Routing Security
Daniel Karrenberg
RIPE NCC
<daniel.karrenberg@ripe.net>
Who is talking: Daniel Karrenberg
•   1980s: helped build Internet in Europe
     - EUnet, Ebone, IXes, ...
     - RIPE
•   1990s: helped build RIPE NCC
     - 1st CEO: 1992-2000
•   2000s: Chief Scientist & Public Service
     - Trustee of the Internet Society: IETF, ...
     - Interests: Internet measurements, stability, trust & identity in the Internet, ...
Who is talking: Daniel Karrenberg
•   RIPE NCC
     - started in 1992
     - first Regional Internet Registry (RIR)
     - Association of 7000+ ISPs
     - 70+ countries in “Europe & surrounding areas”
     - operational coordination
     - number resource distribution
     - trusted source of data
     - Motto: Neutrality & Expertise
     - not a lobby group!
Outline
•   Internet Routing
     -   How it works
     -   What makes it work in practice
     -   What can go wrong today
•   Risk Mitigation
     -   Routing Hygiene
     -   Resource certification & checks
     -   Obstacles
•   Discussion
The Internet
Part(s) of the Internet
“Autonomous Systems”
Packet Flow
Routing Information Flow (BGP)
Both Directions are Needed
Choice and Redundancy
Questions?
What makes it work
Business Relationships
Transmission Paths
Routing Engineering
Routing Engineering Methods
•   Inbound Traffic
     - Selectively announce routes.
     - Very little control over preferences by other ASes.
•   Outbound Traffic
     -   Decide which of the known routes to use.
•   Inputs
     - Cost
     - Transmission Capacity
     - Load
     - Routing State
Routing Engineering Principles
•   Autonomous Decisions by each AS
•   Local tools
•   Local strategies
•   Local knowledge
•   Business advantages
•   Autonomous Decisions by each AS
•   (One of the reasons for rapid growth of the Internet)
Questions?
What can go wrong
•   Misconfiguration
     - Announcing too many routes (unintentional transit)
     - Originating wrong routes
•   Malicious Actions
     -   Originating wrong routes (hijacking)
Hijacking
Questions?
Examples
•   YouTube & Pakistan Telecom (2008)
•   A number of full table exports
•   Various route leaks from China (2010)
[YouTube movie]
Outline
•   Internet Routing
     -   How it works
     -   What makes it work in practice
     -   What can go wrong today
•   Risk Mitigation
     -   Routing Hygiene
     -   Resource certification & checks
     -   Obstacles
•   Public Policy Considerations
•   Discussion
Routing Hygiene
•   Do not accept customer routes from peers or upstreams
•   Limit number of prefixes accepted per adjacent AS
•   Use a routing registry
     -   no global authoritative registry exists
•   Use own knowledge about topology
     - topology is constantly changing
     - disruptions can cause drastic changes
Routing Hygiene
•   Is applied locally / autonomously
•   Has a cost
•   Subservient to routing engineering
     - No obstruction
     - Maintain Autonomy
•   Cooperation
     - Trust
     - Community
     - Personal Relations
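The hygiene rules above, modelled as the import policy of one BGP session; this is an added example, not code from the slides or the RIPE NCC. The AS numbers, customer prefixes and announcements are constructed sample data, and the rules are applied in plain Python rather than as router prefix-lists.

```python
"""Routing hygiene as an import policy for one BGP session (added example).

Implements three rules from the slides on constructed sample data:
  * do not accept customer routes (or more-specifics of them) from peers
    or upstreams
  * limit the number of prefixes accepted per adjacent AS
  * use own knowledge about topology: which prefixes each customer holds
Real routers express this as prefix-lists and a maximum-prefix setting;
this model only shows the decisions such a policy makes.
"""
import ipaddress
from dataclasses import dataclass, field

# constructed: what this network knows about its own customers' address space
CUSTOMER_PREFIXES = {
    64500: [ipaddress.ip_network("192.0.2.0/24")],
    64501: [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass
class Neighbour:
    asn: int
    kind: str                    # "customer", "peer" or "upstream"
    max_prefix: int              # prefixes accepted before the session is shut
    accepted: set = field(default_factory=set)


def holder_of(prefix):
    """Return the customer AS whose registered space covers prefix, else None."""
    for asn, nets in CUSTOMER_PREFIXES.items():
        for net in nets:
            if net.version == prefix.version and prefix.subnet_of(net):
                return asn
    return None


def evaluate(neighbour, prefix_str):
    """Apply the import policy to one announced prefix.

    Returns (action, reason); action is "accept", "reject" or "shutdown"
    (max-prefix exceeded, so the whole session is torn down).
    """
    prefix = ipaddress.ip_network(prefix_str)
    holder = holder_of(prefix)

    # rule 1: customer space must only arrive over the customer's own session;
    # a covering or more-specific announcement from a peer or upstream is
    # dropped, which is the shape of the 2008 YouTube case on the examples slide
    if neighbour.kind in ("peer", "upstream") and holder is not None:
        return "reject", f"AS{holder} space announced by {neighbour.kind} AS{neighbour.asn}"

    # rule 3: a customer may only announce space we know it holds
    if neighbour.kind == "customer" and holder != neighbour.asn:
        return "reject", f"AS{neighbour.asn} is not registered as holder of {prefix}"

    # rule 2: a per-neighbour prefix limit catches full-table leaks early
    if prefix not in neighbour.accepted and len(neighbour.accepted) >= neighbour.max_prefix:
        return "shutdown", f"AS{neighbour.asn} exceeded max-prefix {neighbour.max_prefix}"

    neighbour.accepted.add(prefix)
    return "accept", "permitted by policy"


def demo():
    """Run a constructed session log through the policy; returns the verdicts."""
    peer = Neighbour(asn=64496, kind="peer", max_prefix=2)
    customer = Neighbour(asn=64500, kind="customer", max_prefix=10)
    log = [
        (peer, "203.0.113.0/24"),       # ordinary peer route
        (peer, "192.0.2.0/25"),         # more-specific of a customer prefix
        (customer, "192.0.2.0/24"),     # customer announcing its own space
        (customer, "198.51.100.0/24"),  # customer announcing another's space
        (peer, "203.0.113.128/25"),     # second peer route, still within limit
        (peer, "203.0.113.0/25"),       # third route: limit of 2 exceeded
    ]
    return [(p, evaluate(n, p)[0]) for n, p in log]


if __name__ == "__main__":
    for prefix, verdict in demo():
        print(f"{prefix:20} {verdict}")
```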
Resource Certification - Motivation
•   Good practice:
     - to register routes in an IRR
     - to filter routes based on IRR data
•   Problem:
     - only useful if the registries are complete
     - many IRRs exist, lacking standardisation
•   Result:
     - Less than half of all prefixes are registered in an IRR
     - Real world filtering is difficult and limited
     - Accidental leaks happen, route hijacking is possible
Resource Certification – Definition
“Resource certification is a reliable method for proving the association between resource holders and Internet resources.”
Digital Resource Certificates
•   Based on open IETF standards (sidr-wg)
•   Issued by the RIPE NCC
•   The certificate states that an Internet number resource has been registered by the RIPE NCC
•   The certificate does not give any indication of the identity of the holder
•   All further information on the resource can be found in the registry
What Certification offers
•   Proof of holdership
•   Secure Inter-Domain Routing
     - Route Origin Authorisation
     - Preferred certified routing
•   Resource transfers
•   Validation is the added value!
Proof of holdership
•   Public Key
•   Resources
•   Signature
Route Origin Authorisation (ROA)
•   IP Prefixes
•   AS Numbers
•   Signature
Automated Provisioning using ROAs
Customer: “Please route this part of my network: 192.0.2.0/24”
Provider: “Please sign a ROA for that resource using my AS number”
Customer: “OK, I signed and published a ROA”
Provider: “OK, that ROA is valid. I can trust this request”
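The ROA slide and the provisioning exchange above, worked through as the check the provider runs: origin validation with RFC 6811 semantics (prefix, maxLength, origin AS) plus the "preferred certified routing" import policy. This is an added example, not code from the slides or the RIPE NCC; the ROAs, the provider's AS64496 and the announcements are constructed, and the ROA signatures are assumed to have been verified already by relying-party software.

```python
"""Route Origin Validation against ROAs (added example, RFC 6811 semantics).

A ROA is modelled by its validated payload: prefix, maxLength and the AS
number authorised to originate it. Checking the ROA's signature up the RPKI
certificate chain is assumed to have been done by relying-party software;
this code shows what the provider does with the result. ROAs, AS numbers
and announcements are constructed sample data.
"""
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", ["prefix", "max_length", "asn"])

# constructed: the customer from the provisioning slide has published a ROA
# authorising the provider's AS (placeholder AS64496) to originate 192.0.2.0/24;
# the second ROA allows /23 and /24 announcements out of a /22 by AS64500
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("198.51.100.0/22"), 24, 64500),
]


def covering_roas(prefix, roas):
    """ROAs whose prefix covers the announced prefix (same address family)."""
    return [r for r in roas
            if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]


def validate_origin(prefix_str, origin_asn, roas=ROAS):
    """Classify an announced (prefix, origin AS) as valid, invalid or not-found."""
    prefix = ipaddress.ip_network(prefix_str)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"          # RPKI says nothing about this prefix
    for roa in covering:
        if roa.asn == origin_asn and prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def import_action(state):
    """'Preferred certified routing' from the slides as an import policy.

    Valid routes win on local preference, not-found routes are accepted as
    they were before certification existed, invalid ones are rejected. The
    preference values are constructed placeholders.
    """
    return {"valid": ("accept", 200),
            "not-found": ("accept", 100),
            "invalid": ("reject", None)}[state]


def provisioning_request_ok(prefix_str, provider_asn, roas=ROAS):
    """The provider's final check in the provisioning exchange: the request to
    route prefix_str is trusted only if a ROA names the provider's own AS."""
    return validate_origin(prefix_str, provider_asn, roas) == "valid"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64497),
                        ("192.0.2.0/25", 64496), ("198.51.100.0/24", 64500),
                        ("198.51.100.0/25", 64500), ("203.0.113.0/24", 64500)]:
        state = validate_origin(prefix, asn)
        print(f"{prefix:18} AS{asn}  {state:9} -> {import_action(state)}")
```

Note that a more-specific announcement beyond maxLength is "invalid" even when the origin AS is the authorised one, which is why maxLength should be set no looser than the prefixes actually announced.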
Who Controls Routing?
•   Certificates do not create additional powers for the Regional Internet Registries
•   Certificates reflect the resource registration status
     - no registration → no certificate
     - the reverse is not true!
•   Routing decisions are made by network operators!
4 out of 5 Regional Internet Registries have RPKI in production
Obstacles
•   Fear of losing autonomy
•   Cost
•   Low threat perception
•   Fear of losing business advantage
•   Fear of losing autonomy
Questions?
My Messages Today
• Routing security needs to be improved
  - Accidents do happen ... sometimes
  - Hijackings do happen ... sometimes
• The sky is not falling
  - It does not happen all the time
  - It does not affect large areas of the Internet
My Messages Today
• Industry is addressing the problems
  - Local measures taken autonomously
  - RPKI being deployed by RIRs
  - RPKI based routing tools being developed
  - RPKI based routing protocols being studied in IETF
Outline
•   Internet Routing
     -   How it works
     -   What makes it work in practice
     -   What can go wrong today
•   Risk Mitigation
     -   Routing Hygiene
     -   Resource certification & checks
     -   Obstacles
•   Discussion
The End!

More Related Content

Similar to Secure Routing

Asterisk Deployments
Asterisk DeploymentsAsterisk Deployments
Asterisk Deployments
Asterisk Community
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
APNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
APNIC
 
RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement Network
RIPE NCC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
 
To Infiniband and Beyond
To Infiniband and BeyondTo Infiniband and Beyond
To Infiniband and Beyond
Boston Consulting Group
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity building
APNIC
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE Atlas
RIPE NCC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
APNIC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
APNIC
 
CANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devicesCANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devices
Priyanka Aash
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24
APNIC
 
06 selecting an-ixp
06 selecting an-ixp06 selecting an-ixp
06 selecting an-ixp
William Norton
 
Papers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet Drops
Papers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet DropsPapers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet Drops
Papers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet Drops
Michael Kehoe
 
Duan
DuanDuan
Routing Security
Routing SecurityRouting Security
Routing Security
RIPE NCC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
RIPE NCC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
APNIC
 
Play With Streams
Play With StreamsPlay With Streams
Play With Streams
Tianjian Chen
 

Similar to Secure Routing (20)

Asterisk Deployments
Asterisk DeploymentsAsterisk Deployments
Asterisk Deployments
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement Network
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
To Infiniband and Beyond
To Infiniband and BeyondTo Infiniband and Beyond
To Infiniband and Beyond
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity building
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE Atlas
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
 
CANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devicesCANSPY: A platform for auditing CAN devices
CANSPY: A platform for auditing CAN devices
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24
 
06 selecting an-ixp
06 selecting an-ixp06 selecting an-ixp
06 selecting an-ixp
 
Papers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet Drops
Papers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet DropsPapers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet Drops
Papers We Love Sept. 2018: 007: Democratically Finding The Cause of Packet Drops
 
Duan
DuanDuan
Duan
 
Routing Security
Routing SecurityRouting Security
Routing Security
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Play With Streams
Play With StreamsPlay With Streams
Play With Streams
 

More from RIPE NCC

Know Your Network: Why every network operator should host a RIPE Atlas probe
Know Your Network: Why every network operator should host a RIPE Atlas probeKnow Your Network: Why every network operator should host a RIPE Atlas probe
Know Your Network: Why every network operator should host a RIPE Atlas probe
RIPE NCC
 
Know Your Network; why every network operator should host a RIPE Atlas probe
Know Your Network; why every network operator should host a RIPE Atlas probeKnow Your Network; why every network operator should host a RIPE Atlas probe
Know Your Network; why every network operator should host a RIPE Atlas probe
RIPE NCC
 
Taiwan's Digital Landscape with RIPE NCC Tools
Taiwan's Digital Landscape with RIPE NCC ToolsTaiwan's Digital Landscape with RIPE NCC Tools
Taiwan's Digital Landscape with RIPE NCC Tools
RIPE NCC
 
Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
RIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
RIPE NCC
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
RIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
RIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
RIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
RIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
RIPE NCC
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
RIPE NCC
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
RIPE NCC
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
RIPE NCC
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
RIPE NCC
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
RIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
RIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
RIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
RIPE NCC
 

More from RIPE NCC (20)

Know Your Network: Why every network operator should host a RIPE Atlas probe
Know Your Network: Why every network operator should host a RIPE Atlas probeKnow Your Network: Why every network operator should host a RIPE Atlas probe
Know Your Network: Why every network operator should host a RIPE Atlas probe
 
Know Your Network; why every network operator should host a RIPE Atlas probe
Know Your Network; why every network operator should host a RIPE Atlas probeKnow Your Network; why every network operator should host a RIPE Atlas probe
Know Your Network; why every network operator should host a RIPE Atlas probe
 
Taiwan's Digital Landscape with RIPE NCC Tools
Taiwan's Digital Landscape with RIPE NCC ToolsTaiwan's Digital Landscape with RIPE NCC Tools
Taiwan's Digital Landscape with RIPE NCC Tools
 
Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 

Recently uploaded

Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 

Recently uploaded (20)

Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Columbus Data & Analytics Wednesdays - June 2024

Secure Routing

1. Routing Security
   Daniel Karrenberg, RIPE NCC <daniel.karrenberg@ripe.net>

2. Who is talking: Daniel Karrenberg
•   1980s: helped build Internet in Europe
     - EUnet, Ebone, IXes, ...
     - RIPE
•   1990s: helped build RIPE NCC
     - 1st CEO: 1992-2000
•   2000s: Chief Scientist & Public Service
     - Trustee of the Internet Society: IETF, ...
     - Interests: Internet measurements, stability, trust & identity in the Internet, ...

3. Who is talking: Daniel Karrenberg
•   RIPE NCC
     - started in 1992
     - first Regional Internet Registry (RIR)
     - Association of 7000+ ISPs
     - 70+ countries in “Europe & surrounding areas”
     - operational coordination
     - number resource distribution
     - trusted source of data
     - Motto: Neutrality & Expertise
     - not a lobby group!

4. Outline
•   Internet Routing
     - How it works
     - What makes it work in practice
     - What can go wrong today
•   Risk Mitigation
     - Routing Hygiene
     - Resource certification & checks
     - Obstacles
•   Discussion

6. Part(s) of the Internet

10. Both Directions are Needed

13. What makes it work

17. Routing Engineering Methods
•   Inbound Traffic
     - Selectively announce routes.
     - Very little control over preferences by other ASes.
•   Outbound Traffic
     - Decide which of the known routes to use.
•   Inputs
     - Cost
     - Transmission Capacity
     - Load
     - Routing State

18. Routing Engineering Principles
•   Autonomous decisions by each AS
     - Local tools
     - Local strategies
     - Local knowledge
     - Business advantages
•   Autonomous decisions by each AS (one of the reasons for the rapid growth of the Internet)

20. What can go wrong
•   Misconfiguration
     - Announcing too many routes (unintentional transit)
     - Originating wrong routes
•   Malicious Actions
     - Originating wrong routes (hijacking)

21. Hijacking

22. Hijacking

23. Hijacking

25. Examples
•   YouTube & Pakistan Telecom (2008)
•   A number of full table exports
•   Various route leaks from China (2010)
(YouTube movie)

26. Outline
•   Internet Routing
     - How it works
     - What makes it work in practice
     - What can go wrong today
•   Risk Mitigation
     - Routing Hygiene
     - Resource certification & checks
     - Obstacles
•   Public Policy Considerations
•   Discussion

27. Routing Hygiene
•   Do not accept customer routes from peers or upstreams
•   Limit the number of prefixes accepted per adjacent AS
•   Use a routing registry
     - no global authoritative registry exists
•   Use own knowledge about topology
     - topology is constantly changing
     - disruptions can cause drastic changes

28. Routing Hygiene
•   Is applied locally / autonomously
•   Has a cost
•   Subservient to routing engineering
     - No obstruction
     - Maintain Autonomy
•   Cooperation
     - Trust
     - Community
     - Personal Relations
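The hygiene rules on slides 27 and 28 are stated as policy; the following is an added example (not code from the talk or from the RIPE NCC) of what they look like as a BGP import policy applied to one received route at a time. It checks that a customer only announces prefixes registered to it, that a customer's prefix or origin AS is never accepted from a peer or upstream (the leak and hijack cases of slide 20), and that a neighbour exceeding its agreed prefix limit has its session shut down, which bounds the damage of a full-table export. All AS numbers, prefixes, relationships and limits are constructed from the documentation ranges (RFC 5398 and RFC 5737) and are assumptions for the example.

```python
"""Added example, not part of Daniel Karrenberg's slides: a toy BGP import
policy implementing the 'Routing Hygiene' rules for one received route.

  1. from a customer, accept only prefixes registered to that customer
     (an IRR-derived prefix list);
  2. from a peer or upstream, never accept a route for a customer prefix
     or with a customer AS as origin (a leaked or hijacked customer route);
  3. shut the session once a neighbour exceeds its agreed prefix limit.

All AS numbers, prefixes, relationships and limits below are constructed
(documentation ranges) and are assumptions for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network

# Constructed business relationships (cf. slide 14) and agreed prefix limits.
NEIGHBOUR_ROLE = {64497: "customer", 64498: "peer", 64499: "upstream"}
MAX_PREFIXES = {64497: 2, 64498: 100, 64499: 100}

# Constructed IRR-style registration: which prefixes each customer holds.
REGISTERED_PREFIXES = {
    64497: {ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")},
}


@dataclass
class Announcement:
    neighbour: int              # AS the route was received from
    prefix: IPv4Network
    as_path: tuple              # leftmost = neighbour, rightmost = origin AS


@dataclass
class Session:
    neighbour: int
    accepted: set = field(default_factory=set)
    shutdown: bool = False


def is_customer_prefix(prefix: IPv4Network) -> bool:
    """True if prefix equals, or is more specific than, any customer prefix."""
    return any(prefix.subnet_of(p)
               for prefixes in REGISTERED_PREFIXES.values() for p in prefixes)


def import_policy(session: Session, ann: Announcement):
    """Return (accepted, reason) for one route received on `session`."""
    if session.shutdown:
        return False, "session shut down"
    role = NEIGHBOUR_ROLE[ann.neighbour]
    if ann.as_path[0] != ann.neighbour:
        return False, "AS path does not start with the neighbour AS"
    if role == "customer":
        # Check 1: customers may only announce what is registered to them.
        if not any(ann.prefix.subnet_of(p) for p in REGISTERED_PREFIXES[ann.neighbour]):
            return False, "prefix not registered to this customer"
    elif is_customer_prefix(ann.prefix) or ann.as_path[-1] in REGISTERED_PREFIXES:
        # Check 2: customer routes must come from the customer, not a peer/upstream.
        return False, f"customer route received from {role}"
    # Check 3: per-neighbour prefix limit; exceeding it tears the session down.
    if ann.prefix not in session.accepted and len(session.accepted) >= MAX_PREFIXES[ann.neighbour]:
        session.shutdown = True
        return False, "prefix limit exceeded, session shut down"
    session.accepted.add(ann.prefix)
    return True, "accepted"


def run_demo():
    """Feed constructed announcements through the policy; returns one
    (prefix, neighbour, accepted, reason) tuple per announcement."""
    sessions = {asn: Session(asn) for asn in NEIGHBOUR_ROLE}
    announcements = [
        Announcement(64497, ip_network("192.0.2.0/24"), (64497,)),          # legitimate customer route
        Announcement(64497, ip_network("203.0.113.0/24"), (64497,)),        # customer announces space it does not hold
        Announcement(64498, ip_network("192.0.2.0/24"), (64498, 64500)),    # hijack: our customer's prefix via a peer
        Announcement(64499, ip_network("192.0.2.0/25"), (64499, 64497)),    # leak: more specific of it via the upstream
        Announcement(64498, ip_network("203.0.113.0/24"), (64498, 64501)),  # ordinary peer route
        Announcement(64497, ip_network("198.51.100.0/24"), (64497,)),       # second legitimate customer route
        Announcement(64497, ip_network("192.0.2.0/25"), (64497,)),          # third prefix: over the agreed limit of 2
        Announcement(64497, ip_network("192.0.2.128/25"), (64497,)),        # session already shut down
    ]
    results = []
    for ann in announcements:
        accepted, reason = import_policy(sessions[ann.neighbour], ann)
        results.append((str(ann.prefix), ann.neighbour, accepted, reason))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Checks 1 and 2 are only as good as the registration data behind them, which is the point slide 29 goes on to make; check 3 needs no registry at all and is the cheapest of the three to deploy.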
29. Resource Certification - Motivation
•   Good practice:
     - to register routes in an IRR
     - to filter routes based on IRR data
•   Problem:
     - only useful if the registries are complete
     - many IRRs exist, lacking standardisation
•   Result:
     - Less than half of all prefixes are registered in an IRR
     - Real world filtering is difficult and limited
     - Accidental leaks happen, route hijacking is possible

30. Resource Certification – Definition
“Resource certification is a reliable method for proving the association between resource holders and Internet resources.”

31. Digital Resource Certificates
•   Based on open IETF standards (sidr-wg)
•   Issued by the RIPE NCC
•   The certificate states that an Internet number resource has been registered by the RIPE NCC
•   The certificate does not give any indication of the identity of the holder
•   All further information on the resource can be found in the registry

32. What Certification offers
•   Proof of holdership
•   Secure Inter-Domain Routing
     - Route Origin Authorisation
     - Preferred certified routing
•   Resource transfers
•   Validation is the added value!

33. Proof of holdership
•   Public Key
•   Resources
•   Signature

34. Route Origin Authorisation (ROA)
•   IP Prefixes
•   AS Numbers
•   Signature

35. Automated Provisioning using ROAs
     - “Please route this part of my network: 192.0.2.0/24”
     - “Please sign a ROA for that resource using my AS number”
     - “OK, I signed and published a ROA”
     - “OK, that ROA is valid. I can trust this request”

36. Who Controls Routing?
•   Certificates do not create additional powers for the Regional Internet Registries
•   Certificates reflect the resource registration status
     - no registration → no certificate
     - the reverse is not true!
•   Routing decisions are made by network operators!
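Slides 32 to 36 describe what a ROA asserts and how an operator can act on it; the following is an added example (not from the talk and not any RIR's validator code) of the matching step a router or relying-party tool performs with ROAs of the form on slide 34: prefix, maximum length and origin AS. It implements route origin validation as specified in RFC 6811, then applies the "preferred certified routing" policy of slide 32 (drop invalid, prefer valid over unknown) and the trust check behind the provisioning exchange on slide 35. The ROAs are assumed to have already been cryptographically verified; prefixes, AS numbers and the local preference values are constructed from the documentation ranges and are assumptions for the example.

```python
"""Added example, not part of the slides or of any RIR's software: route
origin validation (RFC 6811) against ROAs of the form on slide 34
(prefix, maxLength, origin AS), followed by the 'preferred certified
routing' policy from slide 32 and the provisioning trust check of slide 35.

The ROAs are assumed to have been cryptographically verified already by a
relying-party validator; only the matching logic is shown.  All prefixes,
AS numbers and local_pref values are constructed assumptions.
"""
from ipaddress import ip_network

# Constructed, already-verified ROA payloads: (prefix, maxLength, origin AS).
ROAS = [
    (ip_network("192.0.2.0/24"), 24, 64496),
    (ip_network("198.51.100.0/22"), 24, 64497),  # holder may announce the /22 down to /24s
]

VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation for one (prefix, origin AS) pair.

    notfound: no ROA covers the prefix;
    valid:    a covering ROA names this origin AS and allows this prefix length;
    invalid:  ROAs cover the prefix but none matches (wrong origin or too specific).
    """
    prefix = ip_network(prefix)
    covering = [r for r in roas
                if r[0].version == prefix.version and prefix.subnet_of(r[0])]
    if not covering:
        return NOTFOUND
    for roa_prefix, max_length, asn in covering:
        if asn == origin_as and prefix.prefixlen <= max_length:
            return VALID
    return INVALID


# Preferred certified routing: drop invalid routes, prefer valid over notfound.
# The local_pref values are assumptions for the example.
POLICY = {VALID: (True, 200), NOTFOUND: (True, 100), INVALID: (False, None)}


def apply_policy(announcements, roas=ROAS):
    """Classify (prefix, origin AS) announcements; returns
    (prefix, origin AS, state, accept, local_pref) per announcement."""
    decisions = []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, roas)
        accept, local_pref = POLICY[state]
        decisions.append((prefix, origin_as, state, accept, local_pref))
    return decisions


def provisioning_check(prefix, customer_as, roas=ROAS):
    """Slide 35: an upstream trusts 'please route prefix P from my AS'
    only if a valid ROA exists for (P, customer AS)."""
    return validate_origin(prefix, customer_as, roas) == VALID


# Constructed announcements covering the failure modes listed on slide 20.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # wrong origin: hijack
    ("192.0.2.0/25", 64496),      # right origin, but more specific than maxLength allows
    ("198.51.100.0/23", 64497),   # within the /22 .. /24 range: valid
    ("198.51.100.0/25", 64497),   # beyond maxLength: invalid
    ("203.0.113.0/24", 64498),    # no ROA at all: notfound, accepted with lower preference
]

if __name__ == "__main__":
    for row in apply_policy(SAMPLE_ANNOUNCEMENTS):
        print(row)
    print("provisioning request for 192.0.2.0/24 from AS64496 trusted:",
          provisioning_check("192.0.2.0/24", 64496))
```

Two details matter in practice. A more-specific announcement by the legitimate holder is still invalid once it exceeds maxLength, so ROAs need to list every length the holder actually announces; and "notfound" must stay accepted while most prefixes have no ROA (slide 29), which is why the policy only lowers its preference rather than dropping it.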
37. 4 out of 5 Regional Internet Registries have RPKI in production

38. Obstacles
•   Fear of losing autonomy
•   Cost
•   Low threat perception
•   Fear of losing business advantage
•   Fear of losing autonomy

40. My Messages Today
•   Routing security needs to be improved
     - Accidents do happen ... sometimes
     - Hijackings do happen ... sometimes
•   The sky is not falling
     - It does not happen all the time
     - It does not affect large areas of the Internet

41. My Messages Today
•   Industry is addressing the problems
     - Local measures taken autonomously
     - RPKI being deployed by RIRs
     - RPKI based routing tools being developed
     - RPKI based routing protocols being studied in IETF

42. Outline
•   Internet Routing
     - How it works
     - What makes it work in practice
     - What can go wrong today
•   Risk Mitigation
     - Routing Hygiene
     - Resource certification & checks
     - Obstacles
•   Discussion

43. The End!
Kрай Y Diwedd Fí Соңы Finis Liðugt Ende Finvezh Kiнець Konec Kraj Ënn Fund Lõpp Beigas Vége Son Kpaj An Críoch ‫הסוף‬ Endir Fine Sfârşit Fin Τέλος Einde Конeц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim