Are We There Yet? On RPKI Deployment and Security
Yossi Gilad, joint work with: Avichai Cohen, Amir Herzberg, Michael Schapira, Haya Shulman
2019-01-22

Transcript
Page 1: Are We There Yet? On RPKI Deployment and Security

Yossi Gilad, joint work with: Avichai Cohen, Amir Herzberg, Michael Schapira, Haya Shulman

Page 2: The Resource Public Key Infrastructure

The Resource Public Key Infrastructure (RPKI) maps IP prefixes to the organizations that own them [RFC 6480]
•  Intended to prevent prefix/subprefix hijacks
•  Lays the foundation for advanced defenses against path-manipulation attacks on interdomain routing
   –  BGPsec, SoBGP, …

Page 3: RPKI Allows Route Origin Validation

[Figure: AS X, AS Y, AS 3320 (Deutsche Telekom) and AS 666, with BGP advertisements and data flow. AS 3320 advertises 91.0.0.0/10 (path: 3320), AS Y re-advertises it (path: Y-3320), and AS 666 advertises 91.0.0.0/10 (path: 666).]

Autonomous System (AS) X uses the RPKI to issue a Route Origin Authorization (ROA) mapping 91.0.0.0/10 to AS 3320

ROA: 91.0.0.0/10, max-length = 10, AS 3320
Route Origin Validation (ROV)

Page 4: Talk Outline

•  ROV
   –  First measurements of ROV
   –  How “good” is ROV in partial deployment?
•  ROAs
   –  Mistakes
   –  Improving accuracy with ROAlert

Page 5: Filtering Bogus Advertisements

Route Origin Validation (ROV): use ROAs to discard/deprioritize route advertisements from unauthorized origins [RFC 6811]

[Figure: the ROAs live at the RPKI publication point; an RPKI cache inside the Autonomous System retrieves them and verifies the signatures; the BGP routers consult the cache, e.g. for 91.0.0.0/10: AS = 3320, max-length = 10.]

Page 6: Measuring Non-ROV-Filtering ASes

ASes that propagate invalid BGP advertisements do not perform filtering

[Figure: Origin 1 advertises 1.2.3.0/24 and Origin 2 advertises 4.5.6.0/24; the advertisements propagate through ASes A, B, C, D, E and F towards two RouteViews (RV) sensors.]

Origins 1 & 2 advertise RPKI-invalid IP prefixes in BGP

Page 7: Measuring Non-ROV-Filtering ASes

ASes that propagate invalid BGP advertisements do not perform filtering

[Figure: same topology as page 6.]

RouteViews sensor observes a “bad” route to 1.2.3.0/24, AS path: C, A, Origin 1
RouteViews sensor observes a “bad” route to 4.5.6.0/24, AS path: F, E, D, Origin 2

Page 8: Measuring Non-ROV-Filtering ASes

ASes that propagate invalid BGP advertisements do not perform filtering

[Figure: same topology as page 6; the ASes on the observed paths are marked as ASes that don’t filter invalid advertisements.]

We find that at least 78 of the 100 largest ISPs do not filter
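The inference of pages 6 to 8 in runnable form, as an added example that is not the authors' measurement code: a RouteViews-style observation is a (prefix, AS path) pair, and every AS on the path of a prefix known to be RPKI-invalid propagated that route, so it is not enforcing ROV. The prefixes, AS names and paths are constructed to match the figure; the "top ISP" list is an assumption.

```python
# Constructed RouteViews-style observations, matching the figure on pages 6-7:
# (prefix, AS path as exported to the sensor: sensor-side peer first, origin last).
INVALID_PREFIXES = {"1.2.3.0/24", "4.5.6.0/24"}   # announced by the experiment's own origins
OBSERVED = [
    ("1.2.3.0/24", ["C", "A", "Origin1"]),
    ("4.5.6.0/24", ["F", "E", "E", "D", "Origin2"]),   # E prepends its own ASN
    ("203.0.113.0/24", ["B", "D", "Origin3"]),         # RPKI-valid prefix: proves nothing
]
TOP_ISPS = ["A", "B", "C", "D", "E", "F"]                # assumed "largest ISPs" list


def canonical_path(as_path):
    """Collapse AS-path prepending so each AS on the path is counted once."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def infer_non_filtering(observations, invalid_prefixes):
    """Every AS that exported a route for a known RPKI-invalid prefix did not
    drop it, so it is not enforcing ROV.  The origin is excluded: it is the
    experiment's own announcing AS, not a measured network."""
    non_filtering = set()
    for prefix, as_path in observations:
        if prefix not in invalid_prefixes:
            continue          # valid or not-found routes say nothing about filtering
        non_filtering.update(canonical_path(as_path)[:-1])
    return non_filtering


def classify_isps(isps, observations, invalid_prefixes):
    """Split a list of ISPs into those proven non-filtering and the rest.
    'inconclusive' means no invalid route was seen through the AS: it may
    filter, or simply sit off every observed path, so the proven count is a
    lower bound (hence the talk's "at least 78 of 100")."""
    proven = infer_non_filtering(observations, invalid_prefixes)
    return {
        "non_filtering": sorted(a for a in isps if a in proven),
        "inconclusive": sorted(a for a in isps if a not in proven),
    }


if __name__ == "__main__":
    print(classify_isps(TOP_ISPS, OBSERVED, INVALID_PREFIXES))
```

Note that the method only ever proves the negative: an AS that deprioritizes rather than drops invalid routes still shows up on a propagated path, while an AS that never appears on any observed path cannot be credited with filtering.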

Page 9: What is the Impact of Partial ROV Adoption?

•  Collateral benefit:
   –  Adopters protect ASes behind them by discarding invalid routes

[Figure: Origin AS 1 holds a ROA for 1.1.0.0/16 with max-length = 16 and advertises 1.1/16 (AS path: 1). AS 666 advertises the subprefix 1.1.1/24 (AS path: 666). AS 2 discards the invalid route and offers AS 3 only 1.1/16 (AS path: 2-1).]

AS 3 is only offered a good route

Page 10: What is the Impact of Partial ROV Adoption?

•  Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks!
   –  Disconnection: adopters might be offered only bad routes

[Figure: Origin AS 1 (ROA for 1.1.0.0/16, max-length = 16) advertises 1.1/16 (AS path: 1); AS 666 advertises the same prefix 1.1/16; AS 2 offers AS 3 the route to 1.1/16 with AS path 2-666.]

AS 2 prefers to advertise routes from AS 666 over AS 1
AS 3 receives only the bad advertisement and disconnects from 1.1/16

Page 11: What is the Impact of Partial ROV Adoption?

•  Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks!
   –  Control-plane / data-plane mismatch! Data flows to the attacker, although AS 3 discarded the route

[Figure: Origin AS 1 (ROA for 1.1.0.0/16, max-length = 16); AS 666 advertises the subprefix 1.1.1/24; AS 2 offers AS 3 both 1.1/16 (AS path: 2-1) and 1.1.1/24 (AS path: 2-666).]

AS 2 advertises both prefix & subprefix routes
AS 3 discards the bad subprefix route
AS 2 does not filter and uses the bad route for the subprefix, so AS 3’s traffic for 1.1.1/24 follows its 1.1/16 route to AS 2, where longest-prefix match sends it on to AS 666

Page 12: Quantify Security in Partial Adoption: Simulation Framework

[Figure: example AS-level graph (ASes A through L) with a victim prefix 1.1.0.0/16, max-length = 16.]

•  Pick victim & attacker
•  Victim’s prefix has a ROA
•  Pick set of ASes doing ROV
•  Evaluate which ASes send traffic to the attacker

Empirically-derived AS-level network from CAIDA, including inferred peering links [Giotsas et al., SIGCOMM’13]
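An added example, not the authors' simulator, that puts pages 5 and 9 to 12 into runnable form: a minimal path-vector simulator with per-neighbour local preference, RFC 6811 origin validation at ROV-adopting ASes, and longest-prefix-match forwarding on the data plane. The topology, ROA and preferences are constructed from the figures (AS numbers 1, 2, 3 and 666 are the slides' own); export policies and the CAIDA graph are not modelled, every AS exports its best route to every neighbour.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ROA:
    prefix: IPv4Network
    max_length: int
    asn: int


def rov_state(prefix, origin, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.asn == origin and prefix.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


@dataclass
class AS:
    asn: int
    neighbors: dict                                  # neighbour ASN -> local preference (higher wins)
    rov: bool = False                                # drops RPKI-invalid routes if True
    originates: list = field(default_factory=list)   # prefixes this AS originates
    rib: dict = field(default_factory=dict)          # prefix -> AS path (next hop first, origin last); () = local


def best_routes(me, ases, roas):
    """One BGP decision round: own prefixes, then neighbours' best routes,
    ranked by local preference, then path length, then lowest next-hop ASN."""
    cands = {}
    for p in me.originates:
        cands.setdefault(p, []).append((float("inf"), 0, 0, ()))
    for nb, pref in me.neighbors.items():
        for p, path in ases[nb].rib.items():
            full = (nb,) + path
            if me.asn in full:                       # loop prevention
                continue
            if me.rov and rov_state(p, full[-1], roas) == "invalid":
                continue                             # ROV adopter discards the route
            cands.setdefault(p, []).append((pref, len(full), nb, full))
    return {p: max(c, key=lambda t: (t[0], -t[1], -t[2]))[3] for p, c in cands.items()}


def converge(ases, roas, max_rounds=20):
    """Synchronous propagation until no RIB changes."""
    for _ in range(max_rounds):
        new = {asn: best_routes(a, ases, roas) for asn, a in ases.items()}
        changed = any(new[asn] != ases[asn].rib for asn in ases)
        for asn, rib in new.items():
            ases[asn].rib = rib
        if not changed:
            return
    raise RuntimeError("no convergence")


def forward(ases, src, dst, max_hops=16):
    """Data plane: longest-prefix match at every hop, regardless of what the
    control plane discarded upstream.  Returns the ASN that delivers, or None."""
    dst, cur = ip_address(dst), src
    for _ in range(max_hops):
        matches = [p for p in ases[cur].rib if dst in p]
        if not matches:
            return None                              # disconnected
        path = ases[cur].rib[max(matches, key=lambda p: p.prefixlen)]
        if not path:
            return cur                               # locally originated: delivered here
        cur = path[0]
    return None


def scenario(as2_rov, attack_prefix, as2_prefers_attacker=False):
    """Topology of pages 9-11: origin AS 1 with ROA 1.1.0.0/16 max-length 16,
    transit AS 2, ROV-adopting AS 3 behind it, attacker AS 666 next to AS 2."""
    roas = [ROA(ip_network("1.1.0.0/16"), 16, 1)]
    ases = {
        1: AS(1, {2: 100}, originates=[ip_network("1.1.0.0/16")]),
        2: AS(2, {1: 100, 666: 200 if as2_prefers_attacker else 100, 3: 100}, rov=as2_rov),
        3: AS(3, {2: 100}, rov=True),
        666: AS(666, {2: 100}, originates=[ip_network(attack_prefix)]),
    }
    converge(ases, roas)
    return ases


if __name__ == "__main__":
    benefit = scenario(as2_rov=True, attack_prefix="1.1.1.0/24")                              # page 9
    print("page 9:  AS 3 -> 1.1.1.1 delivered by AS", forward(benefit, 3, "1.1.1.1"))
    disc = scenario(as2_rov=False, attack_prefix="1.1.0.0/16", as2_prefers_attacker=True)   # page 10
    print("page 10: AS 3 -> 1.1.1.1 delivered by", forward(disc, 3, "1.1.1.1"))
    mismatch = scenario(as2_rov=False, attack_prefix="1.1.1.0/24")                           # page 11
    print("page 11: AS 3 RIB", {str(p): r for p, r in mismatch[3].rib.items()},
          "but AS 3 -> 1.1.1.1 delivered by AS", forward(mismatch, 3, "1.1.1.1"))
```

Running the three scenarios reproduces the slides: with AS 2 filtering, AS 3's traffic reaches AS 1; with AS 2 preferring the attacker's same-prefix hijack, AS 3 discards the only route it is offered and has no path at all; with the subprefix hijack, AS 3's RIB holds only the valid /16, yet its packets for 1.1.1.1 end at AS 666 because AS 2 forwards on the more specific route. The page 12 framework is this loop repeated over a real AS graph with a random adopter set, counting which ASes end at the attacker.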

Page 13: Quantify Security in Partial Adoption

•  Top ISP adopts with probability p
•  Significant benefit only when p is high

[Plots: prefix hijack success rate and subprefix hijack success rate as a function of p.]

Page 14: Quantify Security in Partial Adoption

[Plot: subprefix hijack success rate for the two scenarios below.]

Adoption by the top 100 ISPs makes a huge difference!

•  Comparison between two scenarios:
   –  today’s status, as reflected by our measurements
   –  all top 100 ISPs perform ROV
•  Each other AS does ROV with fixed probability

Page 15: Security in Partial Adoption

Bottom line:

ROV enforcement by the top ISPs is both necessary and sufficient for substantial security benefits from RPKI

Page 16: Talk Outline

•  Security in partial ROV deployment
   –  First measurements of ROV
   –  How “good” is ROV in partial deployment?
•  ROAs
   –  Mistakes
   –  Improving accuracy with ROAlert

Page 17: Mistakes in ROAs

Many mistakes in ROAs (see RPKI monitor)
–  “bad ROAs” cause legitimate prefixes to appear invalid
–  filtering by ROAs may cause disconnection from legitimate destinations
–  extensive measurements in [Iamartino et al., PAM’15]

Page 18: Bad ROAs

Concern for disconnection was pointed out in our survey
–  anonymous survey of over 100 network operators (details in paper)

[Chart: answers to “What are your main concerns regarding executing RPKI-based origin authentication in your network?”]

Page 19: Bad ROAs

Who is responsible for “bad ROAs”?
•  Hundreds of organizations are responsible for invalid IP prefixes, but…
•  Good news: most errors are due to a small number of organizations

Page 20: Insecure Deployment: Loose ROAs

[Figure: AS A, AS X and AS 666, with BGP advertisements and data flow. AS A holds a ROA for 1.2.0.0/16 with max-length = 24 and advertises 1.2.0.0/16 (path: A). AS 666 advertises 1.2.3.0/24 with path 666-A.]

The ROA allows advertising subprefixes up to length /24
AS A originates 1.2.0.0/16 but not 1.2.3.0/24: the ROA is “loose”
1.2.3.0/24, path: 666-A, is a valid advertisement since AS A is the “origin”
Longest-prefix match: path length does not matter

Page 21: Insecure Deployment: Loose ROAs

•  Loose ROAs are common!
   –  almost 30% of IP prefixes in ROAs
   –  manifest even in large providers

Page 22: Improving Accuracy with ROAlert

•  roalert.org allows checking whether networks are protected by ROAs
   –  …and if not, why not
•  Online, proactive notification system
   –  constantly monitoring
   –  not opt-in
•  Retrieves ROAs from the RPKI and compares them against BGP advertisements
•  Alerts network operators about “loose ROAs” & “bad ROAs”
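An added example, not roalert.org's code, that makes the checks of pages 17 to 22 concrete. Given a ROA set and the prefixes their holders actually announce in BGP, it reports prefixes with no ROA, bad ROAs (the holder's own announcement validates as RPKI-invalid), and loose ROAs (max-length permits sub-prefixes the holder never announces), and shows that under the loose ROA of page 20 the forged-origin sub-prefix 1.2.3.0/24 validates. The ROAs, the announcements and the private-range ASNs 64500 to 64502 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class ROA:
    prefix: IPv4Network
    max_length: int
    asn: int


# Constructed ROAs; the private-range ASNs are placeholders, not real holders.
ROAS = [
    ROA(ip_network("1.2.0.0/16"), 24, 64500),    # page 20: holder announces only the /16 -> loose
    ROA(ip_network("91.0.0.0/10"), 10, 3320),    # page 3: tight
    ROA(ip_network("10.10.0.0/16"), 16, 64501),  # holder actually announces /24s -> bad ROA
]
# Constructed BGP view of what the legitimate holders announce: (prefix, origin ASN).
ANNOUNCED = [
    ("1.2.0.0/16", 64500),
    ("91.0.0.0/10", 3320),
    ("10.10.1.0/24", 64501),
    ("10.10.2.0/24", 64501),
    ("203.0.113.0/24", 64502),                   # no ROA covers it
]


def _net(p):
    return p if isinstance(p, IPv4Network) else ip_network(p)


def covering(prefix, roas):
    return [r for r in roas if _net(prefix).subnet_of(r.prefix)]


def authorized(prefix, origin, roas):
    """RFC 6811 'valid': some covering ROA names this origin and permits this length."""
    net = _net(prefix)
    return any(r.asn == origin and net.prefixlen <= r.max_length
               for r in covering(net, roas))


def audit(roas, announced):
    """ROAlert-style report over a ROA set and the holders' own announcements."""
    unprotected, bad = [], []
    for p, origin in announced:
        if not covering(p, roas):
            unprotected.append(p)                    # "not found": no ROA at all
        elif not authorized(p, origin, roas):
            bad.append((p, origin))                  # legitimate route is RPKI-invalid
    loose = {}
    for r in roas:
        plen = r.prefix.prefixlen
        if r.max_length <= plen:
            continue
        # every sub-prefix of length plen+1 .. max_length is authorised for r.asn
        allowed = sum(2 ** (n - plen) for n in range(plen + 1, r.max_length + 1))
        used = {ip_network(p) for p, o in announced
                if o == r.asn and ip_network(p).subnet_of(r.prefix)
                and plen < ip_network(p).prefixlen <= r.max_length}
        if len(used) < allowed:
            loose[str(r.prefix)] = allowed - len(used)  # sub-prefixes open to forged-origin hijack
    return {"unprotected": unprotected, "bad_roa": bad, "loose_roa": loose}


def minimal_roas(roa, announced):
    """Replacement for a loose ROA: one ROA per announced prefix, max_length == length."""
    return [ROA(ip_network(p), ip_network(p).prefixlen, o) for p, o in announced
            if o == roa.asn and ip_network(p).subnet_of(roa.prefix)]


if __name__ == "__main__":
    print(audit(ROAS, ANNOUNCED))
    # page 20: AS 666 announces 1.2.3.0/24 with path 666-A; origin A validates
    print("forged-origin /24 valid:", authorized("1.2.3.0/24", 64500, ROAS))
    fixed = minimal_roas(ROAS[0], ANNOUNCED)
    print("after tightening:", authorized("1.2.3.0/24", 64500, fixed))
```

The loose count for 1.2.0.0/16 with max-length 24 is 510: every /17 through /24 inside the /16 is authorised for the holder, none is announced, and each can be hijacked by anyone who prepends the holder's ASN as the origin. Replacing the ROA by per-prefix ROAs whose max-length equals the prefix length removes the exposure without invalidating anything the holder actually announces.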

Page 23: Improving Accuracy with ROAlert

•  Initial results are promising!
   –  notifications reached 168 operators
   –  42% of errors were fixed within a month

Page 24: Conclusion

•  The RPKI can be very effective in preventing hijacks
   –  Incentivize ROV adoption by the top ISPs!
   –  Both sufficient and necessary for significant security benefits
•  Information accuracy is a major challenge
   –  ROAlert informs & alerts operators about:
      •  Bad ROAs
      •  Loose ROAs

Page 25: Thank You!

Questions? :)