Ensuring and Accelerating Routing Security

2016 | Cyber Security Division R&D SHOWCASE AND TECHNICAL WORKSHOP
PARSONS, Inc
Sandra Murphy
18 Feb 2016

DHS S&T Cyber Security Division | 2016 R&D Showcase & Technical Workshop


Team Profile

DRAGON RESEARCH LABS

• Sub-contractor: network operations
• Sub-contractor: security; public key infrastructures
• Prime: secure infrastructure protocols

Customer Need

• Routing is a critical core-infrastructure protocol
• With an Achilles heel
• Routing protocol (BGP)
• A global, cooperative, distributed system
• That’s powerful, but also its weakness
• World-wide threat source
• World-wide impact
• Blackholes, MITM, outages
• Everybody’s problem
• Nobody’s responsibility

Approach (Part 1)

• Proactive: block bogus routing information
• Technical Solution:
    • Step 1: Certify Right to Use Addresses
    • Step 2: Origin Validation (protect creation of initial route)
    • Step 3: Path Validation (protect record of the route’s path)
• Project Team and Strategy
    • Project team of experts in key areas
    • Engage with key stakeholders and gatekeepers:
        • Router vendors, operators, Internet resource registries
    • Work on all solution phases: standardization, implementation, and deployment
    • Parallel existing systems and operations

Approach (continued, Part 2)

ENHANCING AND ACCELERATING ROUTING SECURITY (EARS)
Parsons Corp. | Dragon Research Labs | Raytheon BBN Technologies

THE PROBLEM

Packets may be intercepted or modified in transit

[Figure labels: Home Users, Commercial Services, Financial Services, Public Utilities, Defense Services, Government Services; Preferred Path to Destination, Alternative Path, Hijacked Path, Unintended Destination]

▪ Routing is an essential part of Internet Communication.
▪ Routing protocols are subject to attack at and from arbitrary points in the network.
▪ Attacks on the routing infrastructure can result in data packets being captured, modified, or re-routed to unauthorized destinations, without the user's knowledge.
▪ Attacks may be intentional or unintentional.
▪ There have been a number of widely publicized routing incidents in the past that have resulted in real operational issues. Some routing incidents may go undetected.
▪ Routing Attacks can impact ALL Critical Infrastructure Sectors.

http://securerouting.net

THE IMPACT

Example of a Large-Scale Routing Incident - China Telecom, 2010

Excerpted Incident Timeline

▪ On 8 April 2010 China Telecom announced itself as the originator for a large number of the Internet's address blocks.
▪ The incident was most likely due to an operator error, but during this incident a large proportion of the Internet's traffic was re-directed to China Telecom.
▪ Among the mis-originated routes were address blocks that belonged to the DoD, USG, various private sector firms, and Service Providers.
    .MIL - Roughly 35 assigned prefixes affected
    .GOV - Roughly 185 prefixes associated with various Internet Services affected
    .EDU - Roughly 165 prefixes associated with various Internet Services affected
    VoIP Providers - Roughly 90 prefixes associated with various Internet Services affected
▪ A number of ISPs propagated the mis-originated routes, so the impact of the attack was felt widely (albeit briefly).

THE SOLUTION

Proactive solution: BLOCK bogus routing

STEP 1: Certify the right to use addresses

Parallel existing address allocation system

[Figure labels: IANA; Regional Internet Registries: AFRINIC, APNIC, ARIN, LACNIC, RIPE; Legacy; ISP; Customer; Enterprise. Each suballocation is represented in a certificate.]

Resource Public Key Infrastructure - RPKI

[Figure labels: Globally Distributed CA Repositories; Local repository cache; PoP, PoP, PoP; ISP]

• RPKI route authorization object: prefix holder authorizes ISP to originate route
• Routers use RPKI authorization to validate the route origin

Cache-to-router protocol delivers list of authorized prefix origins to routers in real time. Routers do NO crypto.

STEP 2: Origin Validation (protect creation of initial route)

[Figure labels: Net 2/8, ISP A, ISP B, ISP C]

STEP 3: Path Validation (protect build up of the route)

[Figure labels: Net 2/8; route "2/8 A"; route "2/8 A B"; route "2/8 A B C"; Signatures for path validation]

Protections parallel legitimate behavior

Sign everything you receive to prove you didn’t invent the path
• Originators, ISP A, sign what they originate
• Propagators, ISP B and ISP C, sign what they propagate
• Routes collect signatures as they travel through the network
• Recipients validate signatures to determine path validity

[Status labels: PROGRESSING, STARTING, PLANNING]
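Step 2 above, where routers check a route's origin against the list of authorized prefix origins delivered by the cache, comes down to the table lookup sketched here. This is an added example, not code from the slides or from the EARS project: it follows the RFC 6811 classification (valid, invalid, not-found), and the prefixes, AS numbers, helper names and the policy of keeping not-found routes are assumptions made for illustration.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """One authorized prefix origin, as a local RPKI cache hands it to a router."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int   # longest prefix length the address holder authorized
    asn: int          # AS authorized to originate the prefix

def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

def validate_origin(prefix: str, origin_asn: int, vrps: list[VRP]) -> str:
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811).

    Pure table lookup: signatures were already checked by the cache, not here.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route if it is the same prefix or a less specific one.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # AS 0 in a VRP means "nobody may originate this", so it never matches.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def accept(updates, vrps):
    """Assumed policy: drop 'invalid', keep 'valid' and 'not-found' routes."""
    return [(p, a) for p, a in updates if validate_origin(p, a, vrps) != "invalid"]

# Constructed sample data: documentation prefixes and documentation AS numbers.
VRPS = [vrp("192.0.2.0/24", 24, 64496), vrp("2001:db8::/32", 48, 64497)]
UPDATES = [
    ("192.0.2.0/24", 64496),      # authorized origin
    ("192.0.2.0/24", 64511),      # mis-originated: wrong AS
    ("192.0.2.128/25", 64496),    # right AS, but more specific than authorized
    ("2001:db8:1::/48", 64497),   # within max_length
    ("198.51.100.0/24", 64500),   # no covering VRP
]

if __name__ == "__main__":
    for p, a in UPDATES:
        print(f"{p:20} AS{a}: {validate_origin(p, a, VRPS)}")
```

A mis-origination of the kind in the 2010 incident shows up as the second case: a covering authorization exists, the announcing AS is not the one named in it, and the route is classified invalid.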


[Figure labels: ISP A, ISP B, ISP C. STEP 3: Path Validation (protect build up of the route’s path)]

Approach (continued, Part 3)

Choose activities to facilitate deployment in each stage

Stages of ISP Deployment: Reluctance, Planning, Beginning to Move, Progressing Steadily, Doubting

Standards
• Start solution
• Formalize Solution
• Obtain feedback
• Revise as needed
• Document BCPs
• Define needed extensions

Outreach
• Recruit Core Experts
• Explain need to other Experts
• Explain path
• Widen Publicity
• Tutorials
• Coordinate policy
• Find early adopters
• Hold tutorials
• Technical & Policy Conferences
• Widen outreach
• Articles & Workshops

Technical
• Analyze
• Measure Risk
• Predict needs
• Start tools
• Interop. tests
• Deploy tools
• Monitoring
• Scaling
• Performance tweaks
• Measure growth
• Fix slow areas

Culture change: explain the need, create the tools, find a leader, publish use cases

Competition

• Reactive systems
    • Routing-history-based anomaly detectors
    • BGP-route collectors and alert services
        • Collectors: RouteViews, RIPE RIS, Packet Clearing House
        • Alert services: research and commercial: e.g., Cyclops, Dyn Research, BGPMON
• Proactive systems
    • Best current practice is BGP route filters
        • Based on customer input or Internet Routing Registry (IRR) data
    • Issues with best current practice
        • AUTHORIZATION: Input (customer & IRR) authorization is weak
        • EFFECTIVENESS: Most effective close to error
        • COVERAGE: Mostly for origin validation, not path validation
        • PERFORMANCE: Filters (475K lines) challenge memory; filters must be rebuilt and reloaded periodically; loading new filters seriously impacts operations

Benefits

• Proactive: Block bogus routing, rather than detect and alert
• Authorization: Routing information is certified with high assurance
• Effectiveness: Validation effective anywhere in the Internet
• Coverage: Path validation as well as origin validation
• Performance: Incremental update, no need to rebuild full set
    • Updated information can arrive in real time without disrupting operations

Current Status (Part 1)

[Figure: Step 1: Certification, Step 2: Origin Validation and Step 3: Path Validation, each shown against Specification, Implementation and Deployment]

• Certification:
    • All global registries certifying member resources
    • 2.3M address blocks certified, world-wide
• Origin Validation:
    • Three top router vendors support in shipping code
    • Top US companies with deployment in progress
        • using DHS funded implementations
• Path Validation:
    • specifications mature but not yet published

Current Status (continued, Part 2)

Deployment – Origin Validation - Current Stage

[Figure labels: Reluctance, Planning, Beginning to Move, Doubting/Inertia, Progressing Steadily]

• Building tools to aid deployment:
    • Workshop in a Box – training and planning
    • RPKI Visualization – certification monitor
    • Router-RPKI Monitor – origin validation in operation
    • Emulation and Operation Monitor – planning and operations
    • Rpki.net and RPSTIR – standards and operation
• Participating in policy development

Next Steps

• FROM NOW TO COMPLETION: Ensure and accelerate deployment:
    • Tools
        • Ease barriers, monitor, diagnosis, performance
    • Community
        • Training, workshops, tutorials, outreach, community building
        • Working with major providers (ISP, data center, cloud)
        • Working with major address holders to encourage deployment
    • Policy
        • Work with principal policy bodies – registries, government, sector
        • Work with policy bodies’ clients and members
    • Specification
        • Complete path validation standardization!
        • As needed, address specification issues

Potential Transition Activities

• TECHNOLOGY TRANSITION:
    • Transition to commercial products in place
    • Transition to critical gateholders in place
• MAJOR CULTURE CHANGE FOR OPERATIONS:
    • Ensure community understands need
        • (outreach; status monitors)
    • Ensure community has the means to make the change
        • (OAM tools for internal operations)
    • Find a leader
        • (working with major networks for use cases, experiments, etc.)

Contact Information

Sandra Murphy
PARSONS, [email protected]
+1 443-430-8065

EARS information
www.securerouting.net
www.rpki.net
http://sourceforge.net/projects/rpstir/
