ION Hangzhou - RPKI At CNNIC
Page 1
RPKI at CNNIC
Zhiwei Yan
Page 2
Why do we need RPKI?
• Feb 2014: a hacker redirected traffic from 19 Internet providers to steal bitcoins.
• Feb 2008: Pakistan Telecom brought down YouTube worldwide.
• Jan 2015: an ISP in the USA hijacked an IP prefix of IIJ from Japan.
• Nov 2015: an ISP in India, Bharti Airtel, hijacked a lot of IP prefixes.
Prefix hijacking is one of the large-scale BGP-specific routing anomalies that are able to paralyze the Internet.
RPKI (Resource Public Key Infrastructure) is designed to prevent route hijacking and other attacks on BGP.
Page 3
Why do we need RPKI?
Prefix hijacking: attackers can use bogus BGP UPDATE messages (NLRI and Path Attributes) to disrupt routing without breaking the peer-to-peer connection.
BGP UPDATE Message Format: (figure)
NLRI: Network Layer Reachability Information
Page 4
Why do we need RPKI?
Bogus BGP UPDATE Message
(Figure: two copies of a topology with AS1, AS2, AS3, AS4 and AS5; the second copy adds the UPDATE forged by AS5.)
AS1 was authorized to originate prefix 218.241.0.0/16. Legitimate propagation:
• NLRI: 218.241.0.0/16, AS_PATH: 1
• NLRI: 218.241.0.0/16, AS_PATH: 2 1
• NLRI: 218.241.0.0/16, AS_PATH: 3 2 1
AS5 forges a BGP UPDATE message:
• NLRI: 218.241.0.0/20, AS_PATH: 5
According to the "prefer the path with the shortest AS_PATH" rule, AS4 prefers the message from AS5 to the message from AS1.
![Page 5: ION Hangzhou - RPKI At CNNIC](https://reader031.fdocuments.us/reader031/viewer/2022021922/58ab765c1a28abb54e8b650b/html5/thumbnails/5.jpg)
Actually,BGPprotocolacceptsanyroutestheylearnfromtheirneighbors.
Obviously, thismayresultinRouteHijackingontheInternet.
Authorization
Ownership
Unable to verify who is the legitimate holder of the INRs (Internet Number Resources).
Unable to verify who has the authorization to originate specific IP prefixes
WhydoweneedRPKI?
Page 6
Why do we need RPKI?
BGP is vulnerable to a variety of routing attacks because of the lack of a verification mechanism to ensure the legitimacy of BGP messages (especially the origin information).
RPKI is proposed in the IETF to offer a verification mechanism to protect the ownership and authorization of the INRs (Internet Number Resources).
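As an added example (not code from the slides or from CNNIC), the following Python applies the route origin validation logic of RFC 6483 to the scenario on the slides: a ROA authorizing AS1 for 218.241.0.0/16 is checked against the legitimate UPDATE and against the one forged by AS5. The maxLength value, the 203.0.113.0/24 prefix and AS 7 are constructed for the example.

```python
"""Route Origin Validation (RFC 6483 style) for the slide's hijack scenario.
Added example, not code from the slides or CNNIC; AS1..AS5 and 218.241.0.0/16
come from the slides, maxLength, 203.0.113.0/24 and AS 7 are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    asn: int                       # authorized origin AS
    prefix: ipaddress.IPv4Network  # IPv6Network works the same way
    max_length: int                # maxLength; equals prefix length when absent

def origin_as(as_path):
    """Origin AS is the rightmost element of an AS_SEQUENCE path (AS_SETs not handled)."""
    return as_path[-1]

def validate(roas, prefix, origin):
    """Return 'Valid', 'Invalid' or 'NotFound' for (prefix, origin) against the ROA set."""
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"          # no ROA covers the prefix: RPKI says nothing
    for r in covering:
        if r.asn == origin and prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific

def validate_update(roas, update):
    """Validate one BGP UPDATE given as {'nlri': str, 'as_path': [int, ...]}."""
    return validate(roas, ipaddress.ip_network(update["nlri"]), origin_as(update["as_path"]))

# Slide 4: AS1 is authorized to originate 218.241.0.0/16 (maxLength 16 assumed).
ROAS = [ROA(asn=1, prefix=ipaddress.ip_network("218.241.0.0/16"), max_length=16)]

# Constructed UPDATEs as received by AS4.
UPDATES = [
    {"nlri": "218.241.0.0/16", "as_path": [3, 2, 1]},  # legitimate route via AS3, AS2, AS1
    {"nlri": "218.241.0.0/20", "as_path": [5]},        # AS5's forged, more-specific UPDATE
    {"nlri": "218.241.0.0/20", "as_path": [1]},        # even AS1 may not exceed maxLength
    {"nlri": "203.0.113.0/24", "as_path": [7]},        # no ROA covers this prefix
]

def run():
    """Return (nlri, origin, state) for every constructed UPDATE."""
    return [(u["nlri"], origin_as(u["as_path"]), validate_update(ROAS, u)) for u in UPDATES]

if __name__ == "__main__":
    for nlri, origin, state in run():
        print(f"{nlri:18} origin AS{origin:<3} -> {state}")
```

The forged /20 comes out Invalid because AS5 is not the authorized origin, and a /20 from AS1 itself is also Invalid because it exceeds the ROA's maxLength; a router applying the RFC 6483 policy would therefore not prefer AS5's route over the Valid /16 from AS1.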
Page 7
The Architecture of RPKI
Certificate Authority (CA): Any resource holder who is authorized to sub-allocate these resources must be able to issue resource certificates to correspond to these sub-allocations. Thus, for example, CA certificates will be associated with IANA and each of the RIRs, NIRs, and LIRs/ISPs. Also, a CA certificate is required to enable a resource holder to issue ROAs, because it must issue the corresponding end-entity certificate used to validate each ROA.
End-entity (EE): The private key corresponding to a public key contained in an EE certificate is not used to sign other certificates in a PKI. The primary function of end-entity certificates in this PKI is the verification of signed objects that relate to the usage of the resources described in the certificate, e.g., ROAs and manifests.
Trust Anchor (TA): A trust anchor in the RPKI is represented by a self-signed X.509 Certification Authority (CA) certificate, a format commonly used in PKIs and widely supported by RP software.
Page 8
The Architecture of RPKI: the relation of roles and data
(Figure labels: Resource Holders (IANA, RIR, NIR, LIR/ISP, Subscribers); CA; Entity PKI (CA certificate, EE certificate, CRL); Resources: INR (Internet Number Resources); Signed Objects (ROA, manifest); Repository.)
Page 9
ROA Profile – RFC 6482
(Figure only.)
Page 10
The standardization process of RPKI
• RFC 6480: An Infrastructure to Support Secure Internet Routing
• RFC 6481: Resource Certificate Repository Structure
• RFC 6482: A Profile for ROAs
• RFC 6483: Validation of Route Origination Using RPKI and ROAs
• RFC 6484: Certificate Policy for the RPKI
• RFC 6485: The Profile for Algorithms and Key Sizes for Use in RPKI
• RFC 6486: Manifests for the RPKI
• RFC 6487: A Profile for X.509 PKIX Resource Certificates
• RFC 6488: Signed Object Template for RPKI
• RFC 6489: Key Rollover
• RFC 6490: RPKI Trust Anchor Locator
Challenges now: BGPSEC, RPKI-Safeguard
Page 11
Industrial products of RPKI
• Cisco BGP routers: supporting the BGP command (match RPKI)
• Juniper routers: configuring origin validation for BGP
• Alcatel-Lucent Service Router (Release 12.0R4): trying to support RPKI
Page 12
Deployment situation
The 5 RIRs have finished the deployment of RPKI. A number of countries have also started to deploy RPKI internally: Ecuador, Japan, Bangladesh, China, etc.
Page 13
RPKI at CNNIC: standardization work in IETF
• X. Lee, X. Liu, Z. Yan and Y. Fu, RPKI Deployment Considerations: Problem Analysis and Alternative Solutions, draft-lee-sidr-rpki-deployment-01, Jan 2016.
  • RPKI deployment problems: existing and potential problems, such as technical, economic and political
  • Alternative solutions
• Y. Fu, Z. Yan, X. Liu and C. Wang, Scenarios of unexpected resource assignment in RPKI, draft-fu-sidr-unexpected-scenarios-01, March 2016.
  • Problem: unbelonged resource allocation, duplicated allocation, resource transfer
  • Solution: safeguard of the CA function
• Z. Yan, Y. Fu, X. Liu, G. Geng, Problem Statement and Considerations for ROA Mergence, draft-yan-sidr-roa-mergence-00, May 2016.
  • Analyzes and presents some operational problems caused by the misconfiguration of ROAs containing multiple IP prefixes
  • Suggestions and considerations
Page 14
RPKI at CNNIC: standardization work in CCSA
• In charge of the standardization of RPKI in China
Page 15
RPKI at CNNIC
• Published two white papers to guide the testing of RPKI and BGPSEC
Page 16
RPKI at CNNIC
• Published the first RPKI pilot system in China
Page 17
RPKI at CNNIC: published several academic papers
• Cuicui Wang, Zhiwei Yan and Anlei Hu. An Efficient Data Management Architecture for the Large-scale Deployment of Resource Public Key Infrastructure
• Xiaowei Liu, Zhiwei Yan, Guanggang Geng, Xiaodong Lee, Shian-Shyong Tseng and Ching-Heng Ku. RPKI Deployment: Risks and Alternative Solutions
• Xiaowei Liu, Zhiwei Yan, Guanggang Geng and Xiaodong Lee. Research of Resource Allocation Risks by CAs in RPKI and Feasible Solutions
• Zhiwei Yan, Xiaowei Liu, Guanggang Geng and Sherali Zeadally. Secure and Scalable Deployment of Resource Public Key Infrastructure (RPKI)
Page 18
What is the future of RPKI?
• Will RPKI be SECURE enough? We should avoid additional risks caused by a security enhancement.
  • More than one TA
  • Operational errors
  • Unilateral resource revocation
  • Mirror world attacks
  • ……
  • Data synchronization
  • Problems of staged and incomplete deployment
  • Combining with BGP
(Figure labels: Production, Synchronization, Usage.)
Page 19
What is the future of RPKI?
• Will RPKI be deployed widely?
• Let's have a glimpse of DNSSEC
DNSSEC timeline:
• 2010-12 ~ 2013-03: Experimental (risk analysis; software development)
• 2013-04: Announced (hardware and software deployment; training and drills)
• 2013-08: Partial (signing & roller; observations and verification)
• 2013-11: DS in Root (generation and submission; observations and verification)
• Keep going…: Operational (upgrades and improvements; debugging)
(Figure: time spans marked "Over 800 days" and "120 days".)
Page 20
What is the future of RPKI?
• Will RPKI be deployed widely?
• Let's have a glimpse of DNSSEC
DNSSEC coverage rate of the Alexa top 1 million websites: 1.6%
Page 21
What is the future of RPKI?
• Analyze the challenges for deployment:
  • The top-down model has difficulty in the Internet world
  • PKI has too high requirements for the managers
  • Security is a huge investment for the enterprises
Page 22
• I am not NEGATIVE or UNCONFIDENT about RPKI
• But I am sure it has a long way to go for:
  • Protocol improvement
  • Deployment enlargement
Page 23
Thank you for your attention~
Zhiwei Yan @ CNNIC