Impacting IP Address Reachability via RPKI Manipulations (PowerPoint presentation)

SLIDE 1

Impacting IP Address Reachability via RPKI Manipulations

BFOC’13. Boston University

Kyle Brogle, Danny Cooper, Sharon Goldberg, Leonid Reyzin

Princeton University, Boston University

SLIDE 2

How Secure is Internet Routing Today? (1)

[Diagram: “The Internet”, China Telecom, a UK ISP and Verizon connected via the London Internet Exchange. Verizon announces “I am Verizon: 69.82.0.0/15”.]

SLIDE 3

How Secure is Internet Routing Today? (2)

April 2010: China Telecom intercepts traffic.

[Diagram: China Telecom also announces “I am Verizon: 69.82.0.0/15” (and 50k other networks) while Verizon announces “I am Verizon: 69.82.0.0/15”; the UK ISP at the London Internet Exchange forwards a packet marked “This packet is destined for Verizon.”]

SLIDE 4

How Secure is Routing on the Internet Today? (3)

February 2008: Pakistan Telecom hijacks YouTube.

[Diagram: YouTube, Pakistan Telecom, “The Internet”, Telenor Pakistan, Aga Khan University, Multinet Pakistan. YouTube announces “I’m YouTube: IP 208.65.153.0/22”.]


SLIDE 6

How Secure is Routing on the Internet Today? (4)

Here’s what should have happened….

[Diagram: YouTube, Pakistan Telecom, “The Internet”, Telenor Pakistan, Aga Khan University, Multinet Pakistan. YouTube announces “I’m YouTube: IP 208.65.153.0/22”. Pakistan Telecom: drop packets going to YouTube; block your own customers.]

SLIDE 7

How Secure is Routing on the Internet Today? (5)

But here’s what Pakistan ended up doing…

[Diagram: YouTube announces “I’m YouTube: IP 208.65.153.0/22”. Pakistan Telecom announces “No, I’m YouTube! IP 208.65.153.0/24” and draws traffic from the entire Internet!]
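Slides 4 to 7 hinge on longest-prefix matching: a router forwards on the most specific route it holds, so the /24 wins over the /22 on every router that accepted it. The following Python is an added example, not code from the slides or their authors. It uses the two prefixes the slides show; the origin labels, the sample destination addresses and the helper names are constructed here.

```python
import ipaddress

# Constructed routing table for the February 2008 example on the slides.
# The two prefixes are the ones the slides show; the origin labels are ours.
# Note: the slides write the YouTube prefix as 208.65.153.0/22. As a network
# address that normalises to 208.65.152.0/22, which strict=False handles.
ROUTES = [
    ("208.65.153.0/22", "YouTube"),            # the legitimate announcement
    ("208.65.153.0/24", "Pakistan Telecom"),   # the leaked more-specific
]


def build_table(routes):
    """Parse (prefix, origin) pairs into (IPv4Network, origin) entries."""
    return [(ipaddress.ip_network(p, strict=False), origin) for p, origin in routes]


def longest_prefix_match(dst, table):
    """Return the origin of the most specific route covering dst (None if none).

    A router forwards on the longest matching prefix no matter who announced
    it, which is why the /24 drew traffic for those 256 addresses away from
    the /22 on every router that accepted it.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, origin) for net, origin in table if addr in net]
    return max(candidates)[1] if candidates else None


def diverted_fraction(table, legitimate, hijacker):
    """Fraction of the legitimate prefix's addresses that the hijacker's
    more-specific route captures on a router holding both routes."""
    legit = next(net for net, who in table if who == legitimate)
    stolen = sum(net.num_addresses for net, who in table
                 if who == hijacker and net.subnet_of(legit))
    return stolen / legit.num_addresses


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("208.65.153.100", "208.65.154.5"):
        print(dst, "->", longest_prefix_match(dst, table))
    print("diverted:", diverted_fraction(table, "YouTube", "Pakistan Telecom"))
    # Slide 6's intended outcome: the /24 never leaves Pakistan Telecom's
    # network, so the rest of the Internet only holds the /22.
    print("208.65.153.100 without the leak ->",
          longest_prefix_match("208.65.153.100", build_table(ROUTES[:1])))
```

The last lines model slide 6: if the /24 had stayed inside Pakistan Telecom's own network, routers elsewhere would have held only the /22 and forwarded to YouTube as before.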

SLIDE 8

the IP address allocation hierarchy (1)

[Diagram: ARIN (American Registry for Internet Numbers) allocates 8.0.0.0/8 to Level 3, aka 8.*.*.*. Bit ruler 1–32 with the first 8 bits fixed and the remaining 24 free.]

SLIDE 9

the IP address allocation hierarchy (2)

[Diagram: ARIN (American Registry for Internet Numbers) allocates 8.0.0.0/8 to Level 3, which allocates 8.23.195.0/24 to ChinaCache and 8.3.210.0/24 to Xeex Comm, aka 8.3.210.*. Bit ruler 1–32 with the first 24 bits fixed and the last 8 free.]

SLIDE 10

Internet routing security

A prefix hijack: traffic for 8.3.210.0/24 splits between Xeex and China Telecom.

(Real events from April 8, 2010; see [Hiran, Carlsson, Gill’12])

[Diagram: Xeex (AS 27524) announces 8.3.210.0/24 and China Telecom (AS 23724) also announces 8.3.210.0/24 into “The Internet”.]

SLIDE 11

the fix: use RPKI as part of routing policies

ROA: “AS 27524 is authorized to announce 8.3.210.0/24”

[Diagram: Xeex (AS 27524) announces 8.3.210.0/24: RPKI Valid! China Telecom (AS 23724) announces 8.3.210.0/24: RPKI Invalid!]

Importantly, RPKI validity must impact routing decisions.

SLIDE 12

the RPKI: a cryptographic certificate hierarchy

[Diagram: ARIN (American Registry for Internet Numbers) → Level 3 (8.0.0.0/8) → ChinaCache (8.23.195.0/24) and Xeex Comm (8.3.210.0/24). ROAs: 8.3.210.0/24 → AS27524; 8.21.37.0/24 → AS40470; 8.23.195.0/24 → AS38958; 8.23.195.0/24 → AS37958.]

Resource cert: IP prefix to org. ROA: IP prefix to ASN.
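Slides 11 and 12 describe the two objects that make the RPKI useful for routing policy, the resource-certificate chain (prefix to organisation) and the ROA (prefix to ASN), plus the validity state a router must act on. The following Python is an added example, not code from the slides or their authors: a minimal model of both checks. The certificate chain follows the ARIN → Level 3 → Xeex hierarchy of slides 8, 9 and 12 (treating ARIN as the trust anchor is an assumption; slide 13 leaves the root question open), the ROAs are two of those printed on slides 11 and 12, the validation states follow RFC 6811, and the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


@dataclass(frozen=True)
class ResourceCert:
    """Resource certificate: IP prefixes bound to an organisation (slide 12)."""
    holder: str
    prefixes: tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: an IP prefix bound to an origin ASN (slide 12)."""
    prefix: str
    asn: int
    max_length: Optional[int] = None  # None: only the exact prefix length is authorised


def chain_covers(chain, roa_prefix):
    """Resource-certificate check: walking the chain root-first, each
    certificate's prefixes must lie inside its issuer's, and the last
    certificate must cover the prefix named in the ROA."""
    for issuer, subject in zip(chain, chain[1:]):
        issuer_nets = [_net(p) for p in issuer.prefixes]
        for p in subject.prefixes:
            if not any(_net(p).subnet_of(n) for n in issuer_nets):
                return False
    return any(_net(roa_prefix).subnet_of(_net(p)) for p in chain[-1].prefixes)


def origin_validation(prefix, origin_asn, roas):
    """Route Origin Validation (RFC 6811): 'valid', 'invalid' or 'notfound'."""
    announced = _net(prefix)
    covering = [r for r in roas if announced.subnet_of(_net(r.prefix))]
    if not covering:
        return "notfound"
    for r in covering:
        max_len = r.max_length if r.max_length is not None else _net(r.prefix).prefixlen
        if r.asn == origin_asn and announced.prefixlen <= max_len:
            return "valid"
    return "invalid"


def rov_filter(announcements, roas, drop_invalid=True):
    """The routing-policy half of slide 11: validity only protects anyone if
    the router acts on it. Returns (prefix, asn, state) for surviving routes."""
    kept = []
    for prefix, asn in announcements:
        state = origin_validation(prefix, asn, roas)
        if drop_invalid and state == "invalid":
            continue
        kept.append((prefix, asn, state))
    return kept


# Constructed chain following slides 8, 9 and 12 (ARIN as trust anchor is an
# assumption of this example; slide 13 leaves the root question open).
CHAIN = (
    ResourceCert("ARIN", ("8.0.0.0/8",)),
    ResourceCert("Level 3", ("8.0.0.0/8",)),
    ResourceCert("Xeex Comm", ("8.3.210.0/24",)),
)

# Two of the ROAs printed on slides 11 and 12.
ROAS = (ROA("8.3.210.0/24", 27524), ROA("8.21.37.0/24", 40470))

# The two announcements for 8.3.210.0/24 from slides 10 and 11.
ANNOUNCEMENTS = (
    ("8.3.210.0/24", 27524),  # Xeex, the holder named in the ROA
    ("8.3.210.0/24", 23724),  # China Telecom, April 2010
)


if __name__ == "__main__":
    print("ROA prefix covered by cert chain:", chain_covers(CHAIN, "8.3.210.0/24"))
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, "from AS", asn, "->", origin_validation(prefix, asn, ROAS))
    print("routes kept after ROV policy:", rov_filter(ANNOUNCEMENTS, ROAS))
```

Two details worth noticing: a ROA whose prefix the issuing certificate does not cover fails `chain_covers`, so a bogus ROA cannot simply be attached under an unrelated certificate; and `rov_filter` with `drop_invalid=False` keeps both 8.3.210.0/24 routes, which is exactly the slide's warning that computing a validity state without acting on it changes nothing.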

SLIDE 13

RIRs (Regional Internet Registries)

Image source: http://www.iana.org/numbers

Is there a single root of trust? Unclear; maybe run by IANA.

SLIDE 14

Who runs the IANA?

New IANA contract solicitation, posted November 10, 2011:

“The United States Department of Commerce (DoC), National Telecommunications and Information Administration (NTIA) intends to award a contract to maintain the continuity and stability of services related to certain interdependent Internet technical management functions, known collectively as the Internet Assigned Numbers Authority (IANA).”

“A successful bidder … must be a wholly U.S. owned and operated firm or university … and organized under the laws of one of the 50 U.S. states. … Any operations and activities can be inspected by U.S. government officials at any time. … the "Internet user community" is included as an "interested and affected party" in section C.1.3. This means that the Contractor … must develop a "close and constructive working relationship" with it, and that Internet users are given standing in regards to commenting … on certain things…”

http://blog.internetgovernance.org/blog/_archives/2011/11/16/4940638.html