Robachevsky Better Routing Security v1 - NANOG · 2019-02-26 · •Most of them would like to have...


Page 1: Robachevsky Better Routing Security v1 - NANOG · 2019-02-26 · •Most of them would like to have a more secure routing system •Most of them have little incentive • One’s

Better routing security through concerted action

1

Andrei Robachevsky

[email protected]

NANOG 75

Page 2:

BGP is insecure – what’s missing?

2

Tools

Data

Incentives

Page 3:

There is a problem

3

• 12,600 total incidents (either outages or attacks, like route leaks and hijacks)

• About 4.4% of all Autonomous Systems on the Internet were affected

• 2,737 Autonomous Systems were a victim of at least one routing incident

• 1,294 networks were responsible for 4739 routing incidents

Source: https://www.bgpstream.com/

[Pie chart: Twelve months of routing incidents (2018): Outage 7864 (62%), Routing incident 4739 (38%)]

Page 4:

Statistics of routing incidents generated from BGPStream data

Caveats:

• Sometimes it is impossible to distinguish an attack from a legitimate (or consented) routing change

• Country code (CC) attribution is based on MaxMind's GeoLite City geolocation data set

But:

• Using the same methodology we should get a pretty accurate picture of the dynamics

4

2 years in review (2017, 2018)

Page 5:

There is a problem (compared with 2017: the percentages in parentheses are the change relative to 2017)

5

• 12,600 (9.6%) total incidents (either outages or attacks, like route leaks and hijacks)

• About 4.4% (1%) of all Autonomous Systems on the Internet were affected

• 2,737 (12%) Autonomous Systems were a victim of at least one routing incident

• 1,294 (17%) networks were responsible for 4739 routing incidents

Source: https://www.bgpstream.com/

[Pie chart: Routing incidents (2017-2018): Outage 16495 (62%), Routing incident 10043 (38%)]

Page 6:

Potential victims

6

Source: https://www.bgpstream.com/

[Bar chart: Incidents with a victim in a country, Top 10: US, BR, RU, BD, IN, GB, DE, CN, HK]

[Bar chart: % of networks affected by an incident: US, BR, RU, BD, IN, GB, DE, CN, HK]

Page 7:

Potential victims: 2017 vs 2018

7

[Bar chart: Changes in % of victimized networks per country, 2017 vs 2018, y-axis 0 to 35%: US, BR, IN, RU, BD, IR, GB, DE, HK, CN]

Page 8:

Potential culprits 2018

8

Source: https://www.bgpstream.com/

[Bar chart: Percent of AS's in a country responsible for a routing incident (a route leak or hijack): US, BR, RU, DE, IN, GB, HK, NL, UA, CN]

[Bar chart: Percent of AS's responsible for a routing incident, by region: Australia and New Zealand, Melanesia, Micronesia, Polynesia, Eastern Asia, South-eastern Asia, Central Asia, Western Asia, Southern Asia, Eastern Europe, Southern Europe, Western Europe, Northern Europe, Latin America and the Caribbean, Northern America, Northern Africa, Sub-Saharan Africa]

Page 9:

Positive dynamics

9

[Bar chart: % of AS's in a country responsible for a routing incident, 2017 vs 2018, y-axis 0 to 10%: US, BR, RU, IN, BD, ID, DE, IR, GB, HK]

Page 10:

BGP is insecure – what’s missing?

10

Tools

Data

Incentives

Action

Page 11:

Action – who can make an impact?

• Edge and access networks
• Transit providers
• Content and cloud
• IXPs

[Diagram: IX, Content/Cloud, Transit, Edge]

Page 12:

The Edge

12

Impact:
• Implement egress controls (reduce the risk of leaking routes)
• Register routing information (enable relying parties to validate, reduce the risk of hijack)
• Demand security standards from the upstream (reduce the risk of incidents)

Page 13:

The Transit

13

Impact:
• Implement ingress controls (customer cone; avoid leaks and hijacks)
• Ensure correctness of routing information (AS-SET, also semantically)

Page 14:

The Content/Cloud

14

Impact:
• Implement egress controls
• Implement ingress controls
• Register routing information (enable relying parties to validate, reduce the risk of hijack)

Page 15:

The eXchange

15

Impact:
• Implement ingress controls on the route server (multilateral peering)
• Promote a culture of routing hygiene in their communities

Page 16:

The playing field

16

• Each player can contribute to routing security (and big time to its insecurity)

• Most of them would like to have a more secure routing system

• Most of them have little incentive

• One’s network security is in the hands of others

We have a typical collective action problem

Page 17:

Two neighbours may agree to drain a meadow, which they possess in common; because it is easy for them to know each other's mind; and each must perceive, that the immediate consequence of his failing in his part, is, the abandoning the whole project. But it is very difficult, and indeed impossible, that a thousand persons should agree in any such action; it being difficult for them to concert so complicated a design, and still more difficult for them to execute it; while each seeks a pretext to free himself of the trouble and expense, and would lay the whole burden on others. [Hume, David. A Treatise of Human Nature]

17

Page 18:

Can this problem be solved without regulation?

18

Norms may provide a solution in some cases
• Need to agree on values, and on behaviors that support these values

Common value
• Resilient and secure global routing system

Behaviors
• Do not accept and propagate others' mistakes (validate what you accept from your neighbors)
• Protect your neighbors from your own mistakes (avoid policy violations)
• Do not hijack
• Do not leak
• Enable others to validate

Page 19:

From Behaviors to Norms

19

Widely accepted as a good practice

Not exactly a least common denominator, but not too high either

Visible and Measurable

Page 20:

Network operators

20

Coordination: Facilitate global operational communication and coordination between network operators. Maintain globally accessible, up-to-date contact information in common routing databases.

Anti-spoofing: Prevent traffic with spoofed source IP addresses. Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure.

Filtering: Prevent propagation of incorrect routing information. Ensure the correctness of your own announcements and announcements from your customers to adjacent networks, with prefix and AS-path granularity.

Global Validation: Facilitate validation of routing information on a global scale. Publish your data, so others can validate.

Page 21:

IXPs

21

Action 1: Prevent propagation of incorrect routing information. This mandatory action requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI).

Action 2: Promote MANRS to the IXP membership. IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions.

Action 3: Protect the peering platform. This action requires that the IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic.

Action 4: Facilitate global operational communication and coordination. The IXP facilitates communication among members by providing the necessary mailing lists and member directories.

Action 5: Provide monitoring and debugging tools to the members. The IXP provides a looking glass for its members.
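The two filters the deck keeps coming back to, operators' "Filtering" and "Global Validation" actions and IXP Action 1 (route-server filtering on IRR and/or RPKI data), can be shown in one place. The following Python is an added example, not code from the presentation or from MANRS: it applies RFC 6811 route origin validation against a constructed set of VRPs and an IRR-style customer-cone check with prefix and AS-path granularity; the ASNs, prefixes, VRPs and cone are constructed from documentation ranges, and the per-family maximum prefix length is an assumed policy.

```python
import ipaddress
from typing import NamedTuple

MAX_LEN = {4: 24, 6: 48}  # longest prefix accepted per family (a common operator policy)

class VRP(NamedTuple):    # one RPKI Validated ROA Payload (prefix, maxLength, origin AS)
    prefix: str
    max_length: int
    asn: int

def covers(big, small):
    """True if network `big` contains `small` (same address family only)."""
    return big.version == small.version and small.subnet_of(big)

def rov_state(prefix, origin_asn, vrps):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    pfx = ipaddress.ip_network(prefix, strict=False)
    covering = [v for v in vrps if covers(ipaddress.ip_network(v.prefix), pfx)]
    if not covering:
        return "notfound"
    if any(v.asn == origin_asn and pfx.prefixlen <= v.max_length for v in covering):
        return "valid"
    return "invalid"

def in_customer_cone(prefix, as_path, cone):
    """IRR-style check with prefix and AS-path granularity: every AS on the path is in
    the customer's cone (expanded AS-SET) and the origin has a covering route object."""
    pfx = ipaddress.ip_network(prefix, strict=False)
    if not as_path or any(asn not in cone for asn in as_path):
        return False  # an AS outside the cone on the path: the shape of a route leak
    if pfx.prefixlen > MAX_LEN[pfx.version]:
        return False  # more specific than policy allows
    return any(covers(ipaddress.ip_network(r), pfx) for r in cone[as_path[-1]])

def ingress_decision(prefix, as_path, neighbor_asn, cone, vrps):
    """Route-server style ingress policy for one announcement; returns (accept, reason)."""
    if not as_path or as_path[0] != neighbor_asn:
        return False, "first AS in path is not the announcing neighbor"
    state = rov_state(prefix, as_path[-1], vrps)
    if state == "invalid":
        return False, "rpki-invalid"
    if not in_customer_cone(prefix, as_path, cone):
        return False, "outside customer cone"
    return True, state  # 'valid', or 'notfound' (no ROA, but registered in the cone)

# Constructed sample data: documentation ASNs (RFC 5398) and prefixes (RFC 5737, RFC 3849)
VRPS = [VRP("192.0.2.0/24", 24, 64496), VRP("198.51.100.0/24", 24, 64497),
        VRP("203.0.113.0/24", 24, 64498)]
# Constructed customer cone of AS64496 as registered in the IRR: AS64497 is its customer, AS64498 is not
CONE_64496 = {64496: ["192.0.2.0/24", "2001:db8::/32"], 64497: ["198.51.100.0/24"]}
```

With this data, ingress_decision("198.51.100.0/25", [64496, 64497], 64496, CONE_64496, VRPS) returns (False, "rpki-invalid") because the /25 exceeds the ROA's maxLength, while a prefix with no covering ROA is accepted as "notfound" only if the cone check passes.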

Page 22:

Content (work in progress)

22

Action 1: Prevent propagation of incorrect routing information (ingress and egress filtering)
Action 2: Prevent traffic with spoofed source IP addresses
Action 3: Facilitate global operational communication and coordination
Action 4: Facilitate validation of routing information on a global scale
Action 5: Promote MANRS
Action 6: Provide monitoring and debugging tools to peering partners

Page 23:

23

Mutually Agreed Norms for Routing Security

MANRS provides baseline recommendations in the form of Actions
• Distilled from common behaviors – BCPs, optimized for low cost and low risk of deployment
• With high potential of becoming norms

MANRS builds a visible community of security-minded operators
• Social acceptance and peer pressure

Page 24:

Why join MANRS?
• Improve your security posture and reduce the number and impact of routing incidents
• Demonstrate that these practices are reality
• Join a community of security-minded operators working together to make the Internet better
• Use MANRS as a competitive differentiator

24

Page 25:

25

Is MANRS taking off?

[Line chart: MANRS participants over time; data labels rising from 10 to 130; x-axis monthly from 6-Nov-14 to 6-Jan-19]

Page 26:

MANRS – increasing adoption

26

Page 27:

MANRS Implementation Guide

27

A resource to help Operators implement MANRS Actions.

• Based on Best Current Operational Practices deployed by network operators around the world

• https://www.manrs.org/bcop/

• Has received recognition from the RIPE community by being published as RIPE-706

Page 28:

MANRS Training Tutorials

28

6 training tutorials based on information in the Implementation Guide. A test at the end of each tutorial. https://www.manrs.org/tutorials

About to begin training moderators for online classes (43 applications received!)

Page 29:

MANRS Hands-on Lab

29

The prototype lab is ready, finalizing the production version.

• Cisco

• Juniper

• Mikrotik

Can be used as a standalone lab or as an end-exam

Page 30:

MANRS Member Report and MANRS Observatory

30

Page 31:

MANRS Member Report and MANRS Observatory

31

Page 32:

MANRS Member Report and MANRS Observatory

32

Page 33:

33

• Open a browser on any laptop, tablet or smartphone
• Go to slido.com
• Enter the event code #L206

Is there a path to Norms?: a poll

Page 34:

only together

manrs.org

#ProtectTheCore

MANRS Video: https://www.youtube.com/embed/nJINk5p-HEE

34