2016 | Cyber Security Division R&D SHOWCASE AND TECHNICAL WORKSHOP
Ensuring and Accelerating Routing Security
PARSONS, Inc
Sandra Murphy
18 Feb 2016
DHS S&T Cyber Security Division | 2016 R&D Showcase & Technical Workshop
Team Profile
DRAGON RESEARCH LABS
Sub-contractor: network operations
Sub-contractor: security; public key infrastructures
Prime: secure infrastructure protocols
Customer Need
• Routing is a critical core-infrastructure protocol
  • With an Achilles heel
• Routing protocol (BGP)
  • A global, cooperative, distributed system
  • That’s powerful, but also its weakness
• World-wide threat source
• World-wide impact
  • Blackholes, MITM, outages
• Everybody’s problem
• Nobody’s responsibility
Approach (Part 1)
• Proactive: block bogus routing information
• Technical Solution:
  • Step 1: Certify Right to Use Addresses
  • Step 2: Origin Validation (protect creation of initial route)
  • Step 3: Path Validation (protect record of the route’s path)
• Project Team and Strategy
  • Project team of experts in key areas
  • Engage with key stakeholders and gatekeepers:
    • Router vendors, operators, Internet resource registries
  • Work on all solution phases:
    • standardization, implementation, and deployment
  • Parallel existing systems and operations
Approach (continued, Part 2)
ENHANCING AND ACCELERATING ROUTING SECURITY (EARS)
Parsons Corp. | Dragon Research Labs | Raytheon BBN Technologies
[Poster panels: THE IMPACT, THE PROBLEM, THE SOLUTION]
[Figure labels: HOME USERS, COMMERCIAL SERVICES, FINANCIAL SERVICES, PUBLIC UTILITIES, DEFENSE SERVICES, GOVERNMENT SERVICES; Preferred Path to Destination; Hijacked Path; UNINTENDED DESTINATION]
Example of a Large-Scale Routing Incident - China Telecom, 2010
Proactive solution: BLOCK bogus routing
STEP 1: Certify the right to use addresses
Parallel existing address allocation system
[Figure: address allocation hierarchy. Labels: IANA; Regional Internet Registries (AFRINIC, APNIC, ARIN, LACNIC, RIPE); Legacy; ISP; Customer; Enterprise]
Each suballocation is represented in a certificate
Resource Public Key Infrastructure - RPKI
STEP 2: Origin Validation (protect creation of initial route)
[Figure labels: Globally Distributed CA Repositories; Local repository cache; ISP; PoP]
• RPKI route authorization object: prefix holder authorizes ISP to originate route
• Routers use RPKI authorization to validate the route origin
Cache-to-router protocol delivers list of authorized prefix origins to routers in real time. Routers do NO crypto
[Figure labels: ISP A, ISP B, ISP C, Net 2/8]
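The origin check of Step 2, as a router could run it over the cache-supplied list of authorized prefix origins, written out as an added example (not code from the presentation or the EARS project). It follows the RFC 6811 matching rule; the maximum-length field, the prefixes and the AS numbers are assumptions, built from documentation ranges.

```python
from ipaddress import ip_network
from typing import NamedTuple

class VRP(NamedTuple):
    """One authorized prefix origin, as the cache delivers it to a router."""
    prefix: str      # certified address block
    max_length: int  # longest prefix length the holder allows (not named on the slide)
    origin_as: int   # AS the holder authorizes to originate the block

# Constructed sample list (documentation prefixes and AS numbers).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

def validate_origin(route_prefix: str, origin_as: int, vrps=VRPS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        block = ip_network(vrp.prefix)
        # A VRP covers the route when the route lies inside its block.
        if route.version != block.version or not route.subnet_of(block):
            continue
        covered = True
        # It matches when the origin agrees and the announcement is not
        # more specific than the holder allowed.
        if vrp.origin_as == origin_as and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but never matched: the authorization names a different origin or length.
    return "invalid" if covered else "not-found"

# Constructed announcements: (prefix, origin AS seen in the route).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),      # authorized origin
    ("192.0.2.0/24", 64511),      # mis-originated by another AS
    ("192.0.2.0/25", 64496),      # more specific than authorized
    ("2001:db8:1::/48", 64497),   # inside the block, within max length
    ("198.51.100.0/24", 64500),   # no authorization published
]

def classify_all(routes=SAMPLE_ROUTES):
    """Validation state of every sample announcement, in order."""
    return [validate_origin(p, a) for p, a in routes]

if __name__ == "__main__":
    for (prefix, asn), state in zip(SAMPLE_ROUTES, classify_all()):
        print(f"{prefix:18} AS{asn}: {state}")
```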
STEP 3: Path Validation (protect build up of the route)
[Figure: Net 2/8 announced through ISP A, ISP B and ISP C; the path recorded for 2/8 grows from A to A B to A B C, with signatures for path validation]
Protections parallel legitimate behavior
Sign everything you receive to prove you didn’t invent the path
• Originators, ISP A, sign what they originate
• Propagators, ISP B and ISP C, sign what they propagate
• Routes collect signatures as they travel through the network
• Recipients validate signatures to determine path validity
[Status labels: PROGRESSING, STARTING, PLANNING]
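The signature chain of Step 3 as an added example (not code from the presentation or the EARS project): the originator signs, each propagator signs over what it received, and the recipient recomputes the chain. HMAC with constructed per-AS secrets stands in for the per-AS public-key signatures, and binding each signature to the neighbor the route is sent to is an assumption of this example.

```python
import hashlib
import hmac

# Constructed per-AS secrets. HMAC stands in here for the per-AS
# public-key signatures; it keeps the example in the standard library.
KEYS = {64496: b"isp-a-secret", 64497: b"isp-b-secret", 64498: b"isp-c-secret"}

def sign_hop(signer: int, target: int, prefix: str, previous: bytes) -> bytes:
    """Sign the prefix, signer, next neighbor and the signature received."""
    msg = f"{prefix}|{signer}|{target}|".encode() + previous
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()

def originate(prefix: str, origin: int, target: int) -> dict:
    """The originator signs what it originates."""
    return {"prefix": prefix, "path": [origin],
            "sigs": [sign_hop(origin, target, prefix, b"")]}

def propagate(route: dict, me: int, target: int) -> dict:
    """A propagator adds itself and signs over what it received."""
    sig = sign_hop(me, target, route["prefix"], route["sigs"][-1])
    return {"prefix": route["prefix"], "path": route["path"] + [me],
            "sigs": route["sigs"] + [sig]}

def path_is_valid(route: dict, receiver: int) -> bool:
    """Recompute each signature in order; an edited path breaks the chain."""
    path, sigs = route["path"], route["sigs"]
    if not path or len(path) != len(sigs):
        return False
    previous = b""
    for i, (signer, sig) in enumerate(zip(path, sigs)):
        target = path[i + 1] if i + 1 < len(path) else receiver
        if signer not in KEYS:
            return False
        expected = sign_hop(signer, target, route["prefix"], previous)
        if not hmac.compare_digest(sig, expected):
            return False
        previous = sig
    return True

def demo() -> dict:
    """ISP A originates, B and C propagate, AS 64499 receives."""
    a, b, c, rx = 64496, 64497, 64498, 64499
    good = propagate(propagate(originate("192.0.2.0/24", a, b), b, c), c, rx)
    # Constructed tampering: ISP B dropped from the path, signatures kept.
    cut = {**good, "path": [a, c], "sigs": [good["sigs"][0], good["sigs"][2]]}
    return {"intact": path_is_valid(good, rx), "shortened": path_is_valid(cut, rx)}
```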
Packets may be intercepted or modified in transit
▪ Routing is an essential part of Internet Communication.
▪ Routing protocols are subject to attack at and from arbitrary points in the network.
▪ Attacks on the routing infrastructure can result in data packets being captured, modified, or re-routed to unauthorized destinations, without the user's knowledge.
▪ Attacks may be intentional or unintentional.
▪ There have been a number of widely publicized routing incidents in the past that have resulted in real operational issues. Some routing incidents may go undetected.
▪ Routing Attacks can impact ALL Critical Infrastructure Sectors.
http://securerouting.net
Excerpted Incident Timeline
▪ On 8 April 2010 China Telecom announced itself as the originator for a large number of the Internet's address blocks.
▪ The incident was most likely due to an operator error, but during this incident a large proportion of the Internet's traffic was re-directed to China Telecom.
▪ Among the mis-originated routes were address blocks that belonged to the DoD, USG, various private sector firms, and Service Providers.
  ▪ .MIL - Roughly 35 assigned prefixes affected
  ▪ .GOV - Roughly 185 prefixes associated with various Internet Services affected
  ▪ .EDU - Roughly 165 prefixes associated with various Internet Services affected
  ▪ VoIP Providers - Roughly 90 prefixes associated with various Internet Services affected
▪ A number of ISPs propagated the mis-originated routes, so the impact of the attack was felt widely (albeit briefly).
[Figure label: Alternative Path]
Approach (continued, Part 3)
Standards
• Start solution
• Formalize Solution
• Obtain feedback
• Revise as needed
• Document BCPs
• Define needed extensions
Outreach
• Recruit Core Experts
• Explain need to other Experts
• Explain path
• Widen Publicity
• Tutorials
• Coordinate policy
• Find early adopters
• Hold tutorials
• Technical & Policy Conferences
• Widen outreach
• Articles & Workshops
Technical
• Analyze
• Measure Risk
• Predict needs
• Start tools
• Interop. tests
• Deploy tools
• Monitoring
• Scaling
• Performance tweaks
• Measure growth
• Fix slow areas
Stages of ISP Deployment: Reluctance, Planning, Beginning to Move, Progressing Steadily, Doubting
Culture change: explain the need, create the tools, find a leader, publish use cases
Choose activities to facilitate deployment in each stage
Competition
• Reactive systems
  • Routing-history-based anomaly detectors
  • BGP-route collectors and alert services
    • Collectors: RouteViews, RIPE RIS, Packet Clearing House
    • Alert services: research and commercial: e.g., Cyclops, Dyn Research, BGPMON
• Proactive systems
  • Best current practice is BGP route filters
    • Based on customer input or Internet Routing Registry (IRR) data
  • Issues with best current practice
    • AUTHORIZATION: Input (customer & IRR) authorization is weak
    • EFFECTIVENESS: Most effective close to error
    • COVERAGE: Mostly for origin validation, not path validation
    • PERFORMANCE: Filters (475K lines) challenge memory; filters must be rebuilt and reloaded periodically; loading new filters seriously impacts operations
Benefits
• Proactive: Block bogus routing, rather than detect and alert
• Authorization: Routing information is certified with high assurance
• Effectiveness: Validation effective anywhere in the Internet
• Coverage: Path validation as well as origin validation
• Performance: Incremental update, no need to rebuild full set
  • Updated information can arrive in real time without disrupting operations
Current Status (Part 1)
[Status chart: Specification, Implementation and Deployment for Step 1: Certification, Step 2: Origin Validation and Step 3: Path Validation]
• Certification:
  • All global registries certifying member resources
  • 2.3M address blocks certified, world-wide
• Origin Validation:
  • Three top router vendors support in shipping code
  • Top US companies with deployment in progress
    • using DHS funded implementations
• Path Validation:
  • specifications mature but not yet published
Current Status (continued, Part 2)
Deployment – Origin Validation - Current Stage
[Stage chart labels: Reluctance, Planning, Beginning to Move, Doubting/Inertia, Progressing Steadily]
• Building tools to aid deployment:
  • Workshop in a Box – training and planning
  • RPKI Visualization – certification monitor
  • Router-RPKI Monitor – origin validation in operation
  • Emulation and Operation Monitor – planning and operations
  • Rpki.net and RPSTIR – standards and operation
• Participating in policy development
Next Steps
• FROM NOW TO COMPLETION: Ensure and accelerate deployment:
  • Tools
    • Ease barriers, monitor, diagnosis, performance
  • Community
    • Training, workshops, tutorials, outreach, community building
    • Working with major providers (ISP, data center, cloud)
    • Working with major address holders to encourage deployment
  • Policy
    • Work with principal policy bodies – registries, government, sector
    • Work with policy bodies’ clients and members
  • Specification
    • Complete path validation standardization!
    • As needed, address specification issues
Potential Transition Activities
• TECHNOLOGY TRANSITION:
  • Transition to commercial products in place
  • Transition to critical gateholders in place
• MAJOR CULTURE CHANGE FOR OPERATIONS:
  • Ensure community understands need
    • (outreach; status monitors)
  • Ensure community has the means to make the change
    • (OAM tools for internal operations)
  • Find a leader
    • (working with major networks for use cases, experiments, etc.)
Contact Information
Sandra Murphy
PARSONS, [email protected]
+1 443-430-8065
EARS information
www.securerouting.net
www.rpki.net
http://sourceforge.net/projects/rpstir/