BGP Origin Validation
APNIC / Phnom Penh 2012.08.27
Randy Bush <[email protected]> Rob Austein <[email protected]>
Steve Bellovin <[email protected]> And a cast of thousands! Well, dozens :)
2012.08.27 APNIC RtgSec 1
Agenda
• This Presentation
  o Some Technical Background
  o Mis-Origination – the YouTube Incident
  o The RPKI – Needed Infrastructure
  o BGP Origin Validation
  o BGP Path Validation (briefly)
This is Not New
• 1986 – Bellovin & Perlman identify the vulnerability
• 1999 – National Academies study called it out
• 2000 – S-BGP – X.509 PKI to support Secure BGP – Kent, Lynn, et al.
• 2003 – NANOG S-BGP Workshop
• 2006 – ARIN & APNIC start work on RPKI. RIPE starts in 2008.
• 2009 – RPKI Open Testbed and running code in test routers
What is an AS? An ISP or End Site (figure)
Big ISPs ‘Peering’ with each other: Verizon AS 701, Sprint AS 1239, IIJ AS 2497
Customers buy ‘Transit’ from them: GoJ AS 234, Amazon AS 16509, Sakura AS 9370

An IP Prefix is Announced & Propagated (figure)
Same topology: the prefix 147.28.0.0/16 is announced by its origin AS and propagated over the transit and peering links to every other AS.
From Inside a Router
BGP routing table entry for 147.28.0.0/16
  16509 1239 2497 234
The list of AS numbers is the AS-Path; the rightmost AS (234) is the Origin AS, the one that announced the prefix.
Of Course it’s Uglier
r1.iad#sh ip bgp 147.28.0.0/16
BGP routing table entry for 147.28.0.0/16, version 21440610
Paths: (2 available, best #1, table default)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  16509 1239 2497 234
    144.232.18.81 from 144.232.18.81 (144.228.241.254)
      Origin IGP, metric 841, localpref 100, valid, external, best
      Community: 3297:100 3927:380
      path 67E8FFCC RPKI State valid
  Refresh Epoch 1
  16509 701 2497 234
    129.250.10.157 (metric 11) from 198.180.150.253 (198.180.150.253)
      Origin IGP, metric 95, localpref 100, valid, internal
      Community: 2914:410 2914:1007 2914:2000 2914:3000 3927:380
      path 699A867C RPKI State valid
The YouTube Incident (figure)
The Plan: Pakistan Telekom, behind its upstream PCCW, meant to poison only Pakistan internal routing so that YouTube was unreachable from the Pakistan Internet.
What Happened: the announcement leaked out through PCCW and poisoned the Global Internet. Oops!
We Call this Mis-Origination
a Prefix is Originated by an AS Which Does Not Own It

I Do Not Call it Hijacking
Because that Assumes Negative Intent

And These Accidents Happen Every Day
Usually to Small Folk, Sometimes to Large

So, What’s the Plan?
Three Pieces
• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year)
• Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (early 2012)
• AS-Path Validation AKA BGPsec – Prevent Attacks on BGP (future work)
Why Origin Validation?
• Prevent the YouTube accident & far worse
• Prevent the AS 7007 accident (UUNET/Sprint, 2 days!)
• Prevents most accidental announcements
• Does not prevent malicious path attacks such as the Kapela/Pilosov DefCon attack
• That requires ‘Path Validation’, the third piece, a few years away
We Need to be Able to Authoritatively Prove Who Owns an IP Prefix And What AS(s) May Announce It

Prefix Ownership Follows the Allocation Hierarchy: IANA, RIRs, ISPs, …

Resource Public Key Infrastructure (RPKI)
X.509 RPKI Being Developed & Deployed by IANA, RIRs, and Operators

X.509 Certificate w/ 3779 Ext (figure)
• RFC 3779 Extension describes the IP Resources (Addr & ASN) held by the certificate’s subject
• Owner’s Public Key
• SIA – URI for where this CA Publishes its products
• Signed by Parent’s Private Key
Certificate Hierarchy follows Allocation Hierarchy (figure)
Each box is a CA certificate holding a prefix and the holder’s Public Key, signed by the parent CA; each CA’s SIA points at where its children are published. From 98.128.0.0/16 at the top, child certs are cut for 98.128.0.0/20, 98.128.16.0/20 and 98.128.32.0/19, and under 98.128.16.0/20 for 98.128.16.0/24 and 98.128.17.0/24. The certificate holders shown are ARIN, RGnet, PSGnet, ISC, Rob and Randy.
That’s Who Owns It but Who May Route It?
Route Origin Authorization (ROA) (figure)
The Owning CA Cert (98.128.0.0/16, 147.28.0.0/16, Public Key) issues an End Entity (EE) Cert for 98.128.0.0/16. An End Entity Cert can not sign certs; it can sign other things, e.g. ROAs. The EE Cert’s key signs the ROA “98.128.0.0/16 AS 42”. The ROA is not a Cert; it is a signed blob.
Multiple ROAs: Make Before Break (figure)
I Plan to Switch Providers: the Owning CA Cert for 98.128.0.0/16 issues a second EE Cert for 98.128.0.0/16, which signs a second ROA “98.128.0.0/16 AS 3130” alongside the existing ROA “98.128.0.0/16 AS 42”. Both ROAs are valid at the same time, so the announcement from the new AS is Valid before the old ROA is removed.
ROA Aggregation Using Max Length (figure)
IANA (0/0) issues a CA cert to ARIN (98.0.0.0/8), which issues a CA cert to PSGnet (98.128.0.0/16). PSGnet’s CA cert issues an EE Cert for 98.128.0.0/16, which signs a single ROA “98.128.0.0/16-24 AS 3130”: AS 3130 may originate the /16 and any more specific down to /24, without a ROA per prefix.
RPKI-Based Origin Validation
RPKI Certificate Engine (figure)
Resource PKI: IP Resource Certs, ASN Resource Certs, Route Origin Attestations
Interfaces: GUI; Up / Down to Parent; Up / Down to Child; Publication Protocol
Warning What ROA Will Do (figure)
A Usage Scenario (figure)
Registry side: the Registry’s Database(s) hold Resources [OrgID], My RightsToRoute and Delegations to Custs; an Internal Protocol feeds the RPKI Certificate Engine, managed through a Registry Internal GUI & Management front-end; the Publication Protocol pushes to a Publication Point (Contract Out To Google? :)).
User side: the User Web GUI serves 98% of an RIR’s Users but only 10% of an RIR’s IP Space; the Up / Down Protocol serves 2% of an RIR’s Users who hold 90% of an RIR’s IP Space.
Issuing Parties (figure)
IANA, APNIC and IIJ each run a Resource PKI with its own GUI and Publication Protocol. Cert Issuance flows down the hierarchy: each child asks its parent over the Up / Down protocol (“Please Issue My Cert”) and the parent issues the cert.
Issuing Parties (figure, continued)
Same chain, IANA to APNIC to IIJ, each with GUI, Up / Down and Publication Protocol; each publication point carries SIA Pointers down to its children’s publication points, so a relying party can walk the whole tree.
RCynic Cache Gatherer (cynical rsync) (figure)
Starting from the Trust Anchor, the RCynic Gatherer follows SIA pointers through IANA, the RIRs (ARIN, APNIC), ISPs (UUNET, PSGnet, IIJ) and their customers (UUcust), fetches each publication point, validates the certificates and ROAs, and writes a Validated Cache.
Issuing Parties and Relying Parties (figure)
Issuing side: the IANA, APNIC and IIJ Resource PKIs with GUI, Up / Down and Publication Protocol, linked by SIA Pointers.
Relying side: the RCynic Gatherer starts at the Trust Anchor, follows the SIA Pointers and builds a Validated Cache; the cache feeds the BGP Decision Process, a Pseudo IRR (RPSL route objects with source: RPKI, shown on the next slide) and other NOC Tools.
RPSL Your WorkFlow?
route:      147.28.0.0/16
descr:      147.28.0.0/16-16
origin:     AS3130
notify:     [email protected]
mnt-by:     MAINT-RPKI
changed:    [email protected] 20110606
source:     RPKI
CSV Your WorkFlow?
67.21.36.0/24 3970
192.169.0.0/23 3970
207.34.0.0/24 3970
216.21.0.0/24 3970
216.21.14.0/24 3970
216.21.16.0/24 3970
216.151.34.0/24 3970
147.28.0.0/16 3130
192.83.230.0/24 3130
RPKI-Rtr Protocol (figure)
The RPKI Engine with Repository Mgt publishes (Publication Protocol) into the RPKI Repo; the RCynic Gatherer pulls the repo into a Cache (django front-end); the RPKI to Rtr Protocol carries the validated data from the Cache into the router’s BGP Decision Process.
Possible Large ISP Deployment (figure)
Caches Feed Caches: the Global RPKI feeds regional caches (Asia Cache, NoAm Cache, Euro Cache), which feed in-PoP Caches, which feed the routers. High Priority: the Cust Facing routers. Lower Priority: the rest.
How Do ROAs Affect BGP Updates?
In NOC / In PoP (figure)
In the NOC: the RCynic Gatherer starts at the Trust Anchor, follows the SIA Pointers through the IANA, APNIC and IIJ Resource PKIs, does the Crypto Check and writes the Validated Cache.
In the PoP: the RPKI to Rtr Protocol carries the data, Crypto Stripped, from the Validated Cache into the router’s BGP Decision Process.
Typical Exchange

   Cache                         Router
     ~                             ~
     | <----- Reset Query -------- | R requests data
     |                             |
     | ----- Cache Response -----> | C confirms request
     | ------- IPvX Prefix ------> | C sends zero or more
     | ------- IPvX Prefix ------> |   IPv4 and IPv6 Prefix
     | ------- IPvX Prefix ------> |   Payload PDUs
     | ------- End of Data ------> | C sends End of Data
     |                             |   and sends new serial
     ~                             ~
     | -------- Notify ----------> | (optional)
     |                             |
     | <----- Serial Query ------- | R requests data
     |                             |
     | ----- Cache Response -----> | C confirms request
     | ------- IPvX Prefix ------> | C sends zero or more
     | ------- IPvX Prefix ------> |   IPv4 and IPv6 Prefix
     | ------- IPvX Prefix ------> |   Payload PDUs
     | ------- End of Data ------> | C sends End of Data
     |                             |   and sends new serial
     ~                             ~
IPv4 Prefix

   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |    reserved = zero  |
   |    0     |    4     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=20                 |
   |                                           |
   +-------------------------------------------+
   |          |  Prefix  |   Max    |          |
   |  Flags   |  Length  |  Length  |   zero   |
   |          |   0..32  |   0..32  |          |
   +-------------------------------------------+
   |                                           |
   |                IPv4 prefix                |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |         Autonomous System Number          |
   |                                           |
   `-------------------------------------------'
IPv6 Prefix

   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |    reserved = zero  |
   |    0     |    6     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=40                 |
   |                                           |
   +-------------------------------------------+
   |          |  Prefix  |   Max    |          |
   |  Flags   |  Length  |  Length  |   zero   |
   |          |  0..128  |  0..128  |          |
   +-------------------------------------------+
   |                                           |
   +---                                     ---+
   |                                           |
   +---            IPv6 prefix              ---+
   |                                           |
   +---                                     ---+
   |                                           |
   +-------------------------------------------+
   |                                           |
   |         Autonomous System Number          |
   |                                           |
   `-------------------------------------------'
BGP Updates are compared with ROA Data loaded from the RPKI

Marking BGP Updates (figure)
BGP Updates arrive from the BGP Peer; RPKI ROAs arrive from the RPKI Cache over the RPKI-Rtr Protocol; the router compares each update’s prefix and origin AS with the ROA data and marks the update Valid, Invalid or NotFound.
Configure Router to Get ROAs
router bgp 3130
 …
 bgp rpki server tcp 198.180.150.1 port 42420 refresh 3600
 bgp rpki server tcp 147.28.0.35 port 93920 refresh 3600
 …
Check Server
r0.sea#show ip bgp rpki servers
BGP SOVC neighbor is 198.180.150.1/42420 connected to port 42420
  Flags 0, Refresh time is 120, Serial number is 1304239609
  InQ has 0 messages, OutQ has 0 messages, formatted msg 345
  Session IO flags 3, Session flags 4008
 Neighbor Statistics:
  Nets Processed 624
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Mininum incoming TTL 0, Outgoing TTL 255
Local host: 199.238.113.10, Local port: 57932
Foreign host: 198.180.150.1, Foreign port: 42420
Connection tableid (VRF): 0
Look at Table
r0.sea#sh ip bgp rpki table
80 BGP sovc network entries using 7040 bytes of memory
86 BGP sovc record entries using 1720 bytes of memory

Network           Maxlen  Origin-AS  Neighbor
67.21.36.0/24     24      3970       198.180.150.1/42420
98.128.0.0/24     24      3130       198.180.150.1/42420
98.128.0.0/24     24      666        198.180.150.1/42420
98.128.0.0/16     16      3130       198.180.150.1/42420
98.128.3.0/24     24      3130       198.180.150.1/42420
98.128.4.0/24     24      3130       198.180.150.1/42420
98.128.5.0/24     24      3130       198.180.150.1/42420
98.128.6.0/24     24      3130       198.180.150.1/42420
98.128.7.0/24     24      65107      198.180.150.1/42420
98.128.9.0/24     24      3130       198.180.150.1/42420
98.128.10.0/24    24      3130       198.180.150.1/42420
Look at BGP Table
r0.sea#sh ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
V*>  98.128.28.0/24   0.0.0.0                  0         32768 i
V*>  98.128.29.0/24   0.0.0.0                  0         32768 i
V*>  98.128.30.0/24   0.0.0.0                  0         32768 i
V*>  98.128.31.0/24   0.0.0.0                  0         32768 i
N*>  98.129.0.0/16    199.238.113.9           62             0 2914 12179 33070 33070 i
N*                    129.250.11.41           67             0 2914 12179 33070 33070 i
V*>i 98.130.0.0/16    206.81.80.40           789     90      0 6939 32392 i
N*                    199.238.113.9           65             0 2914 4436 32392 i
N*                    129.250.11.41           70             0 2914 4436 32392 i
I*>i 98.130.0.0/15    206.81.80.40           789     90      0 6939 32392 i
N*                    199.238.113.9           65             0 2914 4436 32392 i
The leading letter is the RPKI state of each path: V = valid, I = invalid, N = not found.
Look at a Prefix
R3#show ip bgp 98.128.0.0/24
BGP routing table entry for 98.128.0.0/24, version 360
Paths: (2 available, best #1, table default)
  65000 3130
    10.0.0.1 from 10.0.0.1 (193.0.24.64)
      Origin IGP, localpref 100, valid, external, best
      path 680D859C RPKI State valid
  65001 4128
    10.0.1.1 from 10.0.1.1 (193.0.24.65)
      Origin IGP, localpref 100, valid, external
      path 680D914C RPKI State invalid
Result of Check
• Valid – A covering ROA was found whose AS number matches the origin AS and whose max length is at least the prefix length
• Invalid – A covering ROA was found, but none matched: the AS number did not match, or the announced prefix is longer than the ROA’s max length
• Not Found – No covering ROA was found, same as today
Valid!
r0.sea#show bgp 192.158.248.0/24
BGP routing table entry for 192.158.248.0/24, version 3043542
Paths: (3 available, best #1, table default)
  6939 27318
    206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 319, localpref 100, valid, internal, best
      Community: 3130:391
      path 0F6D8B74 RPKI State valid
  2914 4459 27318
    199.238.113.9 from 199.238.113.9 (129.250.0.19)
      Origin IGP, metric 43, localpref 100, valid, external
      Community: 2914:410 2914:1005 2914:3000 3130:380
      path 09AF35CC RPKI State valid

Invalid!
r0.sea#show bgp 198.180.150.0
BGP routing table entry for 198.180.150.0/24, version 2546236
Paths: (3 available, best #2, table default)
  Advertised to update-groups:
     2          5          6          8
  Refresh Epoch 1
  1239 3927
    144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 759, localpref 100, valid, internal
      Community: 3130:370
      path 1312CA90 RPKI State invalid

NotFound
r0.sea#show bgp 64.9.224.0
BGP routing table entry for 64.9.224.0/20, version 35201
Paths: (3 available, best #2, table default)
  Advertised to update-groups:
     2          5          6
  Refresh Epoch 1
  1239 3356 36492
    144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
      Origin IGP, metric 4, localpref 100, valid, internal
      Community: 3130:370
      path 11861AA4 RPKI State not found
![Page 55: BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year) • Origin Validation](https://reader034.vdocument.in/reader034/viewer/2022050612/5fb2d82a58d45447d522e551/html5/thumbnails/55.jpg)
What are the BGP / VRP1
Matching Rules?
1 Validated ROA Payload 2012.08.27 APNIC RtgSec 55
![Page 56: BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year) • Origin Validation](https://reader034.vdocument.in/reader034/viewer/2022050612/5fb2d82a58d45447d522e551/html5/thumbnails/56.jpg)
2012.08.27 APNIC RtgSec 56
A Prefix is Covered by a VRP when the VRP prefix length is less than or equal to the Route prefix length
98.128.0.0/16
98.128.0.0/12-16
98.128.0.0/16-24
98.128.0.0/20-24
Covers
Covers
No. It’s Longer
BGP
VRP
VRP
VRP
![Page 57: BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year) • Origin Validation](https://reader034.vdocument.in/reader034/viewer/2022050612/5fb2d82a58d45447d522e551/html5/thumbnails/57.jpg)
2012.08.27 APNIC RtgSec 57
Prefix is Matched by a VRP when the Prefix is Covered by that VRP, the prefix length is less than or equal to the VRP max-len, and the Route Origin AS is equal to the VRP’s AS

BGP route: 98.128.0.0/16 AS 42
  VRP 98.128.0.0/12-16 AS 42:  Matched
  VRP 98.128.0.0/16-24 AS 666: No. AS Mismatch
  VRP 98.128.0.0/20-24 AS 42:  No. VRP Longer
Page 58
Matching and Validity

  VRP0: 98.128.0.0/16-24 AS 6
  VRP1: 98.128.0.0/16-20 AS 42

  BGP 98.128.0.0/12 AS 42: NotFound, shorter than VRPs
  BGP 98.128.0.0/16 AS 42: Valid, Matches VRP1
  BGP 98.128.0.0/20 AS 42: Valid, Matches VRP1
  BGP 98.128.0.0/24 AS 42: Invalid, longer than VRP with AS 42
  BGP 98.128.0.0/24 AS 6:  Valid, Matches VRP0
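The Covered / Matched rules and the resulting Valid / Invalid / NotFound states, as an added example that is not part of the slides or of the rpki.net code; it uses the VRPs of slide 58 and only the Python standard library.

```python
# Added example (not from the slides): the Covered / Matched rules from
# slides 56-57 and the resulting Valid / Invalid / NotFound states, checked
# against the VRPs of slide 58.
from ipaddress import ip_network
from typing import List, NamedTuple


class VRP(NamedTuple):
    prefix: str    # VRP prefix, e.g. "98.128.0.0"
    length: int    # VRP prefix length
    max_len: int   # VRP max-len (maxLength from the ROA)
    asn: int       # origin AS authorised by the ROA

    def covers(self, route: str) -> bool:
        """Covered: VRP length <= route length and same leading bits."""
        r = ip_network(route, strict=False)
        v = ip_network(f"{self.prefix}/{self.length}", strict=False)
        return self.length <= r.prefixlen and r.subnet_of(v)

    def matches(self, route: str, origin_as: int) -> bool:
        """Matched: Covered, route length <= max-len, origin AS equal."""
        r = ip_network(route, strict=False)
        return (self.covers(route)
                and r.prefixlen <= self.max_len
                and origin_as == self.asn)


def validate(route: str, origin_as: int, vrps: List[VRP]) -> str:
    """Origin validation state of one BGP route against a VRP set."""
    covering = [v for v in vrps if v.covers(route)]
    if not covering:
        return "NotFound"   # no VRP covers the route (e.g. it is shorter)
    if any(v.matches(route, origin_as) for v in covering):
        return "Valid"
    return "Invalid"        # covered, but wrong AS or too long for every VRP


# The two VRPs on slide 58 (values taken from the slide)
VRPS = [
    VRP("98.128.0.0", 16, 24, 6),    # VRP0
    VRP("98.128.0.0", 16, 20, 42),   # VRP1
]

if __name__ == "__main__":
    for route, asn in [("98.128.0.0/12", 42), ("98.128.0.0/16", 42),
                       ("98.128.0.0/20", 42), ("98.128.0.0/24", 42),
                       ("98.128.0.0/24", 6)]:
        print(f"BGP {route} AS {asn}: {validate(route, asn, VRPS)}")
```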
Page 59
iBGP Hides Validity State

(diagram: iBGP Full Mesh; the same prefix p arrives with validity state valid, invalid and unknown)

Which do I choose? Why do I choose it?
Page 60
The Solution is to Allow Operator to Test and then Set Local Policy
Page 61
Fairly Secure

  route-map validity permit 10
   match rpki valid
   set local-preference 100
  route-map validity permit 20
   match rpki not-found
   set local-preference 50
  ! invalid is dropped
Page 62
Paranoid

  route-map validity permit 42
   match rpki valid
   set local-preference 110
  ! everything else dropped
Page 63
Set a Community

  route-map validity permit 10
   match rpki valid
   set community 3130:400
  route-map validity permit 20
   match rpki invalid
   set community 3130:200
  route-map validity permit 30
   set community 3130:300
![Page 64: BGP Origin Validation - APNIC• RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (starting last year) • Origin Validation](https://reader034.vdocument.in/reader034/viewer/2022050612/5fb2d82a58d45447d522e551/html5/thumbnails/64.jpg)
2012.08.27 APNIC RtgSec 64
And it is All Monitored

(diagram: BGP Updates and RPKI VRPs, delivered over the RPKI-Rtr Protocol, are marked Valid, Invalid or NotFound in the router; BGP Data is exported via SNMP and syslog to the NOC)
Page 65
The Big Speedbump
Page 66
Up-Chain Expiration

(diagram: the certificate chain IANA CA 0/0 -> ARIN CA 98.0.0.0/8 -> RGnet CA 98.128.0.0/16 -> PSGnet CA 98.128.0.0/17 -> EE Cert 98.128.0.0/17 -> ROA 98.128.0.0/17-24 AS 3130, each certificate carrying a Public Key)

Sloppy Admin, Cert Soon to Expire!
These are not Identity Certs
So My ROA will become Invalid!
Page 67
ROA Invalid but I Can Route

• The ROA will become Invalid
• My announcement will just become NotFound, not Invalid
• Unless my upstream has a ROA for the covering prefix, which is likely
Page 68
So Who You Gonna Call?
Page 69
Ghostbusters!

(diagram: the same certificate chain IANA CA 0/0 -> ARIN CA 98.0.0.0/8 -> RGnet CA 98.128.0.0/16 -> PSGnet CA 98.128.0.0/17 -> EE Cert 98.128.0.0/17 -> ROA 98.128.0.0/17-24 AS 3130, now with a Ghostbusters Record alongside it)

Ghostbusters Record (draft-ietf-sidr-ghostbusters):

  BEGIN:vCard
  VERSION:3.0
  FN:Human's Name
  N:Name;Human's;Ms.;Dr.;OCD;ADD
  ORG:Organizational Entity
  ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A.
  TEL;TYPE=VOICE,MSG,WORK:+1-666-555-1212
  TEL;TYPE=FAX,WORK:+1-666-555-1213
  EMAIL;TYPE=INTERNET:[email protected]
  END:vCard
Page 70
But in the End, You Control Your Policy

“Announcements with Invalid origins MAY be used, but SHOULD be less preferred than those with Valid or NotFound.” -- draft-ietf-sidr-origin-ops

But if I do not reject Invalid, what is all this for?
Page 71
Open Source (BSD License) Running Code: https://rpki.net/
Shipping Router Code: Talk to C & J
Page 72
BGPsec AS-Path Validation
Future Work
Page 73
Origin Validation is Weak
• RPKI-Based Origin Validation only stops accidental misconfiguration, which is very useful. But ...
• A malicious router may announce as any AS, i.e. forge the ROAed origin AS.
• This would pass Origin ROA Validation.
Page 74
Full Path Validation
• Rigorous per-prefix AS path validation is the goal
• Protect against origin forgery and AS-Path monkey in the middle attacks
• Not merely showing that a received AS path is not impossible
Page 75
Protocol Not Policy

• We cannot know intent: should Mary have announced the prefix to Bob?
• But Joe can formally validate that Mary did announce the prefix to Bob
• Policy on the global Internet changes every 36ms: new peers, new customers, new circuits, etc.
• We already have a protocol to distribute policy or its effects; it is called BGP
• BGPsec validates that the protocol has not been violated; it is not about intent or business policy
Page 76
Our Parents’ Internet

(diagram: ASes A, X, Z, W and B; Routing Announcements B -> WB -> XWB travel from B through W and X to A, and Packet Data Flows travel the reverse way)
Page 77
Path Shortening Attack

Expected Path: A->X->W->B
Diverted Path: A->X->Z->W->B

(diagram: Z receives WB from W but announces the shortened path ZB to X, so X announces XZB to A)

There Are Many Many Other Attacks
Page 78
Forward Path Signing
AS hop N signing (among other things) that it is sending the announcement to AS hop N+1, identified by AS number, is believed to be fundamental to protecting against monkey in the middle attacks
Page 79
Forward Path Signing

(diagram: an update for an NLRI passing AS1 -> AS2 -> AS3; each hop adds a Signed Forward Reference naming the next AS and a ^RtrCert reference to its router certificate; Sig1 is the hash signed by router key AS1.rtr-xx, Sig2 is the hash signed by router key AS2-rtr-yy)
Page 80
Forward-Signing

B cryptographically signs the message to W: Sb(B->W)
W signs messages to X and Z encapsulating B’s message: Sw(W->X (Sb(B->W))) and Sw(W->Z (Sb(B->W)))
X signs the message to A: Sx(X->A (Sw(W->X (Sb(B->W)))))
Z can only sign Sz(Z->X (Sw(W->Z (Sb(B->W)))))

(diagram: the same topology; Z’s shortened ZB announcement is crossed out, and X announces XWB to A)
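A runnable model of the forward-signing chain above, showing why the slide 77 shortened ZB announcement fails validation at X; this is an added example, not code from the slides or from BGPsec implementations. It assumes HMAC with constructed per-AS secrets as a stand-in for per-router asymmetric keys, and a key table as a stand-in for router certificates in the RPKI.

```python
# Added example (not from the slides): BGPsec-style forward path signing.
# Each hop signs (NLRI, own AS, NEXT AS by number, signature it received),
# so a hop can neither be dropped nor re-targeted without the signer's key.
import hashlib
import hmac
import os
from typing import Dict, List, NamedTuple

# Constructed secrets; HMAC stands in for per-router key pairs so the example
# runs offline. Lookup by AS stands in for fetching the router cert from the RPKI.
ROUTER_KEYS: Dict[str, bytes] = {asn: os.urandom(32) for asn in "ABWXZ"}


class Hop(NamedTuple):
    signer: str   # AS that produced this signature
    target: str   # AS it was sent to, bound into the signature
    sig: bytes


def _sign(signer: str, nlri: str, target: str, prev_sig: bytes) -> bytes:
    # Hash covers the prefix, the signing AS, the next AS and the prior signature.
    msg = hashlib.sha256(f"{nlri}|{signer}->{target}|".encode() + prev_sig).digest()
    return hmac.new(ROUTER_KEYS[signer], msg, hashlib.sha256).digest()


def forward_sign(nlri: str, signer: str, target: str, path: List[Hop]) -> List[Hop]:
    """signer sends nlri to target, encapsulating the signatures it received."""
    prev = path[-1].sig if path else b""
    return path + [Hop(signer, target, _sign(signer, nlri, target, prev))]


def validate_path(nlri: str, path: List[Hop], receiver: str) -> bool:
    """True only if every signature verifies, each hop's target is the next
    hop's signer, and the final target is the AS doing the validation."""
    prev = b""
    for i, hop in enumerate(path):
        if hop.signer not in ROUTER_KEYS:
            return False
        if not hmac.compare_digest(_sign(hop.signer, nlri, hop.target, prev), hop.sig):
            return False
        nxt = path[i + 1].signer if i + 1 < len(path) else receiver
        if hop.target != nxt:
            return False
        prev = hop.sig
    return bool(path)


def as_path(path: List[Hop]) -> str:
    return "".join(h.signer for h in reversed(path))   # e.g. "XWB"


NLRI = "98.128.0.0/16"                          # origin B's prefix (constructed)
SB_W = forward_sign(NLRI, "B", "W", [])          # Sb(B->W)
SW_X = forward_sign(NLRI, "W", "X", SB_W)        # Sw(W->X(Sb(B->W)))
SW_Z = forward_sign(NLRI, "W", "Z", SB_W)        # Sw(W->Z(Sb(B->W)))
SX_A = forward_sign(NLRI, "X", "A", SW_X)        # Sx(X->A(Sw(W->X(Sb(B->W)))))
SZ_X = forward_sign(NLRI, "Z", "X", SW_Z)        # all Z can legitimately sign


def shortened_by_z() -> List[Hop]:
    # Z's slide 77 "ZB" attempt: reuse B's segment and drop W. Z lacks B's key,
    # so it cannot make B sign "B->Z"; it can only splice B->W onto Z->X.
    return forward_sign(NLRI, "Z", "X", SB_W)
```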
Page 81
Capability Negotiation

• It is assumed that consenting routers will use BGP capability exchange to agree to run BGPsec between them
• The capability will, among other things, remove the 4096 PDU limit for updates
• If BGPsec capability is not agreed, then only traditional BGP data are sent
Page 82
Per-Router Keys

• Needed to deal with compromise of one router exposing an AS’s private key
• Implies a more complex certificate and key distribution mechanism
• A router could generate a key pair and send a certificate request to the RPKI for signing
• Certificate, or reference to it, must be in each signed path element
• If you want one per-AS key, share a router key
Page 83
Cert / Key Structure for an ISP

(diagram: IANA CA 0/0 AS0-65535 -> ARIN CA 98.0.0.0/8 AS3000-4000 -> PSGnet CA 98.128.0.0/16 AS3130 AS3970, each with a Public Key. Under the PSGnet CA: a Prefix EE Cert 98.128.0.0/16 signing the ROA 98.128.0.0/16-24 AS 3130, and an AS Cert AS3130 (a CA) signing multiple Router EE Certs, each with its own Public Key and labelled AS3130 rtr-00 on the slide)

Router EE Cert Encodes ASN and Router ID
Page 84
Only at Provider Edges

• This design protects only inter-domain routing, not IGPs, not even iBGP
• BGPsec will be used inter-provider, only at the providers' edges
• Of course, the provider’s iBGP will have to carry the BGPsec information
• Providers and inter-provider peerings might be heterogeneous
Page 85
Simplex End Site

• Receives Unsigned & Trusts Up-streams to Validate
• Only Signs Own Prefix(es)
• Very few signatures!
• No verification
• Only Needs to Have Own Private Key
• No Other Crypto or RPKI Data
• No Hardware Upgrade!!
Page 86
Incremental Deployment
Incrementally deployable in today's Internet, and does not require global deployment, a flag day, etc.
Page 87
No Increase of Operator Data Exposure
• Operators wish to minimize any increase in visibility of information about peering and customer relationships etc.
• No IRR-style publication of customer or peering relationships is needed
Page 88
Work Supported By
• US Government
THIS PROJECT IS SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY UNDER AN INTERAGENCY AGREEMENT WITH THE AIR FORCE RESEARCH LABORATORY (AFRL). [0]
[0] – they Take your Scissors Away and we turn them into plowshares
• ARIN
• Internet Initiative Japan & ISC
• Cisco, Juniper, Google, NTT, Equinix