
Routing Security Roadmap - LACNIC

Date post: 12-Jan-2022
Page 1: Routing Security Roadmap - LACNIC

Routing Security Roadmap

Job Snijders, NTT Communications, job@ntt.net

This presentation contains projections and other forward-looking statements regarding future events or our future routing performance. All statements other than present and historical facts and conditions contained in this release, including any statements regarding our future results of operations and routing positions, business strategy, plans and our objectives for future operations, are forward-looking statements (within the meaning of the Private Securities Litigation Reform Act of 1995, Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended). These statements are only predictions and reflect our current beliefs and expectations with respect to future events and are based on assumptions and subject to risk and uncertainties and subject to change at any time. We operate in a very competitive and rapidly changing environment. New risks emerge from time to time. Given these risks and uncertainties, you should not place undue reliance on these forward-looking statements. Actual events or results may differ materially from those contained in the projections or forward-looking statements. Some of the factors that could cause actual results to differ materially from the forward-looking statements contained herein include, without limitation: (i) the contraction or lack of growth of markets in which we compete and in which our products are sold, (ii) unexpected increases in our expenses, including manufacturing expenses, (iii) our inability to adjust spending quickly enough to offset any unexpected revenue shortfall, (iv) delays or cancellations in spending by our customers, (v) unexpected average selling price reductions, (vi) the significant fluctuation to which our quarterly revenue and operating results are subject due to cyclicality in the wireless communications industry and transitions to new process technologies, (vii) our inability to anticipate the future market demands and future needs of our customers, (viii) our inability to achieve new design wins or for design wins to result in shipments of our products at levels and in the time frames we currently expect, (ix) our inability to execute on strategic alliances, (x) the impact of natural disasters on our sourcing operations and supply chain, and (xi) other factors detailed in documents we file from time to time with the Securities and Exchange Commission. Forward-looking statements in this release are made pursuant to the safe harbor provisions contained in the Private Securities Litigation Reform Act of 1995.

Page 2

Why are we doing any of this?

• Creating filters based on public data forces malicious actors to leave a trail in IRR, WHOIS or other data sources: auditability

• Bugs happen! Your router may suddenly ignore parts of your configuration; you'll then rely on your EBGP peer's filters

• Everyone makes mistakes; a typo is easily made

Page 3

Average view on routing security

Page 4

Perception: it is hopeless, too many holes…

Page 5

Page 6

Exhaustive list of issues in the current ecosystem

• IRRdb/database inaccuracy (stale, autopiloted, non-validated)
• IXPs not filtering
• Lack of Path Validation
• Lack of sufficient and good enough software

Page 7

IRR – what is broken, what can be fixed?

• Some IRRdbs do not perform validation
• Meaning that virtually anyone can create virtually any route/route6 object and sneak those into the prefix-filters

• Eleven relevant IRRs not validating: RIPE, NTTCOM, RADB, ALTDB, ARIN IRR, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE

• Two solutions:
  • Lock the database down (RIPE/RIPE-NONAUTH)
  • Filter on the mirror level

Page 8

RIPE NWI-5 proposal & implementation

• RIPE NCC's IRR previously allowed anyone to register any non-RIPE-managed space if it had not yet been registered. *DANGER*

• The "RPSL" password & maintainer was used for this

Three steps were taken:
• Cannot register non-RIPE-managed space anymore
• All non-RIPE space moved to separate "RIPE-NONAUTH" database
• Route/route6 ASN authorization rules have been improved

More info: https://www.ripe.net/manage-ips-and-asns/db/impact-analysis-for-nwi-5-implementation

Page 9

OK – so current status

• Ten relevant IRRs not validating: NTTCOM, RADB, ALTDB, ARIN IRR, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE

• Done: RIPE

Page 10

ARIN community also recognized this is an issue

• Consultation at NANOG and through the ARIN-Consult mailing list
• https://www.arin.net/vault/resources/routing/2018_roadmap.html
• https://teamarin.net/2018/07/12/the-path-forward/

"Improve, or kill it"

Page 11

OK – so current status

• Nine relevant IRRs not validating: NTTCOM, RADB, ALTDB, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE

• Done: RIPE, ARIN IRR

• How to deal with the remaining nine....?
• Not all of these are so easily communicated with, not all are really actively managed

Page 12

The "IRR" system access

• The IRR is accessed through predominantly two "gateways":
  • whois.radb.net (the bgpq3 and peval default)
  • rr.ntt.net

• All mirroring is essentially done with one software: IRRd. Solution: Let's use the hegemonic duopoly for good!

Page 13

Improving security at the "aggregator"?

[Diagram: data sources (RIPE IRR, NTTCOM, RADB, APNIC) feed the aggregators (whois.radb.net, rr.ntt.net), which serve clients such as bgpq3]

Page 14

Proposal: Let RPKI "drown out" conflicting IRR

• RPKI can be used for BGP Origin Validation, but also for other things!
• An RPKI ROA is sort of a route-object
• It has a "prefix", "origin" and "source" (the root)
• We can use RPKI ROAs for provisioning BGP prefix-filters

• Extend IRRd so that when IRR information is in direct conflict with an RPKI ROA, the conflicting information is suppressed (Github)

Page 15

RPKI filter at the aggregators

[Diagram: the same data sources (RIPE IRR, NTTCOM, RADB, APNIC), aggregators (whois.radb.net, rr.ntt.net) and clients (bgpq3) as on page 13, with the RPKI filter applied at the aggregators]

Page 16

RPKI suppressing conflicting IRR: advantages

• Industry-wide common method to get rid of stale proxy route objects: by creating a ROA you hide old garbage in IRRs

• By creating a ROA you will significantly decrease the chances of people being able to use IRR to hijack your resource

Page 17

OK – so current status

• IRRs not validating: no longer relevant

• Done: RIPE, ARIN IRR, NTTCOM, RADB, ALTDB, BBOI, BELL, LEVEL3, RGNET, TC, CANARIE

NTT & Dashcare have started a full rewrite of IRRd to make this possible: https://github.com/irrdnet/irrd4

Page 18

"Filtering at IXPs is hard"

• Many IXPs have come to realize their responsibilities to the Internet ecosystem and the commercial benefits of a more secure product.

• http://peering.exposed/
• 9 out of the top 10 IXPs are filtering, the tenth will later this year. IX.br making good progress

• IXP filtering has become much easier, there are multiple fully featured configuration generators:
  • https://www.ixpmanager.org/
  • http://arouteserver.readthedocs.io/

• BIRD's hegemony in route server software is being challenged: OpenBGPD is funded to be able to compete

Page 19

Route servers must begin dropping RPKI Invalids

• Route servers by definition provide partial Internet tables
• No guarantees whatsoever that a given route will be available via RS
• When a route server drops a prefix, the worst case scenario is rerouting, not an outage.

[Diagram: Network A, Network B, ISP, Internet Exchange]
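The check behind both the IRRd proposal on page 14 (suppress an IRR route object that is in direct conflict with a ROA) and the route-server policy on this page (drop RPKI Invalids) is RFC 6811 origin validation. The following is an added example, not code from the presentation, from IRRd or from any route server. The ROAs, IRR objects, routes, prefixes and ASNs are constructed sample data (documentation prefixes, private-use ASNs), and the client RIB at the end shows why a drop at the route server reroutes rather than blackholes: the client's own transit route still covers the address.

```python
# Added example, not code from the slides, IRRd or any route server: RFC 6811
# origin validation ("valid" / "invalid" / "not-found") in the two places the
# deck describes: an IRR aggregator suppressing route objects that conflict
# with RPKI ROAs, and an IXP route server dropping Invalids. Every ROA, route
# object, route, prefix and ASN below is constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Roa:
    prefix: str       # prefix the ROA covers
    max_length: int   # most specific announcement length it authorises
    origin: int       # authorised origin ASN (an AS0 ROA authorises nobody)

@dataclass(frozen=True)
class RouteObject:    # IRR route/route6 object, only the attributes we need
    prefix: str
    origin: int
    source: str       # IRR database it came from

@dataclass(frozen=True)
class Route:          # BGP route; as_path[-1] is the origin ASN
    prefix: str
    as_path: Tuple[int, ...]
    via: str          # "rs" = learned from the route server, else the session name

def rov_state(prefix: str, origin: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 origin validation for one (prefix, origin) pair."""
    net = ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # subnet_of() raises on mixed address families, so compare the AFI first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"  # no ROA says anything about this address space
    for roa in covering:
        # valid needs one covering ROA with the right origin AND length <= maxLength;
        # an AS0 ROA never matches because no real route originates from AS0
        if roa.origin == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"        # covered, but no ROA authorises this origin/length

def suppress_conflicting(objects: Iterable[RouteObject], roas: Iterable[Roa]):
    """Aggregator-side filter: drop RPKI-invalid IRR objects, keep valid and
    not-found ones (without a ROA the IRR object is still the only data)."""
    kept, suppressed = [], []
    for obj in objects:
        invalid = rov_state(obj.prefix, obj.origin, roas) == "invalid"
        (suppressed if invalid else kept).append(obj)
    return kept, suppressed

def prefix_list_from_roas(asn: int, roas: Iterable[Roa]) -> List[str]:
    """Use ROAs as route objects: prefix-filter entries for one origin ASN."""
    return sorted(f"{r.prefix} le {r.max_length}" for r in roas if r.origin == asn)

def route_server_export(routes: Iterable[Route], roas: Iterable[Roa]) -> List[Route]:
    """Route server policy: RPKI-invalid routes are not passed on to clients."""
    return [r for r in routes if rov_state(r.prefix, r.as_path[-1], roas) != "invalid"]

def longest_match(ip: str, rib: Iterable[Route]) -> Optional[Route]:
    """Longest-prefix lookup in a client's RIB (RS routes plus its own sessions)."""
    addr, best = ip_address(ip), None
    for r in rib:
        net = ip_network(r.prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                best = r
    return best

# constructed sample data
ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/24", 24, 64501),            # maxLength 24: no more-specifics allowed
    Roa("2001:db8::/32", 48, 64500),
]
IRR_OBJECTS = [
    RouteObject("192.0.2.0/24", 64500, "RIPE"),     # valid
    RouteObject("192.0.2.0/24", 64666, "RADB"),     # stale proxy object, wrong origin: invalid
    RouteObject("198.51.100.0/25", 64501, "RADB"),  # right origin, too specific: invalid
    RouteObject("203.0.113.0/24", 64502, "ALTDB"),  # no ROA at all: not-found, kept
    RouteObject("2001:db8:1::/48", 64500, "RIPE"),  # valid, within maxLength 48
]
RS_ROUTES = [                                       # what the route server receives
    Route("192.0.2.0/24", (64500,), "rs"),
    Route("192.0.2.0/24", (64666,), "rs"),          # attempted hijack at the IXP
    Route("198.51.100.0/25", (64501,), "rs"),       # more-specific the ROA does not allow
]
TRANSIT_ROUTES = [Route("198.51.100.0/24", (64510, 64501), "transit")]  # client's own transit

def client_rib(roas: Iterable[Roa] = ROAS) -> List[Route]:
    """What a route-server client holds once the RS has dropped Invalids: the
    /25 is gone, but 198.51.100.10 is still reached via the /24 from transit."""
    return route_server_export(RS_ROUTES, roas) + TRANSIT_ROUTES
```

Note that not-found objects are deliberately kept: the point of the proposal is that a ROA overrides garbage, not that every IRR object needs a ROA. The prefix-list built from ROAs is the "ROA as route-object" idea from page 14 and assumes the usual `prefix le maxLength` filter syntax.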

Page 20

Not everyone needs to do RPKI

• Because of the centralization of the web, if a select few companies deploy RPKI Origin Validation, millions of people benefit

• (google, cloudflare, amazon, pch/quad9, facebook, akamai, fastly, liberty global, comcast, etc...)

• I think only 20 companies or so need to do Origin Validation for there to be big benefits...

• https://dyn.com/blog/bgp-dns-hijacks-target-payment-systems/

Page 21

"RPKI Origin Validation is useless without Path Validation aka BGPSEC"

• The lack of path validation can be resolved through two methods:
  • Densely peer with each other (Example: Google & Akamai have 126+ facilities in common with each other)
  • An AS_PATH blocking mechanism like "peerlock"
• Both effectively are "path validation for 1 hop"
• Perhaps "1 hop" already is good enough :)
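The "peerlock" rule as an added example, not the presentation's or NTT's own implementation: for each protected network you record which of your neighbours are allowed to hand you routes that carry its ASN in the AS_PATH (its known upstreams and peers); a route carrying that ASN from any other neighbour is dropped. The lock table, neighbour ASNs and routes are constructed sample data, and the sessions are assumed to be direct eBGP sessions rather than a transparent route server (which does not put its own ASN at the front of the path).

```python
# Added example, not the presentation's or NTT's own implementation: the
# "peerlock" AS_PATH check, i.e. path validation for one hop. For every
# protected network we keep the set of OUR neighbours that are allowed to hand
# us routes carrying that ASN in the AS_PATH (its known upstreams/peers). A
# route that carries a protected ASN but arrives from any other neighbour is
# rejected. The lock table, ASNs and routes below are constructed sample data;
# sessions are assumed to be direct eBGP (not via a transparent route server,
# which would not put its own ASN at the front of the path).
from typing import Dict, Iterable, List, Set, Tuple

AsPath = Tuple[int, ...]

# protected ASN -> neighbour ASNs of ours that legitimately carry its routes
PEERLOCK: Dict[int, Set[int]] = {
    64500: {64510},   # AS64500 only reaches us through its transit provider AS64510
    64501: set(),     # AS64501 peers with us directly; nobody else may carry it
}

def peerlock_ok(neighbor: int, as_path: AsPath, lock: Dict[int, Set[int]] = PEERLOCK) -> bool:
    """Return True if the route passes the lock, False if it must be dropped."""
    # first-AS sanity check: an eBGP neighbour must prepend its own ASN
    if not as_path or as_path[0] != neighbor:
        return False
    for asn in set(as_path):            # set(): prepending repeats ASNs
        allowed = lock.get(asn)
        if allowed is None or neighbor == asn:
            continue                    # unprotected, or the protected network itself sent it
        if neighbor not in allowed:
            return False                # leak or hijack of a protected ASN via the wrong neighbour
    return True

# constructed sample routes: (neighbour ASN the UPDATE came from, AS_PATH, prefix)
SAMPLE_ROUTES = [
    (64510, (64510, 64500), "192.0.2.0/24"),          # AS64500 via its transit: ok
    (64501, (64501,), "198.51.100.0/24"),             # our direct peer AS64501: ok
    (64520, (64520, 64501), "198.51.100.0/24"),       # AS64520 claims to carry our peer: rejected
    (64520, (64520, 64530, 64500), "192.0.2.0/24"),   # AS64500 through an unauthorised path: rejected
    (64520, (64520, 64540), "203.0.113.0/24"),        # no protected ASN in the path: ok
    (64520, (64521, 64540), "203.0.113.0/24"),        # leftmost ASN is not the neighbour: rejected
]

def apply_peerlock(routes: Iterable[Tuple[int, AsPath, str]], lock=PEERLOCK):
    """Split routes into (accepted, rejected) lists of (prefix, as_path)."""
    accepted: List[Tuple[str, AsPath]] = []
    rejected: List[Tuple[str, AsPath]] = []
    for neighbor, path, prefix in routes:
        (accepted if peerlock_ok(neighbor, path, lock) else rejected).append((prefix, path))
    return accepted, rejected
```

The table is only writable for the handful of large networks whose neighbour set you actually know, which is why it is "1 hop" and not full path validation; the ASPA drafts listed on page 24 aim to let each network publish that neighbour list in the RPKI instead of every operator maintaining it by hand.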

Page 22

"There is no healthy software ecosystem"

• RIPE NCC Validator v3 works and is actively maintained
• NLNet Labs is writing an RPKI Cache Validator (Routinator 3000)
• A company I can't name is secretly writing one too

• Almost all serious routing vendors have RPKI support (Cisco, Juniper, BIRD, Nokia, FRR, and more are on the way)

• Solution: more users results in better software, start using!

Page 23

Timeline

• IXPs: start doing RPKI Origin Validation on your route servers now

• ISPs/CDNs
  • If you are pointing default somewhere, do it now
  • If you are transit-free, wait a bit

Page 24

We aren't done yet - Future work

• Use the RPKI to publish "peerlock" rules about who are authorized upstreams and who aren't
  • https://tools.ietf.org/html/draft-azimov-sidrops-aspa-verification
  • https://tools.ietf.org/html/draft-azimov-sidrops-aspa-profile

• Extend the RPKI to replace IRR AS-SETs (IRR/RPKI feature parity)
  • https://tools.ietf.org/html/draft-ss-grow-rpki-as-cones

• ARIN TAL issue needs addressing

Page 25

LACNIC RPKI invalids

Source: https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c

Page 26

Double check your RPKI ROAs!

Source: https://medium.com/@nusenu/where-are-rpki-unreachable-networks-located-65c7a0bae0f8

Page 27

Conclusion

Page 28

Recommended