The document provides an introduction to internet routing, BGP hijacking, and the Resource Public Key Infrastructure (RPKI) system for securing internet routing. It discusses how BGP works and how hijacks can occur when more specific routes are announced. The document then summarizes the RPKI framework for validating route origins using Route Origin Authorizations (ROAs) and filtering routes based on their validation state. It provides examples of implementing RPKI on routers to help secure internet routing.
3. 3
v1.03
Agenda
An introduction to the following:
• Internet Routing System
• Border Gateway Protocol(BGP) Hijacks
• Resource Public Key Infrastructure (RPKI)
7. 7
v1.07
Routing Table
Figure: the routing table is assembled from several sources. The BGP 4 routing table, the IS-IS link-state database, connected routes and static routes feed the Routing Information Base (RIB); the Forwarding Information Base (FIB) is derived from the RIB and is what the router actually forwards on.
Image by Stephan Fuchs from Pixabay
IP Route Lookup
Based on the destination IP address: “longest match” routing. A more specific prefix is preferred over a less specific prefix.
Which address would you choose for locating this venue?
1. Brisbane, Queensland
2. George Street, Brisbane, Queensland
3. Z4 Atrium 2 George St, Brisbane, Queensland
BGP Hijack 101
• Announce a more specific path
• Announce an IP address space that is owned by someone else
Williams, R. (2015). Street signs being stolen [Image]. Retrieved from https://media.apnarm.net.au/media/images/2015/02/06/IQT_06-02-2015_NEWS_05_STOLENSIGNS1_t1880.jpg
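Added example (my code, not from the slides) showing why the two hijack patterns above work: a longest-match lookup over a constructed RIB in which a legitimate /22 from AS64500 is joined by a more specific /24 for part of the same space from another AS, which then wins the lookup for every address inside the /24. Prefixes and ASNs are documentation values chosen for this example.

```python
import ipaddress

# Constructed sample RIBs (not from the slides): (prefix, originating AS).
# 203.0.112.0/22 is the legitimate announcement from AS64500; HIJACKED_RIB adds a
# more specific /24 inside that space announced by a different AS, as on the slide.
LEGIT_RIB = [("203.0.112.0/22", 64500)]
HIJACKED_RIB = LEGIT_RIB + [("203.0.113.0/24", 64666)]

def longest_match(rib, dst):
    """Return (network, origin_as) for the longest prefix in rib containing dst,
    or None if no route covers it (the 'longest match' rule of the lookup slide)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, origin in rib:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        # A longer prefix length is "more specific" and replaces the current best.
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, origin)
    return best

def forwarding_as(rib, dst):
    """Origin AS that traffic to dst is delivered to under this RIB, or None."""
    hit = longest_match(rib, dst)
    return hit[1] if hit else None

if __name__ == "__main__":
    for dst in ("203.0.113.77", "203.0.114.5"):
        print(dst, "legit ->", forwarding_as(LEGIT_RIB, dst),
              "with more specific ->", forwarding_as(HIJACKED_RIB, dst))
```

Addresses outside the /24 (such as 203.0.114.5) still follow the /22, which is why a more-specific hijack can divert only part of a block and go unnoticed from elsewhere in that block.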
Hijacks and Leaks in 2019
Chart: monthly counts of BGP leaks and possible hijacks, Jan to Dec 2019 (y-axis 0 to 350).
Sources: https://bgpstream.com and http://blog.catchpoint.com/2020/04/09/one-year-bgp-security
Hijacks and Leaks in 2020 (so far)
Chart: monthly counts of BGP leaks and possible hijacks, Jan to Apr 2020 (y-axis 0 to 350).
Source: https://bgpstream.com
Why do we keep seeing these?
• Because NO ONE is in charge?
– No single authority model for the Internet
• No reference point for what’s right in routing
• Routing is VARIABLE
– The view of the network depends on where you are
• Different routing outcomes at different locations
– ~ no reference view to compare the local view against
• Routing works by RUMOUR
– Tell what you know to your neighbours, and learn what your neighbours know
– Assume everyone is correct (and honest)
• Is the originating network the rightful owner?
• Routing works in REVERSE
– Outbound advertisements affect inbound traffic
– Inbound (accepted) advertisements influence outbound traffic
• No evil (E) bit (RFC3514)
– A bad routing update does not identify itself as BAD
Tools & Techniques
• Look up / ask to enter details in the IRR
– Describes route origination and inter-AS routing policies
• IRR
– Helps generate network (prefix & AS-path) filters using RPSL tools
• Filter out route advertisements not described in the registry
IRR Issues
• No single authority model
• How do I know an RR entry is genuine/correct?
• Too many RRs
• If two RRs have conflicting data, which one do I trust?
• Incomplete data
– If a route is not in an RR, is the route
• Invalid, or
• Is the RR just missing data?
Enter the RPKI framework
Diagram: a ROA for 2406:6400::/32-48 with origin AS17821 is published in the RPKI repository. A validator fetches and validates the ROA and delivers the validated data to the router over RPKI-to-Router (RTR). The router receives two announcements of 2406:6400::/48: one with AS path 65551 65550 17821 (originated by AS17821, matching the ROA) is Valid; one with AS path 65553 65552 (originated by AS65552, which the ROA does not authorise) is Invalid.
Implementation
• Run your own RPKI validator:
– Dragon Research RPKI toolkit - https://github.com/dragonresearch/rpki.net
– RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3/releases/tag/3.2-2020.10.28.23.06 (will be deprecated in 2021)
– Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.8.2
– OctoRPKI/GoRTR (Cloudflare’s toolkit) - https://github.com/cloudflare/cfrpki/releases/tag/v1.2.2
– Fort (NIC Mexico’s Validator) - https://github.com/NICMx/FORT-validator/releases/tag/v1.4.2
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
Implementation
• Enable RPKI/RTR on your routers
• eBGP speakers (border/peering/transit)
– Know your platform defaults and knobs
• Example: IOS-XE won’t use Invalids for best path selection

IOS-XE:
  router bgp 131107
   bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>

Junos:
  routing-options {
      autonomous-system 131107;
      validation {
          group rpki-validator {
              session <validatorIP> {
                  refresh-time <secs>;
                  port <323/3323/8282>;
                  local-address X.X.X.X;
              }
          }
      }
  }

IOS-XR:
  router bgp 131107
   rpki server <validatorIP>
    transport tcp port <323/3323/8282>
    refresh-time <secs>
Validation States
• Acting on the validation states
– Tag & do nothing ~ e.g. when you have downstreams / are a route server at IXPs
– RFC7115 – preference
– Drop Invalids
[Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]
[Valid > Not Found > Invalid]
Chart figures: IPv4 ~ 6K, IPv6 ~ 1K
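Added example (my code, not from the slides) tying the RPKI framework diagram to the validation-state actions above: route origin validation against the slide’s ROA (2406:6400::/32-48, origin AS17821) yields Valid, Not Found or Invalid, and a policy function then either prefers routes in the order Valid > Not Found > Invalid or drops Invalids. The route list is constructed from the two AS paths in the diagram; the maxLength check goes slightly beyond the diagram and follows the standard covering-ROA rules.

```python
import ipaddress

# ROA from the RPKI framework slide: (prefix, maxLength, origin ASN).
ROAS = [("2406:6400::/32", 48, 17821)]

# Constructed routes taken from the diagram: (prefix, AS path); origin is the rightmost ASN.
ROUTES = [
    ("2406:6400::/48", [65553, 65552]),         # originated by AS65552
    ("2406:6400::/48", [65551, 65550, 17821]),  # originated by AS17821
]

PREFERENCE = {"Valid": 3, "Not Found": 2, "Invalid": 1}  # Valid > Not Found > Invalid

def origin_validate(roas, prefix, origin_asn):
    """Route origin validation: 'Not Found' when no ROA covers the prefix, 'Valid' when a
    covering ROA matches the origin ASN and the prefix length is within maxLength,
    otherwise 'Invalid' (covering ROAs exist but none authorises this announcement)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and route.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "Not Found"

def apply_policy(roas, routes, drop_invalid=False):
    """Tag each route with its state and order by preference; with drop_invalid=True
    Invalid routes are removed instead of merely being deprioritised."""
    tagged = []
    for prefix, as_path in routes:
        origin = as_path[-1]
        state = origin_validate(roas, prefix, origin)
        if drop_invalid and state == "Invalid":
            continue
        tagged.append((prefix, origin, state))
    tagged.sort(key=lambda r: PREFERENCE[r[2]], reverse=True)
    return tagged

if __name__ == "__main__":
    for route in apply_policy(ROAS, ROUTES):
        print(route)
```

A /56 originated by AS17821 comes back Invalid because it exceeds the ROA’s maxLength of 48, which is the case the "tag and prefer" policy still lets through and the "drop Invalids" policy removes.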
So, what should we do?
• Basic BGP OpSec hygiene – RFC7454/RFC8212
– RFC8212: BGP default reject or something similar
– Filter your customers and peers
• Prefix filters, prefix limit
• AS-PATH filters, AS-PATH limit
• Use IRR objects (source option) or ROA-to-IRR
– Filter your upstream(s)
– Create ROAs for your resources
– Filter inbound routes based on ROAs → ROV
• Join industry initiatives like MANRS: https://www.manrs.org/