1 / 27

Enhancing Routing Security with IRR Deployment in JP by NTT Communications

Learn about deploying IRR in Japan for improved routing reliability, with insights on detecting hijack routes and enhancing routing security. Discover the significance of IRR and how it contributes to maintaining a safe Internet.

tobyellsworth
Download Presentation

Enhancing Routing Security with IRR Deployment in JP by NTT Communications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Deployment of IRR in JP and Routing Securityfor improvement the reliabilityof routing NTT Communications‘OCN’/ JPNIC IRR-Plan Chair Tomoya Yoshida <yoshida@ocn.ad.jp>

  2. Inter-AS • Exchanging by BGP • The route generated in somewhere in the worlds is transmitted all over the world • The Internet is always continuing changing • What flow will come from somewhere in advance, it does not understand in many cases

  3. Hijack Route • Malice • SPAM Send • Site/Network Hijack • Miss Configuration : sometimes bug • Redistribute • type miss

  4. Hijack Route vs. Right Route • Injection place of hijack route • Customer ー>checking of use address and prefix filtering • Peer ー>often found • Upstream ー>often found

  5. Hijack Route vs. Right Route • Prefix length of hijack route • Same ー>Form of connection, as-path etc • Shorter ー>Although influence can be disregarded, it is unpleasant • Longer ー>Inhales

  6. Hijack Route vs. Right Route • AS path length of hijack route • Same ー>Depend on form of connection • Shorter ー>Depend on form of connection but almost lose • Longer ー>Cannot be said that it is OK absolutely

  7. Hijack Route vs. Right Route • origin AS of hijack route • Same ー>May be hard to detect • Different ー>May not be hard to detect

  8. Hijack Route vs. Right Route • MED value of hijack route • SAME ー>Depend on form of connection • Shorter ー>When the AS Path is also same, it will lose • Bigger ー>May not to be safe absolutely

  9. Hijack Route vs. Right Route • bgp community strings of hijack route • Same ー>Depend on the filtering of bgp community • Different ー>Depend on the filtering of bgp community

  10. Pollution condition of router • Hijack Route only • Completely polluted • Hijack Route(best) + Right Route • Regrettably polluted • Hijack Route + Right Route(best) • Safe but dangerous • Right Route only • Beautiful body

  11. As For pollution condition, even the inside of AS is different *>10.0.0.0/8AS666 best * 10.0.0.0/8AS200 Right AS AS200 * 10.0.0.0/8AS666 *>10.0.0.0/8AS200 best AS100 RC hijackAS AS666 RR RR RC RC RC *>10.0.0.0/8AS666 best AS300 AS400 *>10.0.0.0/8AS200 best

  12. It dose now … • The wrong route is detected promptly • What is the right route? • How to detect? • Maintain the information or IR and IRR suitably • Insist the right route

  13. The Scope of which can detect by only IRR Can detect Difficult Different origin AS Different prefix length Same origin AS Same prefix length The location of origin etc... Depend on object AS Path bgp community MED

  14. Reliable Information • Scattered IRR • IRR as a registration place • The justification of data is not checked in many cases • Reliable information? • Assignment/Allocation information • IP Address, AS number • IR knows

  15. Arrangement of opinion here The Route may be hijacked The technique of checking the justification of the route is required Reliable information is required IR do the IRR

  16. Experimental IRR service by JPNIC • Free Service for JP community • Mirroring : APNIC, RIPE NCC, RADB • # of objects (2005/08/01) Mntner : 60 Route :359 Aut-num :36 As-set :34

  17. How to make a reliable information? Why we choose to operate IRR? • It is necessity to cooperate with the database of an IP address, in order to keep the information on IRR healthy • The right validation is not made in IRR which ISP does • In Japan, more reliable information offer of IRR can expect enough by JPNIC operate IRR • By practical use of IRR, danger, such as mistake operation, is reduced and it can contribute to keep the Internet safe JPNIC operate IRR exactly

  18. Future of JPIRR ( part ) • Cooperate with the IP address database • The registration/change range is limited for every user • A certificate authority and an electronic certificate are utilized positively • Checking the mirroring status • Comparison with bgp route information • searching your object Information offer to smooth management of the Internet

  19. Attestation mechanism IP Registry System = WHOIS JPIRR Reference of the changes range JPNIC Whois Web Web Address assignment Resource application Information Registration Certificate management Information reference Resources applicant LIR appointment JPIRRadministrator (operator) Resources administrator

  20. Attestation acquisition example

  21. It uses by WEB browser

  22. JP route information = JPIRR First of all, the right Japan routing databaseis made of course, IPv6 also do from now Routing Information database of BGP is made in JP

  23. BGP Operation using IRR • Domestic AS number and AS-PATH number are increasing, and updating work is serious • Although Japan has performed operation of carrying out mutual exchange of the AS PATH, it does not suit and it has become the present time from ancient times • If the filter is carried out firmly at each entrance of ISP, the route with strange as-path will not flow

  24. Automation by IRR • Using AS-Set object and Route objects as-set: AS-OCN descr: ASes advertised by OCN members: AS4713, AS290, AS2504, AS2526, AS4249, AS4688, AS4710, AS4711, AS4718, AS7502, AS7511, AS7521, AS7522, AS7524, AS7529, AS7668, AS7671, AS7672, AS7674, AS7676, AS7682, AS7684, AS7686, AS9351, AS9353, AS9363, AS9368, AS9370, AS9374, AS9601, AS9602, AS9605, AS9612, AS9614, AS9617, AS9618, : AS-Path filter + Prefix Filter _290$ _2504$ …. + 10.100.0.0/16 10.200.0.0/16 …. route: 10.1.0.0/16 route: 10.2.0.0/16 …. It is important that route object is managed exactly and reliable!

  25. The necessity for international cooperation • It is not the problem solved even if only JPNIC does • Operation based on the hierarchy of the Registry structure • Each registry manages exactly the route/AS information under management of own country or himself • It is also applicable to CRISP CRISP: Cross Registry Information Service Protocol

  26. IR hierarchy model : goal Certificate authority, Internet Resource Management, IRR database management *1 : Inter-RIR Mirror *2 : Inter-IR Mirror *3 : Member Mirror *1 APNIC ARIN RIPE ・・・ *2 Mirroring -> CRISP? JPNIC NIR’s ・・・ *3 LIR’s ・・・ LIR’s LIR’s ・・・

  27. Conclusion / Suggestion • Reliable Information is made • High flexibility BGP operation is realized by using internet routing information database • We want to cooperate in the Asian area not only in Japan but in other countries and other regions

More Related