Securing the Routing Infrastructure
Sandra Murphy
Sparta, Inc
sandy@tislabs.com, sandy@sparta.com
Internet2

BGP Operation
[Diagram labels]
AS 10
ASPATH=10, NLRI=12/8
AS 20
ASPATH=20,10, NLRI=12/8
Net 12/8
ASPATH=30,20,10, NLRI=12/8
AS 30
ASPATH=20,10, NLRI=12/8
AS 22
ASPATH=22,20,10, NLRI=12/8

BGP Operation – More specific prefixes
[Diagram labels]
AS 10
ASPATH=10, NLRI=12/8
AS 20
ASPATH=20,10, NLRI=12/8
Net 12/8
ASPATH=30,20,10, NLRI=12/8
ASPATH=22, NLRI=12.12/16
AS 30
ASPATH=20,10, NLRI=12/8
AS 22
Net 12.12/16
ASPATH=22,20,10, NLRI=12/8
ASPATH=22, NLRI=12.12/16

Misconfiguration (we hope) Attacks
• Apr 1997 AS7007 announces classful addresses for the whole world
• Feb/Apr/Aug 2001 Abovenet/Quest/Digex announces routes with private AS numbers in them
• Typical consequences:
• Dec 1999 a mis-origination by a downstream takes out ATT’s dial-up net – WSJ notices
• Apr/May 2003 Trafalgar House/LA County space hijacked by registry spoof
• Side effect on operation
• Covad does not aggregate their prefix announcements because they tried it and someone announced more specific prefixes

Think we’re past all that?
• Dec 24, 2004 – AS9121 (TTNet) announced 100K+ routes for 1 hr 20 min (shorter event later)
• According to May 2005 NANOG presentation, 1/3 of Renesys’s 100 peers saw the bad routes within 3 min
• The bad routes spread far and wide
• Affected networks included (from NANOG slide):
• Blue Cross Blue Shield of Iowa - Thomson Financial Services - Citicorp Global Information Network - MetLife Capital Corp - Pitney Bowes Credit Corporation - Brown Brothers Harriman & Company - LaSalle Partners - Kuwait Fund for Arab Economic Development

And recently…
• Sep 9, 9:29-10:47, AS 26210, a Bolivian ISP, announced 12/8, 64/8 and 65/8.
• 12/8, 3549 1239 12956 26210
• GX-Sprint-Telefonica-AES Comm (Bolivia)
• On Sep 10, another anomaly
• 12/8, 3549 1299 12676 (GX-TeliaNet-NCORE)
• “FYI, happened again this morning for (at least) 12/8 duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s.”

Consequences
• Note to NANOG Sep 9:
“And wouldn't you know it, we have an application that needs to reach servers in 12/8 and 65/8, and someone just came over to me asking for help in figuring out why that application isn't working. I guess I should have checked my NANOG mail before I told them I had no idea what was going on. :)”

Moral of the Story
• Your network operation may be an inspiration to us all, but:
• The other parts of the Internet hold your fate:
• Your users may not be able to reach the sites they want to reach
• Your users’ remote users may not be able to reach your users
• Need more than effective local operation

A Sequence of Solutions
Increasingly stringent – increasing cost:
• Peer-peer Connection Protection
• Filters – prefix filters and AS-path filters
• Origination Protection
• Origination and AS_PATH Adjacency Protection
• Origination and AS_PATH Route Protection
• Origination, Transit and Policy Protection
• “Freshness”

In Common Use
• Peer-Peer protection methods
• TCP MD5, IPsec, TLS, GTSM, (BTNS?)
• For crypto techniques, management is the biggest problem
• Managing keys for many, many peers, key rollover, hash algorithm rollover
• Performance scale comes up frequently as well

In Common Use (2)
• Filters – prefix filters and AS-PATH filters
• Requires transitive trust
• “Transitively trusting all peers’ on-net customers: fundamentally unsafe” (NANOG Renesys presentation)
• Management hard (particularly at large ASes) – keeping filter lists current
• Manual configuration
• Authority based
• Team Cymru Bogon Route Server Project for VIP, bogon and martians; IRR based filter generators
• OTOH: Mar 2003 – 69/8 allocated; Jan 2004 – 83/8 and 84/8 allocated – installed filters did not keep up
• For large ISPs – filter lists stress hardware

Requirements for Authorities
• Must scale to Internet size and routing dynamics
• Design issues:
• Non-hierarchical, singly rooted, multiply rooted?
• Centralized, replicated, or distributed?
• Client/server vs peer-peer?
• Query/response vs wholesale download?
• Event based vs periodic download?
• ISP distaste for relying on external info for configuration of their routing; chicken and egg

Origination Protection
• Authorization only (AS is authorized for the address)
• Authorization and Authentication (AS is also currently announcing the address) protects that “17%” unannounced but allocated
• Need authority (not necessarily central) that:
• Stores info completely, accurately and securely
• Accepts changes securely – model for authorization
• Need architecture and mechanisms for communication with “authority”
• Need procedures and tools for putting info into use

Origination and AS_PATH Adjacency Protection
• Checks that adjacent ASes in AS_PATH have peering
• SoBGP, Garcia-Luna-Aceves/Smith
• Need way to securely transmit adjacency – inline or query/download from database
• Processing demands (crypto stuff)
• Residual vulnerabilities
• Existence of peering adjacency gives no assurance ASes will transit traffic
• Does not assure loop freedom
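
An added example (not from the original slides) of the two checks described in the Origination Protection and Origination and AS_PATH Adjacency Protection slides, run over paths that appear in this deck. The authorization table and peering list are constructed from the BGP Operation diagram, the function names are hypothetical, and treating an origin as authorized when any covering entry lists it is an assumed policy.

```python
import ipaddress

# Constructed authority data modelled on the BGP Operation diagram:
# AS 10 may originate 12/8, AS 22 may originate 12.12/16.
ORIGIN_AUTH = {
    ipaddress.ip_network("12.0.0.0/8"): {10},
    ipaddress.ip_network("12.12.0.0/16"): {22},
}
# Constructed list of registered peerings (unordered AS pairs).
PEERINGS = {frozenset(p) for p in [(10, 20), (20, 30), (20, 22)]}


def origin_status(prefix, origin):
    """Origination check: is `origin` listed for any entry covering `prefix`?"""
    net = ipaddress.ip_network(prefix)
    covering = [asns for p, asns in ORIGIN_AUTH.items() if net.subnet_of(p)]
    if not covering:
        return "unknown"  # the authority holds no data for this address space
    return "ok" if any(origin in asns for asns in covering) else "bad-origin"


def check_update(prefix, as_path):
    """Classify an announcement; as_path lists the nearest AS first, origin last."""
    status = origin_status(prefix, as_path[-1])
    if status != "ok":
        return status
    # Collapse AS-path prepending (repeated ASNs) before comparing neighbours.
    hops = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    for left, right in zip(hops, hops[1:]):
        if frozenset((left, right)) not in PEERINGS:
            return "bad-adjacency"
    return "ok"


if __name__ == "__main__":
    samples = [  # paths from the slides, plus constructed cases
        ("12.0.0.0/8", [30, 20, 10]),
        ("12.0.0.0/8", [3549, 1239, 12956, 26210]),
        ("12.12.0.0/16", [26210]),
        ("12.0.0.0/8", [30, 10]),
        ("64.0.0.0/8", [26210]),
    ]
    for prefix, path in samples:
        print(prefix, path, "->", check_update(prefix, path))
```

A path assembled entirely from registered peerings and ending in an authorized origin passes both checks whether or not the update actually travelled that path, which is the residual gap listed on the slide above.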

Origination and AS_PATH Route Protection
• Protection to show update propagating through the ASes in AS_PATH
• Indicates each AS in path has willingness and capability to forward traffic toward the stated route
• SBGP; SPV
• Protection may or may not be passed inline
• Processing demands – crypto and storage
• Residual vulnerabilities
• Freshness; policy compliance

Origination, Route and Policy Protection
• Policy protection – e.g., AS A has a peering relationship with B, not transit – B should not announce A’s addresses
• Need to express and communicate policy
• That means expose policy – anathema to many
• Policy is specific to one AS
• But may target remote AS
• No current mechanisms to express, communicate or ensure policies (caveat: SoBGP)

Freshness
• Receive replacement route, send replacement route – then send original route again
• BGP has no features that would help a receiver discern whether update ordering has been maintained

Current Activity
• Concerned community working on this
• ISP’s, Registry, Security, Router Vendor folk
• Consensus is that the most pressing need is:
• Registration database integrity improved
• Authenticated list of AS-prefix origination authorizations
• Useful in many ways:
• Operational debugging
• Customer care
• Security protection
• Fundamental basis for ANY security solution

Query
• Anyone interested in participating in discussion?
• In putting this to a trial?
• Start with AS->prefix mapping for Internet2
• See how difficult it is to include in operational procedures
• Sponsor - DHS S&T, SPRI program (Secure Protocols for the Routing Infrastructure)