One Hop At A Time
Securing BGP
Nathalie Trenaman | 21 October | Cybersprint Office
Nathalie Trenaman | Cybersprint | 21 October 2021
RIPE NCC
• Not-for-profit, membership based (a "vereniging", Dutch for association)
• Funded by membership fees
• Based in Amsterdam
• Established in 1992
• ~160 employees
What We Do
• Distributing IPv6, IPv4 and AS numbers to 24,000 members in 76 countries
• Operating the largest internet measurement platform (RIPE Atlas)
• RIPE Database
• RPKI
• K-root
Interesting Times!
Administrative Trends…
(chart of IPv4 address prices; source: https://ipv4marketgroup.com/ipv4-pricing/)
BGP
A More Technical Part
Routing on the Internet
(Diagram: two networks, A holding 193.x.x.x and B holding 194.x.x.x, exchange announcements over the "BGP protocol".)
A: "I have 193.x.x.x"
B: "I have 194.x.x.x"
A's routing table now says 194.x.x.x = B, and A wonders: "Can I trust B?"
B's routing table now says 193.x.x.x = A, and B wonders: "Is A correct?"
Routing on the Internet
(Same diagram, with the RIPE Database shown alongside as the "Internet Routing Registry": the place A and B can consult to answer "Can I trust B?" and "Is A correct?".)
Accidents Happen
• Fat fingers
  - 2 and 3 are really close on our keyboards…
• Policy violations (leaks)
  - Oops, we did not want this to go on the public Internet
• Incidents attract media attention nowadays
  - Facebook, anyone?
Or Worse…
• April 2018
  - BGP and DNS hijack
  - Targeting MyEtherWallet
  - Unnoticed for two hours
Incidents Are Common
• 2020 Routing Security Review
  - 2477 BGP hijack events
  - 1396 route leaks
Source: https://www.manrs.org/2021/02/bgp-rpki-and-manrs-2020-in-review/
Internet Routing Registry
• Many exist; the most widely used are
  - RIPE Database
  - RADB
• Verification of holdership over resources
  - RIPE Database: verified, but for RIPE region resources only
  - RADB allows paying customers to create any object
  - Many of the other IRRs do not formally verify holdership
Problem Statement
• Some IRR data cannot be fully trusted
  - Accuracy
  - Incomplete data
  - Lack of maintenance
• Not every RIR has an IRR
  - Third-party databases need to be used (RADB, operators)
  - No verification of who holds IPs/ASNs
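The two IRR slides above make a practical point: a route object in the RIPE Database says something about holdership, a route object in RADB only says that someone paid to register it. The block below is an added example, not code from the presentation or from any RIR, showing one way an operator can act on that when building a prefix filter for a peer: parse RPSL route objects, and where a verified registry and an unverified one disagree about a prefix, let the verified one win. The RPSL dump, the AS numbers (private-use range) and the "RIPE is verified, RADB is not" ranking are constructed for the example; real IRR mirrors key route objects on prefix plus origin and do not shadow conflicting objects this way, so the preference rule here is a policy choice, not IRRd behaviour.

```python
"""Building a prefix filter from IRR route objects, preferring verified sources.

Added worked example, not code from the presentation. The RPSL objects,
AS numbers and source ranking below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed route objects in the RPSL "key: value" form the IRRs return.
# The RADB object for 193.0.24.0/21 names a different origin than RIPE does.
IRR_DUMP = """\
route:   193.0.24.0/21
origin:  AS64501
source:  RIPE

route:   193.0.24.0/21
origin:  AS64666
source:  RADB

route:   198.51.100.0/24
origin:  AS64502
source:  RADB
"""

# Policy assumption for this example: a higher-ranked source wins when two
# objects claim the same prefix, and only RIPE counts as holdership-verified.
SOURCE_RANK = {"RIPE": 2, "RADB": 1}
VERIFIED_SOURCES = {"RIPE"}


def parse_rpsl(text: str) -> List[Dict[str, str]]:
    """Split an RPSL dump into blank-line separated objects of attribute -> value."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects


def best_route_objects(objects: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """For each prefix keep only the route object from the highest-ranked source."""
    best: Dict[str, Dict[str, str]] = {}
    for obj in objects:
        if "route" not in obj:
            continue
        prefix = str(ipaddress.ip_network(obj["route"]))  # normalises and rejects junk
        rank = SOURCE_RANK.get(obj.get("source", ""), 0)
        if prefix not in best or rank > SOURCE_RANK.get(best[prefix].get("source", ""), 0):
            best[prefix] = obj
    return best


def prefix_filter(text: str, origin_asn: str) -> Tuple[List[str], List[str]]:
    """Prefixes a peer originating `origin_asn` may announce, plus the subset that
    rests only on an unverified source and deserves a second look."""
    best = best_route_objects(parse_rpsl(text))
    allowed = sorted(p for p, o in best.items() if o.get("origin") == origin_asn)
    unverified = [p for p in allowed if best[p].get("source") not in VERIFIED_SOURCES]
    return allowed, unverified


if __name__ == "__main__":
    for asn in ("AS64501", "AS64666", "AS64502"):
        allowed, unverified = prefix_filter(IRR_DUMP, asn)
        print(f"{asn}: allowed={allowed} unverified={unverified}")
```

With this ranking AS64666's RADB claim on 193.0.24.0/21 never makes it into a filter because RIPE already holds a verified object for that prefix, while 198.51.100.0/24 for AS64502 is allowed but reported as resting on RADB alone. Which sources you rank as verified, and whether an unverified-only prefix is accepted at all, is exactly the judgement the slides say IRR data leaves to the operator.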
Resource Public Key Infrastructure
• Developed by the IETF SIDR working group; standardised as RFC 6480 and its companion RFCs (published 2012)
• Ties IP addresses and ASNs to public keys
• Follows the hierarchy of the registries
• Authorised statements from resource holders
  - "ASN X is authorised to announce my prefix Y"
  - Signed by the holder of Y
• X.509 certificates with extensions for IP addresses and AS numbers (RFC 3779)
What It Does
• Allows IP address holders to create digitally signed (and verifiable) statements about their BGP routing intentions
• Allows network operators to make more informed (and trusted) routing decisions
RPKI Certificate Structure
Certificate hierarchy follows allocation hierarchy
(Diagram: each RIR (ARIN, APNIC, RIPE NCC, LACNIC, AFRINIC) sits at the top of its own tree; each member holds a certificate issued under its RIR, and the member's ROAs are signed under that certificate.)
Two elements of RPKI
Signing: create ROAs
Validating: verifying others
RIPE NCC Hosted Solution
How It Works
(Diagram: RIPE NCC, ARIN, APNIC, AFRINIC and LACNIC each publish a repository holding certificates and the list of ROAs; a validator fetches from all of them.)
For each RIR the validator is configured with two things (together they form the Trust Anchor Locator):
• Location of the RIR repository
• Root's public key
Two elements of RPKI
Signing: create your ROAs
Validating: verifying others
RPKI Validation
• Verifying the information provided by the others
• Goal is to validate the origin of BGP announcements
• Known as Route Origin Validation (ROV)
• :-( You can only verify the origin, not the rest of the AS path
• :-) It does stop most typos from spreading
Relying Party
(Diagram: the validator pulls certificates and the list of ROAs from the repositories, compares them with the BGP announcements the router sees, for example AS111 10.0.7.30/22, AS222 10.0.6.10/24 and AS333 10.4.17.5/20, and hands the result to the router: BETTER ROUTING DECISIONS.)
Routing on the Internet
(Diagram: A holds 192.0.2.0/24, B holds 193.0.24.0/21.)
A: "I have 192.0.2.0/24"
1. A creates a route origin authorisation record (ROA) in the RPKI repository: "A is authorised to announce 192.0.2.0/24"
2. B validates the route it receives from A over BGP against the repository, and can now answer "Is A correct?"
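The ROV slides describe the check a relying party performs (ROAs in, "is A correct?" out) but not the decision rule itself. The block below is an added example, not code from the presentation or from the RIPE NCC validator, implementing Route Origin Validation as RFC 6811 defines it: an announcement is "notfound" when no ROA covers its prefix, "valid" when a covering ROA names its origin AS and the prefix is no longer than that ROA's maxLength, and "invalid" otherwise. The ROAs and announcements are constructed: the AS numbers are from the private-use range, and apart from the slide's 193.0.24.0/21 the prefixes are documentation prefixes. The cases go a little beyond the slide's single "A is authorised" example to show the outcomes a practitioner actually meets: a wrong origin (a hijack or a mistyped ASN), a more-specific hijack, a legitimate holder tripping over its own maxLength, a fat-fingered prefix that belongs to someone else, and a prefix with no ROA at all, which ROV does nothing for.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added worked example, not code from the presentation or the RIPE NCC.
The ROAs and announcements are constructed: private-use AS numbers and,
apart from the slide's 193.0.24.0/21, documentation prefixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: 'asn may originate prefix, no longer than max_length'."""
    prefix: Network
    max_length: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: Network
    origin_asn: int  # the last AS in the AS_PATH; ROV looks at nothing else


def covers(roa: ROA, prefix: Network) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside the
    ROA prefix (same address family, ROA length <= announced length)."""
    return (roa.prefix.version == prefix.version
            and roa.prefix.prefixlen <= prefix.prefixlen
            and prefix.subnet_of(roa.prefix))


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """RFC 6811 section 2: 'notfound' if no ROA covers the prefix, 'valid' if a
    covering ROA names the origin AS and its maxLength is not exceeded,
    otherwise 'invalid'."""
    covering = [r for r in roas if covers(r, ann.prefix)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == ann.origin_asn and ann.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def parse_roa(text: str) -> ROA:
    """Shorthand used below: '<prefix>-<maxLength> AS<number>'."""
    net, asn = text.split()
    prefix, max_length = net.rsplit("-", 1)
    return ROA(ipaddress.ip_network(prefix), int(max_length), int(asn[2:]))


# Constructed ROA set, standing in for what a validator fetches from the RIRs.
ROAS: List[ROA] = [parse_roa(s) for s in (
    "192.0.2.0/24-24 AS64500",    # the slide's "A is authorised to announce 192.0.2.0/24"
    "193.0.24.0/21-24 AS64501",   # holder allows itself to announce the /21 down to /24s
    "198.51.100.0/24-24 AS64502",
)]


def classify(prefix: str, origin_asn: int, roas: Iterable[ROA] = ROAS) -> str:
    return validate(Announcement(ipaddress.ip_network(prefix), origin_asn), roas)


def rov_accepts(prefix: str, origin_asn: int, roas: Iterable[ROA] = ROAS) -> bool:
    """The usual operator policy: drop only 'invalid'. 'notfound' is still
    accepted, so a prefix without a ROA gets no protection at all."""
    return classify(prefix, origin_asn, roas) != "invalid"


# (prefix, origin AS, expected state): constructed announcements
CASES = [
    ("192.0.2.0/24",    64500, "valid"),     # exactly what the ROA authorises
    ("192.0.2.0/24",    64666, "invalid"),   # wrong origin: a hijack, or a mistyped origin ASN
    ("193.0.26.0/24",   64501, "valid"),     # more-specific, within maxLength, right origin
    ("193.0.26.0/24",   64666, "invalid"),   # more-specific hijack of ROA-covered space
    ("193.0.24.0/25",   64501, "invalid"),   # legitimate holder, but /25 exceeds maxLength 24
    ("198.51.100.0/24", 64501, "invalid"),   # a fat-fingered prefix that belongs to someone else
    ("203.0.113.0/24",  64503, "notfound"),  # no ROA at all: ROV has nothing to say
]

if __name__ == "__main__":
    for prefix, asn, expected in CASES:
        state = classify(prefix, asn)
        assert state == expected, (prefix, asn, state)
        verdict = "accept" if rov_accepts(prefix, asn) else "reject"
        print(f"{prefix:>16}  AS{asn}  {state:<8}  {verdict}")
```

Two of the cases are the ones that bite in practice. The /25 from AS64501 is dropped even though AS64501 is the rightful holder, because the ROA's maxLength of 24 does not authorise it: a ROA must cover what you actually announce, and the hosted solution's "create ROA" step is where that gets decided. And 203.0.113.0/24 is accepted with no scrutiny at all, which is why ROV only protects address space whose holder has signed ROAs; it is also why the slide can promise to stop typos but not hijacks of unsigned space.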
What's Next?
• Full AS path validation!
• All IETF drafts/standards are built on top of RPKI
  - BGPsec
  - ASPA
  - AS-Cones
  - Blockchain (just kidding!)
Very Useful Tools
• https://rpki-validator.ripe.net/ui/
  - A public user interface for a validator (Routinator)
• https://ihr.iijlab.net/ihr/en-us/
  - To see RPKI-invalid BGP routes per country (and a lot of other cool stuff)
• https://ring.nlnog.net/
  - Shell access (ping, traceroute) from 479 networks in 55 countries
• https://atlas.ripe.net/
  - Largest free internet measurement platform, 11838 vantage points
How To Get Started?
• Read up! This is a great starting point:
  - https://rpki.readthedocs.io/en/latest/
• Tons of help & troubleshooting BGP on IRC (yeah..)
  - https://nlnog.net/irc/ #NLNOG on IRCnet
• Global RPKI "helpline" (350+ experts) on Discord
  - https://discord.com/invite/WaPgs8vEKy
• Drop me an e-mail :) nathalie@ripe.net
Questions?
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 

Securing BGP

  • 12. Nathalie Trenaman | Cybersprint | 21 October 2021
    Internet Routing Registry
    • Many exist, most widely used:
      - RIPE Database
      - RADB
    • Verification of holdership over resources:
      - RIPE Database: for RIPE region resources only
      - RADB allows paying customers to create any object
      - Lots of the other IRRs do not formally verify holdership
  • 13. Problem Statement
    • Some IRR data cannot be fully trusted:
      - Accuracy
      - Incomplete data
      - Lack of maintenance
    • Not every RIR has an IRR:
      - Third-party databases need to be used (RADB, operators)
      - No verification of who holds IPs/ASNs
  • 14. (image-only slide)
  • 15. Resource Public Key Infrastructure
    • Developed by the IETF, standardised in 2011
    • Ties IP addresses and ASNs to public keys
    • Follows the hierarchy of the registries
    • Authorised statements from resource holders:
      - “ASN X is authorised to announce my Prefix Y”
      - Signed, holder of Y
    • X.509 certificates with extensions for IP address and ASN
  • 16. What It Does
    • Allows IP address holders to create digitally signed (and verifiable) statements about their BGP routing intentions
    • Allows network operators to make more informed (and trusted) routing decisions
  • 17. RPKI Certificate Structure
    • Certificate hierarchy follows allocation hierarchy
    • (diagram: ARIN, APNIC, RIPE, LACNIC, AFRINIC -> Member -> ROA)
  • 18. Two elements of RPKI
    • Signing: create ROAs
    • Validating: verifying others
  • 19. RIPE NCC Hosted Solution (screenshot slide)
  • 20. How It Works
    • (diagram: the RIR repositories of RIPE NCC, ARIN, APNIC, AFRINIC and LACNIC publish certificates and the list of ROAs; a validator fetches them)
    • The validator is configured with:
      - Location of RIR repositories
      - Root’s public key
  • 21. (image-only slide)
  • 22. (image-only slide)
  • 23. Two elements of RPKI
    • Signing: create your ROAs
    • Validating: verifying others
  • 24. RPKI Validation
    • Verifying the information provided by the others
    • Goal is to validate the “origin of BGP announcements”
    • Known as Route Origin Validation (ROV)
    • :-( You can only verify the origin
    • :-) It does prevent most typos from spreading
  • 25. Relying Party
    • (diagram: BGP announcements AS111 10.0.7.30/22, AS222 10.0.6.10/24 and AS333 10.4.17.5/20 are checked by the validator against the certificates and the list of ROAs fetched from the repositories, giving better routing decisions)
  • 26. Routing on the Internet
    • (diagram: A holds 192.0.2.0/24, B holds 193.0.24.0/21; A announces “I have 192.0.2.0/24” in BGP; “Is A correct?”)
    • 1. Create route authorisation record (ROA) in the RPKI repository: A is authorised to announce 192.0.2.0/24
    • 2. Validate route
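Route Origin Validation as slides 24 to 26 describe it, as an added Python example that is not code from the RIPE NCC deck: it classifies each BGP announcement as valid, invalid or not found against a set of ROAs, following the RFC 6811 rules. The ROAs and announcements are constructed; AS111, AS222, AS333 and 192.0.2.0/24 come from the slides, and AS64496 is a hypothetical stand-in for network A.

```python
# Added example (not from the RIPE NCC slides): Route Origin Validation (ROV)
# per RFC 6811, run over constructed ROAs and BGP announcements.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str        # prefix the resource holder signed for
    max_length: int    # longest prefix length the origin AS may announce
    asn: int           # origin AS authorised by the holder


def rov_state(route_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one BGP announcement."""
    route = ip_network(route_prefix, strict=False)   # host bits are ignored
    covered = False
    for roa in roas:
        net = ip_network(roa.prefix, strict=False)
        # A ROA "covers" the route when the route lies inside the ROA prefix,
        # regardless of maxLength (RFC 6811, section 2).
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True
        # A ROA "matches" when the length is within maxLength and the origin
        # AS is the authorised one; one match is enough for "valid".
        if route.prefixlen <= roa.max_length and origin_asn == roa.asn:
            return "valid"
    # Covered but never matched: a wrong origin or a too-specific prefix.
    return "invalid" if covered else "notfound"


def accept_route(route_prefix: str, origin_asn: int, roas) -> bool:
    """Example policy: drop only RPKI-invalid routes, keep valid and notfound."""
    return rov_state(route_prefix, origin_asn, roas) != "invalid"


# Constructed ROAs: AS111 may announce 10.0.4.0/22 and more-specifics down
# to /24; hypothetical AS64496 plays "A" for 192.0.2.0/24 from the slides.
ROAS = [ROA("10.0.4.0/22", 24, 111), ROA("192.0.2.0/24", 24, 64496)]

if __name__ == "__main__":
    for prefix, asn in [("10.0.7.30/22", 111), ("10.0.6.10/24", 222),
                        ("10.4.17.5/20", 333), ("192.0.2.0/25", 64496)]:
        print(prefix, "AS%d" % asn, rov_state(prefix, asn, ROAS))
```

The AS222 announcement of 10.0.6.0/24 is the fat-finger or hijack case: it is covered by the AS111 ROA but originated by the wrong AS, so a validator marks it invalid and the policy drops it.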
  • 27. What’s Next?
    • Full AS Path validation!
    • All IETF drafts/standards are building blocks on RPKI:
      - BGPSec
      - ASPA
      - AS-Cones
      - Blockchain (just kidding!)
  • 28. Very Useful Tools
    • https://rpki-validator.ripe.net/ui/ - A public user interface for a validator (Routinator)
    • https://ihr.iijlab.net/ihr/en-us/ - To see RPKI invalid BGP routes per country (and a lot of other cool stuff)
    • https://ring.nlnog.net/ - Shell access (ping, traceroute) from 479 networks in 55 countries
    • https://atlas.ripe.net/ - Largest free internet measurement platform, 11838 vantage points
  • 29. How To Get Started?
    • Read up! This is a great starting point:
      - https://rpki.readthedocs.io/en/latest/
    • Tons of help & troubleshooting BGP on IRC (yeah..):
      - https://nlnog.net/irc/ #NLNOG on IRCnet
    • Global RPKI “helpline” (350+ experts) on Discord:
      - https://discord.com/invite/WaPgs8vEKy
    • Drop me an e-mail :) nathalie@ripe.net