Deployment of IRR in JP and Routing Security for improvement the reliability of routing
NTT Communications 'OCN' / JPNIC IRR-Plan Chair
Tomoya Yoshida
Inter-AS
• Routes are exchanged by BGP
• A route generated anywhere in the world is transmitted all over the world
• The Internet is continually changing
– In many cases it cannot be known in advance what traffic will come from where
Hijack Route
• Malice
– Sending spam
– Site/network hijack
• Misconfiguration (sometimes a bug)
– Redistribution
– Typing mistake
Hijack Route vs. Right Route
• Where the hijack route is injected
– Customer
-> Checking the addresses in use, and prefix filtering
– Peer
-> Often found
– Upstream
-> Often found
Hijack Route vs. Right Route
• Prefix length of the hijack route
– Same
-> Depends on the form of connection, AS path, etc.
– Shorter
-> The influence can be disregarded, but it is unpleasant
– Longer
-> Draws the traffic in (the more specific prefix is preferred)
Hijack Route vs. Right Route
• AS path length of the hijack route
– Same
-> Depends on the form of connection
– Shorter
-> Depends on the form of connection, but the right route almost always loses
– Longer
-> It cannot be said to be absolutely OK
Hijack Route vs. Right Route
• Origin AS of the hijack route
– Same
-> May be hard to detect
– Different
-> May not be hard to detect
Hijack Route vs. Right Route
• MED value of the hijack route
– Same
-> Depends on the form of connection
– Smaller
-> When the AS path is also the same, the right route will lose
– Bigger
-> May not be absolutely safe
Hijack Route vs. Right Route
• BGP community strings of the hijack route
– Same
-> Depends on the BGP community filtering
– Different
-> Depends on the BGP community filtering
Pollution condition of a router
• Hijack route only
– Completely polluted
• Hijack route (best) + right route
– Regrettably polluted
• Hijack route + right route (best)
– Safe but dangerous
• Right route only
– Clean
The pollution condition differs even inside a single AS
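[Figure: AS666 (hijack AS) and AS200 (right AS) both announce 10.0.0.0/8; AS100, AS300 and AS400 also appear, with routers labelled RR and RC. BGP tables shown at different routers:]
*> 10.0.0.0/8 AS666 best
*  10.0.0.0/8 AS200

*> 10.0.0.0/8 AS666 best

*> 10.0.0.0/8 AS200 best

*  10.0.0.0/8 AS666
*> 10.0.0.0/8 AS200 best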
What to do now …
• Detect the wrong route promptly
– What is the right route?
– How to detect it?
• Maintain the information of the IR and IRR properly
– Assert the right route
The scope of what can be detected by IRR alone
• Can detect: different origin AS, different prefix length
• Depends on the object: AS path, BGP community, MED
• Difficult: same origin AS, same prefix length, the location of the origin, etc.
Reliable Information
• Scattered IRRs
– The IRR is only a place of registration
– In many cases the validity of the data is not checked
• Reliable information?
– Assignment/allocation information
  • IP address, AS number
– The IR knows it
Summary of the argument so far
A route may be hijacked
A technique for checking the validity of the route is required
Reliable information is required
The IR operates the IRR
Experimental IRR service by JPNIC
[Chart: number of Maintainer objects (axis 0 to 70) and Route objects (axis 0 to 400), from 03/10 to 05/08]
• Free service for the JP community
• Mirroring: APNIC, RIPE NCC, RADB
• Number of objects (2005/08/01)
Mntner: 60, Route: 359, Aut-num: 36, As-set: 34
How do we produce reliable information? Why did we choose to operate an IRR?
– Cooperation with the IP address database is necessary in order to keep the information in the IRR healthy
  • Proper validation is not performed in the IRRs that ISPs operate
  • In Japan, more reliable IRR information can be expected if JPNIC operates the IRR
– Practical use of the IRR reduces dangers such as operational mistakes and contributes to keeping the Internet safe
JPNIC operates the IRR accurately
Future of JPIRR (part)
– Cooperate with the IP address database
  • The range each user can register or change is limited
  • A certificate authority and electronic certificates are actively used
– Checking the mirroring status
– Comparison with BGP route information
– Searching for your objects
Providing information for smooth management of the Internet
Attestation mechanism
[Figure: attestation mechanism. Labels: Web; IP Registry System = WHOIS; reference of the change range; resources administrator; LIR; Whois; appointment; JPNIC; information registration; information reference; JPIRR; resources applicant; JPIRR administrator (operator); certificate management; resource application; address assignment]
Attestation acquisition example
It is used through a web browser
JP route information = JPIRR
First of all, a correct routing database for Japan is built
Of course, IPv6 will also be covered from now on
A routing information database of BGP is built in JP
BGP Operation using IRR
• The number of domestic ASes and AS paths is increasing, and the updating work is a heavy burden
• Japan has operated by mutually exchanging AS path information, but this does not fit well, and it has continued this way from long ago to the present
• If filtering is applied firmly at every ISP entrance, routes with a strange AS path will not flow
Automation by IRR
• Using the as-set object and route objects

as-set: AS-OCN
descr: ASes advertised by OCN
members: AS4713,
    AS290, AS2504, AS2526, AS4249, AS4688,
    AS4710, AS4711, AS4718, AS7502, AS7511,
    AS7521, AS7522, AS7524, AS7529, AS7668,
    AS7671, AS7672, AS7674, AS7676, AS7682,
    AS7684, AS7686, AS9351, AS9353, AS9363,
    AS9368, AS9370, AS9374, AS9601, AS9602,
    AS9605, AS9612, AS9614, AS9617, AS9618,
    :

route: 10.1.0.0/16
route: 10.2.0.0/16
….

AS-Path filter + Prefix filter

_290$
_2504$
….
+
10.100.0.0/16
10.200.0.0/16
….

It is important that route objects are managed accurately and reliably!
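
The filter generation on this slide, together with the cases listed earlier as detectable by IRR (different origin AS, different prefix length), as an added Python example that is not part of the original presentation. The as-set name AS-EXAMPLE, the documentation-range AS numbers, the sample objects and the function names are all assumptions made for illustration.

```python
import ipaddress
import re
# Constructed sample RPSL objects (documentation AS numbers, not registry data).
SAMPLE_IRR = """\
as-set:  AS-EXAMPLE
members: AS64496,
         AS64497, AS64498

route:   10.1.0.0/16
origin:  AS64497

route:   10.9.0.0/16
origin:  AS64511
"""

def parse_rpsl(text):
    """One list of [attribute, value] per object; indented or '+' lines continue a value."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = []
        for line in block.splitlines():
            if obj and line[0] in " \t+":
                obj[-1][1] += " " + line[1:].strip()
            else:
                key, _, value = line.partition(":")
                obj.append([key.strip().lower(), value.strip()])
        objects.append(obj)
    return objects

def build_filters(objects, set_name):
    """AS-path regexes and prefix list for one as-set (nested as-sets are not expanded)."""
    members = {m.strip() for obj in objects if obj[0] == ["as-set", set_name]
               for key, value in obj if key == "members"
               for m in value.split(",") if re.fullmatch(r"\s*AS\d+\s*", m)}
    routes = [(obj[0][1], dict(obj).get("origin")) for obj in objects if obj[0][0] == "route"]
    prefixes = sorted(p for p, origin in routes if origin in members)
    return sorted(f"_{m[2:]}$" for m in members), prefixes, routes

def check_announcement(prefix, origin, routes):
    """Compare a received route with the registered route objects."""
    net, verdict = ipaddress.ip_network(prefix), "not registered"
    for reg_prefix, reg_origin in routes:
        reg = ipaddress.ip_network(reg_prefix)
        if net == reg and origin == reg_origin:
            return "match"
        if net == reg:
            verdict = "different origin AS"
        elif verdict == "not registered" and (net.subnet_of(reg) or reg.subnet_of(net)):
            verdict = "different prefix length"
    return verdict
```

A route with the same origin AS and the same prefix length as a registered object returns "match" whoever actually announced it, which is the case the earlier slide marks as difficult to detect with IRR data alone.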
The necessity for international cooperation
• This is not a problem that can be solved by JPNIC alone
• Operation based on the hierarchy of the registry structure
– Each registry accurately manages the route/AS information under its own management or that of its own country
– It is also applicable to CRISP
CRISP: Cross Registry Information Service Protocol
IR hierarchy model : goal
[Figure: IR hierarchy, by level]
APNIC, ARIN, RIPE, ...
JPNIC, NIRs, ...
LIRs, LIRs, LIRs, ...
*1: Inter-RIR mirror
*2: Inter-IR mirror
*3: Member mirror
Certificate authority, Internet resource management, IRR database management
Mirroring -> CRISP?
Conclusion / Suggestion
• Reliable information is produced
• Highly flexible BGP operation is realized by using the Internet routing information database
• We want to cooperate across the Asian area, not only in Japan but also with other countries and other regions