1. The Need For BGP Path Validation

Wes Hardaker <wes.hardaker@parsons.com>
2. Example RPKI Origin Validation

[Figure: the deck's network diagram of ASes 1 to 8 with Client, Server and Bad Server. An X.509 certificate stating "AS4 is legal" is issued for the Server's routes and verified by AS2. Callouts: "AS2 checks the RPKI for authorization"; "AS5 does not have an RPKI authorization! Will be rejected".]

RPKI provides Origin Validation:
• Cryptographically signed authorization for AS4 to advertise routes to Server
• INVALID (doesn't go to AS4): AS1 ► AS2 ► AS5
• VALID (origin is AS4): AS1 ► AS2 ► AS3 ► AS4
• VALID (origin is AS4): AS1 ► AS2 ► AS6 ► AS7 ► AS3 ► AS4
3. What If AS5 Lies?

[Figure: the same network diagram; callout: "AS5 lies and pretends it has a direct route to AS4".]

AS5 can still advertise a route with AS4 at the end (even though AS5 isn't connected to AS4):
• VALID (origin is AS4): AS1 ► AS2 ► AS5 ► AS4
• VALID (origin is AS4): AS1 ► AS2 ► AS3 ► AS4
• VALID (origin is AS4): AS1 ► AS2 ► AS6 ► AS7 ► AS3 ► AS4
4. Path Validation Is Critical Step 2 in the Routing Security Solution!

• AS4 must prove it started the route
  – It must prove that only AS3 is next in its path
  – No other router can reuse or copy its initial route
• ASes can be assured the entire path is valid
• Enter BGPSEC!
  – Lies can now be detected!
5. BGPSEC's Path Validation

[Figure: the same network diagram; callout: "Will be rejected again".]

Each router signs along the way; the paths cannot be spoofed or modified.
• INVALID (origin signed, path is not): AS1 ► AS2 ► AS5 ► AS4
• VALID (origin and path signed): AS1 ► AS2 ► AS3 ► AS4
• VALID (origin and path signed): AS1 ► AS2 ► … ► AS3 ► AS4
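As an added example (not part of the slide deck), the following Python models the two checks the deck contrasts on slides 2 to 5: RPKI origin validation, which looks only at the origin AS and therefore accepts AS5's forged "AS2 ► AS5 ► AS4" path, and a BGPsec-style path validation in which every router signs the hop it forwards, so the same forgery is rejected at AS2. Assumptions not from the slides: the prefix 192.0.2.0/24 for the Server, one HMAC key per AS standing in for the router certificates, and a simplified signed-hop format (real BGPsec also carries pCount, algorithm suite identifiers and subject key identifiers).

```python
import hmac
import hashlib

# Constructed sample data modelled on the deck's diagram: the Server's prefix
# (an RFC 5737 documentation prefix, not from the slides) and a ROA for AS4.
PREFIX = "192.0.2.0/24"
ROAS = {PREFIX: {4}}

# Stand-in for BGPsec router certificates: one key per AS (AS1..AS8). Real
# BGPsec uses ECDSA keys under the RPKI tree; HMAC is used only to run offline.
ROUTER_KEYS = {asn: f"router-key-AS{asn}".encode() for asn in range(1, 9)}


def origin_validation(prefix, as_path):
    """RPKI Route Origin Validation: looks only at the origin (last AS)."""
    authorized = ROAS.get(prefix)
    if authorized is None:
        return "NOT_FOUND"  # no covering ROA: the RPKI says nothing
    return "VALID" if as_path[-1] in authorized else "INVALID"

def _to_sign(prefix, signer, target, prev_sig):
    # A hop's signature covers the prefix, the signing AS, the AS it sent the
    # route to and the previous signature, so it cannot be copied or re-targeted.
    return f"{prefix}|AS{signer}->AS{target}|".encode() + prev_sig

def sign_hop(prefix, signer, target, prev_sig):
    """One signed hop of the path: (signer, target AS, signature)."""
    msg = _to_sign(prefix, signer, target, prev_sig)
    return (signer, target, hmac.new(ROUTER_KEYS[signer], msg, hashlib.sha256).digest())

def path_validation(prefix, receiver, hops):
    """BGPsec-style path validation at `receiver`; hops are origin first."""
    prev_sig = b""
    for i, (signer, target, sig) in enumerate(hops):
        expected = hops[i + 1][0] if i + 1 < len(hops) else receiver
        if target != expected:  # hop was signed towards a different AS
            return "INVALID"
        msg = _to_sign(prefix, signer, target, prev_sig)
        good = hmac.new(ROUTER_KEYS[signer], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(good, sig):
            return "INVALID"
        prev_sig = sig
    return "VALID"

def honest_route():
    # AS4 originates towards AS3, AS3 forwards to AS2: the deck's AS2 > AS3 > AS4.
    h4 = sign_hop(PREFIX, 4, 3, b"")
    return [h4, sign_hop(PREFIX, 3, 2, h4[2])]

def forged_route():
    # AS5 copies AS4's real hop (signed towards AS3), claims AS4 sent it to AS5
    # and forwards it to AS2: the deck's AS2 > AS5 > AS4 lie.
    h4 = sign_hop(PREFIX, 4, 3, b"")
    return [(4, 5, h4[2]), sign_hop(PREFIX, 5, 2, h4[2])]
```

Because AS4's signature names AS3 as the next hop, AS5 can neither reuse it towards itself nor forge a replacement without AS4's key, which is the "no other router can reuse or copy its initial route" property of slide 4.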
6. RPKI and BGPSEC – Certificate Tree

[Figure: certificate tree rooted at IANA, with the five RIRs (AFRINIC, APNIC, LACNIC, ARIN, RIPE) below it, ISP 1 to ISP 4 below the RIRs, and the Client and Server attached to their ISPs.]

• ISPs issue certificates to each router they control
7. BGPSEC – Router Certificates

[Figure: the same certificate tree (IANA, the five RIRs, ISP 1 to ISP 4, Client and Server), annotated with the labels "Origin Validation" and "Path Validation".]

ION Santiago: The Need for BGP Path Validation (Wes Hardaker)
