This Working Group focuses on securing the DNS and routing system during the period leading up to significant deployment of protocol extensions such as DNSSEC and Secure BGP. Its scope is currently deployed feature sets and processes, not future protocol extensions.
Working Group #4: Network Security – Best Practices
March 6, 2013
Presenters: Rod Rasmussen, Internet Identity; Tony Tauber, Comcast WG #4
Working Group #4: Network Security Best Practices
• Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to some significant deployment of protocol extensions such as the Domain Name System Security Extensions (DNSSEC), Secure BGP (Border Gateway Protocol) and the like. The scope and focus is currently deployed and available feature-sets and processes and not future or non-widely deployed protocol extensions.
• Duration: September 2011 – March 2013
Working Group #4 – Participants
• Co-Chairs
• Rod Rasmussen – Internet Identity
• Rodney Joffe – Neustar
• Participants
• 30 Organizations represented
• Service Providers
• Network Operators
• Academia
• Government
• IT Consultants
Working Group #4 – Deliverables
• Domain Name Service (DNS) Security Issues
• Reported on in September 2012
• BGP and Inter-Domain Routing Security Issues
• Report and vote today
Working Group #4: Network Security Best Practices
FINAL Report – Routing Security Best Practices
March 6, 2013
Presenter: Tony Tauber, Comcast WG #4
Routing Key Points
• Routing security is an environmental good
• Unilateral action does not entirely benefit practitioners
• Deployment details and scenarios vary
• Recommendations should as well
• Autonomy is sacrosanct
• Key feature of the operational Internet
Report Scope
• Capabilities in currently deployed gear
• Not commenting on protocol extension work
• Handled in WG #6
• ISP Network Operational Practices
• Enterprise Network Operational Practices
• Administrative Practices
Routing Issues Considered
• BGP Session-Level Vulnerability
• Session Hijacking
• Denial of Service (DoS) Vulnerability
• Source-address filtering
• BGP Injection and Propagation Vulnerability
• BGP Injection and Propagation Countermeasures
• BGP Injection and Propagation Recommendations
• Other Attacks and Vulnerabilities of Routing Infrastructure
• Hacking and unauthorized 3rd party access to routing infrastructure
• ISP insiders inserting false entries into routers
• Denial-of-Service Attacks against ISP Infrastructure
• Attacks against administrative controls of routing identifiers
Deployment Scenarios
• Vary according to topology
• Stub network vs. Transit network
• Vary as a function of scale
• Number of BGP routers
• Number of BGP sessions
• Size of Operational staff
Recommendation Process
• Leverage existing security recommendations
• Taken together recommendations can be confusing, contradictory
• Tailor advice based on deployment scenarios
• IETF RFCs and BCPs, ICANN SSAC Papers, NIST Special Reports, ISOC papers, SANS Reports
• Over a dozen separate documents referenced
Recommendation Highlights
• Perform explicit filtering of BGP prefixes
• Customer relationships
• Protect against spoofed IP source addresses
• Source validation at network edge
• Filter internal address space inbound from Internet
• Use extra steps to lessen impact of route leaks
• Coarse AS-path filters
• Maximum-Prefix limits
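The following is an added example, not part of the presentation or the working group's report: a small model of how the highlighted inbound controls (explicit customer prefix filter, internal-space filter, coarse AS-path filter, maximum-prefix limit) combine on one customer BGP session. All prefixes, AS numbers, limits and function names are constructed for illustration, and counting received rather than accepted prefixes for the limit is an assumption.

```python
import ipaddress

# Constructed policy values (documentation prefixes and ASNs, not from the report).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
INTERNAL_SPACE = [ipaddress.ip_network("192.0.2.0/24")]  # our own address space
BIG_TRANSIT_ASNS = {64496, 64497}  # coarse AS-path filter list
MAX_PREFIXES = 4                   # received-prefix ceiling for the session


def check_route(prefix, as_path):
    """Return the reason a route is rejected, or "accept"."""
    net = ipaddress.ip_network(prefix)
    # Our own address space must never be learned from an external neighbor.
    if any(net.overlaps(own) for own in INTERNAL_SPACE):
        return "reject: internal address space"
    # Coarse AS-path filter: a customer path that contains a large transit
    # network indicates a route leak.
    if BIG_TRANSIT_ASNS.intersection(as_path):
        return "reject: transit AS in customer path"
    # Explicit prefix filter: only the customer's registered prefixes
    # (or more-specifics of them) are accepted.
    if not any(net.subnet_of(allowed) for allowed in CUSTOMER_PREFIXES):
        return "reject: prefix not registered to customer"
    return "accept"


def evaluate_session(announcements):
    """Apply the per-route filters, then the maximum-prefix limit."""
    results = [(prefix, check_route(prefix, path)) for prefix, path in announcements]
    # The limit counts everything received, so it still trips on a large
    # leak even where the per-route filters are incomplete.
    session_up = len(announcements) <= MAX_PREFIXES
    return session_up, results


# Constructed announcements from a customer in AS 64500.
NORMAL = [("203.0.113.0/24", [64500]), ("198.51.100.0/24", [64500])]
LEAK = NORMAL + [
    ("192.0.2.0/24", [64500]),
    ("198.18.0.0/15", [64500, 64496, 64510]),
    ("10.20.0.0/16", [64500, 64511]),
]

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL), ("leak", LEAK)):
        print(name, evaluate_session(batch))
```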
Working Group #4: Network Security Best Practices
March 6, 2013
Questions/Comments
Presenter: Tony Tauber, Comcast WG #4 Co-Chair