Are We There Yet? On RPKI Deployment and Security
Yossi Gilad
Joint work with: Avichai Cohen, Amir Herzberg, Michael Schapira, Haya Shulman

The Resource Public Key Infrastructure
The Resource Public Key Infrastructure (RPKI) maps IP prefixes to organizations that own them [RFC 6480]
• Intended to prevent prefix/subprefix hijacks
• Lays the foundation for advanced defenses against path-manipulation attacks on interdomain routing
  – BGPsec, SoBGP, …

RPKI Allows Route Origin Validation
Autonomous System (AS) X uses the RPKI to issue a Route Origin Authorization (ROA) mapping from 91.0/10 to AS 3320
ROA: 91.0.0.0/10, Max-length=10, AS 3320
Route Origin Validation (ROV)
[Figure: AS X, AS Y, AS 3320 (Deutsche Telekom) and AS 666. BGP advertisements shown: "91.0.0.0/10 Path: 3320", "91.0.0.0/10 Path: Y-3320" and "91.0.0.0/10 Path: 666". Legend: BGP Ad., Data flow]

Talk Outline
• ROV
  – First measurements of ROV
  – How "good" is ROV in partial deployment?
• ROAs
  – Mistakes
  – Improving accuracy with ROAlert

Filtering Bogus Advertisements
Route-Origin Validation (ROV): use ROAs to discard/deprioritize route-advertisements from unauthorized origins [RFC 6811]
[Figure labels: RPKI pub. point, ROAs, RPKI cache, Verify signatures, "91.0.0.0/10: AS=3320, max-length=10", BGP Routers, Autonomous System]

Measuring Non-ROV-Filtering ASes
ASes that propagate invalid BGP advertisements do not perform filtering
[Figure: topology with Origin 1 (1.2.3.0/24), Origin 2 (4.5.6.0/24), ASes A to F and two RouteViews (RV) sensors]
Origins 1 & 2 advertise in BGP RPKI-invalid IP prefixes

RouteViews sensor observes "bad" route to: 1.2.3/24, AS path: C, A, Origin 1
RouteViews sensor observes "bad" route to: 4.5.6.0/24, AS path: F, E, D, Origin 2

[Figure label: ASes that don't filter invalid advertisements]
We find that at least 78 of 100 largest ISPs do not filter

What is the Impact of Partial ROV Adoption?
• Collateral benefit:
  – Adopters protect ASes behind them by discarding invalid routes
[Figure: Origin AS 1, AS 2, AS 3 and AS 666. ROA: 1.1.0.0/16, Max-length=16, AS 1. Advertisements shown: "To: 1.1/16, AS path: 2-1" and "To: 1.1.1/24, AS path: 666"]
AS 3 is only offered a good route

What is the Impact of Partial ROV Adoption?
• Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks!
  – Disconnection: Adopters might be offered only bad routes
[Figure: Origin AS 1, AS 2, AS 3 and AS 666. ROA: 1.1.0.0/16, Max-length=16, AS 1. Advertisements shown: "To: 1.1/16, AS path: 1" and "To: 1.1/16, AS path: 2-666"]
AS 2 prefers to advertise routes from AS 666 over AS 1
AS 3 receives only bad advertisement and disconnects from 1.1/16

What is the Impact of Partial ROV Adoption?
• Collateral damage: ASes not doing ROV might cause ASes that do ROV to fall victim to attacks!
  – Control-Plane-Data-Plane Mismatch! Data flows to attacker, although AS 3 discarded it
[Figure: Origin AS 1, AS 2, AS 3 and AS 666. ROA: 1.1.0.0/16, Max-length=16, AS 1. Advertisements shown: "To: 1.1/16, AS path: 2-1" and "To: 1.1.1/24, AS path: 2-666"]
AS 2 advertises both prefix & subprefix routes
AS 3 discards bad subprefix route
AS 2 does not filter and uses bad route for subprefix

Quantify Security in Partial Adoption: Simulation Framework
• Pick victim & attacker
• Victim's prefix has a ROA
• Pick set of ASes doing ROV
• Evaluate which ASes send traffic to the attacker
[Figure: example AS graph with nodes A to L; ROA: 1.1.0.0/16, Max-length=16, AS A]
Empirically-derived AS-level network from CAIDA, including inferred peering links [Giotsas et al., SIGCOMM'13]

Quantify Security in Partial Adoption
• Top ISP adopts with probability p
• Significant benefit only when p is high
[Figure: two plots, "Prefix hijack success rate" and "Subprefix hijack success rate"]

Quantify Security in Partial Adoption
• Comparison between two scenarios:
  – today's status, as reflected by our measurements
  – all top 100 ISPs perform ROV
• Each other AS does ROV with fixed probability
[Figure: plot, "Subprefix hijack success rate"]
Adoption by the top 100 ISPs makes a huge difference!

Security in Partial Adoption
Bottom line:
ROV enforcement by the top ISPs is both necessary and sufficient for substantial security benefits from RPKI

Talk Outline
• Security in partial ROV deployment
  – First measurements of ROV
  – How "good" is ROV in partial deployment?
• ROAs
  – Mistakes
  – Improving accuracy with ROAlert

Mistakes in ROAs
Many mistakes in ROAs (see RPKI monitor)
  – "bad ROAs" cause legitimate prefixes to appear invalid
  – filtering by ROAs may cause disconnection from legitimate destinations
  – extensive measurements in [Iamartino et al., PAM'15]

Bad ROAs
Concern for disconnection was pointed out in our survey
  – anonymous survey of over 100 network operators (details in paper)
Survey question: "What are your main concerns regarding executing RPKI-based origin authentication in your network?"

Bad ROAs
Who is responsible for "bad ROAs"?
• Hundreds of organizations are responsible for invalid IP prefixes, but…
• Good news: most errors due to small number of organizations

Insecure Deployment: Loose ROAs
ROA: 1.2.0.0/16, Max-length=24, AS A
ROA allows advertising subprefixes up to length /24
AS A originates 1.2.0.0/16 but not 1.2.3.0/24: ROA is "loose"
[Figure: AS A, AS X and AS 666. Advertisements shown: "1.2.0.0/16 Path: A" and "1.2.3.0/24 Path: 666-A". Legend: BGP Ad., Data flow]
Valid advertisement since AS A is the "origin"
Longest-prefix-match: path length does not matter
• Loose ROAs are common!
  – almost 30% of IP prefixes in ROAs
  – manifests even in large providers

Improving Accuracy with ROAlert
• roalert.org allows checking whether networks are protected by ROAs
  – … and if not, why not
• Online, proactive notification system
  – constantly monitoring
  – not opt-in
• Retrieves ROAs from the RPKI and compares them against BGP advs.
• Alerts network operators about "loose ROAs" & "bad ROAs"

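The route-origin validation rule [RFC 6811] and the ROA-versus-BGP comparison described above can be sketched as follows. This is an added example, not code from the talk or from ROAlert; the sample ROAs and BGP table are constructed from the slides' prefixes, AS 64500 stands in for "AS A", and the looseness test (max-length authorizes subprefixes the origin does not announce) is an assumed reading of the slide's definition.

```python
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed sample ROAs using the slides' prefixes; 64500 stands in for "AS A".
ROAS = [
    ROA(ipaddress.ip_network("91.0.0.0/10"), 10, 3320),
    ROA(ipaddress.ip_network("1.1.0.0/16"), 16, 1),
    ROA(ipaddress.ip_network("1.2.0.0/16"), 24, 64500),
]
# Constructed BGP table: (prefix, origin AS) pairs actually announced.
BGP = [("91.0.0.0/10", 3320), ("1.1.0.0/16", 1), ("1.2.0.0/16", 64500)]


def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if net.version != roa.prefix.version or not net.subnet_of(roa.prefix):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: notfound.
    return "invalid" if covered else "notfound"


def is_loose(roa, bgp_table):
    """True if max-length authorizes subprefixes the origin does not announce."""
    if roa.max_length == roa.prefix.prefixlen:
        return False
    # Announced prefixes of exactly max-length, originated by the ROA's AS.
    longest = {
        net for net, asn in ((ipaddress.ip_network(p), a) for p, a in bgp_table)
        if asn == roa.asn and net.version == roa.prefix.version
        and net.prefixlen == roa.max_length and net.subnet_of(roa.prefix)
    }
    # Any address not covered at max-length can be claimed by a more specific
    # announcement that still validates against this ROA.
    return sum(n.num_addresses for n in longest) < roa.prefix.num_addresses


def loose_roas(roas=ROAS, bgp_table=BGP):
    """ROAs an operator should tighten (or back with real announcements)."""
    return [roa for roa in roas if is_loose(roa, bgp_table)]
```

With this data, 1.2.3.0/24 originated by AS 64500 validates even though AS 64500 never announces it, which is why only the 1.2.0.0/16 ROA is reported as loose.
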
Improving Accuracy with ROAlert
• Initial results are promising!
  – notifications reached 168 operators
  – 42% of errors were fixed within a month

Conclusion
• The RPKI can be very effective in preventing hijacks
  – Incentivize ROV adoption by the top ISPs!
  – Both sufficient and necessary for significant security benefits
• Information accuracy is a major challenge
  – ROAlert informs & alerts operators about:
    • Bad ROAs
    • Loose ROAs

Thank You!
Questions?