SlideShare a Scribd company logo

Routing Security, Another Elephant in the Room

RIPE NCC
RIPE NCC

Presentation given by Alex Semenyaka at BHNOG0 in Sarajevo, Bosnia and Herzegovina on 29 March 2023

Technology
1 of 31
Download to read offline
Routing security, another elephant in the room Alex Semenyaka | BHNOG | March 22, 2023
Alex Semenyaka | BHNOG | March 22, 2023 Border Gateway Protocol • To reveal routes in the Internet, the Border Gateway Protocol (BGP) was invented • Created in 1989 (RFC 1105) • Current BGP version (BGPv4) was released in 1994 • BGP was never created with the security in mind - The first major incident (AS 7007 incident): April 25, 1997 2
Alex Semenyaka | BHNOG | March 22, 2023 Border Gateway Protocol • To reveal routes in the Internet, the Border Gateway Protocol (BGP) was invented • Created in 1989 (RFC 1105) • Current BGP version (BGPv4) was released in 1994 • BGP was never created with the security in mind - The first major incident (AS 7007 incident): April 25, 1997 3 just 3 years
Alex Semenyaka | BHNOG | March 22, 2023 BGP Security • Alas, BGP was never created with the security in mind • BGP runs on a huge number of different devices, so it is difficult to quickly implement changes to the protocol • Improvements to the BGP security model have been going on for a long time - …but the legacy design problems are still many 4
Alex Semenyaka | BHNOG | March 22, 2023 Basic scenarios: prefix hijack 5 • “Ideal Denial-of- Service attack”: - no victim's resources are exhausted - all systems appear to be functioning normally - no accessibility from the world. • Maybe not the victim itself is attacked, but the infrastructure part (e.g., DNS server)
Alex Semenyaka | BHNOG | March 22, 2023 Basic scenarios: intentional route leak 6 • Ability to inspect the victim's traffic • Significant deterioration in the quality of service • Even harder to detect
Alex Semenyaka | BHNOG | March 22, 2023 The problem overview • Any AS can announce any pre fi x • Anyone can prepend any ASN to the BGP path • BGP announcements are accepted without validation • BGP packets are transmitted without any encryption or authentication mechanisms • No single authoritative source for who should be doing what 7
Alex Semenyaka | BHNOG | March 22, 2023 Sometimes it happens accidentally! • Typing errors - Also known as “fat fi ngers syndrome” - May cause mis-origination • Con fi guration errors - Faulty BGP fi lter con fi guration - AS path prepending mistakes - Cause routing policy violations and unintentional route leaks/pre fi x hijacks • Equipment malfunctioning 8
Alex Semenyaka | BHNOG | March 22, 2023 Malicious opportunities • The perfect DDoS - The victim has plenty of resources, but nothing works • Traffic surveillance - Encryption only protects data, but metadata can often be recovered or even surveilled • Identity theft - As an example, an attacker issues new TLS certificates, which can then be used for MitM attacks with full traffic disclosure • Digital Assets Theft • Etc. 9
Alex Semenyaka | BHNOG | March 22, 2023 Some examples • 2003,2008 - hijacking DoD USA address space to send spam • 2005 - hijacking the address space of Google blocked their services for 1 hour • 2007 - use of BGP to create fake root DNS servers • 2013 - DDoS attack by hosting company Cyberbunker on Spamhaus using BGP • 2014, 2018 - Theft of mined cryptocurrency through fake BGP announcements • 2017 - A BGP configuration error on the Google network caused the whole of Japan to lose connectivity with the rest of the world for about 30 minutes • 2019 - an attack on the national DNS of several countries led to the interception of the traffic of many organizations, obtaining logins and passwords to their systems 10
Alex Semenyaka | BHNOG | March 22, 2023 Statistics from Qrator Labs 11
Countermeasures Today and tomorrow
Alex Semenyaka | BHNOG | March 22, 2023 Existing approaches • Internet Routing Registries (IRR) Data • RPKI Framework - ROA - ASPA • BGPSEC • BGP Roles • Incidents detection 13
Alex Semenyaka | BHNOG | March 22, 2023 Can Internet Routing Registries help? 14 (From RPKI RIPE Training Course)
Alex Semenyaka | BHNOG | March 22, 2023 Can Internet Routing Registries help? 15 (From RPKI RIPE Training Course) That is, not really
Alex Semenyaka | BHNOG | March 22, 2023 Can Internet Routing Registries help? 16 (From RPKI RIPE Training Course) That is, not really •However, IRR data are important for other purposes •And in any case, the defense must be echeloned. Please, do use IRR!
Alex Semenyaka | BHNOG | March 22, 2023 That’s why RPKI was invented • RPKI is… - A resource certification (well familiar X.509 PKI certificates) - A security framework (extendable and flexible) • The currently implemented part of the RPKI is ROA - ROA = Route Origin Authorisation - verifying the right of an autonomous system to announce that it has a certain prefix • Next step: ASPA - verifying the sequence of ASes along the path 17
Alex Semenyaka | BHNOG | March 22, 2023 How does ROA work? 18 Ties IP addresses and ASNs to public keys Follow the RIR hierarchy, forming chains of trust (think HTTPS) Authorised statements from resource holders • “ASN X” is authorised to announce my prefix Y • Signed, holder of Y
Alex Semenyaka | BHNOG | March 22, 2023 How does ROA help with routing security? • Used to validate the origin of BGP announcements - Is the originating ASN authorised to originate this particular pre fi x? • Has two parts: - Signing own pre fi xes - Veri fi cation of others' announcements • Not a silver bullet - Helps address a limited set of violation scenarios 19
Alex Semenyaka | BHNOG | March 22, 2023 ASPA (AS Path Authorization) • Still a draft (current state: draft-ietf-sidrops-aspa-verification-05) • New element of the RPKI Framework • Uses the same technique to tie adjacencies in the AS PATH using security certificates - Holders of autonomous systems describe links with their neighbors and sign this information with their keys - Thus, it is possible to validate the AS PATH attribute (fully or partially) • Being combined with ROA and BGP roles covers the vast majority of the violation scenarios - 925 sterling silver bullet 🙂 20
Alex Semenyaka | BHNOG | March 22, 2023 BGPSEC • RFC Since 2017: RFC8205 • Uses RPKI certificates but is not a part of the RPKI framework • Uses a new, signed PATH attribute and verifies the signatures in each UPDATE message • There is a fallback to plain BGP if a peer along the way does not support BGPSEC • However, the real effect could be achieved only if all BGP speakers support BGPSEC 21
Alex Semenyaka | BHNOG | March 22, 2023 BGPSEC issues • It is a silver bullet, but at the moment, it is a really, really slow bullet • Today it takes many hours to establish a BGP session - The double fault probability is too high now - The risk is unacceptable, and had to be mitigated 22 More uplinks => extra $$ While one session is being re-established, the second session is switched to plain BGP Incorrect routing information can now be injected without checks Implementation: volumetric DDoS to the first interface + later injecting malicious routes through the second one
Alex Semenyaka | BHNOG | March 22, 2023 BGPSEC issues • It is a silver bullet, but at the moment, it is a really, really slow bullet • Today it takes many hours to establish a BGP session - The double fault probability is too high now - The risk is unacceptable, and had to be mitigated 23 More uplinks => extra $$ While one session is being re-established, the second session is switched to plain BGP Incorrect routing information can now be injected without checks Implementation: volumetric DDoS to the first interface + later injecting malicious routes through the second one In future, it can change When equipment is fast enough, BGPSEC is going to jump in.
Alex Semenyaka | BHNOG | March 22, 2023 BGP Roles • A fresh RFC: RFC 9234 • Defines roles of the BGP session participants: - Provider, Customer, RS, RS-Client, Peer • BGP Only to Customer (OTC) Attribute • Easy to implement and to deploy • Also not a silver bullet: - Demonstrates the nature of the relationship between companies ‣ Their disclosure may be highly undesirable from a commercial point of view - Helps address a limited set of violation scenarios 24
Alex Semenyaka | BHNOG | March 22, 2023 Incidents detection • So far, reliable measures to prevent routing incidents are not implemented in the equipment • Therefore, it is still important to be able to identify such events and work them out manually • There are different tools to address that, and their usage must be integrated into network operation processes - RIPE RIS, RIPEStat - A.R.T.E.M.I.S as a stand-alone product - Qrator Radar - … • More algorithms to come - draft-ietf-grow-route-leak-detection-mitigation-00 as an example 25
Alex Semenyaka | BHNOG | March 22, 2023 Intermediate conclusion • RPKI is really important now • Although it does not currently cover all scenarios, experience is being gained in its operation • Robust approaches of the future will use RPKI in one way or another 26
Alex Semenyaka | BHNOG | March 22, 2023 The global overview (NIST data) 27 IPv4 IPv6
Alex Semenyaka | BHNOG | March 22, 2023 ROA Signing in Bosnia i Herzegovina 28 IPv4 IPv6
Alex Semenyaka | BHNOG | March 22, 2023 Some observations • The ratio of signed IPv4 prefixes in Bosnia i Herzegovina is not bad at all! • However, for IPv6 it is below the world average - Do IPv6 enthusiasts and RPKI enthusiasts have little overlap? - Signing IPv4 networks is no different from signing IPv6 networks! 29
Alex Semenyaka | BHNOG | March 22, 2023 Last but not least • If you want to know how to deal with routing security, contact us! • We have our educational programs - Face-to-face training courses - https://learning.ripe.net/w/courses/cat-16-training-courses/ - Webinars - https://learning.ripe.net/w/webinars/ - RIPE Academy - https://academy.ripe.net/ 30
Alex Semenyaka | BHNOG | March 22, 2023 The dark side of the Moon • Signing your prefixes is only half the battle: It is also necessary to check other people's signatures • Unfortunately, it is not possible to determine this fact from the outside, so there is no relevant statistics 31 Questions ? asemenyaka@ripe.net

Recommended

BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC
 
PLNOG 31 Alena Muravska 2023.pdf
PLNOG 31 Alena Muravska 2023.pdfPLNOG 31 Alena Muravska 2023.pdf
PLNOG 31 Alena Muravska 2023.pdfRIPE NCC
 
RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)RIPE NCC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Managing the network of networks
Managing the network of networksManaging the network of networks
Managing the network of networksRIPE NCC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 

Recommended

BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC
 
PLNOG 31 Alena Muravska 2023.pdf
PLNOG 31 Alena Muravska 2023.pdfPLNOG 31 Alena Muravska 2023.pdf
PLNOG 31 Alena Muravska 2023.pdfRIPE NCC
 
RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)RIPE NCC RIS (Routing Information Service)
RIPE NCC RIS (Routing Information Service)RIPE NCC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Managing the network of networks
Managing the network of networksManaging the network of networks
Managing the network of networksRIPE NCC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKIAPNIC
 
Tracking network evolution process with netTransformer & Bulgarian Internet B...
Tracking network evolution process with netTransformer & Bulgarian Internet B...Tracking network evolution process with netTransformer & Bulgarian Internet B...
Tracking network evolution process with netTransformer & Bulgarian Internet B...iTransformers
 
Securing BGP
Securing BGPSecuring BGP
Securing BGPRIPE NCC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net ToolsBangladesh Network Operators Group
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial Bangladesh Network Operators Group
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
 
BGP hijacks and leaks
BGP hijacks and leaksBGP hijacks and leaks
BGP hijacks and leaksRedge Technologies
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC
 
RIPE NCC Operations and Analysis Tools
RIPE NCC Operations and Analysis ToolsRIPE NCC Operations and Analysis Tools
RIPE NCC Operations and Analysis ToolsRIPE NCC
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoSFakrul Alam
 
Community Tools to Fight Against DDoS
Community Tools to Fight Against DDoS Community Tools to Fight Against DDoS
Community Tools to Fight Against DDoS Bangladesh Network Operators Group
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateAPNIC
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715APNIC
 
Recent Developments in RPKI
Recent Developments in RPKIRecent Developments in RPKI
Recent Developments in RPKIRIPE NCC
 
npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing APNIC
 
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyConnecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyKittinan Sriprasert
 
Rapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesRapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesAPNIC
 
Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 

More Related Content

Similar to Routing Security, Another Elephant in the Room

Tracking network evolution process with netTransformer & Bulgarian Internet B...
Tracking network evolution process with netTransformer & Bulgarian Internet B...Tracking network evolution process with netTransformer & Bulgarian Internet B...
Tracking network evolution process with netTransformer & Bulgarian Internet B...iTransformers
 
Securing BGP
Securing BGPSecuring BGP
Securing BGPRIPE NCC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC
 
RIPE NCC Operations and Analysis Tools
RIPE NCC Operations and Analysis ToolsRIPE NCC Operations and Analysis Tools
RIPE NCC Operations and Analysis ToolsRIPE NCC
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoSFakrul Alam
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateAPNIC
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715APNIC
 
Recent Developments in RPKI
Recent Developments in RPKIRecent Developments in RPKI
Recent Developments in RPKIRIPE NCC
 
npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing APNIC
 
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyConnecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyKittinan Sriprasert
 
Rapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesRapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesAPNIC
 

Similar to Routing Security, Another Elephant in the Room (20)

Tracking network evolution process with netTransformer & Bulgarian Internet B...
Tracking network evolution process with netTransformer & Bulgarian Internet B...Tracking network evolution process with netTransformer & Bulgarian Internet B...
Tracking network evolution process with netTransformer & Bulgarian Internet B...
 
Securing BGP
Securing BGPSecuring BGP
Securing BGP
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
 
BGP hijacks and leaks
BGP hijacks and leaksBGP hijacks and leaks
BGP hijacks and leaks
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
RIPE NCC Operations and Analysis Tools
RIPE NCC Operations and Analysis ToolsRIPE NCC Operations and Analysis Tools
RIPE NCC Operations and Analysis Tools
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoS
 
Community Tools to Fight Against DDoS
Community Tools to Fight Against DDoS Community Tools to Fight Against DDoS
Community Tools to Fight Against DDoS
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An Update
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715
 
Recent Developments in RPKI
Recent Developments in RPKIRecent Developments in RPKI
Recent Developments in RPKI
 
npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing npNOG 5: Securing Internet Routing
npNOG 5: Securing Internet Routing
 
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case StudyConnecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
Connecting Last Mile ISPs to Internet Exchange Points- BKNIX Case Study
 
Rapid Detection of BGP Anomalies
Rapid Detection of BGP AnomaliesRapid Detection of BGP Anomalies
Rapid Detection of BGP Anomalies
 

More from RIPE NCC

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in TechRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfRIPE NCC
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsRIPE NCC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing SecurityRIPE NCC
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfRIPE NCC
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasRIPE NCC
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet InfrastructureRIPE NCC
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenRIPE NCC
 
IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)RIPE NCC
 
Finland Internet Country Report
Finland Internet Country ReportFinland Internet Country Report
Finland Internet Country ReportRIPE NCC
 

More from RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 
IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)
 
Finland Internet Country Report
Finland Internet Country ReportFinland Internet Country Report
Finland Internet Country Report
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Routing Security, Another Elephant in the Room

  • 1. Routing security, another elephant in the room Alex Semenyaka | BHNOG | March 22, 2023
  • 2. Alex Semenyaka | BHNOG | March 22, 2023 Border Gateway Protocol • To reveal routes in the Internet, the Border Gateway Protocol (BGP) was invented • Created in 1989 (RFC 1105) • Current BGP version (BGPv4) was released in 1994 • BGP was never created with the security in mind - The first major incident (AS 7007 incident): April 25, 1997 2
  • 3. Alex Semenyaka | BHNOG | March 22, 2023 Border Gateway Protocol • To reveal routes in the Internet, the Border Gateway Protocol (BGP) was invented • Created in 1989 (RFC 1105) • Current BGP version (BGPv4) was released in 1994 • BGP was never created with the security in mind - The first major incident (AS 7007 incident): April 25, 1997 3 just 3 years
  • 4. Alex Semenyaka | BHNOG | March 22, 2023 BGP Security • Alas, BGP was never created with the security in mind • BGP runs on a huge number of different devices, so it is difficult to quickly implement changes to the protocol • Improvements to the BGP security model have been going on for a long time - …but the legacy design problems are still many 4
  • 5. Alex Semenyaka | BHNOG | March 22, 2023 Basic scenarios: prefix hijack 5 • “Ideal Denial-of- Service attack”: - no victim's resources are exhausted - all systems appear to be functioning normally - no accessibility from the world. • Maybe not the victim itself is attacked, but the infrastructure part (e.g., DNS server)
  • 6. Alex Semenyaka | BHNOG | March 22, 2023 Basic scenarios: intentional route leak 6 • Ability to inspect the victim's traffic • Significant deterioration in the quality of service • Even harder to detect
  • 7. Alex Semenyaka | BHNOG | March 22, 2023 The problem overview • Any AS can announce any pre fi x • Anyone can prepend any ASN to the BGP path • BGP announcements are accepted without validation • BGP packets are transmitted without any encryption or authentication mechanisms • No single authoritative source for who should be doing what 7
  • 8. Alex Semenyaka | BHNOG | March 22, 2023 Sometimes it happens accidentally! • Typing errors - Also known as “fat fi ngers syndrome” - May cause mis-origination • Con fi guration errors - Faulty BGP fi lter con fi guration - AS path prepending mistakes - Cause routing policy violations and unintentional route leaks/pre fi x hijacks • Equipment malfunctioning 8
  • 9. Alex Semenyaka | BHNOG | March 22, 2023 Malicious opportunities • The perfect DDoS - The victim has plenty of resources, but nothing works • Traffic surveillance - Encryption only protects data, but metadata can often be recovered or even surveilled • Identity theft - As an example, an attacker issues new TLS certificates, which can then be used for MitM attacks with full traffic disclosure • Digital Assets Theft • Etc. 9
  • 10. Alex Semenyaka | BHNOG | March 22, 2023 Some examples • 2003,2008 - hijacking DoD USA address space to send spam • 2005 - hijacking the address space of Google blocked their services for 1 hour • 2007 - use of BGP to create fake root DNS servers • 2013 - DDoS attack by hosting company Cyberbunker on Spamhaus using BGP • 2014, 2018 - Theft of mined cryptocurrency through fake BGP announcements • 2017 - A BGP configuration error on the Google network caused the whole of Japan to lose connectivity with the rest of the world for about 30 minutes • 2019 - an attack on the national DNS of several countries led to the interception of the traffic of many organizations, obtaining logins and passwords to their systems 10
  • 11. Alex Semenyaka | BHNOG | March 22, 2023 Statistics from Qrator Labs 11
  • 13. Alex Semenyaka | BHNOG | March 22, 2023 Existing approaches • Internet Routing Registries (IRR) Data • RPKI Framework - ROA - ASPA • BGPSEC • BGP Roles • Incidents detection 13
  • 14. Alex Semenyaka | BHNOG | March 22, 2023 Can Internet Routing Registries help? 14 (From RPKI RIPE Training Course)
  • 15. Alex Semenyaka | BHNOG | March 22, 2023 Can Internet Routing Registries help? 15 (From RPKI RIPE Training Course) That is, not really
  • 16. Alex Semenyaka | BHNOG | March 22, 2023 Can Internet Routing Registries help? 16 (From RPKI RIPE Training Course) That is, not really •However, IRR data are important for other purposes •And in any case, the defense must be echeloned. Please, do use IRR!
  • 17. Alex Semenyaka | BHNOG | March 22, 2023 That’s why RPKI was invented • RPKI is… - A resource certification (well familiar X.509 PKI certificates) - A security framework (extendable and flexible) • The currently implemented part of the RPKI is ROA - ROA = Route Origin Authorisation - verifying the right of an autonomous system to announce that it has a certain prefix • Next step: ASPA - verifying the sequence of ASes along the path 17
  • 18. Alex Semenyaka | BHNOG | March 22, 2023 How does ROA work? 18 Ties IP addresses and ASNs to public keys Follow the RIR hierarchy, forming chains of trust (think HTTPS) Authorised statements from resource holders • “ASN X” is authorised to announce my prefix Y • Signed, holder of Y
  • 19. Alex Semenyaka | BHNOG | March 22, 2023 How does ROA help with routing security? • Used to validate the origin of BGP announcements - Is the originating ASN authorised to originate this particular pre fi x? • Has two parts: - Signing own pre fi xes - Veri fi cation of others' announcements • Not a silver bullet - Helps address a limited set of violation scenarios 19
  • 20. Alex Semenyaka | BHNOG | March 22, 2023 ASPA (AS Path Authorization) • Still a draft (current state: draft-ietf-sidrops-aspa-verification-05) • New element of the RPKI Framework • Uses the same technique to tie adjacencies in the AS PATH using security certificates - Holders of autonomous systems describe links with their neighbors and sign this information with their keys - Thus, it is possible to validate the AS PATH attribute (fully or partially) • Being combined with ROA and BGP roles covers the vast majority of the violation scenarios - 925 sterling silver bullet 🙂 20
  • 21. Alex Semenyaka | BHNOG | March 22, 2023 BGPSEC • RFC Since 2017: RFC8205 • Uses RPKI certificates but is not a part of the RPKI framework • Uses a new, signed PATH attribute and verifies the signatures in each UPDATE message • There is a fallback to plain BGP if a peer along the way does not support BGPSEC • However, the real effect could be achieved only if all BGP speakers support BGPSEC 21
  • 22. Alex Semenyaka | BHNOG | March 22, 2023 BGPSEC issues • It is a silver bullet, but at the moment, it is a really, really slow bullet • Today it takes many hours to establish a BGP session - The double fault probability is too high now - The risk is unacceptable, and had to be mitigated 22 More uplinks => extra $$ While one session is being re-established, the second session is switched to plain BGP Incorrect routing information can now be injected without checks Implementation: volumetric DDoS to the first interface + later injecting malicious routes through the second one
  • 23. Alex Semenyaka | BHNOG | March 22, 2023 BGPSEC issues • It is a silver bullet, but at the moment, it is a really, really slow bullet • Today it takes many hours to establish a BGP session - The double fault probability is too high now - The risk is unacceptable, and had to be mitigated 23 More uplinks => extra $$ While one session is being re-established, the second session is switched to plain BGP Incorrect routing information can now be injected without checks Implementation: volumetric DDoS to the first interface + later injecting malicious routes through the second one In future, it can change When equipment is fast enough, BGPSEC is going to jump in.
  • 24. Alex Semenyaka | BHNOG | March 22, 2023 BGP Roles • A fresh RFC: RFC 9234 • Defines roles of the BGP session participants: - Provider, Customer, RS, RS-Client, Peer • BGP Only to Customer (OTC) Attribute • Easy to implement and to deploy • Also not a silver bullet: - Demonstrates the nature of the relationship between companies ‣ Their disclosure may be highly undesirable from a commercial point of view - Helps address a limited set of violation scenarios 24
  • 25. Alex Semenyaka | BHNOG | March 22, 2023 Incidents detection • So far, reliable measures to prevent routing incidents are not implemented in the equipment • Therefore, it is still important to be able to identify such events and work them out manually • There are different tools to address that, and their usage must be integrated into network operation processes - RIPE RIS, RIPEStat - A.R.T.E.M.I.S as a stand-alone product - Qrator Radar - … • More algorithms to come - draft-ietf-grow-route-leak-detection-mitigation-00 as an example 25
  • 26. Alex Semenyaka | BHNOG | March 22, 2023 Intermediate conclusion • RPKI is really important now • Although it does not currently cover all scenarios, experience is being gained in its operation • Robust approaches of the future will use RPKI in one way or another 26
  • 27. Alex Semenyaka | BHNOG | March 22, 2023 The global overview (NIST data) 27 IPv4 IPv6
  • 28. Alex Semenyaka | BHNOG | March 22, 2023 ROA Signing in Bosnia i Herzegovina 28 IPv4 IPv6
  • 29. Alex Semenyaka | BHNOG | March 22, 2023 Some observations • The ratio of signed IPv4 prefixes in Bosnia i Herzegovina is not bad at all! • However, for IPv6 it is below the world average - Do IPv6 enthusiasts and RPKI enthusiasts have little overlap? - Signing IPv4 networks is no different from signing IPv6 networks! 29
  • 30. Alex Semenyaka | BHNOG | March 22, 2023 Last but not least • If you want to know how to deal with routing security, contact us! • We have our educational programs - Face-to-face training courses - https://learning.ripe.net/w/courses/cat-16-training-courses/ - Webinars - https://learning.ripe.net/w/webinars/ - RIPE Academy - https://academy.ripe.net/ 30
  • 31. Alex Semenyaka | BHNOG | March 22, 2023 The dark side of the Moon • Signing your prefixes is only half the battle: It is also necessary to check other people's signatures • Unfortunately, it is not possible to determine this fact from the outside, so there is no relevant statistics 31 Questions ? asemenyaka@ripe.net