AreWeThereYet?OnRPKIDeploymentandSecurity

YossiGiladjointworkwith:AvichaiCohen,

AmirHerzberg,MichaelSchapira,HayaShulman

TheResourcePublicKeyInfrastructure

•  Intendedtopreventpre@ix/subpre@ixhijacks

•  Laysthefoundationforprotectionagainstmoresophisticatedattacksoninterdomainrouting–  BGPsec,SoBGP,…

2

Pre@ixHijacking

ASX

ASY

AS3320

AS666

91.0.0.0/10Path:3320

91.0.0.0/10Path:Y-3320 91.0.0.0/10

Path:666

BGPAd. Dataflow

prefersshorterroute

3

Subpre@ixHijacking

ASX

AS3320

AS666

91.0.0.0/10Path:3320 91.0.0.0/16

Path:Y-666

BGPAd. Dataflow

LongestprefixmatchPathlengthdoesnotma5er

ASY

91.0.0.0/16Path:666

4

CertifyingOwnershipwithRPKI

•  RPKIassignsanIPpre@ixtoapublickeyviaaResourceCerti@icate(RC)

•  OwnerscanusetheirprivatekeytoissueaRouteOriginAuthorization(ROA)

•  ROAsidentifyASesauthorizedtoadvertiseanIPpre@ixinBGP

5

Example:CertifyingOwnership

DeutscheTelekomcerti@iedbyRIPEforaddressspace91.0.0.0/10

6

91.0.0.0/10Max-length=10

AS3320

RIPERéseauxIPEuropéens

NetworkCoordinaYonCentre

ROA

Legend:OrgwithRC

DeutscheTelekom91.0.0.0/10

RPKICanPreventPre@ixHijacks

ASX

ASY

AS3320

AS666

91.0.0.0/10Path:Y-3320

91.0.0.0/10Path:666

BGPAd. Dataflow

ASXusestheauthenYcatedmapping(ROA)from91.0/10toAS3320todiscardthea_acker’sroute-adverYsement

7

91.0.0.0/10Max-length=10

AS3320

TalkOutline

•  Challengesfacingdeployment•  Routeoriginvalidationinpartialdeployment

8

AS666

ASX

BGPAd. Dataflow

ASA

InsecureDeployment:LooseROAs1.2.0.0/16

Max-length=16ASA

ROAallowsadverYsingonlyone/16prefix

1.2.0.0/16Path:A

ValidadverYsementsinceASAisthe“origin”

9

1.2.0.0/16Path:666-A

Picksshorterpath

Lychevetal.showthatthisa_ackismuchlesseffecYvethanprefixhijack

ASX

AS666

BGPAd. Dataflow

Longest-prefix-matchPathlengthdoesnotma5er

ASA

InsecureDeployment:LooseROAs1.2.0.0/16

Max-length=24ASA

ROAallowsadverYsingsubprefixesuptolength/24

ASAoriginates1.2.0.0/16butnot1.2.3.0/24ROAis“loose”1.2.0.0/16Path:A

ValidadverYsementsinceASAisthe“origin”

1.2.3.0/24Path:666-A

10

RFC7115menYonsthisa_ack

•  LooseROAsarecommon!–  almost30%ofIPpre@ixesinROAs–  89%ofpre@ixeswithmaxLen>pre@ixLen– manifestseveninlargeproviders!

•  Attackercanhijackalltraf@ictonon-advertisedsubpre@ixescoveredbyalooseROA

•  VulnerabilitywillbesolvedonlywhenBGPsecisfullydeployed,butalongwaytogountilthen…–  betternottoissuelooseROAs!

InsecureDeployment:LooseROAs

11

ChallengestoDeployment:HumanError

ManyothermistakesinROAs(seeRPKImonitor)–  ``badROAs’’causelegitimatepre@ixestoappearinvalid–  @ilteringbyROAsmaycausedisconnectionfromlegitimatedestinations– extensivemeasurementsin[Iamartinoetal.,PAM’15]

12

•  roalert.orgallowsyoutocheckwhetheryournetworkisproperlyprotectedbyROAs

•  …andifnot,whynot

ImprovingAccuracywithROAlert

13

ImprovingAccuracywithROAlert

•  Online,proactivenoti@icationsystem•  RetrievesROAsfromtheRPKIandcomparesthemagainstBGPadvertisements

•  Alertsnetworkoperatorsabout“looseROAs”&“badROAs”

14

ImprovingAccuracywithROAlert

•  Initialresultsarepromising!–  noti@icationsreached168operators–  42%oferrorswere@ixedwithinamonth

•  ROAlertis:–  constantlymonitoring(notonlyatregistration)–  notopt-in

•  WeadvocatethatROAlertbeadoptedandadaptedbyRIRs!

15

TalkOutline

•  Challengesfacingdeployment•  Routeoriginvalidationinpartialdeployment

16

FilteringBogusAdvertisements

Route-OriginValidation(ROV):useROAstodiscard/deprioritizeroute-

advertisementsfromunauthorizedorigins[RFC6811]

Verify:•  signerauthorizedfor

subjectprefix•  signatureisvalid

BGPRouters

91.0.0.0/10:AS=3320,max-length=10

RPKIpub.point

RCsandROAs

AutonomousSystem

17

RPKIcache

WhatistheImpactofPartialROVAdoption?

•  Collateralbene@it:– AdoptersprotectASesbehindthembydiscardinginvalidroutes

OriginAS1

AS2

AS666

To:1.1/16ASpath:2-1

To:1.1.1/24ASpath:666

AS3

AS3isonlyofferedagoodroute

18

1.1.0.0/16Max-length=16

AS1

WhatistheImpactofPartialROVAdoption?

•  Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Disconnection:Adoptersmightbeofferedonlybadroutes

OriginAS1

AS2

AS666

To:1.1/16ASpath:1

To:1.1/16ASpath:2-666

AS3

AS2preferstoadverYseroutesfromAS666overAS1

AS3receivesonlybadadverYsementanddisconnectsfrom1.1/16

19

1.1.0.0/16Max-length=16

AS1

WhatistheImpactofPartialROVAdoption?

•  Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Control-Plane-Data-PlaneMismatch!data@lowstoattacker,althoughAS3discardedit

OriginAS1

AS2

AS666

AS3

To:1.1/16ASpath:2-1

To:1.1.1/24ASpath:2-666

AS2adverYsesbothprefix&subprefixroutes

AS3discardsbadsubprefixroute

AS2doesnotfilterandusesbadrouteforsubprefix

20

1.1.0.0/16Max-length=16

AS1

QuantifySecurityinPartialAdoption:SimulationFramework

21

B

D

H

J

E

I

G

KL

F

1.1.0.0/16Max-length=16

ASAC

A

•  PickvicYm&a_acker•  VicYm’sprefixhasaROA•  PicksetofASesdoingROV•  EvaluatewhichASessend

traffictothea_acker

Empirically-derivedAS-levelnetworkfromCAIDAIncludinginferredpeeringlinks[Giotsasetal.,SIGCOMM’13]

QuantifySecurityinPartialAdoption

•  TopISPadoptswithprobabilityp•  Signi@icantbene@itonlywhenpishigh

Prefixhijacksuccessrate

Subprefixhijacksuccessrate

22

Conclusion:WhatCanWeImprove?

•  Informationaccuracy– ROAlertinforms&alertsoperatorsabout:•  BadROAs•  LooseROAs

•  Preventinghijacks–  IncentivizeROVadoptionbythetopISPs!

23

ThankYou!

ThisworkappearedatNDSS’17Techreportathttps://eprint.iacr.org/2016/1010.pdf

Questions?J

24