This working group aims to recommend a framework for the industry to adopt secure routing procedures and protocols in a market-driven, cost-effective manner. The framework includes technical procedures and protocols to address the vulnerabilities of the Border Gateway Protocol (BGP) and ensure the integrity of the Internet routing infrastructure.
Working Group 6: Secure BGP Deployment
March 22, 2012
Andy Ogielski, Renesys
Jennifer Rexford, Princeton U.
WG 6 Co-Chairs
Communications Security, Reliability and Interoperability Council (CSRIC)

WG 6: Mission Statement
• Short description: The Border Gateway Protocol (BGP) controls inter-domain packet traffic routing on the entire global Internet. BGP relies on trust among operators of gateway routers to ensure the integrity of the Internet routing infrastructure. Over the years, this trust has been compromised on a number of occasions, both accidentally and maliciously, revealing fundamental weaknesses of this critical infrastructure. This Working Group will recommend the framework for industry regarding incremental adoption of secure routing procedures and protocols based on existing work in industry and research. The framework will include specific technical procedures and protocols. The framework will be proposed in a way suitable for opt-in by large Internet Service Providers (ISPs) in order to create incentives for a wider scale, incremental ISP deployment of secure BGP protocols and practices in a market-driven, cost-effective manner.
• Duration: August 2011 – March 2013

WG 6 – Participants

WG 6 – Problem Statement
• Interdomain routing is fundamental for operation of the Internet (the “Inter” in Internet)
• BGP protocol is simple
  • BGP router may relay messages to neighbors about routes
  • Every route is constructed hop-by-hop, with NO global authority
• BGP policy is complex
  • Networks apply local policies for accepting & propagating routes
  • This is good: Great flexibility to support networking business, availability, robustness and disaster recovery
  • This is bad: Vulnerability to propagating false routes that were maliciously or inadvertently generated

WG 6 – Problem Statement Cont’d
How to secure such a system?
• BGP was built on trust that routes received are legitimate
• Trust but Verify! All BGP security solutions offer some form of validation of routes
• First do no harm! Any tinkering with BGP must avoid damaging reachability of end users, or compromising scalability
• Since the Internet’s many constituent networks have different objectives and business concerns, any viable security solution must preserve the local autonomy of Network Operators

WG 6 – Methodology
• Document known threats
  • Real BGP security incidents, and known vulnerabilities
• Identify a suite of BGP security solutions
  • Current best common practices
  • Origin certification
  • Cryptographic path validation
• Identify dimensions for comparing solutions
  • Technical maturity, and cost to deploy and operate
  • Trust models and governance
  • Security benefits, residual threats and new attack surfaces
  • Feasibility of incremental deployment
  • Impact on autonomy of network operators and nations
• Derive preliminary recommendations

WG 6 – Initial recommendations
• Ground truth through resource registration and certification
  • Network Operators should ensure their Internet Routing Registry records are public, complete, and up-to-date
  • Network Operators should encourage the American Registry for Internet Numbers (ARIN) to deliver a hosted Resource Public Key Infrastructure (RPKI) service
  • Network Operators should encourage a single global “root of trust” for the RPKI

WG 6 – Initial recommendations
• Phased deployment of techniques to detect and prevent route hijackings
  • Network Operators should track the developments in the BGP security community
  • Network Operators should consider phased deployment strategies for using certified routing data in ways that are consistent with their own internal policies
  • The BGP security community should investigate new risks introduced by resource certification

WG 6 – Initial recommendations
• Apply metrics for continuous evaluation of security solutions
  • The BGP security community should evaluate existing BGP security metrics, and extend them where necessary
  • The BGP security community should perform continuous monitoring and analysis of BGP security incidents

WG 6 – Ongoing Work for Future Reports
• Evaluation of risks associated with deployment and use of a hierarchical resource certification system for Internet network addresses and their bindings.
• Recommendations for security metrics and measurement methodologies for calibrating the current levels of BGP security incidents and evaluating effectiveness of proposed solutions.
• Editorial improvements: Glossary of technical terms and concepts.

WG 6 – Conclusions
• There is consensus among WG 6 members that Internet number resource allocation, trustworthy certification, operational procedures and related externalities have very considerable implications for security
• While unanimity in recommendations was an objective from the outset, each of the views expressed herein is not necessarily shared by all WG 6 members
• We note that the recommendations are strictly advisory in nature
• We will keep refining the recommendations and continue to explore ways to improve the security of inter-domain routing