are we there yet? on rpki deployment and security
TRANSCRIPT
![Page 1: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/1.jpg)
AreWeThereYet?OnRPKIDeploymentandSecurity
YossiGiladjointworkwith:AvichaiCohen,
AmirHerzberg,MichaelSchapira,HayaShulman
![Page 2: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/2.jpg)
TheResourcePublicKeyInfrastructure
• Intendedtopreventpre@ix/subpre@ixhijacks
• Laysthefoundationforprotectionagainstmoresophisticatedattacksoninterdomainrouting– BGPsec,SoBGP,…
2
![Page 3: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/3.jpg)
Pre@ixHijacking
ASX
ASY
AS3320
AS666
91.0.0.0/10Path:3320
91.0.0.0/10Path:Y-3320 91.0.0.0/10
Path:666
BGPAd. Dataflow
prefersshorterroute
3
![Page 4: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/4.jpg)
Subpre@ixHijacking
ASX
AS3320
AS666
91.0.0.0/10Path:3320 91.0.0.0/16
Path:Y-666
BGPAd. Dataflow
LongestprefixmatchPathlengthdoesnotma5er
ASY
91.0.0.0/16Path:666
4
![Page 5: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/5.jpg)
CertifyingOwnershipwithRPKI
• RPKIassignsanIPpre@ixtoapublickeyviaaResourceCerti@icate(RC)
• OwnerscanusetheirprivatekeytoissueaRouteOriginAuthorization(ROA)
• ROAsidentifyASesauthorizedtoadvertiseanIPpre@ixinBGP
5
![Page 6: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/6.jpg)
Example:CertifyingOwnership
6
91.0.0.0/10Max-length=10
AS3320
RIPERéseauxIPEuropéens
NetworkCoordinaYonCentre
ROA
Legend:OrgwithRC
DeutscheTelekom91.0.0.0/10
![Page 7: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/7.jpg)
RPKICanPreventPre@ixHijacks
ASX
ASY
AS3320
AS666
91.0.0.0/10Path:Y-3320
91.0.0.0/10Path:666
BGPAd. Dataflow
ASXusestheauthenYcatedmapping(ROA)from91.0/10toAS3320todiscardthea_acker’sroute-adverYsement
7
91.0.0.0/10Max-length=10
AS3320
![Page 8: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/8.jpg)
TalkOutline
• Challengesfacingdeployment• Routeoriginvalidationinpartialdeployment
8
![Page 9: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/9.jpg)
AS666
ASX
BGPAd. Dataflow
ASA
InsecureDeployment:LooseROAs1.2.0.0/16
Max-length=16ASA
ROAallowsadverYsingonlyone/16prefix
1.2.0.0/16Path:A
ValidadverYsementsinceASAisthe“origin”
9
1.2.0.0/16Path:666-A
Picksshorterpath
Lychevetal.showthatthisa_ackismuchlesseffecYvethanprefixhijack
![Page 10: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/10.jpg)
ASX
AS666
BGPAd. Dataflow
Longest-prefix-matchPathlengthdoesnotma5er
ASA
InsecureDeployment:LooseROAs1.2.0.0/16
Max-length=24ASA
ROAallowsadverYsingsubprefixesuptolength/24
ASAoriginates1.2.0.0/16butnot1.2.3.0/24ROAis“loose”1.2.0.0/16Path:A
ValidadverYsementsinceASAisthe“origin”
1.2.3.0/24Path:666-A
10
RFC7115menYonsthisa_ack
![Page 11: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/11.jpg)
• LooseROAsarecommon!– almost30%ofIPpre@ixesinROAs– 89%ofpre@ixeswithmaxLen>pre@ixLen– manifestseveninlargeproviders!
• Attackercanhijackalltraf@ictonon-advertisedsubpre@ixescoveredbyalooseROA
• VulnerabilitywillbesolvedonlywhenBGPsecisfullydeployed,butalongwaytogountilthen…– betternottoissuelooseROAs!
InsecureDeployment:LooseROAs
11
![Page 12: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/12.jpg)
ChallengestoDeployment:HumanError
ManyothermistakesinROAs(seeRPKImonitor)– ``badROAs’’causelegitimatepre@ixestoappearinvalid– @ilteringbyROAsmaycausedisconnectionfromlegitimatedestinations– extensivemeasurementsin[Iamartinoetal.,PAM’15]
12
![Page 13: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/13.jpg)
• roalert.orgallowsyoutocheckwhetheryournetworkisproperlyprotectedbyROAs
• …andifnot,whynot
ImprovingAccuracywithROAlert
13
![Page 14: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/14.jpg)
ImprovingAccuracywithROAlert
• Online,proactivenoti@icationsystem• RetrievesROAsfromtheRPKIandcomparesthemagainstBGPadvertisements
• Alertsnetworkoperatorsabout“looseROAs”&“badROAs”
14
![Page 15: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/15.jpg)
ImprovingAccuracywithROAlert
• Initialresultsarepromising!– noti@icationsreached168operators– 42%oferrorswere@ixedwithinamonth
• ROAlertis:– constantlymonitoring(notonlyatregistration)– notopt-in
• WeadvocatethatROAlertbeadoptedandadaptedbyRIRs!
15
![Page 16: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/16.jpg)
TalkOutline
• Challengesfacingdeployment• Routeoriginvalidationinpartialdeployment
16
![Page 17: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/17.jpg)
FilteringBogusAdvertisements
Route-OriginValidation(ROV):useROAstodiscard/deprioritizeroute-
advertisementsfromunauthorizedorigins[RFC6811]
Verify:• signerauthorizedfor
subjectprefix• signatureisvalid
BGPRouters
91.0.0.0/10:AS=3320,max-length=10
RPKIpub.point
RCsandROAs
AutonomousSystem
17
RPKIcache
![Page 18: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/18.jpg)
WhatistheImpactofPartialROVAdoption?
• Collateralbene@it:– AdoptersprotectASesbehindthembydiscardinginvalidroutes
OriginAS1
AS2
AS666
To:1.1/16ASpath:2-1
To:1.1.1/24ASpath:666
AS3
AS3isonlyofferedagoodroute
18
1.1.0.0/16Max-length=16
AS1
![Page 19: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/19.jpg)
WhatistheImpactofPartialROVAdoption?
• Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Disconnection:Adoptersmightbeofferedonlybadroutes
OriginAS1
AS2
AS666
To:1.1/16ASpath:1
To:1.1/16ASpath:2-666
AS3
AS2preferstoadverYseroutesfromAS666overAS1
AS3receivesonlybadadverYsementanddisconnectsfrom1.1/16
19
1.1.0.0/16Max-length=16
AS1
![Page 20: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/20.jpg)
WhatistheImpactofPartialROVAdoption?
• Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Control-Plane-Data-PlaneMismatch!data@lowstoattacker,althoughAS3discardedit
OriginAS1
AS2
AS666
AS3
To:1.1/16ASpath:2-1
To:1.1.1/24ASpath:2-666
AS2adverYsesbothprefix&subprefixroutes
AS3discardsbadsubprefixroute
AS2doesnotfilterandusesbadrouteforsubprefix
20
1.1.0.0/16Max-length=16
AS1
![Page 21: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/21.jpg)
QuantifySecurityinPartialAdoption:SimulationFramework
21
B
D
H
J
E
I
G
KL
F
1.1.0.0/16Max-length=16
ASAC
A
• PickvicYm&a_acker• VicYm’sprefixhasaROA• PicksetofASesdoingROV• EvaluatewhichASessend
traffictothea_acker
Empirically-derivedAS-levelnetworkfromCAIDAIncludinginferredpeeringlinks[Giotsasetal.,SIGCOMM’13]
![Page 22: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/22.jpg)
QuantifySecurityinPartialAdoption
• TopISPadoptswithprobabilityp• Signi@icantbene@itonlywhenpishigh
Prefixhijacksuccessrate
Subprefixhijacksuccessrate
22
![Page 23: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/23.jpg)
Conclusion:WhatCanWeImprove?
• Informationaccuracy– ROAlertinforms&alertsoperatorsabout:• BadROAs• LooseROAs
• Preventinghijacks– IncentivizeROVadoptionbythetopISPs!
23
![Page 24: Are We There Yet? On RPKI Deployment and Security](https://reader031.vdocument.in/reader031/viewer/2022012509/61860ae2fd016e6b85457e22/html5/thumbnails/24.jpg)
ThankYou!
ThisworkappearedatNDSS’17Techreportathttps://eprint.iacr.org/2016/1010.pdf
Questions?J
24