IAA Life in Lockdown series: Securing Internet Routing
0 likes265 views
The document discusses the challenges of securing internet routing, particularly focusing on issues like route leaks and the need for robust validation methods. It introduces the RPKI framework as a solution for signing route origins and proposes various tools and best practices for implementing and managing these security measures. The text emphasizes the importance of filtering and validating routes to enhance the overall security and reliability of internet routing infrastructures.
![2323
Implementation
• Acting on the Validation states
– Tag & do nothing~ You have downstream/route server @IXPs
[Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)]
– RFC7115
• Prefer “Valid > Not Found > Invalid”
– Drop Invalids
• ~6K IPv4 and ~3K IPv6 routes](https://image.slidesharecdn.com/tashiiaarpki-200804042627/85/IAA-Life-in-Lockdown-series-Securing-Internet-Routing-23-320.jpg)
IAA Life in Lockdown series: Securing Internet Routing
- 1. 1 (the trouble with) Securing the Internet Routing Tashi Phuntsho (tashi@apnic.net) Senior Network Analyst/Technical Trainer
- 6. 66 Headlines
- 7. 77 Why do we keep seeing these? • As always, there is no Evil bit (RFC3514) – a bad routing update does not identify itself as BAD
- 8. 88 Current Practice Peering/Transit Request LOA Check Filters (in/out) LOA Check Whois (manual) Letter of Authority IRR (RPSL)
- 9. 99 Tools & Techniques • Look up whois – verify holder of a resource
- 10. 1010 Tools & Techniques • Ask for a Letter of Authority – Absolve from any liabilities
- 11. 1111 Tools & Techniques • Look up/ask to enter details in IRR – describes route origination and inter-AS routing policies
- 12. 1212 Tools & Techniques • IRR – Helps generate network (prefix & as-path) filters using RPSL tools • Filter out route advertisements not described in the registry
- 13. 13 IRR Issues • No single authority model • How do I know an RR entry is genuine/correct? • Too many RRs • If two RRs have conflicting data, which one do I trust? • Incomplete data – If a route is not in a RR, is the route • Invalid, or • Is the RR just missing data?
- 14. 1414 Enter the RPKI framework 1782165550 2406:6400::/48 65551 2406:6400::/48 65551 65550 17821 i 6555265553 2406:6400::/48 2406:6400::/48 65553 65552 i rsync/RRDP RPKI Repo RPKI-to-Router (RTR) 2406:6400::/32-48 17821 ROA 2406:6400::/32-48 17821 Invalid Valid Validator
- 15. 1515 Implementation • Sign your route origins (create your ROAs) Prefix 2406:6400::/32 Max-length /36 Origin ASN AS45192
- 16. 1616 ROA considerations • Max length attribute – Minimal ROA • ROAs to cover only those prefixes announced in BGP • https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03 – Reduces spoofed origin-AS attack surface 0 500 1000 1500 2000 2500 3000 3500 4000 Dec'19 Jan'20 Feb'20 May'20 July'20 Invalids (Max Length) IPv4 IPv6
- 17. 1717 ROA considerations • Know your network (origin AS) – Do you have multiple ASes? • Are they independent ASes? or • Transit AS + multiple Access ASes? https://blog.apnic.net/2020/04/10/rise-of-the-invalids/ 0 500 1000 1500 2000 2500 Dec'19 Jan'20 Feb'20 May'20 July'20 Invalids (Orgin AS) IPv4 IPv6
- 18. 1818 Implementation • Run your own RPKI validator: – Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net – RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3 – Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.7.1 – OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki – Fort (NIC Mexico’s Validator) - https://nicmx.github.io/FORT-validator/ https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
- 19. 1919 Validator considerations • Securing the RTR session – Plain text (TCP) • run within your routing domain – Other auth options • SSH (v2) • MD5 auth • IPsec • TLS • TCP-AO
- 20. 2020 Validator considerations • When RTR session fails – Based on the expire interval of ROA cache • JunOS/SR-OS: 3600s, IOS-XE: 300s (RFC min ~ 600secs) – Defaults to NOT FOUND • Including Invalids – Hence, at least 2 x Validators (RTR sessions)
- 21. 2121 Validator considerations • VRP output
- 22. 2222 Implementation • Enable RTR on your routers • eBGP speakers (border/peering/transit) – Know your platform defaults and knobs • Example: IOS-XE wont use Invalids for best path selection router bgp 131107 bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs> routing-options { autonomous-system 131107; validation { group rpki-validator { session <validatorIP> { refresh-time <secs>; port <323/3323/8282>; local-address X.X.X.X; } } } } router bgp 131107 rpki server <validatorIP> transport tcp port <323/3323/8282> refresh-time <secs>
- 23. 2323 Implementation • Acting on the Validation states – Tag & do nothing~ You have downstream/route server @IXPs [Valid (ASN:65XX1), Not Found (ASN:65XX2), Invalid (ASN:65XX3)] – RFC7115 • Prefer “Valid > Not Found > Invalid” – Drop Invalids • ~6K IPv4 and ~3K IPv6 routes
- 24. 2424 Operational Considerations • Default routes? – Will match anything ~ Invalids
- 25. 2525 Other developments • ROA with AS-0 origin (RFC6483/RFC7607) – Negative attestation • No valid ASN has been granted authority • Not to be routed (Ex - IXP LAN prefixes) – Overridden by another ROA • with an origin AS other than AS-0 – Prop-132: unallocated/unassigned APNIC space • Similar to RFC6491 for special-use/reserved/unallocated
- 26. 2626 So, what can we all do? • Basic BGP OpSec hygiene – RFC7454/RFC8212 – RFC8212: BGP default reject or something similar – Filter your customers and peers • Prefix filters, Prefix limit • AS-PATH filters, AS-PATH limit • Use IRR objects (source option) or ROA-to-IRR – Filter your upstream(s) – Create ROAs for your resources – Filter inbound routes based on ROAs à ROV • Join industry initiatives like MANRS • https://www.manrs.org/
- 27. 2727 AU focus NOT FOUND AFRINIC APNIC ARIN RIPE IRINN JPNIC IPv4 44 17106 379 104 13 7 IPv6 1561 8 8 ~18K ~1.5K INVALIDS APNIC Validity JPNIC Validity IPv4 20 16(ML), 3(AS), 1(ASML) 1 1xAS IPv6 6 4(ML), 2(AS)
- 28. 2828 AU focus Network Routed (v4) ROA (AS, Prefix, ML) Validity AS132405 (Summit Internet) 4x/24s 132405,43.250.92.0/22,22 Invalid ML AS134090 (XIntegration) 2x/24s 134090,103.106.88.0/22,22 134090,103.106.90.0/23,23 Invalid ML AS10214 (Pentanet) 2x/24s 10214,121.200.32.0/23,23 132458, 121.200.32.0/23,23 Invalid ML AS17918 (AC3) 2x24s 14168,122.252.148.0/22,22 16509, 122.252.148.0/22,22 Invalid ASML AS4739 (Internode) 1x16 4713,118.0.0.0/12,24 Invalid AS AS1221 (Telstra AU) 1x24 4637,192.74.139.0/24,24 Invalid AS Network Routed (v6) ROA (AS, Prefix, ML) Validity AS59256(Ausnet Servers) 2x/48s 59256,2401:9CC0::/32,32 Invalid ML AS64098 (IP Transit) 1x/48 64098,2403:780::/32,40 Invalid ML AS134409 (Public DNS/Host Link) 1x48 24322,2407:C820::/32,32 24322,2407:C280:FFFF::/48,48 Invalid AS AS38220 (Amaze) 1x36 45177,2403:CC00:4000::/36,36 Invalid AS
- 29. 2929 Acknowledgement • Geoff Huston, APNIC • Randy Bush, IIJ Labs/Arrcus
- 30. 30 THANK YOU