1 / 8

S-BGP Workshop Topology

AS runs S-BGP. Compromised S-BGP AS. AS does not run S-BGP. S-BGP Workshop Topology. ISP A. ISP B. ISP C. AS 64710. AS 64720. AS 64730. 172.16.16 / 22. 172.16.32 / 22. 172.16.52 / 22. Private peering inter-AS link. ISP H. DSP D. AS 64780. AS 64740. 172.16. 128/ 21. 172.16.50/ 24.

brier
Download Presentation

S-BGP Workshop Topology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AS runs S-BGP Compromised S-BGP AS AS does not run S-BGP S-BGP Workshop Topology ISP A ISP B ISP C AS 64710 AS 64720 AS 64730 172.16.16 / 22 172.16.32 / 22 172.16.52 / 22 Private peering inter-AS link ISP H DSP D AS 64780 AS 64740 172.16. 128/ 21 172.16.50/ 24 Autonomous System (AS) number AS 64770 AS 64760 AS 64750 Subscriber networks 172.16.112 / 22 172.16.96 / 21 172.16.84 / 22 ISP G ISP F ISP E

  2. AS runs S-BGP Compromised S-BGP AS AS does not run S-BGP All link addresses begin with 192.168.x.x All subscriber addresses are 172.16.X / Y Scenario 1 – Two clients access a server Legitimate server 172.16.32.1 ISP A ISP B ISP C AS 64710 9.1 AS 64720 18.2 AS 64730 16 / 22 32 / 22 52 / 22 9.2 18.3 10.7 29.5 Subscriber traffic ISP H Adversary server AS 64780 128 / 21 57.7 Adversary 48.5 10.1 57.8 29.3 48.8 AS 64770 AS 64750 112 / 21 84 / 22 ISP G ISP E Client E Client G

  3. AS runs S-BGP Compromised S-BGP AS AS does not run S-BGP Scenario 1 – Misconfiguration by BGP AS Legitimate server 172.16.32.1 ISP A ISP B ISP C AS 64710 9.1 AS 64720 18.2 AS 64730 16 / 22 32 / 22 52 / 22 9.2 18.3 10.7 29.5 Subscriber traffic ISP H Adversary server AS 64780 128 / 21 57.7 Adversary Unauthorized Routing UPDATE 48.5 10.1 57.8 29.3 48.8 Unauthorized Routing UPDATE Traffic rerouted from AS not running S-BGP AS 64770 AS 64750 112 / 21 84 / 22 ISP G ISP E

  4. AS runs S-BGP Compromised S-BGP AS AS does not run S-BGP Scenario 2 – Two clients access a server Legitimate server 172.16.32.1 ISP A ISP B ISP C AS 64710 9.1 AS 64720 18.2 AS 64730 16 / 22 32 / 22 52 / 22 9.2 18.3 10.7 29.5 Subscriber traffic 10.1 29.3 AS 64770 54.7 AS 64760 46.6 AS 64750 112 / 21 96 / 21 84 / 22 54.6 46.5 ISP G ISP F ISP E

  5. AS runs S-BGP Compromised S-BGP AS AS does not run S-BGP Scenario 2 – Compromised S-BGP AS advertises another AS’s Prefix Legitimate server 172.16.32.1 ISP A ISP B ISP C AS 64710 9.1 AS 64720 18.2 AS 64730 16 / 22 32 / 22 52 / 22 9.2 18.3 10.7 29.5 Subscriber traffic Traffic rerouted from AS not running S-BGP 10.1 29.3 AS 64770 54.7 AS 64760 46.6 AS 64750 112 / 21 32 / 22 84 / 22 54.6 46.5 ISP G ISP F ISP E Routing UPDATE Unauthorized prefix rejected by S-BGP router Unauthorized Prefix

  6. AS runs S-BGP Compromised S-BGP AS AS does not run S-BGP Scenario 3 – Active Wiretapping between S-BGP ASes to Redirect Subscriber Traffic to Attacker Legitimate server 172.16.16.1 ISP A ISP B ISP C AS 64710 9.1 AS 64720 18.2 AS 64730 16 / 22 32 / 22 52 / 22 9.2 18.3 22.6 29.5 DSP D Subscriber traffic Valid Routing UPDATE AS 64740 172.16.50/ 24 47.5 22.2 29.3 AS 64760 46.6 AS 64750 47.4 Illegitimate server 172.16.16.1 96 / 21 84 / 22 46.5 ISP F ISP E

  7. AS runs S-BGP Compromised S-BGP AS AS does not run S-BGP Scenario 3 – Modified UPDATE rejected by S-BGP Legitimate server 172.16.16.1 ISP A ISP B ISP C AS 64710 9.1 AS 64720 18.2 AS 64730 16 / 22 32 / 22 52 / 22 9.2 18.3 22.6 29.5 DSP D Subscriber traffic Valid Routing UPDATE AS 64740 172.16.50/ 24 47.5 22.2 29.3 AS 64760 46.6 AS 64750 47.4 Illegitimate server 172.16.16.1 96 / 21 84 / 22 46.5 ISP F ISP E Modified UPDATE rejected by S-BGP router Routing UPDATE modified by attacker

  8. Routers Distributed Cert/CRL/AA Repository S-BGP Operations at an ISP or Subscriber Organization Registry or ISP [1] CA Cert Req CA Cert ISP/Org ISP’s/Org’s CA Certs,CRLs, AAs from this ISP/Org Certs,CRLs, AAs from all ISPs/Orgs [6] Policies & Extracts [2b] [2a] End Entity Cert Reqs [7b] NOC Tools GUI EE Certs CRLs CA Cert Generate Cert Reqs Upload to Routers [4] Create, Sign & Upload List of Transactions AAs, Certs, CRLs [5a] [3] Generate & Sign AAs signed files 1 per rtr signed files 1 per rtr S-BGP Policies Extract File (Public Keys & AA data) [5b] reconciliation Download from Repository Certs,CRLs,AAs downloaded from Repository Validate, Extract, & Sign File [7a] Manage Policies

More Related