RTRlib: An Open-Source Library in C for RPKI-based Prefix Origin Validation - USENIX

Transcription

RTRlib: An Open-Source Library in C for RPKI-based Prefix Origin Validation
Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H. (haw-hamburg.de)
CSET'13@USENIX Security, Washington DC, 2013

Harming the Internet Backbone
[Figure: AS 123 originates 10.20.0.0/16 via a BGP update; AS 9 announces the more specific 10.20.10.0/24 (prefix hijack); both updates propagate through AS 20 and AS 567]
Problem: BGP is based on trust. Originally, there was no mechanism for cryptographically strong verification of the AS-to-prefix mapping.

Prefix Hijacking – Reality?
Prominent examples [figure]
Caveat: the reason may also be misconfiguration ;-)

Countermeasure: RPKI-based Prefix Origin Validation
RPKI and the RTR protocol; deployment started in January 2011.
Research questions:
1. What is the performance overhead for prefix origin validation at routers?
2. Does prefix origin validation introduce new attacks that harm the local router system?
3. What is the current state of deployment?
We need a flexible and efficient open-source implementation of the RPKI RTR protocol: RTRlib.

What is the RTRlib?
General objective: implementation of the RPKI-RTR client protocol in C.
Details:
- Fetch validated prefixes and origin ASes from an RPKI cache
- Keep the router's validation database in sync
- Provide an interface between the local database and the routing daemon to access validated objects
- Also allow validation of BGP updates
- Conforms to the relevant IETF RFCs/drafts
It's open-source: http://rpki.realmv6.org

Memory Consumption [figure]

Processing Time to Load Data Into Router
Motivation: startup; cache server session reset.
Evaluation approach: load data directly from file.
Result: the delay will be dominated by the distance to the cache server.

CPU Load Based on Deployment State
Motivation: does the deployment state influence performance? Complexity attacks.
Evaluation approach: creation of a predefined mixture of validation outcomes.
Result: almost no dependency.

RPKI in the Wild – CPU Load
Test on commodity hardware: AMD Athlon 64 X2 CPU 4200 and 2 GB RAM.
Live BGP update stream over several months. [figure]

Applications
- Extension of BGP daemons: in discussions with BIRD developers; a beta version for Quagga is available
- Monitoring of the RPKI deployment: integrate the library in your Python/Perl scripts; particularly suitable for real-time monitoring
- Testing purposes: evaluate the performance of your RPKI/RTR cache server; play around with BGP update validation

RTRlib: Architectural Design
Layered architecture to support flexibility. [figure]

Using RTRlib for Monitoring
Objective: emulate the update validation of your BGP peer.
Setup – no firmware change at your router:
- Tools: RTRlib Python script, BGPmon
- Establish peering between the router and BGPmon
[Figure: BGP router --BGP session--> BGPmon --XML stream--> RTRlib Python --> real-time analyses]

Validation of Web Server Prefix in Firefox
- Map the URL to an IP address and IP prefix
- Check the IP prefix and origin AS against the RPKI
- Based on real-time BGP and RPKI data

Current # IP prefixes in ... [figure]

Attacking the Local Router System – One Example?
Attacker misuses the creation of the AS-to-prefix mapping (ROA): any owner of an IP prefix can create arbitrary ROAs for this prefix.
Example: an operator owns 10.20.30.0/24 and creates 10.20.30.1/32 AS10, 10.20.30.2/32 AS10, ... leading to 255 entries.
Easy to handle in IPv4 due to the limited address space; getting worse in IPv6.
Consequence: limit the creation of ROAs.

Conclusion & Outlook
Conclusion:
- Prefix origin validation can start
- Load at routers is relatively negligible
- Monitoring of prefix origin validation: use RTRlib
Outlook:
- Continue the long-term study
- More extensive analysis of RPKI-based complexity attacks
- Development of an approach to distinguish invalid updates from misconfigurations and real prefix hijacks

Thanks!
Interested in testing RPKI/RTR?
- Download: http://rpki.realmv6.org
- Firefox add-on: RPKI Validator
- GitHub: https://github.com/rtrlib

BACKUP

Example – Establish Transport

    // create a SSH connection
    tr_socket *ssh_socket;
    tr_ssh_config config = {
        "123.321.123.321",            // IP
        22,                           // Port
        "<ssh user>",                 // SSH user (value lost in transcription)
        "/etc/rpki-rtr/server.pub",   // Server hostkey
        "<client private key path>",  // Authentication private key (value lost in transcription)
        "<client public key path>"    // Authentication public key (value lost in transcription)
    };
    tr_ssh_init(&config, &ssh_socket);

    // create unprotected TCP connection
    tr_socket *tcp_socket;
    tr_tcp_config tcp_config = {
        "123.321.123.321",            // IP
        "1234"                        // Port
    };
    tr_tcp_init(&tcp_config, &tcp_socket);

Create Connection Manager and Perform Origin Validation

    // init all rtr_sockets with the same settings
    // p0 is the server pool prepared earlier (not shown on this slide)
    // arguments: srv. pool, polling period, cache timeout, update fp, conn f
    rtr_mgr_init(&p0, 60, 120, NULL, 0, NULL, 0);

    // create and start the connection manager
    rtr_mgr_socket mgr_sock;
    rtr_mgr_start(&mgr_sock, &p0);

    // validate the BGP origin ASN 12345 for 10.10.0.0/24
    ip_addr prefix;
    prefix.ver = IPV4;
    prefix.u.addr4.addr = 0x0A0A0000;   // 10.10.0.0 in host byte order
    pfxv_state result;
    rtr_mgr_validate(mgr_sock, 12345, &prefix, 24, &result);

Prefix Origin Verification & RPKI
The validation process consists of two steps:
1. Validation of ROAs: performed at an external cache
2. Validation of BGP updates: performed at the BGP router; no additional cryptographic operations necessary
The IETF "RPKI/RTR protocol" manages the push of valid ROAs from the cache to the BGP router.
- Implementations for Cisco and Juniper are available; open-source BGP daemons are on the way
- Evaluation result of a BGP update: VALID, INVALID, NOT FOUND
- Combine this with BGP policies

Protection Concepts
1. Prefix Origin Validation
- A mapping of IP prefixes to origin ASes is necessary, including cryptographic proof
- The prefix owner should be able to authenticate the origin AS(es)
- The BGP router compares the BGP update with the mapping
2. Path Validation
- BGP path information is cryptographically secured: paths will be signed
Challenges: cryptographic operations are complex; minimal additional load at routers.
In the following we concentrate on 1.

Resource Public Key Infrastructure (RPKI)
A system that allows attesting the usage of IP addresses and ASNs (i.e., Internet resources).
- The RPKI includes cryptographically provable certificates
- The certificate hierarchy reflects the IP/AS allocation in the Internet
- Currently, each RIR creates a self-signed root certificate
[Figure; source: Cisco]
Implementation of the RPKI started in January 2011; all RIRs participate.

Routing Origination Authorization (ROA)
Content of a ROA:
- A set of IP prefixes with minimal and (optional) maximal length
- An AS number allowed to announce the prefixes
- End-entity certificate: the ROA will be signed with the certificate of the RPKI
Note: multiple ROAs per IP prefix are possible.
Example:
ROA valid from 01/10/2012 to 01/10/2013, EE cert:
  10.20.0.0/16-24 - AS 123
  80.90.0.0/16-16 - AS 123
AS 123 is allowed to announce the network range 10.20.0.0/16 to 10.20.0.0/24 and 80.90.0.0/16 from 1st Oct. 2012 until 1st Oct. 2013.

RPKI & ROA
- All certificates, including ROAs, will be published in RPKI repositories: each RIR operates one, and you could maintain your own repository
- The information of all repositories describes the overall picture
Check if an AS is allowed to announce an IP prefix:
- Check the corresponding ROA; the corresponding ROA is determined based on CIDR (longest-prefix coverage)
- The ROA needs cryptographic verification
ROAs implement a positive attestation: if a ROA for a prefix exists, announcements from all origin ASes that are not included will be considered INVALID.
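The validation rule stated above, carried out over the ROA example from the "Routing Origination Authorization" slide and returning the three outcomes (VALID, INVALID, NOT FOUND) named on the "Prefix Origin Verification & RPKI" slide. This is an added illustration in plain C, not RTRlib code: the ROA table and the tested routes are constructed, the hijack case (10.20.10.0/24 announced by AS 9) mirrors the introductory slide, and the type and function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of origin validation, as the RTR client reports it to the router. */
typedef enum { PFXV_VALID, PFXV_INVALID, PFXV_NOT_FOUND } pfxv_state_t;

/* One IPv4 ROA entry: prefix, minimal length, maximal length, origin AS. */
typedef struct {
    uint32_t prefix;   /* host byte order, e.g. 0x0A140000 = 10.20.0.0 */
    uint8_t  min_len;
    uint8_t  max_len;  /* equals min_len when the ROA sets no maxLength */
    uint32_t asn;
} roa_t;

/* Constructed ROA table taken from the example on the ROA slide. */
static const roa_t ROAS[] = {
    { 0x0A140000, 16, 24, 123 },   /* 10.20.0.0/16-24 -> AS 123 */
    { 0x505A0000, 16, 16, 123 },   /* 80.90.0.0/16-16 -> AS 123 */
};

static uint32_t netmask(uint8_t len) {
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* A ROA covers a route when the route lies inside the ROA prefix and is at
 * least as long as the ROA's minimal length. A covering ROA whose maxLength
 * and ASN both fit gives VALID; if every covering ROA fails that test the
 * route is INVALID (positive attestation); no covering ROA gives NOT_FOUND. */
pfxv_state_t validate_origin(uint32_t asn, uint32_t prefix, uint8_t len) {
    int covered = 0;
    for (size_t i = 0; i < sizeof ROAS / sizeof ROAS[0]; i++) {
        const roa_t *r = &ROAS[i];
        uint32_t m = netmask(r->min_len);
        if (len < r->min_len || (prefix & m) != (r->prefix & m))
            continue;
        covered = 1;
        if (len <= r->max_len && r->asn == asn)
            return PFXV_VALID;
    }
    return covered ? PFXV_INVALID : PFXV_NOT_FOUND;
}

int main(void) {
    /* 10.20.10.0/24 from AS 9 is the hijack from the introductory slide */
    printf("AS 9:   %d\n", validate_origin(9, 0x0A140A00, 24));   /* 1 = INVALID */
    printf("AS 123: %d\n", validate_origin(123, 0x0A140A00, 24)); /* 0 = VALID */
    return 0;
}
```

A route more specific than the ROA's maximal length (10.20.0.0/25 here) is INVALID even when the AS matches, which is why the /32-per-address ROAs on the "Attacking the Local Router System" slide inflate the table rather than loosen it.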
