How do we improve the resilience and security of the Internet’s underlying routing infrastructure? While Internet routing has worked well over the years, there have been instances where errors and misconfigurations have caused stability issues. Malicious attackers have also created denial of service attacks and other issues by spoofing IP addresses and manipulating routing tables. What are the best practices we can use to help mitigate these kind of attacks? In this session, our panel of experts will address technologies such as BCP 38, anti-spoofing, and BGP security efforts that can help secure the routing infrastructure. They will also consider the Internet Society’s new Routing Manifesto, which aims to introduce a minimum set of security measures which, if deployed on a wide scale, could result in visible improvements to the security and resilience of the global routing system.

1. The
Need
For
BGP
Path
Valida2on
Wes
Hardaker
<wes.hardaker@parsons.com>

2. Example
RPKI
Origin
Valida2on
Bad Server
X.509 Certificate
AS4
Is
Legal
Server
Client
1
4
3
2
7
8
5
6
AS2 checks the
RPKI for
authorization
AS5 does not have
an RPKI
authorization!
Will be rejected
RPKI Provides Origin Validation:
• Cryptographically signed authorization for AS4 to advertise Routes to Server
l INVALID (Doesn't Go To AS4): AS1 ► AS2 ► AS5
l VALID (Origin is AS4): AS1 ► AS2 ► AS3 ► AS4
l VALID (Origin is AS4): AS1 ► AS2 ► AS6 ► AS7 ► AS3 ► AS4
2
issued
verifies

3. Bad Server
Server
Client
What
If
AS5
Lies?
1
4
3
2
7
8
5
6
AS5 lies and
pretends it has a
direct route to AS4
AS5 can still advertise a route with AS4 at the end:
(even though AS5 isn't connected to AS4)
l VALID (Origin is AS4): AS1 ► AS2 ► AS5 ► AS4
l VALID (Origin is AS4): AS1 ► AS2 ► AS3 ► AS4
l VALID (Origin is AS4): AS1 ► AS2 ► AS6 ► AS7 ► AS3 ► AS4
3

4. Path
Valida2on
Is
Cri2cal
Step
2
in
the
Rou-ng
Security
Solu-on!
l AS4
must
prove
it
started
the
route
– It
must
prove
that
only
AS3
is
next
in
its
path
– No
other
router
can
reuse
or
copy
its
ini2al
route
l ASes
can
be
assured
the
en2re
path
is
valid
l Enter
BGPSEC!
– Lies
can
now
be
detected!
4

5. Bad Server
Server
Client
BGPSEC's
Path
Valida2on
1
4
3
2
7
8
5
6
Will be rejected again.
Each router signs along the way;
the paths can not be spoofed or modified
l INVALID (Origin signed, path is not): AS1 ►AS2 ► AS5 ► AS4
l VALID (Origin and path signed): AS1 ►AS2 ► AS3 ► AS4
l VALID (Origin and path signed): AS1 ►AS2 ► … ► AS3 ► AS4
5

6. RPKI
and
BGPSEC
–
Cer2ficate
Tree
IANA
AFRNIC APNIC LACNIC ARIN RIPE
ISP 1 ISP 2 ISP 3
Client ISP 4
Server l ISPs issue certificates to each router they control
6

7. BGPSEC
–
Router
Cer2ficates
IANA
AFRNIC APNIC ARIN LACNIC RIPE
ISP 1 ISP 2 ISP 3
Client ISP 4
Server
Origin Validation 7
Path Validation