIR Source (14/5/23): https://ftp.ripe.net/pub/stats/ripencc/nro-adoption/latest/ RIR IPv4 Addr. Space IPv6 Addr. Space APNIC 33% 23% RIPE NCC 61% 37% LACNIC 42% 23% ARIN 29% 35% AFRINIC 25% 7%
- 30. 30
- 31. 31
- 32. 32
- 33. 33
- 34. Fin Ende Kpaj Konec Son Fine Pabaiga Einde Fim Finis Koniec Lõpp Kрай Sfârşit Конeц Kraj Vége Kiнець Slutt Loppu Τέλος Y Diwedd Amaia Tmiem Соңы Endir Slut Liðugt An Críoch Fund הסוף Fí Ënn Finvezh Beigas վերջ დასასრული النهاية پایان
- 35. Questions