Improving Rou-ng Security
with RPKI
Russ Clark
Samuel Norris
Cas D’Angelo, Sco7 Friedrich
Ron Hutchins, Aurore Nguenang
Thank you to the Na-onal Science Founda-on for
their support of this work.
Too Easy To Lie
This Is A Recrui-ng Talk
Standing on Shoulders
•
RPKI and BGPSEC standards efforts
•
Sharon Goldberg – Boston University
•
George Wesley -‐ Time Warner (NANOG Preso)
•
ESNET – Randy Bush et al
•
ARIN -‐
hUps://www.arin.net/resources/rpki/
BGP vulnerabili-es 2/2
And It’s A Common Problem
Resource cer-fica-on to the rescue
S-‐BGP 1997-‐2003 So-‐BGP 2000-‐2003 RPKI 2012-‐today BGPSEC XXX-‐today
RPKI
IETF Standard published 2012
Deployment started in 2011
Cer-fies IP prefix alloca-ons
Crypto done out-‐of-‐band
No change to BGP messages
BGPSEC
Builds on the RPKI
Now being standardized
Cer-fies announced routes
Crypto done online
What is RPKI? -‐ Components
Signed objects
A PKI A distributed repository
§ X.509 PKI
§ CerNficates a7est to
holdings of IP address space and AS numbers
§ Hold the PKI objects and
the signed rouNng objects
§ Make those objects
available for use by ISPs in making rouNng
decisions
§ Digitally signed rouNng
objects to support
rouNng security that are non-‐cerNficate signed objects used by the infrastructure
§ Those objects are:
• Route OriginaNon AuthorizaNon or ROA • Manifests
3 main components
What is RPKI? -‐ ROA
ROA is a digital object forma7ed according to the Cryptographic Message Syntax specificaNon (CMS) [RFC3852] that contains:
• A list of IP address prefixes
• One AS number
• Digest and signature algorithms (currently SHA-‐256 with RSA signature)
• A digital signature
• An RPKI end-‐enNty cerNficate
What is RPKI? – ROA Crea-on
CA
cert cert EE ROA
1. Obtain the RPKI CA cerNficate from a cer-ficate authority
2. Generate the end-‐enNty (EE) cerNficate
3. Create the ROA containing the prefix, the ASN and the EE cert
4. Sign the ROA using the private key corresponding to the EE cert
5. Publish the ROA in the RPKI repository system
What is RPKI? – ROA Valida-on
How to establish the ROA’s validity?
1. Check that the ROA is a syntac-cally valid CMS object indica-ng appropriate
digest and signature algorithms
2. Examine the enclosed EE cer-ficate and check that the IP address extension in
the cert matches the IP address prefix(es) in the ROA
3. Verify the signature on the ROA using the public key in the EE cer-ficate
4. Check that the EE cer-ficate is a valid cer-ficate within the RPKI
Note: A ROA can be revoked by simply revoking its EE cerNficate Procedure for validaNon
How to do the validaNon?
1. Walk the Trust Anchors to find the Cer-ficate Authority repository:
Ø Ingest ROAs (rsync)
Ø Establish the ROAs validity
Ø Push valida-on informa-on to routers via RPKI to Router protocol
2. Configure rou-ng policy, usually increase local preference on valids, drop
What is RPKI? – Router Ac-on
Route validaNon sate
3 route announcement states
Valid Invalid NotFound
if covered by at least one ROA
if a ROA exists for the prefix but with another AS
If the IP address prefix doesn’t exist in ROAs
What is RPKI? – Signing Models
BGP Rou-ng Security 14
Signing prefixes models
Hosted model Delegated model
§ Based on a third party or Cer-ficate Authority (e.g. ARIN)
§ Relying par-es generate key & upload them to CA, use CA portal to manage ROAs
§ ROAs are generated & signed by the CA, published in the CA’s RPKI repository
§ Relying par-es downloaded and validated ROAs to create rou-ng decisions
§ There is some issues with this mode:
Ø Relying par-es have to trust a third party with their private key
Ø Fully rely on the CA’s infrastructure
§ Independency from a third party
§ Install Cer-ficate Authority sojware
§ Generate keys (public and private)
§ Generate ROAs for all resources
§ Publish URI for the CA’s publica-on point through CA’s TA
§ Issues:
Ø Careful where you store your keys (not publicly-‐reachable server)
Ø TA can only publish one URI per publica-on point
Ø S-ll reliant on CA’s TA infrastructure
Gelng it Deployed
•
RPKI gives us some real benefit
•
But you probably aren’t using it yet
•
Some technical hurdles, perhaps some legal
•
We’re trying to help move things forward by
R&E Architecture – Verifica-on level
3 levels of the network hierarchy: § A naNonal-‐based RPKI verificaNon
Project Strategy
Get used to working with the sojware
•
Architecture
•
RPKI server
•
ROA management
•
Router configura-on
Built a test deployment on GENI
Sojware Details
RPKI Server
•
rpki.net/
•
Ubuntu 14.04.1 LTS
Quagga Router – BGP-‐SRx extensions
•
www-‐x.antd.nist.gov/bgpsrx/
•
NIST-‐SRx-‐bundle-‐22-‐0.4.1.3
Let’s do a demo
Conclusion
•
BGP vulnerabili-es are a real threat
•
RPKI is a good first step to solving the problem
•
R&E networks are a good star-ng point
•
We put together a GENI test environment you
can use
Thank You!
Russ Clark
Samuel Norris
Cas D’Angelo, Sco7 Friedrich
Ron Hutchins, Aurore Nguenang
Thank you to the Na-onal Science Founda-on for
their support of this work.
