Sint Maarten Internet Week, Carlos Martínez Cagnazzo
Internet Resource Certification (RPKI): Building a More Secure Internet
Attacks on routing: IP hijacks
How Internet number resources are managed
(Diagram: the allocation hierarchy)
IANA
  -> ARIN -> ISP -> end users
  -> LACNIC -> NIC.br, NIC.MX -> ISPmx; ISP#1 -> end users
  -> APNIC -> LIRs/ISPs
  -> RIPE NCC -> LIRs/ISPs
  -> AfriNIC
How Internet number resources are managed (ii)
• What do we mean by resources:
– IPv4 addresses
– IPv6 addresses
– Autonomous System Numbers (both 16- and 32-bit)
• Foundational document: RFC 2050, "Internet Registry IP Allocation Guidelines"
• Each RIR is the authoritative source on the relationship between users/holders and resources
– Each RIR operates a registry database
Routing in the Internet
(Diagram: ASN 1, ASN 2, ASN 3, ASN 10 and ASN 20 connected by BGP sessions)
• ASN 20 announces 10.1.0.0/16
• The 10.1.0.0/16 prefix propagates across ASs (via BGP sessions)
• ASN 10 receives the prefix 10.1.0.0/16 with attributes:
  10.1.0.0/16  AS_PATH: ASN1 ASN3 ASN20
Routing in the Internet (ii)
• BGP chooses routes using a decision algorithm and the values of the available attributes
• AS_PATH is the list of autonomous systems a given UPDATE has traversed; each AS prepends its own number on the left as it propagates the route
– The rightmost entry (the first one that was added) is the AS originating the route ("origin-as")
• In this case ASN 20 is the "origin-as" for 10.1/16 (AS_PATH: ASN1 ASN3 ASN20)
Who has the "right" to use resources?
• When an ISP obtains resources from its RIR (IPv6/IPv4/ASN):
– The ISP has to notify its upstream ASNs which prefixes are going to be announced via BGP
– This is usually done via e-mail, web forms or by updating an IRR (Internet Routing Registry)
• Upstreams verify (or at least they should) the right of use for the announced resources
– RIR WHOIS: text-based and not really suitable for automated use
– IRR WHOIS: unsigned information; little additional tooling for verifying usage rights beyond names, phone numbers and e-mail POCs
• This verification process is sometimes not as thorough as it should be
Checking usage rights for a resource
• Network administrators
– Local checks in the routing infrastructure
• These require the previous step (registering the route object with an IRR)
– Router protection
– Routing protocol integrity
• Peer authentication
• Filtering known-invalid routes
– RFC 1918 prefix filtering
– Bogon filtering
• In the end the integrity of the routing system depends on ad-hoc trust relationships between peers
Route Hijacking
• When an entity participating in Internet routing announces a prefix without authorization, we face a route hijack
• It can be either malicious or due to operational mistakes
• Some well-known cases:
– Pakistan Telecom vs. YouTube (2008)
– China Telecom (2010)
– Google in Eastern Europe (various ASs, 2010)
– Some occurrences in our region (January/February 2011)
Route Hijacking (ii)
(Diagram: AS6057 originates 200.40.0.0/16; AS15358 injects a more specific prefix)
• AS6057 announces 200.40.0.0/16
– AS8158 gets 200.40.0.0/16 with AS_PATH: ASN1 ASN3 ASN6057
• AS15358 announces 200.40.235.0/24, a more specific of a prefix it is not authorized to originate
– AS8158 now gets both 200.40.0.0/16 and 200.40.235.0/24; longest-prefix match sends traffic for 200.40.235.0/24 towards the hijacker
Route Hijacking (iii)
• RIPE NCC video
– http://www.youtube.com/watch?v=IzLPKuAOe50
Resource PKI
• Resource Public Key Infrastructure
– Goal: create a system that allows the certification of usage rights for Internet numbering resources
– High-level overview
• Use of X.509v3 certificates
• Apply RFC 3779 extensions to these certificates. These extensions allow Internet resource (IPv4/IPv6/ASN) fields within certificates
• A way to automatically validate the origin-as of a BGP UPDATE
– Standardization activities
• IETF SIDR working group
– Implementation activities
• RIRs
Resource PKI (ii)
• Automated origin validation for route announcements
• The entity with usage rights for a resource signs the origin-as field of a PKI object
• The following procedures are applied to validate RPKI certificates and routing information objects:
– The cryptographic validity of the RPKI certificate chain (just like any other PKI)
– The CIDR inclusion properties of IP addresses
• In this way it becomes more difficult for a third party to inject invalid data into the routing system
Resource PKI (iii)
(Diagram: RPKI Management System -> Repository -> Cache)
Resource PKI (iv)
• All RPKI signed objects are listed in public repositories
• After verification, these objects can be used to configure filtering in routers
• Validation process
– Signed objects carry a reference to the certificate used to sign them
– Each certificate has a pointer to an upper-level certificate (its issuer)
– The resources listed in a certificate MUST be a valid subset of the resources listed in its parent's certificate
– In this way a trust chain can be traced to a "trust anchor", both cryptographically and in CIDR terms
RPKI Structure
(Diagram: the signature chain)
LACNIC RTA (LACNIC resources)
  -> LACNIC Production <<INHERITED>>
     -> ISP#2 (ISP#2 resources)
        -> ROA (end-entity cert.)
        -> ROA (end-entity cert.)
     -> ISP#1 (ISP#1 resources)
        -> End User CA#1 (EU#1 resources)
           -> ROA (end-entity cert.)
           -> ROA (end-entity cert.)
• RTA is the self-signed certificate at the top of the hierarchy; every other certificate is signed by the one above it (signature chain)
RPKI Structure (ii)
• CAs
– Certificate-signing entity (CA bit = 1)
– ISPs can use this certificate to sign their clients' certificates
• Certificate Repository
– The repository contains certificates, CRLs, ROAs and manifests
– Accessible via rsync
• Management Interface
– Web interface for those who prefer "hosted" mode
RPKI Management for Users
• "Hosted" mode
– LACNIC issues the resource certificate for an organization and holds both the private and the public key
• Certificates are issued when requested by LACNIC member organizations
– Users can manage their RPKI objects using a user-friendly web interface provided by LACNIC
• "Delegated" mode
– An organization creates its own resource certificate (and keeps the private key)
– This certificate is submitted to LACNIC for signing. LACNIC returns the signed certificate.
• This exchange uses the "up-down" provisioning protocol (RFC 6492)
Services provided by the RPKI CA
• Issuing child resource certificates when changes to the registry database occur or when requested by a resource holder
• Child certificate revocation when requested by a resource holder
• Periodic CRL update
• Publishing child certificates, the trust anchor and auxiliary objects in a public repository (rsync)
Resource Certificate
ROAs
• ROAs: Route Origin Authorizations
– ROAs contain data on the allowed origin-as for a set of prefixes
– ROAs are signed using the certificates generated by the RPKI
– Signed ROAs are copied to the repository
ROAs (ii)
• A simplified ROA contains the following information:
  Prefix: 200.40.0.0/17   Max length: /20   Origin AS: 6057   Valid from: Jan 2, 2011   Valid until: Jan 1, 2012
• This ROA states that:
– "The prefix 200.40.0.0/17 will be originated by ASN 6057 and could be de-aggregated up to /20"
– "This statement is valid starting on Jan 2, 2011 until Jan 1, 2012" (the validity interval comes from the end-entity certificate embedded in the ROA)
• Other ROA content
– ROAs contain cryptographic material that allows validation of the ROA's content
ROAs (iii)
• Contents of a ROA
– An end-entity certificate with resources
– A list of "route origin attestations"
• Example:
  EE certificate resources: 200/8, 172.17/16
  Attestations: 200.40.0.0/20-24 -> AS100; 172.17.0.0/16-19 -> AS100
ROAs (iii) - Validation
• In order to validate a ROA three steps have to be performed
– Crypto validation of the public keys and signatures included in the EE certificate inside each ROA (and of its chain up to the trust anchor)
– CIDR inclusion checking of the resources listed in the EE certificate against its issuer
– CIDR inclusion checking of the resources in the route origin attestations. These resources have to be included in the resources listed in the EE certificate
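The three validation steps above as an added worked example, written for this page; it is not LACNIC's validator and not code from any RPKI library. It models the CIDR-inclusion checks along the signature chain described in "Resource PKI (iv)" and "RPKI Structure" together with the ROA checks of this slide. The cryptographic signature verification is assumed to have already passed and is represented by a flag on each certificate. The certificate names, prefixes and AS numbers are constructed for the example, loosely following the LACNIC -> ISP#1 -> end-entity chain in the diagram.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass
class Cert:
    """A resource certificate reduced to what CIDR-inclusion checking needs."""
    name: str
    prefixes: List[Net]                # RFC 3779 IP address blocks
    asns: List[Tuple[int, int]]        # RFC 3779 AS ranges, inclusive (lo, hi)
    parent: Optional["Cert"] = None    # None only for the self-signed trust anchor
    signature_ok: bool = True          # stand-in for the real signature check (assumed)


@dataclass
class Roa:
    """A ROA: an embedded EE certificate plus route origin attestations."""
    ee: Cert
    origin_as: int
    entries: List[Tuple[Net, int]]     # (prefix, maxLength)


def net(s: str) -> Net:
    return ip_network(s, strict=True)


def prefix_covered(p: Net, pool: List[Net]) -> bool:
    """True if p lies inside some block of pool (same address family only)."""
    return any(p.version == q.version and p.subnet_of(q) for q in pool)


def asn_range_covered(lo: int, hi: int, pool: List[Tuple[int, int]]) -> bool:
    return any(plo <= lo and hi <= phi for plo, phi in pool)


def validate_chain(cert: Cert) -> List[str]:
    """Walk from cert up to the trust anchor; return the problems found (empty = ok).

    Each certificate's resources must be a subset of its issuer's resources,
    and every signature on the way up must verify (here: signature_ok).
    """
    problems: List[str] = []
    seen = set()
    c: Optional[Cert] = cert
    while c is not None:
        if c.name in seen:
            problems.append(f"{c.name}: issuer loop, no trust anchor reached")
            break
        seen.add(c.name)
        if not c.signature_ok:
            problems.append(f"{c.name}: signature does not verify")
        if c.parent is not None:
            for p in c.prefixes:
                if not prefix_covered(p, c.parent.prefixes):
                    problems.append(f"{c.name}: {p} is not within issuer {c.parent.name}")
            for lo, hi in c.asns:
                if not asn_range_covered(lo, hi, c.parent.asns):
                    problems.append(f"{c.name}: AS{lo}-AS{hi} is not within issuer {c.parent.name}")
        c = c.parent
    return problems


def validate_roa(roa: Roa) -> List[str]:
    """Chain crypto + CIDR, then each attestation against the EE certificate.

    RFC 6482 checks the ROA's prefixes against the EE certificate only; the
    origin AS in the ROA is deliberately not checked against EE AS resources.
    """
    problems = validate_chain(roa.ee)
    for prefix, max_len in roa.entries:
        if not prefix_covered(prefix, roa.ee.prefixes):
            problems.append(f"ROA: {prefix} is not within EE cert {roa.ee.name}")
        if not (prefix.prefixlen <= max_len <= prefix.max_prefixlen):
            problems.append(f"ROA: maxLength {max_len} is out of range for {prefix}")
    return problems


# Constructed sample hierarchy (values invented for this example).
TA = Cert("trust anchor", [net("200.0.0.0/8"), net("172.16.0.0/12")], [(27000, 28000)])
ISP1 = Cert("ISP#1", [net("200.40.0.0/16"), net("172.17.0.0/16")], [(27100, 27100)], parent=TA)
EE1 = Cert("ISP#1 ROA EE", [net("200.40.0.0/20"), net("172.17.0.0/16")], [], parent=ISP1)
GOOD_ROA = Roa(EE1, 100, [(net("200.40.0.0/20"), 24), (net("172.17.0.0/16"), 19)])

# A child certificate claiming space its issuer does not hold, plus a bad maxLength.
ROGUE = Cert("ISP#1 customer", [net("201.5.0.0/16")], [], parent=ISP1)
BAD_ROA = Roa(ROGUE, 100, [(net("201.5.0.0/24"), 16)])

if __name__ == "__main__":
    print("good ROA:", validate_roa(GOOD_ROA) or "ok")
    print("bad ROA:", validate_roa(BAD_ROA))
```

A real validator also checks validity periods, CRLs and manifests for every certificate on the path; the CIDR walk above is the part that makes a syntactically perfect, correctly signed certificate worthless if its issuer never held the resources it lists.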
RPKI in Action
(Diagram: repository -> validating cache -> routers)
• The cache periodically updates the router with a list of validated prefixes
• Routers assign a "validity status" to the route included in an UPDATE
RPKI in Action (ii)
• The validation process is split in two parts
– Crypto and CIDR validation of ROAs and certificates
• Performed by the validating cache
– Validation of routes in BGP UPDATEs
• Performed by the BGP speakers in the network
• A special protocol called RTR (RPKI-to-Router) is being worked on by the IETF for router-cache communication (later published as RFC 6810)
RPKI in Action (iii)
• Cache
– Repository content is downloaded via rsync
– Certificates and ROAs are validated
• Cryptographically (signature chain)
• Correct CIDR resource inclusion
• In the routers
– A database of prefix <-> origin-as relationships is built
BGP interaction
• Routers build a database with the information they receive from the caches
• This table contains
– Prefix
– Min length
– Max length
– Origin-AS
• By applying a set of rules a validity status is assigned to each UPDATE prefix
BGP interaction (ii)
  IP prefix / [min_len - max_len]   Origin AS
  172.16.0.0 / [16-20]              10
  200.0.0.0 / [8-21]                20
• If the UPDATE prefix is not covered by any entry in the DB -> "not found"
• If the UPDATE prefix is covered by at least one entry in the DB, and the origin-AS matches the ASN of one of those entries whose max length the prefix does not exceed -> "valid"
• If the prefix is covered but the origin-AS does not match any such entry (wrong origin, or only entries whose max length it exceeds) -> "invalid"
Example: UPDATE 200.0.0.0/9, ORIGIN-AS 20 -> VALID (covered by 200.0.0.0/[8-21], /9 is within the allowed lengths, and the origin matches)
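The rules on this slide in working code, as an added example; it is not router code and not LACNIC's software. It derives the origin-as from the AS_PATH as described in "Routing in the Internet (ii)", applies the RFC 6811 rules including the max-length condition, and runs them over the slide's table plus a constructed VRP for the 200.40.0.0/16 prefix from the "Route Hijacking (ii)" scenario. The VRP rows beyond the slide's two and all UPDATEs are constructed for the example; AS_SET path segments are not handled.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload as the cache pushes it to the router:
    prefix, maximum allowed length, authorized origin AS."""
    prefix: Net
    max_length: int
    origin_as: int


def vrp(prefix: str, max_length: Optional[int], origin_as: int) -> VRP:
    """Build a VRP; a missing maxLength means 'exactly this prefix length' (RFC 6482)."""
    n = ip_network(prefix, strict=True)
    ml = n.prefixlen if max_length is None else max_length
    if not n.prefixlen <= ml <= n.max_prefixlen:
        raise ValueError(f"maxLength {ml} invalid for {n}")
    return VRP(n, ml, origin_as)


def origin_as(as_path: List[int]) -> int:
    """The origin is the rightmost AS: each AS prepends itself on the left as it
    propagates the route. AS_SET segments are not modelled here (assumption)."""
    if not as_path:
        raise ValueError("empty AS_PATH")
    return as_path[-1]


def validity(prefix: str, as_path: List[int], vrps: List[VRP]) -> str:
    """RFC 6811 route origin validation: Valid / Invalid / NotFound."""
    n = ip_network(prefix, strict=True)
    origin = origin_as(as_path)
    covering = [v for v in vrps
                if v.prefix.version == n.version and n.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"                   # no ROA says anything about this space
    for v in covering:
        if v.origin_as == origin and n.prefixlen <= v.max_length:
            return "Valid"                  # one matching VRP is enough
    return "Invalid"                        # covered, but wrong origin or too specific


def accept(status: str) -> bool:
    """A common deployment policy: drop Invalid, keep Valid and NotFound. Most of
    the routing table has no ROA, so dropping NotFound would black-hole it."""
    return status != "Invalid"


# Constructed VRP table: the two rows from the slide plus a ROA for the
# 200.40.0.0/16 prefix that AS6057 originates in the hijack slides.
VRPS = [
    vrp("172.16.0.0/16", 20, 10),
    vrp("200.0.0.0/8", 21, 20),
    vrp("200.40.0.0/16", None, 6057),
]

# Constructed UPDATEs: (prefix, AS_PATH as seen at the validating router).
UPDATES = [
    ("200.0.0.0/9", [1, 20]),              # the slide's example -> Valid
    ("10.1.0.0/16", [1, 3, 20]),           # no covering VRP -> NotFound
    ("200.40.0.0/16", [1, 3, 6057]),       # legitimate origin -> Valid
    ("200.40.235.0/24", [1, 3, 15358]),    # hijacker's more specific -> Invalid
    ("200.40.0.0/24", [1, 3, 6057]),       # right origin but exceeds maxLength -> Invalid
]

if __name__ == "__main__":
    for pfx, path in UPDATES:
        s = validity(pfx, path, VRPS)
        print(f"{pfx:18} origin AS{origin_as(path):<6} {s:9} accept={accept(s)}")
```

The last two UPDATEs are the cases the slide's wording leaves implicit: a more specific from the wrong AS is Invalid even though it is covered, and a more specific from the right AS is also Invalid when the ROA's maxLength does not allow it, which is why a ROA for 200.40.0.0/16 with no maxLength would not have protected an operator who legitimately de-aggregates to /24.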
Thank you!