ION Hangzhou - RPKI At CNNIC

Date post: 12-Apr-2017
Upload: deploy360-programme-internet-society
Transcript
Page 1: ION Hangzhou - RPKI At CNNIC

RPKI at CNNIC

Zhiwei Yan

Page 2

Why do we need RPKI?

Feb 2014: A hacker redirected traffic from 19 Internet providers to steal bitcoins.

Feb 2008: Pakistan Telecom brought down YouTube worldwide.

Jan 2015: An ISP in the USA hijacked an IP prefix of IIJ from Japan.

Nov 2015: An ISP in India, Bharti Airtel, hijacked a lot of IP prefixes.

Prefix hijacking is one of the large-scale, BGP-specific routing anomalies that are able to paralyze the Internet.

RPKI (Resource Public Key Infrastructure) is designed to prevent route hijacking and other attacks on BGP.

Page 3

Prefix hijacking: attackers can use bogus BGP UPDATE messages (NLRI and Path Attributes) to disrupt routing without breaking the peer-to-peer connection.

BGP UPDATE Message Format:

NLRI: Network Layer Reachability Information

Why do we need RPKI?

Page 4

Bogus BGP UPDATE Message

According to the "prefer the path with the shortest AS_PATH" rule, AS4 prefers the message from AS5 to the message from AS1.

[Figure, left: topology of AS1, AS2, AS3, AS4 and AS5. AS1 was authorized to originate prefix 218.241.0.0/16. AS1 announces NLRI 218.241.0.0/16 with AS_PATH 1; AS2 propagates it with AS_PATH 2 1; AS3 propagates it to AS4 with AS_PATH 3 2 1.]

[Figure, right: the same topology. AS5 forges a BGP UPDATE message announcing NLRI 218.241.0.0/20 with AS_PATH 5 directly to AS4, alongside the legitimate announcement of 218.241.0.0/16 with AS_PATH 3 2 1.]

Why do we need RPKI?
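The following is an added example, not code from the slides or from CNNIC. It models the AS1..AS5 scenario above: AS4 receives the legitimate route to 218.241.0.0/16 over AS_PATH 3 2 1 and a forged route from AS5, and the shortest-AS_PATH rule picks the forgery. It then applies the Route Origin Validation procedure of RFC 6483 against a ROA set (RFC 6482 fields: prefix, maxLength, origin ASN). The ROA for 218.241.0.0/16 with origin AS1 follows the slide; its maxLength of 16 and the extra not-found prefix 198.51.100.0/24 are constructed assumptions for the illustration.

```python
"""Route Origin Validation (RFC 6483) against ROAs (RFC 6482), using the
AS1..AS5 prefix-hijack example from the slides.

Constructed example: the ROA set and routes below are made up to mirror the
slide's figure; they are not CNNIC data or production ROAs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength and the authorized origin ASN."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """A received BGP route: NLRI prefix and AS_PATH (left-most neighbour, right-most origin)."""
    prefix: str
    as_path: List[int]


# Assumption: AS1 holds a ROA for 218.241.0.0/16; maxLength 16 means no
# more-specific announcement (such as a /20) is authorized.
ROAS = [ROA("218.241.0.0/16", 16, 1)]

# What AS4 hears for the destination: the legitimate path via AS3/AS2/AS1 and
# a forged announcement from AS5 claiming to originate the prefix itself.
CANDIDATES = [
    Route("218.241.0.0/16", [3, 2, 1]),
    Route("218.241.0.0/16", [5]),
]


def origin_as(route: Route) -> int:
    """The origin AS is the right-most ASN of the AS_PATH."""
    return route.as_path[-1]


def validate_origin(route: Route, roas: Iterable[ROA]) -> str:
    """Classify a route as 'valid', 'invalid' or 'not_found' per RFC 6483.

    A ROA 'covers' the route when the ROA prefix contains the route prefix.
    The route is valid if some covering ROA names its origin AS and its
    prefix length does not exceed that ROA's maxLength; invalid if ROAs cover
    it but none matches; not_found if no ROA covers it at all.
    """
    net = ipaddress.ip_network(route.prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and roa_net.supernet_of(net):
            covering.append(roa)
    if not covering:
        return "not_found"
    for roa in covering:
        if roa.asn == origin_as(route) and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def select_best(routes: List[Route]) -> Optional[Route]:
    """The slide's decision rule: prefer the route with the shortest AS_PATH."""
    if not routes:
        return None
    return min(routes, key=lambda r: len(r.as_path))


def rov_filter(routes: List[Route], roas: Iterable[ROA]) -> List[Route]:
    """Drop routes whose origin is RPKI-invalid; not_found routes are kept, the
    usual policy while ROA coverage is still incomplete."""
    return [r for r in routes if validate_origin(r, roas) != "invalid"]


def demo() -> dict:
    """Best path without and with origin validation, plus the forged /20 verdict."""
    return {
        "without_rov": select_best(CANDIDATES).as_path,
        "with_rov": select_best(rov_filter(CANDIDATES, ROAS)).as_path,
        "forged_more_specific": validate_origin(Route("218.241.0.0/20", [5]), ROAS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Without validation the shortest path [5] wins, which is exactly the hijack the slide describes. With validation the forged route is RPKI-invalid and the legitimate path [3, 2, 1] is chosen. The more-specific /20 from AS5 is also invalid because the covering ROA names AS1 and caps the length at /16; note that even a /20 announced on the legitimate path would be invalid for exceeding maxLength, which is why operators size maxLength deliberately.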

Page 5

Actually, BGP speakers accept any routes they learn from their neighbors.

Obviously, this may result in route hijacking on the Internet.

Ownership: unable to verify who is the legitimate holder of the INRs (Internet Number Resources).

Authorization: unable to verify who has the authorization to originate specific IP prefixes.

Why do we need RPKI?

Page 6

BGP is vulnerable to a variety of routing attacks because of the lack of a verification mechanism to ensure the legitimacy of BGP messages (especially the origin information).

RPKI is proposed in the IETF to offer a verification mechanism to protect the ownership and authorization of the INRs (Internet Number Resources).

Why do we need RPKI?

Page 7

Certificate Authority (CA): Any resource holder who is authorized to sub-allocate these resources must be able to issue resource certificates to correspond to these sub-allocations. Thus, for example, CA certificates will be associated with IANA and each of the RIRs, NIRs, and LIRs/ISPs. Also, a CA certificate is required to enable a resource holder to issue ROAs, because it must issue the corresponding end-entity certificate used to validate each ROA.

End-Entity (EE): The private key corresponding to a public key contained in an EE certificate is not used to sign other certificates in a PKI. The primary function of end-entity certificates in this PKI is the verification of signed objects that relate to the usage of the resources described in the certificate, e.g., ROAs and manifests.

Trust Anchor (TA): A trust anchor in the RPKI is represented by a self-signed X.509 Certification Authority (CA) certificate, a format commonly used in PKIs and widely supported by RP software.

The Architecture of RPKI

Page 8

The Architecture of RPKI: the relation of roles and data

[Figure: Resource holders (IANA, RIR, NIR, LIR/ISP, subscribers) each operate a CA over their INRs (Internet Number Resources). The entity PKI issues CA certificates, EE certificates and CRLs; the signed objects (ROAs, manifests) are published, together with the certificates, in the repository.]

Page 9

ROA Profile: RFC 6482

Page 10

Challenges NOW: BGPSEC, RPKI-Safeguard

RFC 6480 An Infrastructure to Support Secure Internet Routing

RFC 6487 A Profile for X.509 PKIX Resource Certificates

RFC 6481 Resource Certificate Repository Structure

RFC 6489 Key Rollover

RFC 6490 RPKI Trust Anchor Locator

RFC 6484 Certificate Policy for the RPKI

RFC 6485 The Profile for Algorithms and Key Sizes for Use in RPKI

RFC 6482 A Profile for ROAs

RFC 6486 Manifests for the RPKI

RFC 6488 Signed Object Template for RPKI

RFC 6483 Validation of Route Origination Using RPKI and ROAs

The standardization process of RPKI

Page 11

Industrial products of RPKI

Cisco BGP routers: supporting the BGP command (match RPKI)

Juniper routers: configuring origin validation for BGP

Alcatel-Lucent Service Router (Release 12.0R4): trying to support RPKI

Page 12

Deployment situation

The 5 RIRs have finished the deployment of RPKI. A number of countries have also started to deploy RPKI internally: Ecuador, Japan, Bangladesh, China, etc.

Page 13

RPKI at CNNIC
• Standardization work in IETF

• X. Lee, X. Liu, Z. Yan and Y. Fu, RPKI Deployment Considerations: Problem Analysis and Alternative Solutions, draft-lee-sidr-rpki-deployment-01, Jan 2016.
• RPKI deployment problems: existing and potential problems, such as technical, economic and political
• Alternative solutions

• Y. Fu, Z. Yan, X. Liu and C. Wang, Scenarios of unexpected resource assignment in RPKI, draft-fu-sidr-unexpected-scenarios-01, March 2016.
• Problem: allocation of resources not belonging to the issuer, duplicated allocation, resource transfer
• Solution: safeguard of the CA function

• Z. Yan, Y. Fu, X. Liu, G. Geng, Problem Statement and Considerations for ROA Mergence, draft-yan-sidr-roa-mergence-00, May 2016

• Analyzes and presents some operational problems caused by the misconfiguration of ROAs containing multiple IP prefixes.
• Suggestions and considerations

Page 14

RPKI at CNNIC
• Standardization work in CCSA
• In charge of the standardization of RPKI in China

Page 15

RPKI at CNNIC
• Published two white papers to guide the testing of RPKI and BGPSEC

Page 16

RPKI at CNNIC
• Published the first RPKI pilot system in China

Page 17

RPKI at CNNIC
• Published several academic papers

• Cuicui Wang, Zhiwei Yan and Anlei Hu. An Efficient Data Management Architecture for the Large-scale Deployment of Resource Public Key Infrastructure

• Xiaowei Liu, Zhiwei Yan, Guanggang Geng, Xiaodong Lee, Shian-Shyong Tseng and Ching-Heng Ku. RPKI Deployment: Risks and Alternative Solutions

• Xiaowei Liu, Zhiwei Yan, Guanggang Geng and Xiaodong Lee. Research of Resource Allocation Risks by CAs in RPKI and Feasible Solutions

• Zhiwei Yan, Xiaowei Liu, Guanggang Geng and Sherali Zeadally. Secure and Scalable Deployment of Resource Public Key Infrastructure (RPKI)

Page 18

What is the future of RPKI?

• Will RPKI be SECURE enough?
• We should avoid additional risks caused by a security enhancement

• More than one TA

• Operational errors
• Unilateral resource revocation
• Mirror world attacks
• ……

• Data synchronization

• Problems of staged and incomplete deployment

• Combining with BGP

[Figure: three stages of the RPKI data flow: Production, Synchronization, Usage]

Page 19

What is the future of RPKI?
• Will RPKI be deployed widely?

• Let's have a glimpse of DNSSEC

[Figure: DNSSEC deployment timeline]
• 2010-12 to 2013-03: Experimental
• 2013-04: Announced
• 2013-08: Partial
• 2013-11: DS in Root
• Keep going…: Operational

Experimental: risk analysis; software development

Announced: hardware & software deployment; training and drills

Partial: signing & roller; observations & verification

DS in Root: generation & submission; observations & verification

Operational: upgrades and improvements; debugging

[Timeline labels: Over 800 days; 120 days]

Page 20

What is the future of RPKI?
• Will RPKI be deployed widely?

• Let's have a glimpse of DNSSEC

DNSSEC coverage rate of Alexa top 1 million websites: 1.6%

Page 21

What is the future of RPKI?

• Analyze the challenges for deployment:

• A top-down model has difficulty in the Internet world

• PKI has too high requirements for the managers

• Security is a huge investment for the enterprises

Page 22

• I am not NEGATIVE or UNCONFIDENT about RPKI

• But I am sure it has a long way to go for:

• Protocol improvement

• Deployment enlargement

Page 23

Thank you for your attention~

Zhiwei Yan@CNNIC
