Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
AreWeThereYet? OnRPKIDeploymentandSecurity YossiGilad jointworkwith:AvichaiCohen, AmirHerzberg,MichaelSchapira,HayaShulman TheResourcePublicKeyInfrastructure TheResourcePublicKeyInfrastructure(RPKI)mapsIP preBixestoorganizationsthatownthem[RFC6480] • IntendedtopreventpreBix/subpreBixhijacks • Laysthefoundationforadvanceddefensesagainst path-manipulationattacksoninterdomainrouting – BGPsec,SoBGP,… 2 RPKIAllowsRouteOriginValidation AutonomousSystem(AS)XusestheRPKItoissueaRouteOrigin Authoriza8on(ROA)mappingfrom91.0/10toAS3320 ROA: 91.0.0.0/10 91.0.0.0/10 Max-length=10 AS3320Path:Y-3320 91.0.0.0/10 Path:3320 RouteOrigin Valida8on(ROV) ASX 91.0.0.0/10 Path:666 AS666 ASY AS 3320 Deutsche Telekom BGPAd. Dataflow 3 3 TalkOutline • ROV – FirstmeasurementsofROV – How“good”isROVinpartialdeployment? • ROAs – Mistakes – ImprovingaccuracywithROAlert 4 FilteringBogusAdvertisements Route-OriginValidation(ROV): useROAstodiscard/deprioritizerouteadvertisementsfromunauthorizedorigins[RFC6811] AutonomousSystem ROAs RPKIcache RPKIpub. point Verifysignatures 91.0.0.0/10: AS=3320,max-length=10 BGPRouters 5 MeasuringNon-ROV-FilteringASes ASesthatpropagateinvalidBGPadvertisementsdo notperformBiltering Origin1 A 1.2.3.0/24 Origins1&2adverZseinBGP RPKI-invalidIPprefixes Origin2 B C RV sensor E F RV sensor D 4.5.6.0/24 6 MeasuringNon-ROV-FilteringASes ASesthatpropagateinvalidBGPadvertisementsdo notperformBiltering Origin1 RouteViewssensorobserves “bad”routeto:1.2.3/24 ASpath:C,A,Origin1 A 1.2.3.0/24 B Origin2 4.5.6.0/24 D C RV sensor RouteViewssensorobserves “bad”routeto:4.5.6.0/24 ASpath:F,E,D,Origin2 E F RV sensor 7 MeasuringNon-ROV-FilteringASes ASesthatpropagateinvalidBGPadvertisementsdo notperformBiltering Origin1 A 1.2.3.0/24 B C RV sensor E F RV sensor Wefindthatatleast78of100largestISPsdonotfilter Origin2 D 4.5.6.0/24 ASesthatdon’tfilter invalidadver8sements 8 WhatistheImpactofPartial ROVAdoption? • CollateralbeneBit: – AdoptersprotectASesbehindthembydiscardinginvalidroutes 1.1.0.0/16 Max-length=16 AS1 AS666 To:1.1.1/24 AS3isonlyoffered ASpath:666 agoodroute AS 2 Origin AS1 AS 3 To:1.1/16 ASpath:2-1 9 WhatistheImpactofPartial ROVAdoption? • Collateraldamage:ASesnotdoingROVmightcauseASes thatdoROVtofallvictimtoattacks! – Disconnection:Adoptersmightbeofferedonlybadroutes 1.1.0.0/16 Max-length=16 AS1 AS666 AS2preferstoadverZse routesfromAS666overAS1 Origin AS1 To:1.1/16 ASpath:2-666 AS 2 AS 3 AS3receivesonlybad adverZsementand disconnectsfrom1.1/16 To:1.1/16 ASpath:1 10 WhatistheImpactofPartial ROVAdoption? • Collateraldamage:ASesnotdoingROVmightcauseASes thatdoROVtofallvictimtoattacks! – Control-Plane-Data-PlaneMismatch!dataBlowsto attacker,althoughAS3discardedit 1.1.0.0/16 Max-length=16 AS1 AS666 AS2adverZsesboth prefix&subprefixroutes AS2doesnotfilteranduses badrouteforsubprefix Origin AS1 To:1.1.1/24 ASpath:2-666 AS 2 AS 3 AS3discardsbad subprefixroute To:1.1/16 ASpath:2-1 11 QuantifySecurityinPartialAdoption: SimulationFramework 1.1.0.0/16 Max-length=16 ASA A • • • • B C D E F PickvicZm&aeacker VicZm’sprefixhasaROA PicksetofASesdoingROV EvaluatewhichASessend traffictotheaeacker G H I J K Empirically-derivedAS-levelnetworkfromCAIDA Includinginferredpeeringlinks[Giotsasetal.,SIGCOMM’13] L 12 QuantifySecurityinPartialAdoption • TopISPadoptswithprobabilityp • SigniBicantbeneBitonlywhenpishigh Subprefixhijack Prefixhijack successrate successrate 13 QuantifySecurityinPartialAdoption • Comparisonbetweentwoscenarios: – today’sstatus,asreBlectedbyourmeasurements – alltop100ISPsperformROV • EachotherASdoesROVwithBixedprobability Subprefixhijack AdopZonbythetop100ISPsmakesahugedifference! successrate 14 SecurityinPartialAdoption Bottomline: ROVenforcementbythetopISPsisbothnecessaryand suf=icientforsubstantialsecuritybeneBitsfromRPKI 15 TalkOutline • SecurityinpartialROVdeployment – FirstmeasurementsofROV – How“good”isROVinpartialdeployment? • ROAs – Mistakes – ImprovingaccuracywithROAlert 16 MistakesinROAs ManymistakesinROAs(seeRPKImonitor) – ``badROAs’’causelegitimatepreBixestoappearinvalid – BilteringbyROAsmaycausedisconnectionfromlegitimatedestinations – extensivemeasurementsin[Iamartinoetal.,PAM’15] 17 BadROAs Concernfordisconnectionwaspointedoutinoursurvey – anonymoussurveyofover100networkoperators(detailsinpaper) WhatareyourmainconcernsregardingexecutingRPKI-based originauthenticationinyournetwork? 18 BadROAs Whoisresponsiblefor“badROAs”? • HundredsoforganizationsareresponsibleforinvalidIP preBixes,but… • Goodnews:mosterrorsduetosmallnumberoforganizations 19 InsecureDeployment:LooseROAs 1.2.0.0/16 Max-length=24 ASA ROAallowsadverZsingsubprefixesuptolength/24 ASAoriginates1.2.0.0/16 butnot1.2.3.0/24 ROAis“loose” 1.2.0.0/16 Path:A BGPAd. ASA Longest-prefix-match Pathlengthdoesnotma^er ASX ValidadverZsement sinceASAisthe“origin” 1.2.3.0/24 Path:666-A AS666 Dataflow 20 InsecureDeployment:LooseROAs • LooseROAsarecommon! – almost30%ofIPpreBixesinROAs – manifestseveninlargeproviders 21 ImprovingAccuracywithROAlert • roalert.orgallowstocheckwhethernetworksareprotectedbyROAs – …andifnot,whynot • Online,proactivenotiBicationsystem – constantlymonitoring – notopt-in • RetrievesROAsfromtheRPKIandcomparesthemagainstBGPadvs. • Alertsnetworkoperatorsabout“looseROAs”&“badROAs” 22 ImprovingAccuracywithROAlert • Initialresultsarepromising! – notiBicationsreached168operators – 42%oferrorswereBixedwithinamonth 23 Conclusion • TheRPKIcanbeveryeffectiveinpreventinghijacks – IncentivizeROVadoptionbythetopISPs! – BothsufBicientandnecessaryforsigniBicantsecuritybeneBits • Informationaccuracyisamajorchallenge – ROAlertinforms&alertsoperatorsabout: • BadROAs • LooseROAs 24 ThankYou! Questions?J 25