AreWeThereYet?OnRPKIDeploymentandSecurity

YossiGiladjointworkwith:AvichaiCohen,

AmirHerzberg,MichaelSchapira,HayaShulman

TheResourcePublicKeyInfrastructure

TheResourcePublicKeyInfrastructure(RPKI)mapsIPpreBixestoorganizationsthatownthem[RFC6480]•  IntendedtopreventpreBix/subpreBixhijacks•  Laysthefoundationforadvanceddefensesagainstpath-manipulationattacksoninterdomainrouting–  BGPsec,SoBGP,…

2

RPKIAllowsRouteOriginValidation

ASX

ASY

AS3320

AS666

91.0.0.0/10Path:Y-3320 91.0.0.0/10

Path:666

BGPAd. Dataflow

AutonomousSystem(AS)XusestheRPKItoissueaRouteOriginAuthoriza8on(ROA)mappingfrom91.0/10toAS3320

3

91.0.0.0/10Max-length=10

AS3320

ROA: RouteOriginValida8on(ROV)

91.0.0.0/10Path:3320 Deutsche

Telekom

3

TalkOutline

•  ROV– FirstmeasurementsofROV– How“good”isROVinpartialdeployment?

•  ROAs– Mistakes–  ImprovingaccuracywithROAlert

4

FilteringBogusAdvertisements

Route-OriginValidation(ROV):useROAstodiscard/deprioritizeroute-

advertisementsfromunauthorizedorigins[RFC6811] Verifysignatures

BGPRouters

91.0.0.0/10:AS=3320,max-length=10

RPKIpub.point

ROAs

AutonomousSystem

5

RPKIcache

MeasuringNon-ROV-FilteringASesASesthatpropagateinvalidBGPadvertisementsdonotperformBiltering

Origin2

E

RVsensor

RVsensor

4.5.6.0/24

D

B C

Origin1 A

1.2.3.0/24

Origins1&2adverZseinBGPRPKI-invalidIPprefixes

F

6

MeasuringNon-ROV-FilteringASesASesthatpropagateinvalidBGPadvertisementsdonotperformBiltering

Origin11.2.3.0/24

Origin2

E

RVsensor

RVsensor

4.5.6.0/24

RouteViewssensorobserves“bad”routeto:1.2.3/24ASpath:C,A,Origin1

D

F

B C

A

RouteViewssensorobserves“bad”routeto:4.5.6.0/24ASpath:F,E,D,Origin2

7

MeasuringNon-ROV-FilteringASesASesthatpropagateinvalidBGPadvertisementsdonotperformBiltering

Origin11.2.3.0/24

Origin2

E

RVsensor

RVsensor

4.5.6.0/24

D

F

B C

A

ASesthatdon’tfilterinvalidadver8sements

8

Wefindthatatleast78of100largestISPsdonotfilter

WhatistheImpactofPartialROVAdoption?

•  CollateralbeneBit:– AdoptersprotectASesbehindthembydiscardinginvalidroutes

OriginAS1

AS2

AS666

To:1.1/16ASpath:2-1

To:1.1.1/24ASpath:666

AS3

AS3isonlyofferedagoodroute

9

1.1.0.0/16Max-length=16

AS1

WhatistheImpactofPartialROVAdoption?

•  Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Disconnection:Adoptersmightbeofferedonlybadroutes

OriginAS1

AS2

AS666

To:1.1/16ASpath:1

To:1.1/16ASpath:2-666

AS3

AS2preferstoadverZseroutesfromAS666overAS1

AS3receivesonlybadadverZsementanddisconnectsfrom1.1/16

10

1.1.0.0/16Max-length=16

AS1

WhatistheImpactofPartialROVAdoption?

•  Collateraldamage:ASesnotdoingROVmightcauseASesthatdoROVtofallvictimtoattacks!– Control-Plane-Data-PlaneMismatch!dataBlowstoattacker,althoughAS3discardedit

OriginAS1

AS2

AS666

AS3

To:1.1/16ASpath:2-1

To:1.1.1/24ASpath:2-666

AS2adverZsesbothprefix&subprefixroutes

AS3discardsbadsubprefixroute

AS2doesnotfilterandusesbadrouteforsubprefix

11

1.1.0.0/16Max-length=16

AS1

QuantifySecurityinPartialAdoption:SimulationFramework

12

B

D

H

J

E

I

G

KL

F

1.1.0.0/16Max-length=16

ASAC

A

•  PickvicZm&aeacker•  VicZm’sprefixhasaROA•  PicksetofASesdoingROV•  EvaluatewhichASessend

traffictotheaeacker

Empirically-derivedAS-levelnetworkfromCAIDAIncludinginferredpeeringlinks[Giotsasetal.,SIGCOMM’13]

QuantifySecurityinPartialAdoption

•  TopISPadoptswithprobabilityp•  SigniBicantbeneBitonlywhenpishigh

Prefixhijacksuccessrate

Subprefixhijacksuccessrate

13

QuantifySecurityinPartialAdoption

Subprefixhijacksuccessrate

AdopZonbythetop100ISPsmakesahugedifference!

•  Comparisonbetweentwoscenarios:–  today’sstatus,asreBlectedbyourmeasurements– alltop100ISPsperformROV

•  EachotherASdoesROVwithBixedprobability

14

SecurityinPartialAdoption

Bottomline:

ROVenforcementbythetopISPsisbothnecessaryandsuf=icientforsubstantialsecuritybeneBitsfromRPKI

15

TalkOutline

•  SecurityinpartialROVdeployment– FirstmeasurementsofROV– How“good”isROVinpartialdeployment?

•  ROAs– Mistakes–  ImprovingaccuracywithROAlert

16

MistakesinROAs

ManymistakesinROAs(seeRPKImonitor)–  ``badROAs’’causelegitimatepreBixestoappearinvalid–  BilteringbyROAsmaycausedisconnectionfromlegitimatedestinations– extensivemeasurementsin[Iamartinoetal.,PAM’15]

17

BadROAs

Concernfordisconnectionwaspointedoutinoursurvey–  anonymoussurveyofover100networkoperators(detailsinpaper)

WhatareyourmainconcernsregardingexecutingRPKI-basedoriginauthenticationinyournetwork?

18

BadROAs

Whoisresponsiblefor“badROAs”?•  HundredsoforganizationsareresponsibleforinvalidIPpreBixes,but…

•  Goodnews:mosterrorsduetosmallnumberoforganizations

19

ASX

AS666

BGPAd. Dataflow

Longest-prefix-matchPathlengthdoesnotma^er

ASA

InsecureDeployment:LooseROAs

20

1.2.0.0/16Max-length=24

ASA

ROAallowsadverZsingsubprefixesuptolength/24

ASAoriginates1.2.0.0/16butnot1.2.3.0/24ROAis“loose”1.2.0.0/16Path:A

ValidadverZsementsinceASAisthe“origin”

1.2.3.0/24Path:666-A

•  LooseROAsarecommon!– almost30%ofIPpreBixesinROAs– manifestseveninlargeproviders

InsecureDeployment:LooseROAs

21

ImprovingAccuracywithROAlert

•  roalert.orgallowstocheckwhethernetworksareprotectedbyROAs–  …andifnot,whynot

•  Online,proactivenotiBicationsystem–  constantlymonitoring–  notopt-in

•  RetrievesROAsfromtheRPKIandcomparesthemagainstBGPadvs.•  Alertsnetworkoperatorsabout“looseROAs”&“badROAs”

22

ImprovingAccuracywithROAlert

•  Initialresultsarepromising!–  notiBicationsreached168operators–  42%oferrorswereBixedwithinamonth

23

Conclusion

•  TheRPKIcanbeveryeffectiveinpreventinghijacks–  IncentivizeROVadoptionbythetopISPs!– BothsufBicientandnecessaryforsigniBicantsecuritybeneBits

•  Informationaccuracyisamajorchallenge– ROAlertinforms&alertsoperatorsabout:•  BadROAs•  LooseROAs

24

ThankYou!

Questions?J

25