SlideShare ist ein Scribd-Unternehmen logo

Routing Security

RIPE NCC
RIPE NCC
Technologie
1 von 46
Downloaden Sie, um offline zu lesen
Routing Security Daniel Karrenberg RIPE NCC <daniel.karrenberg@ripe.net>
Who is talking: Daniel Karrenberg • 1980s: helped build Internet in Europe - EUnet, Ebone, IXes, ... - RIPE • 1990s: helped build RIPE NCC - 1st CEO: 1992-2000 • 2000s: Chief Scientist & Public Service - Trustee of the Internet Society: IETF, ... - Interests: Internet measurements, stability, trust & identity in the Internet, ... 2
Who is talking: Daniel Karrenberg • RIPE NCC - started in 1992 - first Regional Internet Registry (RIR) - Association of 6000+ ISPs - 70+ countries in “Europe & surrounding areas” - operational coordination - number resource distribution - trusted source of data - Motto: Neutrality & Expertise - not a lobby group! 3
My Messages Today • Routing security needs to be improved • The sky is not falling • Industry is moving • No need for public policies at this point 4
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 5
The Internet 6
Part(s) of the Internet 7
“Autonomous Systems” 8
Packet Flow 9
Routing Information Flow (BGP) 10
Both Directions are Needed 11
Choice and Redundancy 12
Questions?
What makes it work 14
Business Relationships 15
Transmission Paths 16
Routing Engineering 17
Routing Engineering Methods • Inbound Traffic - Selectively announce routes. - Very little control over preferences by other ASes. • Outbound Traffic - Decide which of the known routes to use. • Inputs - Cost - Transmission Capacity - Load - Routing State 18
Routing Engineering Principles • Autonomous Decisions by each AS • Local tools • Local strategies • Local knowlege • Business advantages • Autonomous Decisions by each AS • (One of the reasons for rapid growth of the Internet) 19
Questions?
What can go wrong • Misconfiguration - Announcing too many routes (unitentional transit) - Originating wrong routes • Malicious Actions - Originating wrong routes (hijacking) 21
Hijacking 22
Hijacking 23
Hijacking 24
Questions?
Examples • YouTube & Pakistan Telecom (2008) • A number of full table exports • Various route leaks from China (2010) YouTube Movie 26
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 27
Routing Hygiene • Do not accept customer routes from peers or upstreams • Limit number of prefixes accepted per adjacent AS • Use a routing registry - no global authoritative registry exists • Use own knowledge about topology - topology is constantly changing - distruptions can cause drastic changes 28
Routing Hygiene • Is applied locally / autonomously • Has a cost • Subservient to routing engineering - No obstruction - Maintain Autonomy • Cooperation - Trust - Community - Personal Relations 29
Resource Certification - Motivation • Good practice: - to register routes in an IRR - to filter routes based on IRR data • Problem: - only useful if the registries are complete - many IRRs exist, lacking standardisation • Result: - Less than half of all prefixes is registered in an IRR - Real world filtering is difficult and limited - Accidental leaks happen, route hijacking is possible 30
Resource Certification - Definition “Resource certification is a reliable method for proving the association between resource holders and Internet resources.” 31
Between who and what? • Resource Holders - Regional Internet Registries - Local Internet Registries - End Users • Internet Resources - IPv4 Address Blocks - IPv6 Address Blocks - AS Numbers 32
What Certification offers • Proof of holdership • Secure Inter-Domain Routing - Route Origin Authorisation - Preferred certified routing • Resource transfers • Validation is the added value! 33
The system 34
Proof of holdership • Public Key • Resources • Signature 35
Route Origin Authorisation (ROA) • IP Prefixes • AS Numbers • Signature 36
Automated Provisioning using ROAs Please route this part of my network: 192.0.2.0/24 Please sign a ROA for that resource using my AS number OK, I signed and published a ROA OK, that ROA is valid. I can trust this request 37
The road ahead • Production launch for all RIRs on 1 January 2011 • Beta programme available in the LIR Portal now - You can create certificates and ROAs - Test key will be rolled over at launch date Feedback and input actively encouraged Mailing list: ca-tf@ripe.net 38
Obstacles • Fear of loosing autonomy • Cost • Low threat perception • Fear of loosing business advantage • Fear of loosing autonomy 39
Questions?
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 41
My Messages Today • Routing security needs to be improved - Accidents do happen ... sometimes - Hijackings do happen ... sometimes • The sky is not falling - It does not happen all the time - It does not affect large areas of the Internet 42
My Messages Today • Industryis addressing the problems - Local measures taken autonomously - RPKI being deployed by RIRs - RPKI based routing tools being developed - RPKI based routing protocols being studied in IETF 43
My Messages Today • No need for public policies at this point - Not a strucutral problem endangering Internet - Mitigation works - Mitigation being improved - Global coordination is working 44
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 45
The End! Kрай Y Diwedd Fí Соңы Finis Liðugt Ende Finvezh Kiнець Konec Kraj Ënn Fund Lõpp Beigas Vége Son Kpaj An Críoch ‫הסוף‬ Endir Fine Sfârşit Fin Τέλος Einde Конeц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim

Empfohlen

Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Secure Routing
Secure RoutingSecure Routing
Secure RoutingRIPE NCC
 
IPv6 by APNIC
IPv6 by APNICIPv6 by APNIC
IPv6 by APNICFebrian ‎
 
Tutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICTutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICFebrian ‎
 
Kjell Leknes
Kjell LeknesKjell Leknes
Kjell Leknes.SE (Stiftelsen för Internetinfrastruktur)
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Asterisk Deployments
Asterisk DeploymentsAsterisk Deployments
Asterisk DeploymentsAsterisk Community
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 

Empfohlen

Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Secure Routing
Secure RoutingSecure Routing
Secure RoutingRIPE NCC
 
IPv6 by APNIC
IPv6 by APNICIPv6 by APNIC
IPv6 by APNICFebrian ‎
 
Tutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICTutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICFebrian ‎
 
Kjell Leknes
Kjell LeknesKjell Leknes
Kjell Leknes.SE (Stiftelsen för Internetinfrastruktur)
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Asterisk Deployments
Asterisk DeploymentsAsterisk Deployments
Asterisk DeploymentsAsterisk Community
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 
RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE NCC
 
Cloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyCloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyTim Willoughby
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure APNIC
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE AtlasRIPE NCC
 
BuildingIXPs
BuildingIXPsBuildingIXPs
BuildingIXPsShahab Vahabzadeh
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24APNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity buildingAPNIC
 
06 selecting an-ixp
06 selecting an-ixp06 selecting an-ixp
06 selecting an-ixpWilliam Norton
 
UN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsUN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsAPNIC
 
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018Gilbert Verdian
 
Asia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAsia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAPNIC
 
Regional Internet Registry and Whois
Regional Internet Registry and WhoisRegional Internet Registry and Whois
Regional Internet Registry and WhoisAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
1-7 P2PMS P2P-Next
1-7 P2PMS P2P-Next1-7 P2PMS P2P-Next
1-7 P2PMS P2P-Nextskame
 
Internet Governance
Internet GovernanceInternet Governance
Internet GovernanceARIN
 
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioNavigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioGary Arora
 
Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 

Weitere ähnliche Inhalte

Ähnlich wie Routing Security

RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE NCC
 
Cloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyCloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyTim Willoughby
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure APNIC
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE AtlasRIPE NCC
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24APNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity buildingAPNIC
 
UN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsUN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsAPNIC
 
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018Gilbert Verdian
 
Asia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAsia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAPNIC
 
Regional Internet Registry and Whois
Regional Internet Registry and WhoisRegional Internet Registry and Whois
Regional Internet Registry and WhoisAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
1-7 P2PMS P2P-Next
1-7 P2PMS P2P-Next1-7 P2PMS P2P-Next
1-7 P2PMS P2P-Nextskame
 
Internet Governance
Internet GovernanceInternet Governance
Internet GovernanceARIN
 
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioNavigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioGary Arora
 

Ähnlich wie Routing Security (20)

RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement Network
 
Cloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyCloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim Willoughby
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE Atlas
 
BuildingIXPs
BuildingIXPsBuildingIXPs
BuildingIXPs
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity building
 
06 selecting an-ixp
06 selecting an-ixp06 selecting an-ixp
06 selecting an-ixp
 
UN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsUN INCB: RIRs and LEAs
UN INCB: RIRs and LEAs
 
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018
Quant - Interchain Development And Cross-Chain Protocols. BlockchainLive 2018
 
Asia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAsia Pacific Internet Leadership Program
Asia Pacific Internet Leadership Program
 
Regional Internet Registry and Whois
Regional Internet Registry and WhoisRegional Internet Registry and Whois
Regional Internet Registry and Whois
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
1-7 P2PMS P2P-Next
1-7 P2PMS P2P-Next1-7 P2PMS P2P-Next
1-7 P2PMS P2P-Next
 
Internet Governance
Internet GovernanceInternet Governance
Internet Governance
 
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioNavigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
 

Mehr von RIPE NCC

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in TechRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfRIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsRIPE NCC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing SecurityRIPE NCC
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfRIPE NCC
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasRIPE NCC
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasRIPE NCC
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet InfrastructureRIPE NCC
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenRIPE NCC
 

Mehr von RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 

Kürzlich hochgeladen

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Routing Security

  • 1. Routing Security Daniel Karrenberg RIPE NCC <daniel.karrenberg@ripe.net>
  • 2. Who is talking: Daniel Karrenberg • 1980s: helped build Internet in Europe - EUnet, Ebone, IXes, ... - RIPE • 1990s: helped build RIPE NCC - 1st CEO: 1992-2000 • 2000s: Chief Scientist & Public Service - Trustee of the Internet Society: IETF, ... - Interests: Internet measurements, stability, trust & identity in the Internet, ... 2
  • 3. Who is talking: Daniel Karrenberg • RIPE NCC - started in 1992 - first Regional Internet Registry (RIR) - Association of 6000+ ISPs - 70+ countries in “Europe & surrounding areas” - operational coordination - number resource distribution - trusted source of data - Motto: Neutrality & Expertise - not a lobby group! 3
  • 4. My Messages Today • Routing security needs to be improved • The sky is not falling • Industry is moving • No need for public policies at this point 4
  • 5. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 5
  • 7. Part(s) of the Internet 7
  • 11. Both Directions are Needed 11
  • 14. What makes it work 14
  • 18. Routing Engineering Methods • Inbound Traffic - Selectively announce routes. - Very little control over preferences by other ASes. • Outbound Traffic - Decide which of the known routes to use. • Inputs - Cost - Transmission Capacity - Load - Routing State 18
  • 19. Routing Engineering Principles • Autonomous Decisions by each AS • Local tools • Local strategies • Local knowlege • Business advantages • Autonomous Decisions by each AS • (One of the reasons for rapid growth of the Internet) 19
  • 21. What can go wrong • Misconfiguration - Announcing too many routes (unitentional transit) - Originating wrong routes • Malicious Actions - Originating wrong routes (hijacking) 21
  • 22. Hijacking 22
  • 23. Hijacking 23
  • 24. Hijacking 24
  • 26. Examples • YouTube & Pakistan Telecom (2008) • A number of full table exports • Various route leaks from China (2010) YouTube Movie 26
  • 27. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 27
  • 28. Routing Hygiene • Do not accept customer routes from peers or upstreams • Limit number of prefixes accepted per adjacent AS • Use a routing registry - no global authoritative registry exists • Use own knowledge about topology - topology is constantly changing - distruptions can cause drastic changes 28
  • 29. Routing Hygiene • Is applied locally / autonomously • Has a cost • Subservient to routing engineering - No obstruction - Maintain Autonomy • Cooperation - Trust - Community - Personal Relations 29
  • 30. Resource Certification - Motivation • Good practice: - to register routes in an IRR - to filter routes based on IRR data • Problem: - only useful if the registries are complete - many IRRs exist, lacking standardisation • Result: - Less than half of all prefixes is registered in an IRR - Real world filtering is difficult and limited - Accidental leaks happen, route hijacking is possible 30
  • 31. Resource Certification - Definition “Resource certification is a reliable method for proving the association between resource holders and Internet resources.” 31
  • 32. Between who and what? • Resource Holders - Regional Internet Registries - Local Internet Registries - End Users • Internet Resources - IPv4 Address Blocks - IPv6 Address Blocks - AS Numbers 32
  • 33. What Certification offers • Proof of holdership • Secure Inter-Domain Routing - Route Origin Authorisation - Preferred certified routing • Resource transfers • Validation is the added value! 33
  • 35. Proof of holdership • Public Key • Resources • Signature 35
  • 36. Route Origin Authorisation (ROA) • IP Prefixes • AS Numbers • Signature 36
  • 37. Automated Provisioning using ROAs Please route this part of my network: 192.0.2.0/24 Please sign a ROA for that resource using my AS number OK, I signed and published a ROA OK, that ROA is valid. I can trust this request 37
  • 38. The road ahead • Production launch for all RIRs on 1 January 2011 • Beta programme available in the LIR Portal now - You can create certificates and ROAs - Test key will be rolled over at launch date Feedback and input actively encouraged Mailing list: ca-tf@ripe.net 38
  • 39. Obstacles • Fear of loosing autonomy • Cost • Low threat perception • Fear of loosing business advantage • Fear of loosing autonomy 39
  • 41. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 41
  • 42. My Messages Today • Routing security needs to be improved - Accidents do happen ... sometimes - Hijackings do happen ... sometimes • The sky is not falling - It does not happen all the time - It does not affect large areas of the Internet 42
  • 43. My Messages Today • Industryis addressing the problems - Local measures taken autonomously - RPKI being deployed by RIRs - RPKI based routing tools being developed - RPKI based routing protocols being studied in IETF 43
  • 44. My Messages Today • No need for public policies at this point - Not a strucutral problem endangering Internet - Mitigation works - Mitigation being improved - Global coordination is working 44
  • 45. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 45
  • 46. The End! Kрай Y Diwedd Fí Соңы Finis Liðugt Ende Finvezh Kiнець Konec Kraj Ënn Fund Lõpp Beigas Vége Son Kpaj An Críoch ‫הסוף‬ Endir Fine Sfârşit Fin Τέλος Einde Конeц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim