Trusted CI Webinar Series Today’s webinar topic is "Deployable Internet Routing Security" with Amir Herzberg. Our host is Jeannette Dopheide. The meeting will begin shortly. Participants are muted. Click the Chat button to open the chat view and ask a question. This meeting will be recorded. The Trusted CI Webinar Series is supported by National Science Foundation grant #1547272. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF.
38
Embed
Our host is Jeannette Dopheide. Trusted CI Webinar Series
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Trusted CI Webinar Series
Today’s webinar topic is "Deployable Internet Routing Security" with Amir
Herzberg.
Our host is Jeannette Dopheide.
The meeting will begin shortly. Participants are muted. Click the Chat button to
open the chat view and ask a question.
This meeting will be recorded.
The Trusted CI Webinar Series is supported by National Science Foundation grant #1547272.
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF.
• Background: internet routing (in)security• ROV and RPKI to the rescue ? • Deployment challenges, impact• Our efforts to improve RPKI (and its deployment)• Background: (DNS) amplification DDoS attacks• uRPF to the rescue ? • Our efforts to improve, deploy uRPF• Summary
• For simplicity, ignore signing details: assume no forgeries• Also ignored: max-length option• Convention: Origin = AS 0 è no origin
• Facilitates Route Origin Validation (ROV) by BGP (border) Routers: • Drop BGP announcements of prefixes within 1.2/16• Where Origin AS is not 333• Unless allowed by another (valid) ROA…• è prevents prefix & subprefix hijacks (false origin domain)
Domain 1 uses the (longer but correct) route 22-333, since only domain 333 is authorized origin for prefix
1.2.0.0/16 (and no sub-prefixes w/o ROA)
17
ROA: 1.2.0.0/16Origin 333
Route Origin Validation (ROV)
666
• Background: internet routing (in)security• ROV and RPKI to the rescue ? • Deployment challenges, impact• Our efforts to improve RPKI (and its deployment)• Background: (DNS) amplification DDoS attacks• uRPF to the rescue ? • Our efforts to improve, deploy uRPF• Summary
Deployable Internet Routing Security
RPKI Adoption ChallengesRequires both authorizations (RCsàROAs) and
Must Orange issue ROA only after all customers issued ??
RPKI Adoption ChallengesRequires both authorizations (RCs, ROAs) and validation (ROV)
Risk: (many!) `False’ announcement-ROA conflict- ROA changes from default-allow to default-deny
- No ROA over prefix: any BGP announcement is Ok - ROV validation returns `unknown’ (can’t validate)
- ROA over prefix: only announcements allowed by ROA- ROV returns either `valid’ or `invalid’…
- No noticeable impact… until ROV is widely applied- How common are announcement-ROA conflicts?
- Vs. `good’ (no conflict) ROAs…
BGP Announcements vs. ROAs: HistoryAnnouncements without ROA:702,079 (86.4%)
With valid ROAs:104,402 (12.85%)
With invalid ROAs:6,117 (0.75%)
~6% of announcements conflict with ROAs!!… slow improvement… too slow?
Dropping ‘invalid’ announcements may cause loss of traffic…
How many ISPs apply ROV (drop invalid)?
Measurements of ROV deployment
DSN’18Can’t directly measureThree methods:
Infer from RouteViewannouncements
Trace-route to RIPE-Atlas probes
Trace-route to TCP`reflectors’
è Disappointing !Only 0.03% possibly protectedLater improvement, e.g.,
AT&T [Feb’19]Why so few deploy ROV?
Why isn’t ROV (more) deployed?
§ Deploying ROV: even harder than other standards§ Transit ASes get paid for Traffic, connectivity§ What’s impact of adopting ROV ? § More traffic? better security attracts customers§ Less traffic? Filtering (ROV) drops announcements
§ Less traffic, less customers ? § Surely bad: dropping legitimate BGP announcements
§ What’s the impact of partial ROV deployment?
Security with Partial ROV Adoption
Subprefix hijack
success rate
Comparison between two scenarios:today’s status, as reflected by our measurements all top 100 ISPs perform Route Origin Validation (ROV)
Domain 2 uses invalid route for subprefix è traffic to 1.1.1.0/24 still hijacked! 27
ROA: 1.1.0.0/16Origin 1
• Background: internet routing (in)security• ROV and RPKI to the rescue ? • Deployment challenges, impact• Our RPKI/ROV efforts• Background: (DNS) amplification DDoS attacks• uRPF to the rescue ? • Our efforts to improve, deploy uRPF• Summary
DeployableInternetRoutingSecurity
Our RPKI/ROV efforts• With community: Education, peer-pressure, publicity, ….
• The ROV Forecast web-service: https://sidr.engr.uconn.edu• Estimate impact of deploying ROV by any given AS
• Based on extrapolation of Internet-wide BGP paths from collector data• Measure accuracy against real hijacks• Compare different ROV variants/policies
2019 Cybersecurity Technology Transition to Practice (TTP) workshop - June 19th, ChicagoFor more info and to request an invitation, go to our TTP page: https://trustedci.org/ttp
Trusted CI at PEARC19July 28 - August 1, Chicago
https://www.pearc19.pearc.org/
Save the Date: NSF Cybersecurity Summit Oct. 15 - 17 in San Diego
https://trustedci.org/summit
About the Trusted CI Webinar series
To view presentations, join the announcements mailing list, or submit requests
to present, visit: https://trustedci.org/webinars
The next webinar is June 24th at 11am Eastern.
Topic: The Trusted CI Framework: An Architecture for Cybersecurity Programs
Speakers: Craig Jackson, Kay Avila, and Bob Cowles