are we there yet? on rpki deployment and security
TRANSCRIPT
AreWeThereYet?OnRPKIDeploymentandSecurity
YossiGiladjointworkwith:AvichaiCohen,
AmirHerzberg,MichaelSchapira,HayaShulman
TheResourcePublicKeyInfrastructure
• Intendedtopreventpre@ix/subpre@ixhijacks
• Laysthefoundationforprotectionagainstmoresophisticatedattacksoninterdomainrouting– BGPsec,SoBGP,…
2
Pre@ixHijacking
ASX
ASY
AS3320
AS666
91.0.0.0/10Path:3320
91.0.0.0/10Path:Y-3320 91.0.0.0/10
Path:666
BGPAd. Dataflow
prefersshorterroute
3
Subpre@ixHijacking
ASX
AS3320
AS666
91.0.0.0/10Path:3320 91.0.0.0/16
Path:Y-666
BGPAd. Dataflow
LongestprefixmatchPathlengthdoesnotma5er
ASY
91.0.0.0/16Path:666
4
CertifyingOwnershipwithRPKI
• RPKIassignsanIPpre@ixtoapublickeyviaaResourceCerti@icate(RC)
• OwnerscanusetheirprivatekeytoissueaRouteOriginAuthorization(ROA)
• ROAsidentifyASesauthorizedtoadvertiseanIPpre@ixinBGP
5
Example:CertifyingOwnership
6
91.0.0.0/10Max-length=10
AS3320
RIPERéseauxIPEuropéens
NetworkCoordinaYonCentre
ROA
Legend:OrgwithRC
DeutscheTelekom91.0.0.0/10
RPKICanPreventPre@ixHijacks
ASX
ASY
AS3320
AS666
91.0.0.0/10Path:Y-3320
91.0.0.0/10Path:666
BGPAd. Dataflow
ASXusestheauthenYcatedmapping(ROA)from91.0/10toAS3320todiscardthea_acker’sroute-adverYsement
7
91.0.0.0/10Max-length=10
AS3320
TalkOutline
• Challengesfacingdeployment• Routeoriginvalidationinpartialdeployment
8
AS666
ASX
BGPAd. Dataflow
ASA
InsecureDeployment:LooseROAs1.2.0.0/16
Max-length=16ASA
ROAallowsadverYsingonlyone/16prefix
1.2.0.0/16Path:A
ValidadverYsementsinceASAisthe“origin”
9
1.2.0.0/16Path:666-A
Picksshorterpath
Lychevetal.showthatthisa_ackismuchlesseffecYvethanprefixhijack
ASX
AS666
BGPAd. Dataflow
Longest-prefix-matchPathlengthdoesnotma5er
ASA
InsecureDeployment:LooseROAs1.2.0.0/16
Max-length=24ASA
ROAallowsadverYsingsubprefixesuptolength/24
ASAoriginates1.2.0.0/16butnot1.2.3.0/24ROAis“loose”1.2.0.0/16Path:A
ValidadverYsementsinceASAisthe“origin”
1.2.3.0/24Path:666-A
10
RFC7115menYonsthisa_ack
• LooseROAsarecommon!– almost30%ofIPpre@ixesinROAs– 89%ofpre@ixeswithmaxLen>pre@ixLen– manifestseveninlargeproviders!
• Attackercanhijackalltraf@ictonon-advertisedsubpre@ixescoveredbyalooseROA
• VulnerabilitywillbesolvedonlywhenBGPsecisfullydeployed,butalongwaytogountilthen…– betternottoissuelooseROAs!
InsecureDeployment:LooseROAs
11
ChallengestoDeployment:HumanError
ManyothermistakesinROAs(seeRPKImonitor)– ``badROAs’’causelegitimatepre@ixestoappearinvalid– @ilteringbyROAsmaycausedisconnectionfromlegitimatedestinations– extensivemeasurementsin[Iamartinoetal.,PAM’15]
12
• roalert.orgallowsyoutocheckwhetheryournetworkisproperlyprotectedbyROAs
• …andifnot,whynot
ImprovingAccuracywithROAlert
13
ImprovingAccuracywithROAlert
• Online,proactivenoti@icationsystem• RetrievesROAsfromtheRPKIandcomparesthemagainstBGPadvertisements
• Alertsnetworkoperatorsabout“looseROAs”&“badROAs”
14
ImprovingAccuracywithROAlert
• Initialresultsarepromising!– noti@icationsreached168operators– 42%oferrorswere@ixedwithinamonth
• ROAlertis:– constantlymonitoring(notonlyatregistration)– notopt-in
• WeadvocatethatROAlertbeadoptedandadaptedbyRIRs!
15
TalkOutline
• Challengesfacingdeployment• Routeoriginvalidationinpartialdeployment
16
FilteringBogusAdvertisements
Route-OriginValidation(ROV):useROAstodiscard/deprioritizeroute-
advertisementsfromunauthorizedorigins[RFC6811]
Verify:• signerauthorizedfor
subjectprefix• signatureisvalid
BGPRouters
91.0.0.0/10:AS=3320,max-length=10
RPKIpub.point
RCsandROAs
AutonomousSystem
17
RPKIcache
WhatistheImpactofPartialROVAdoption?
• Collateralbene@it:– AdoptersprotectASesbehindthembydiscardinginvalidroutes
OriginAS1
AS2
AS666
To:1.1/16ASpath:2-1
To:1.1.1/24ASpath:666
AS3
AS3isonlyofferedagoodroute
18
1.1.0.0/16Max-length=16
AS1
WhatistheImpactofPartialROVAdoption?
• Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Disconnection:Adoptersmightbeofferedonlybadroutes
OriginAS1
AS2
AS666
To:1.1/16ASpath:1
To:1.1/16ASpath:2-666
AS3
AS2preferstoadverYseroutesfromAS666overAS1
AS3receivesonlybadadverYsementanddisconnectsfrom1.1/16
19
1.1.0.0/16Max-length=16
AS1
WhatistheImpactofPartialROVAdoption?
• Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Control-Plane-Data-PlaneMismatch!data@lowstoattacker,althoughAS3discardedit
OriginAS1
AS2
AS666
AS3
To:1.1/16ASpath:2-1
To:1.1.1/24ASpath:2-666
AS2adverYsesbothprefix&subprefixroutes
AS3discardsbadsubprefixroute
AS2doesnotfilterandusesbadrouteforsubprefix
20
1.1.0.0/16Max-length=16
AS1
QuantifySecurityinPartialAdoption:SimulationFramework
21
B
D
H
J
E
I
G
KL
F
1.1.0.0/16Max-length=16
ASAC
A
• PickvicYm&a_acker• VicYm’sprefixhasaROA• PicksetofASesdoingROV• EvaluatewhichASessend
traffictothea_acker
Empirically-derivedAS-levelnetworkfromCAIDAIncludinginferredpeeringlinks[Giotsasetal.,SIGCOMM’13]
QuantifySecurityinPartialAdoption
• TopISPadoptswithprobabilityp• Signi@icantbene@itonlywhenpishigh
Prefixhijacksuccessrate
Subprefixhijacksuccessrate
22
Conclusion:WhatCanWeImprove?
• Informationaccuracy– ROAlertinforms&alertsoperatorsabout:• BadROAs• LooseROAs
• Preventinghijacks– IncentivizeROVadoptionbythetopISPs!
23
ThankYou!
ThisworkappearedatNDSS’17Techreportathttps://eprint.iacr.org/2016/1010.pdf
Questions?J
24