
Routing Security - its importance and status in South Asia


  1. Routing Security – Its importance and status in South Asia. What is the problem? And what are we trying to fix? Aftab Siddiqui, Senior Manager, Internet Technology, siddiqui@isoc.org. Internet Society © 1992–2019
  2. The Routing Problem
  3. 2/3 Napkin Protocol, 1989. https://computerhistory.org/blog/the-two-napkin-protocol/
  4. 2/3 Napkin Protocol. In 1989, Kirk Lougheed and Len Bosack of Cisco and Yakov Rekhter of IBM were having lunch in a meeting hall cafeteria at an Internet Engineering Task Force (IETF) conference. They wrote a new routing protocol that became RFC 1105, the Border Gateway Protocol (BGP), known to many as the “two-napkin protocol”, in reference to the napkins they used to capture their thoughts.
     • BGP-1 – RFC 1105, June 1989
     • BGP-3 – RFC 1267, October 1991
     • BGP-4 – RFC 1654, July 1994
  5. The Routing Problem. Border Gateway Protocol (BGP) is based entirely on unverified trust between networks.
     • No built-in validation that updates are legitimate
     • Anyone can announce anything
     • Lack of reliable resource data
  6. Routing Security. You must be thinking that building a “Global Network” on the assumption of TRUST, that everyone who uses it is “Trustworthy”, was not a really bad idea? Maybe or maybe not – I can’t make the judgement call… But let's hear from Geoff Huston… "The internet is now busted, and to be perfectly frank, it's totally unclear how we can fix it. We can't make it better," "I actually want to apologise for my small part in this mess we find ourselves in, because it all turned out so horrendously badly."
  7. The routing system is constantly under attack – incidents every day. http://bgpstream.com/
  8. The routing system is constantly under attack – incidents every day. http://bgpstream.com/ [Chart: Possible BGP Hijacks per day, 10/1/20 to 10/11/20]
  9. Routing Security. The global routing system is a complex, decentralized system consisting of ~70,000 individual networks that have implemented BGP to communicate with each other. Despite its strengths, it is prone to incidents. Just as water main breaks, broken pipes, and sewage mix-ups can disrupt life in a city, routing incidents like route leaks, route hijacks, and IP-address spoofing each have the potential to slow down Internet speeds or even to make parts of the Internet unreachable.
  10. Common Problems
     • Prefix/Route Hijacking
     • Route Leaks
     • IP address spoofing
  11. Common Problems. Finding out after the fact that:
     • Big chunk of your internet traffic has been incorrectly routed through a hostile network operator.
     • Some of your internet traffic has been going to another network operator.
     None of the above 2 options are great news to anyone!
  12. Routing Incidents Cause Real World Problems
     • Prefix/Route Hijacking
     • Route Leaks
     • IP address spoofing
     • Filtering
     • Source Address Validation
  13. Filtering. BGP Operations and Security, BCP 194 – RFC 7454, February 2015
  14. Why Filtering
     • Your first line of defence
     • You can [MUST] control what you are announcing
     • You have no control over what other networks announce
     • To avoid issues, you have to decide what to accept from other networks [ahem ahem RPKI]
  15. BCP 194 – Filtering
     • Inbound and Outbound Filtering: Filters SHOULD be applied to make sure advertisements strictly conform to what is declared in routing registries. This varies across the registries and regions of the Internet.
     • Max Prefix Filtering: It is RECOMMENDED to configure a limit on the number of routes to be accepted from a peer.
     • AS Path Filtering: Network administrators SHOULD accept from customers only 2-byte or 4-byte AS paths containing ASNs belonging to (or authorized to transit through) the customer.
  16. BCP 194 – Filtering: Data Sources. The biggest issue in filtering is to find out the best/cleanest/workable/scalable aka MAGICAL data source.
     • IRRs (Internet Routing Registry)
     • Bogons lists (IPv6 & IPv4)
     • PeeringDB (For AS-Sets)
     • RPKI
  17. Status of South Asia and Bangladesh
  18. South Asia (as per APNIC). https://stats.apnic.net/delegations/Southern%20Asia
  19. South Asia (UN region). https://observatory.manrs.org/#/overview
  20. Bangladesh
  21. Why Filtering is Important? Example 1
     Network Next Hop Metric LocPrf Weight Path
     103.209.80.0/24 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i
     103.209.81.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 i
     103.209.82.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i
     103.209.83.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i
     203.96.178.0 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i

     aut-num: AS135100
     as-name: MOL-AS-AP
     descr: Maxnet Online Limited
     country: BD
     org: ORG-MOL1-AP
  22. Why Filtering is Important? Example 1
  23. Why Filtering is Important? Example 2
     • AS: 59365 - BD-NETWORKS-AS-AP BD Networks, BD
     • AS: 59356 - VMCENTRAL-AS-AP VMCENTRAL Cloud Services, AU
  24. Why Routing Security?
     • Your Cyber Security Strategy is incomplete without Routing Security
     • Build threat intelligence, improve your network’s situational awareness
     • Create an Audit Checklist for infrastructure security
     • Align infrastructure security across divisions
     • Prevent reputational damage (Google PTCL + YouTube)
  25. Questions? Email: siddiqui@isoc.org Twitter: @aftabsiddiqui
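
The BCP 194 filters summarised on slides 15 and 16 (registry-conformant prefixes, a max-prefix limit, AS-path filtering, bogons), sketched as an added example that is not part of the original slides. The customer record, the prefixes, the ASNs and the function names are constructed for illustration, and the two modelling assumptions are marked in the comments.

```python
import ipaddress

# Constructed sample data. Documentation prefixes (RFC 5737) and ASNs (RFC 5398)
# stand in for a customer's registry objects; a real bogon list is much longer.
BOGONS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUSTOMER = {
    "asn": 64496,
    "allowed_asns": {64496, 64497},  # customer plus downstream, e.g. from an AS-SET
    "registered": {ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("203.0.113.0/24")},
    "max_prefixes": 3,
}
UPDATES = [  # (prefix, AS path as received from the customer, nearest AS first)
    ("198.51.100.0/24", [64496]),
    ("203.0.113.0/24", [64496, 64497]),
    ("192.0.2.0/24", [64496, 64500, 64501]),  # leak of a route learned elsewhere
]

def check_route(prefix, as_path, customer, bogons=BOGONS):
    """Return the reasons to reject one announcement; an empty list means accept."""
    net = ipaddress.ip_network(prefix)
    reasons = []
    if any(net.version == b.version and net.subnet_of(b) for b in bogons):
        reasons.append("bogon")
    # Assumption: "strictly conform" is modelled as an exact match on a registered prefix.
    if net not in customer["registered"]:
        reasons.append("not-registered")
    if not as_path or as_path[0] != customer["asn"]:
        reasons.append("first-as-mismatch")
    if set(as_path) - customer["allowed_asns"]:
        reasons.append("unauthorized-asn")
    return reasons

def filter_session(updates, customer):
    """Apply the max-prefix limit to the session, then the per-route filters."""
    # Assumption: the limit counts distinct received prefixes and drops the session.
    if len({p for p, _ in updates}) > customer["max_prefixes"]:
        return {"session_up": False, "accepted": [], "rejected": {}}
    accepted, rejected = [], {}
    for prefix, path in updates:
        reasons = check_route(prefix, path, customer)
        if reasons:
            rejected[prefix] = reasons
        else:
            accepted.append(prefix)
    return {"session_up": True, "accepted": accepted, "rejected": rejected}

if __name__ == "__main__":
    print(filter_session(UPDATES, CUSTOMER))
```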
