Resource Public Key Infrastructure: A pilot for the Internet2 Community to secure the global route table
Andrew Gallo

Posted 24-Jul-2019

TRANSCRIPT

Page 1: Resource Public Key Infrastructure

A pilot for the Internet2 Community to secure the global route table

Andrew Gallo

Page 2: The Basics

• The Internet is a self-organizing network of networks.
• How do you find your way around?
• Over 500k ‘destinations’ in the current Internet routing table

Page 3: BGP to the Rescue

• The Border Gateway Protocol (BGP) runs between network operators to share reachability information.
• Wildly successful and stable Internet protocol:
  – First standardized in 1989
  – Current version (4) standardized in 1994

Page 4: BGP – a protocol built on trust

• Very few mechanisms in BGP for security
  – MD5 hash for session passwords
  – TTL security
  – ACLs
• These mechanisms protect the control plane but say nothing about the payload.
• About the time of BGP standardization, table size 20k routes and < 1500 ASNs (source: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_4-1/bgp_routing_table.html)

Page 5: What about Identity – who is who

• No hierarchical addressing or routing on the Internet backbone
• Any address can appear at any location
  – Opposite of the predecessor mass communications network – PSTN
• Solved the problem of decoupling location and identity
• Created the problem of table size (different talk) and topology (identity) integrity – anyone can claim to be any address at any location

Page 6: How are address blocks assigned?

• In the old days (according to legend), in Jon Postel’s notebook
• Today, there is the IANA, the RIRs, LIRs, etc.

Page 7: If that’s how they’re assigned, how are they validated?

• They aren’t. There is nothing in BGP or its operation that prevents anyone from claiming to be any address.
• There is no relationship between prefix, ASN, organization, etc.
• Current state: use Internet Routing Registry (IRR) data (e.g., RADB) and whois data to filter improper advertisements.

Page 8: When Things go Wrong

• Pakistan claims to be YouTube (2008)
  – Mistake or intentional?
• CTBC (Brazilian ISP) leaks full table (2008)
• China Telecom claims 37,000 routes (2010)
• Bitcoin hijacking (2014)

Why does this happen?
• Mistakes
• Clobber target network (blackhole target’s network)
• Fun and profit (Bitcoin example)
• Observe, capture, sniff, MITM (more advanced)

Page 9: Hijacking – shortest path

[Diagram: a client; ASN64515, ASN64818, ASN64717, ASN64612, ASN64616, ASN64919; legit network announces 172.18.0.0/16; bad guy announces 172.18.0.0/16 – “so am I!”]

Page 10: BGP Hijacking – more specific

[Diagram: a client; ASN64515, ASN64818, ASN64717, ASN64612, ASN64616, ASN64919; legit network announces 172.18.0.0/16; bad guy announces 172.18.122.0/24 – “I'm more specific!”]

Page 11: Current State of the Art

• Rely on filtering (whois data, IRR data, LOAs)
  – Semi-automated and error prone (poor input data)
• Detect
  – BGP monitoring services: BGPMon, Cyclops, Thousand Eyes
• Mitigate
  – Call your upstream
  – Post to NANOG
  – Advertise more specific networks (as done with YouTube)

Page 12: RPKI is the Answer (to some of the issues)

• Resource Public Key Infrastructure
  – Relatively new technology
  – Cryptographically assures an ASN is authorized to announce prefixes
• Extension to X.509 to carry IP prefix information
  – Route Origin Authorization (ROA)

Page 13: RPKI structure

• The IANA is the source of all addresses
• But rather than being the single root of the trust chain, each of the 5 Regionals holds self-signed certs for the resources they hold.
• Two modes of operation:
  – Hosted (RIRs run the PKI infrastructure)
  – Delegated (RIRs issue Resource Certificates to orgs that further sub-delegate IP space)

Page 14: ROA Contents

• Origin Autonomous System Number
• Prefix (with optional max mask length)
• Validity dates
• When a ROA is created, it has a cryptographically provable chain to the source of authority allowing that IP to be advertised by that ASN.
• No more outdated, erroneous, or missing whois or IRR data

Page 15: I’ve signed my routes, now what?

• Go collect ROAs from the TALs, process them, feed digested data to router for policy processing.
  – RPKI-to-rtr protocol (RFC 6180)
• No crypto processing in the routers
  – Not with origin validation
  – SIDR (path validation)
    • Hop-by-hop, with crypto processing on the router
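
The hand-off described above, from the validator's cache to the router, is the RPKI-to-Router protocol. As an added example that is not from the slides, the Python below encodes and decodes the IPv4 Prefix PDU defined in RFC 6810 and replays a stream of such PDUs into the router's table of validated ROA payloads. The prefix, max length and ASN reuse the ARIN ROA shown on the CLI slide later in this deck; the PDU stream itself is constructed.

```python
"""RPKI-to-Router (RFC 6810) IPv4 Prefix PDU encoder/decoder.

Added example, not from the slides. Models the hand-off from a validator's
cache to a router: the cache serialises each validated ROA payload as a PDU,
the router parses it and maintains its (prefix, max length, origin AS) table.
"""
import ipaddress
import struct

PDU_VERSION = 0            # RFC 6810 protocol version number
PDU_TYPE_IPV4_PREFIX = 4   # IPv4 Prefix PDU type code
IPV4_PREFIX_PDU_LEN = 20   # fixed size of an IPv4 Prefix PDU in bytes
FLAG_ANNOUNCE = 0x01       # bit 0 set = announce, clear = withdraw

# version, type, reserved, length, flags, prefix len, max len, zero, prefix, ASN
_PDU_FORMAT = "!BBHIBBBB4sI"


def encode_ipv4_prefix_pdu(prefix, max_length, asn, announce=True):
    """Serialise one validated ROA payload as the cache would send it."""
    net = ipaddress.IPv4Network(prefix)
    if not net.prefixlen <= max_length <= 32:
        raise ValueError("max length must be between the prefix length and 32")
    flags = FLAG_ANNOUNCE if announce else 0
    return struct.pack(_PDU_FORMAT, PDU_VERSION, PDU_TYPE_IPV4_PREFIX, 0,
                       IPV4_PREFIX_PDU_LEN, flags, net.prefixlen, max_length,
                       0, net.network_address.packed, asn)


def decode_ipv4_prefix_pdu(data):
    """Parse one PDU as the router would; returns (announce, prefix, max_length, asn).

    Every field the RFC fixes is checked, so a truncated or corrupted PDU
    raises instead of silently producing a bogus table entry.
    """
    if len(data) != IPV4_PREFIX_PDU_LEN:
        raise ValueError("IPv4 Prefix PDU must be exactly 20 bytes")
    (version, pdu_type, _reserved, length, flags, prefix_len, max_len,
     _zero, raw_prefix, asn) = struct.unpack(_PDU_FORMAT, data)
    if version != PDU_VERSION or pdu_type != PDU_TYPE_IPV4_PREFIX:
        raise ValueError("not an RFC 6810 IPv4 Prefix PDU")
    if length != IPV4_PREFIX_PDU_LEN or not prefix_len <= max_len <= 32:
        raise ValueError("malformed IPv4 Prefix PDU")
    # strict=True (default) rejects a prefix with host bits set
    prefix = ipaddress.IPv4Network((raw_prefix, prefix_len))
    return bool(flags & FLAG_ANNOUNCE), str(prefix), max_len, asn


def apply_pdus(pdus, table=None):
    """Replay a stream of PDUs into the router's set of (prefix, max_length, asn)."""
    table = set() if table is None else table
    for pdu in pdus:
        announce, prefix, max_length, asn = decode_ipv4_prefix_pdu(pdu)
        if announce:
            table.add((prefix, max_length, asn))
        else:
            table.discard((prefix, max_length, asn))
    return table


if __name__ == "__main__":
    # Constructed stream: the ARIN ROA from the CLI slide, then its withdrawal.
    announce_pdu = encode_ipv4_prefix_pdu("162.250.136.0/22", 24, 4901)
    withdraw_pdu = encode_ipv4_prefix_pdu("162.250.136.0/22", 24, 4901, announce=False)
    print(announce_pdu.hex())
    print(apply_pdus([announce_pdu]))                # {('162.250.136.0/22', 24, 4901)}
    print(apply_pdus([announce_pdu, withdraw_pdu]))  # set()
```

The router never sees a certificate or a signature here: all the cryptographic work has already been done by the validator, which is the point of the "no crypto processing in the routers" bullet. What crosses the wire is only the digested (prefix, max length, ASN) triple, so the transport between cache and router is what has to be trusted, which is the "secure transport of the RPKI data" item later in the deck.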

Page 16: What it looks like – block diagram

[Block diagram: Trust Anchor Locators for APNIC, AfriNIC, ARIN*, LACNIC and RIPE (RIR-hosted crypto engines) and a delegated/customer CA; a validator; routers]

Page 17: Three Route States

• Valid
  – Prefix is covered by a valid ROA
• Unknown
  – No ROA exists for this prefix
• Invalid
  – Unauthorized announcement
    • Mismatch between authorized ASN and originating ASN, split origin
    • More specific announcement than valid ROA allows
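
The three states above are exactly the RFC 6811 origin-validation outcome, computed from the ROA contents listed on the previous slide. As an added example that is not from the slides, the Python below classifies an announcement against a table of validated ROA payloads and reports which of the two "invalid" reasons applied. The table is constructed: the 162.250.136.0/22 entry mirrors the ARIN ROA on the CLI slide, and the 172.18.0.0/16 entry assigns the legitimate origin of the hijack diagrams the documentation ASN 64919; AS 65033 (the wrong origin from the CLI slide) plays the bad guy.

```python
"""Route Origin Validation (RFC 6811) against a table of validated ROA payloads.

Added example, not part of the slides. ROA_TABLE is constructed: the
162.250.136.0/22 entry mirrors the ARIN ROA shown on the CLI slide, and the
172.18.0.0/16 entry gives the legitimate origin from the hijack diagrams the
documentation ASN 64919.
"""
import ipaddress

# Validated ROA payloads as a validator hands them to the router:
# (prefix, max length, origin ASN). A max length equal to the prefix length
# means only that exact prefix may be announced.
ROA_TABLE = [
    ("162.250.136.0/22", 24, 4901),
    ("172.18.0.0/16", 16, 64919),
]


def covering_roas(announced_prefix, roas):
    """Yield every ROA whose prefix contains the announced prefix."""
    announced = ipaddress.ip_network(announced_prefix)
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if announced.version == roa_net.version and announced.subnet_of(roa_net):
            yield roa_net, max_length, roa_asn


def validate_origin(announced_prefix, origin_asn, roas=ROA_TABLE):
    """Return 'valid', 'invalid' or 'unknown' for one announcement (RFC 6811).

    unknown: no ROA covers the prefix.
    valid:   some covering ROA names this origin AS and allows this length.
    invalid: covered, but every covering ROA fails on AS or on length.
    """
    announced = ipaddress.ip_network(announced_prefix)
    covered = False
    for _roa_net, max_length, roa_asn in covering_roas(announced_prefix, roas):
        covered = True
        if roa_asn == origin_asn and announced.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "unknown"


def explain_invalid(announced_prefix, origin_asn, roas=ROA_TABLE):
    """List why an announcement is invalid, in the terms of the slide above."""
    announced = ipaddress.ip_network(announced_prefix)
    reasons = set()
    for _roa_net, max_length, roa_asn in covering_roas(announced_prefix, roas):
        if roa_asn != origin_asn:
            reasons.add("origin AS mismatch (ROA authorizes AS%d)" % roa_asn)
        if announced.prefixlen > max_length:
            reasons.add("more specific than ROA max length /%d" % max_length)
    return sorted(reasons)


if __name__ == "__main__":
    # The two hijacks from the diagrams, the legitimate announcement, a too
    # specific announcement by the right AS, and a prefix with no ROA at all.
    for prefix, asn in [("172.18.0.0/16", 64919), ("172.18.0.0/16", 65033),
                        ("172.18.122.0/24", 65033), ("162.250.136.0/25", 4901),
                        ("192.0.2.0/24", 64919)]:
        state = validate_origin(prefix, asn)
        detail = explain_invalid(prefix, asn) if state == "invalid" else ""
        print(prefix, "AS%d" % asn, state, detail)
```

Two properties worth noticing: an announcement is judged only against ROAs that cover it, so a ROA for a neighbouring block can never make an unrelated prefix invalid; and the more-specific hijack from the diagram fails on both counts at once (wrong AS and longer than the max length), which is why a tight max length on the ROA matters, a point the "loose ROA" bullet later in the deck comes back to.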

Page 18: What to do with this data

• With 92% of the table in an unknown state, probably nothing [1]
• In a fully deployed RPKI environment, do you
  – Reject unknown, invalid routes?
  – Set LOCALPREF low??
  – Set Community, put in a VRF?
• Still under operational development
• Study RFC 6483

[1] Source: https://rpki-monitor.antd.nist.gov/, 05-OCT-2017

Page 19: Checking validation – CLI

agallo@foghorn:~$ whois -h whois.bgpmon.net " --roa 4901 162.250.136.0/22"
0 - Valid
------------------------
ROA Details
------------------------
Origin ASN: AS4901
Not valid Before: 2015-07-22 04:00:00
Not valid After: 2018-07-22 04:00:00 Expires in 1y154d1h12m27.6000000014901s
Trust Anchor: rpki.arin.net
Prefixes: 162.250.136.0/22 (max length /24)

***** Wrong origin AS *****
↓↓↓↓↓

agallo@foghorn:~$ whois -h whois.bgpmon.net " --roa 65033 162.250.136.0/22"
2 - Not Valid: Invalid Origin ASN, expected 4901

Page 20: So, we’ve solved everything, right?

• RPKI provides origin validation only
• See SIDR working group for path validation
• Still some work to be done on RPKI
  – Secure transport of the RPKI data
  – Operational best practices
  – And, the best part…

Page 21: RPKI introduces vulnerabilities

• TALs become valuable targets
  – Wasn’t the decentralized design of the Internet a reaction to the PSTN (either explicitly or implicitly)?
• How do I trust that the prefixes the TALs are using are properly originated?
• Bootstrap problem of using the network itself to validate its own topology (Gödel strikes the Internet?)
• Currently, rsync is used to collect ROAs; is there a better way?
• Also, doesn’t prevent
  – Improper advertisement with correct ASN
  – Reasoning behind not using max mask length in ROA: “loose ROA”

Page 22: Slow adoption

• About 10% of the table
• Chicken-and-egg problem
  – but not like IPv6
• Europe is kicking our butts!

Page 23: Don’t Speak BGP? You’re not off the hook

• Using hosted applications (what the kids call The Cloud) – look at the Bitcoin hijacking case
• Your space can still be hijacked or clobbered by a fat finger, so:
  – Ask your providers about RPKI plans
  – Demand your resources be protected
• Not if, but when will they be protected

Page 24: Hosted RPKI with ARIN – Overview

[Diagram: Step 1 – Generate key pair, submit Certificate Request; Step 2 – Submit ROA Request; Step 3]

Page 25: Hosted RPKI with ARIN

• Basic workflow:
  – Initial (one-time)
    • Request hosted RPKI with ARIN, provide public key that matches the private key that will be used to sign requests
      – This is NOT the keypair used to create the ROA, just to authenticate communication between you and ARIN
    • This takes about 24 hours for ARIN to enable RPKI for your resources.
    • Once enabled, everything is self-service.

Page 26: Hosted RPKI with ARIN – Step 1: Key generation

• See https://www.arin.net/resources/rpki/faq.html#keypairgeneration
• Generate key
• Extract Public Key

Page 27: Hosted RPKI with ARIN – Step 2: Request Hosted RPKI

• Log into ARIN Online, ‘Ask ARIN’
• Create ticket for ‘Create Hosted Resource Certificate’
• Include public key created in previous step
• Wait. During this time ARIN is configuring the RPKI infrastructure to allow you to create ROAs

Page 28: Hosted RPKI with ARIN – Step 3: Create ROA (web)

• Log into ARIN Online, navigate to the Org owning the resource
• Left menu, click Search
• In View Your Associated Networks, click on a Net Handle

Page 29: Hosted RPKI with ARIN – Step 4: Create ROA (web)

• Click on Actions and select Manage RPKI
• Click on Create ROA

Page 30: Hosted RPKI with ARIN – Step 5: Create ROA (web)

• Fill in information
• This is the private key that was created in step 1

Page 31: Hosted RPKI with ARIN – Step 5: Manual ROA request (alternate method)

• There is an option to create the signed request via CLI, and paste the data in this form, in the ‘Signed’ tab.
• See “Using OpenSSL” at https://www.arin.net/resources/rpki/faq.html

Page 32: Hosted RPKI with ARIN – Step 6: Create ROA (web)

• Last step – review
• Once submitted, a ticket is automatically created
  – Can be viewed under “Tickets”
• Usually takes a minute or two to create ROA
• May take 24 hours to be available via TAL

Page 33: ARIN OT&E

• Operational Test and Evaluation environment
  – Environment for testing various ARIN services
  – Monthly refresh of data from production
  – See wiki for details on setting up RPKI access in the OT&E

Page 34: ARIN OT&E – Key Differences

• All ROAs in the OT&E are signed using a key at: https://www.arin.net/resources/ote.html#rpki
• The keypair used in the OT&E for signing requests is public:
  – https://www.arin.net/resources/ote.html#rpki

Page 35: ROA Creation – Live Demo

• Valid ROA
• Invalid ROA (should fail)
  – Prefix outside Org’s assignment or allocation

Page 36: Route Validation

• Second ‘half’ of RPKI:
  – Collect ROAs from Trust Anchors
  – Cryptographic processing
  – Feed digested route list to router
• Three common validators
  – RIPE’s Validator*
  – Dragon Research Labs: rcynic Validator
  – Raytheon BBN RPSTIR Project (current??)

Page 37: Route Validation – Validator Demo

• RIPE Validator
  – Java, requires JRE 8
  – ARIN Trust Anchor Locator (TAL) must be manually added
    • (We can hold the discussion about the legal ramifications of RPKI for another time!)

Page 38: Junos Configuration

• Two areas to configure
  – Validation session (connection to the validating cache)
    • Under routing-options validation
  – Import policy to trigger database lookup
    • Under policy-options policy-statement

Page 39: Junos Configuration – Validation Session

• Basic configuration to establish session with validator
• There are other options (time outs, etc.)

Page 40: Junos Configuration – Policy

• This is a simple policy to trigger validation database lookup
• Policy is open to operational need
  – Accept?
  – Reject?
  – LocalPref?
  – Send to VRF?
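
The two configuration areas named on the last three slides, written out as an added example; this is not the configuration from the speaker's slides. The cache address 192.0.2.10 and port 8282, the group name rpki-cache, the policy name rpki-origin-validation and the BGP group ebgp-transit are all assumptions. It answers the policy question above one way (reject invalid, accept valid and unknown); a local-preference or a routing-instance action would go in the same then clauses.

```junos
routing-options {
    validation {
        /* Session to the validating cache (RPKI-to-router). Address and port are assumed. */
        group rpki-cache {
            session 192.0.2.10 {
                port 8282;
            }
        }
    }
}
policy-options {
    /* One term per validation state; each term both queries the database and records the state on the route. */
    policy-statement rpki-origin-validation {
        term mark-valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                validation-state valid;
                accept;
            }
        }
        term mark-invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                validation-state invalid;
                reject;
            }
        }
        term mark-unknown {
            from {
                protocol bgp;
                validation-database unknown;
            }
            then {
                validation-state unknown;
                accept;
            }
        }
    }
}
protocols {
    bgp {
        /* The policy only runs where it is applied as an import policy. Group name assumed. */
        group ebgp-transit {
            import rpki-origin-validation;
        }
    }
}
```

Routes learned from a BGP group that does not apply the import policy are never looked up and therefore show as unverified in show route validation-state, the Junos-specific fourth state listed on the next slide; checking for unverified routes is a quick way to find peerings the policy was not applied to.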

Page 41: Junos Operation – Show commands

• Useful show commands
  – show route validation-state

    State       Description                         Means
    invalid     Invalid route validation state      Mismatch in ASN/prefix mapping; more specific not covered by valid ROA
    unknown     Unknown route validation state      No ROA found
    valid       Valid route validation state        Matching ROA found
    unverified  Unverified route validation state   *Junos specific; no policy triggers database lookup

  – show validation session

Page 42: Barriers to Adoption

• Lack of familiarity
  – Hopefully we’ve at least started to address that today
• RPKI doesn’t address a high risk problem
  – Low priority
• Legal
  – No (L)RSA with ARIN
  – RPA

Page 43: THANK YOU

• Contact info
  – Andrew Gallo
  – agallo@gwu.edu
  – Pilot Wiki
  – Slack Channel: i2rpkidemo.slack.com