BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation...

7
BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery ([email protected]) 1 IETF 80 08/27/22

Transcript of BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation...

Page 1: BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery (dougm@nist.gov) 1IETF 802/12/2014.

BGP-SRx BGP - Secure Routing Extension

BRITE BGP Security / RPKI Interoperability Test & Evaluation

Doug Montgomery ([email protected])

1IETF 8004/10/23

Page 2: BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery (dougm@nist.gov) 1IETF 802/12/2014.

BGP SRx Overview BGP SRx Overview • BGP Secure Routing Extension (SRx)

– Software router with extensions for: RPKI Rtr cache maintenance, validation of updates, new BGP route policies.

– SRx – implemented as extension for Quagga routing platform. Designed to support other platforms (e.g., XORP, etc).

– Designed to support experimentation with different architectural configurations of SRx and RPKI components.

• Status– BGP SRx frame work with RPKI cache and ROA processing implemented.

• draft-ietf-sidr-rpki-rtr-11• draft-ietf-sidr-roa-validation-10.txt, draft-ietf-sidr-pfx-validate-01

– TBD• draft-ietf-sidr-origin-validation-signaling-00

RPKI Validating Cache

BGP SRx

BGP Router

RPKI Validating Cache

BGP SRx

BGP Router

RPKI Validating Cache

BGP SRx

BGP Router

2IETF 8004/10/23

Page 3: BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery (dougm@nist.gov) 1IETF 802/12/2014.

BGP SRx ImplementationBGP SRx Implementation• SRx Server

– Independent process – through proxy shim in router.– Supports asynchronous validation (lazy or blocking).– Supports multiple caches …. and multiple routers.

• Policies– Ignore Invalid– Ignore Unknown– Modify LocPref– Tie Break

04/10/23 IETF 80 3

Page 4: BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery (dougm@nist.gov) 1IETF 802/12/2014.

SRx Deployment OptionsSRx Deployment Options

AS 1

SRx SupportingMultiple Routers

BGP SRx

RPKIValidation

Cache

AS 2

BGP SRx

RPKIValidation

Cache

BGP SRx

BGP Protocol

SRx Router Prot.

RPKI/RTR Prot.

4IETF 8004/10/23

Page 5: BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery (dougm@nist.gov) 1IETF 802/12/2014.

BRITE Design OverviewBRITE Design Overview

Collector

Traffic G

enerator

IUT

RPKIValidation

Cache

BRITETest

Controller

White ListCollector /Generator

WEB Interface

BGP Protocol

RPKI/RTR Protocol

RSYNC

5IETF 8004/10/23

Page 6: BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery (dougm@nist.gov) 1IETF 802/12/2014.

BRITE OverviewBRITE Overview• BGPSEC / RPKI Interoperability Test & Evaluation

– Distributed test and evaluation framework for: • RPKI / BGP Security implementation testing, • Configuration and deployment testing.

– Flexible XML based test / scenario scripting language.– Can test all components / interfaces of BGP security system.

• RPKI Validating Caches.• Cache to Router Protocol.• ROA Processing in BGP Router.

• Online Testing Service.– WWW interface to BRITE.– Multi-user infrastructure.– Real time test monitoring & reporting.– Other diagnostics – log files, traffic traces available for

download.

6IETF 8004/10/23

Page 7: BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery (dougm@nist.gov) 1IETF 802/12/2014.

BRITE Web InterfaceBRITE Web Interface

Test Timeline

Test Progress

Events: M=Multiple A =Activation B =BGP W=Whitelist

Experiment Log

Goal Tree Finishedsuccessful

Wait to be activated

Currently processing

7IETF 8004/10/23


The RPKI & Origin Validation - American Registry for ... · The RPKI & Origin Validation ARIN / San Juan ... to Smart Customer ... router bgp 4128 bgp router-id 198.180.152.251

The RPKI & Origin Validation - American Registry for ... · The RPKI & Origin Validation ARIN / San Juan ... to Smart Customer ... router bgp 4128 bgp router-id 198.180.152.251

Resource(PublicKeyInfrastructure((RPKI) · set routing-options validation group RPKI session 202.4.96.221 hold-time 180 set routing-options validation group RPKI session 202.4.96.221

Resource(PublicKeyInfrastructure((RPKI) · set routing-options validation group RPKI session 202.4.96.221 hold-time 180 set routing-options validation group RPKI session 202.4.96.221

Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

RESOURCE PUBLIC KEY INFRASTRUCTURE EXTENSION · Resource Public Key Infrastructure (RPKI). Objects in the RPKI are intended to improve the security of the BGP system by providing

RESOURCE PUBLIC KEY INFRASTRUCTURE EXTENSION · Resource Public Key Infrastructure (RPKI). Objects in the RPKI are intended to improve the security of the BGP system by providing

RPKI Validation - Internet2 · 2017. 10. 27. · bgp rpki server tcp 163.253.39.165 port 8282 refresh 600 bgp bestpath prefix-validate allow-invalid neighbor 163.253.39.165 remote-as

RPKI Validation - Internet2 · 2017. 10. 27. · bgp rpki server tcp 163.253.39.165 port 8282 refresh 600 bgp bestpath prefix-validate allow-invalid neighbor 163.253.39.165 remote-as

RPKI->RTR Protocol

RPKI->RTR Protocol

Introduction to RPKI

Introduction to RPKI

RPKI with rpki.net ToolS · 2 RPKI: Introduction Tutorial Target audience Knowledge of Internet Routing(specially BGP) Familiar with any IRR Database No need to know Cryptography

RPKI with rpki.net ToolS · 2 RPKI: Introduction Tutorial Target audience Knowledge of Internet Routing(specially BGP) Familiar with any IRR Database No need to know Cryptography

RPKI Deployment - APNIC · • Route53 hijack (contd…) q Resolvers querying any Route53 managed names, would ask the authoritative servers controlled through the BGP hijack § Possibly,

RPKI Deployment - APNIC · • Route53 hijack (contd…) q Resolvers querying any Route53 managed names, would ask the authoritative servers controlled through the BGP hijack § Possibly,

PSCR Security - nist.gov

PSCR Security - nist.gov

Internet Infrastructure Security · Message to Take Away • Security requires an integral approach: • not BGP filtering, RPKI or DNS security, but all of them • Security requires

Internet Infrastructure Security · Message to Take Away • Security requires an integral approach: • not BGP filtering, RPKI or DNS security, but all of them • Security requires

RPKI Tutorial and hands-on - APNIC · 2018. 1. 23. · –BGPSEC –security mechanism for BGP routing is being implemented ... What’s up in Japan •JANOG RPKI routing WG –RPKI

RPKI Tutorial and hands-on - APNIC · 2018. 1. 23. · –BGPSEC –security mechanism for BGP routing is being implemented ... What’s up in Japan •JANOG RPKI routing WG –RPKI

Internet Number Registry Services the Next Generation · 5/8/2019  · RPKI •RPKIis a public key infrastructure (PKI) framework, designed to secure BGP routing ⎯Based on X.509

Internet Number Registry Services the Next Generation · 5/8/2019  · RPKI •RPKIis a public key infrastructure (PKI) framework, designed to secure BGP routing ⎯Based on X.509

Securing BGP - RPKI · Amazon (AS16509) Route53 hijack – April2018 ... DNS servers in the hijacked range only responded to queries for myetherwallet.com • Responded with addresses

Securing BGP - RPKI · Amazon (AS16509) Route53 hijack – April2018 ... DNS servers in the hijacked range only responded to queries for myetherwallet.com • Responded with addresses

Securing your resources with RPKI and IRT Securing your...RPKI: ROA •Resource Public Key Infrastructure (RPKI) is the infrastructure framework designed to secure the BGP table •ROA

Securing your resources with RPKI and IRT Securing your...RPKI: ROA •Resource Public Key Infrastructure (RPKI) is the infrastructure framework designed to secure the BGP table •ROA

APNIC RPKI Report

APNIC RPKI Report

The RPKI Documentation

The RPKI Documentation

BGP Resource Public Key Infrastructure (RPKI) … Resource Public Key Infrastructure (RPKI) Origin Validation . ... Overview of RPKI ... Figure 5 shows the high-level network diagram

BGP Resource Public Key Infrastructure (RPKI) … Resource Public Key Infrastructure (RPKI) Origin Validation . ... Overview of RPKI ... Figure 5 shows the high-level network diagram

RPKI Deployment Panel

RPKI Deployment Panel

Practical RPKI Deployment at FPT TELECOM...BGP & Internet o The Border Gateway Protocol (BGP) is the protocol used throughout the global Internet to exchange routing information between

Practical RPKI Deployment at FPT TELECOM...BGP & Internet o The Border Gateway Protocol (BGP) is the protocol used throughout the global Internet to exchange routing information between