SlideShare uma empresa Scribd logo

Routing Security

RIPE NCC
RIPE NCC

Presentation given by Daniel Karenberg in Brussels in February 2011

Tecnologia
1 de 46
Baixar para ler offline
Routing Security Daniel Karrenberg RIPE NCC <daniel.karrenberg@ripe.net>
Who is talking: Daniel Karrenberg • 1980s: helped build Internet in Europe - EUnet, Ebone, IXes, ... - RIPE • 1990s: helped build RIPE NCC - 1st CEO: 1992-2000 • 2000s: Chief Scientist & Public Service - Trustee of the Internet Society: IETF, ... - Interests: Internet measurements, stability, trust & identity in the Internet, ... 2
Who is talking: Daniel Karrenberg • RIPE NCC - started in 1992 - first Regional Internet Registry (RIR) - Association of 7000+ ISPs - 70+ countries in “Europe & surrounding areas” - operational coordination - number resource distribution - trusted source of data - Motto: Neutrality & Expertise - not a lobby group! 3
My Messages Today • Routing security needs to be improved • The sky is not falling • Industry is moving 4
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 5
The Internet 6
Part(s) of the Internet 7
“Autonomous Systems” 8
Packet Flow 9
Routing Information Flow (BGP) 10
Both Directions are Needed 11
Choice and Redundancy 12
Questions?
What makes it work 14
Business Relationships 15
Transmission Paths 16
Routing Engineering 17
Routing Engineering Methods • Inbound Traffic - Selectively announce routes. - Very little control over preferences by other ASes. • Outbound Traffic - Decide which of the known routes to use. • Inputs - Cost - Transmission Capacity - Load - Routing State 18
Routing Engineering Principles • Autonomous Decisions by each AS • Local tools • Local strategies • Local knowlege • Business advantages • Autonomous Decisions by each AS • (One of the reasons for rapid growth of the Internet) 19
Questions?
What can go wrong • Misconfiguration - Announcing too many routes (unitentional transit) - Originating wrong routes • Malicious Actions - Originating wrong routes (hijacking) 21
Hijacking 22
Hijacking 23
Hijacking 24
Questions?
Examples • YouTube & Pakistan Telecom (2008) • A number of full table exports • Various route leaks from China (2010) YouTube Movie 26
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 27
Routing Hygiene • Do not accept customer routes from peers or upstreams • Limit number of prefixes accepted per adjacent AS • Use a routing registry - no global authoritative registry exists • Use own knowledge about topology - topology is constantly changing - distruptions can cause drastic changes 28
Routing Hygiene • Is applied locally / autonomously • Has a cost • Subservient to routing engineering - No obstruction - Maintain Autonomy • Cooperation - Trust - Community - Personal Relations 29
Resource Certification - Motivation • Good practice: - to register routes in an IRR - to filter routes based on IRR data • Problem: - only useful if the registries are complete - many IRRs exist, lacking standardisation • Result: - Less than half of all prefixes is registered in an IRR - Real world filtering is difficult and limited - Accidental leaks happen, route hijacking is possible 30
Resource Certification – Definition “Resource certification is a reliable method for proving the association between resource holders and Internet resources.” 31
Digital Resource Certificates • Based on open IETF standards (sidr) • Issued by the RIPE NCC • The certificate states that an Internet number resource has been registered by the RIPE NCC • The certificate does not give any indication of the identity of the holder • All further information on the resource can be found in the registry 32
What Certification offers • Proof of holdership • Secure Inter-Domain Routing - Route Origin Authorisation - Preferred certified routing • Resource transfers • Validation is the added value! 33
Proof of holdership • Public Key • Resources • Signature 34
Route Origin Authorisation (ROA) • IP Prefixes • AS Numbers • Signature 35
Automated Provisioning using ROAs Please route this part of my network: 192.0.2.0/24 Please sign a ROA for that resource using my AS number OK, I signed and published a ROA OK, that ROA is valid. I can trust this request 36
Who Controls Routing? • Certificates do not create additional powers for the Regional Internet Registries • Certificates reflect the resource registration status - no registration → no certificate - the reverse is not true! • Routing decisions are made by network operators! 37
All five Regional Internet Registries will launch production system on 1 January 2011 38
Obstacles • Fear of loosing autonomy • Cost • Low threat perception • Fear of loosing business advantage • Fear of loosing autonomy 39
Questions?
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 41
My Messages Today • Routing security needs to be improved - Accidents do happen ... sometimes - Hijackings do happen ... sometimes • The sky is not falling - It does not happen all the time - It does not affect large areas of the Internet 42
My Messages Today • Industryis addressing the problems - Local measures taken autonomously - RPKI being deployed by RIRs - RPKI based routing tools being developed - RPKI based routing protocols being studied in IETF 43
My Messages Today • No need for public policies at this point - Not a strucutral problem endangering Internet - Mitigation works - Mitigation being improved - Global coordination is working 44
Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 45
The End! Kрай Y Diwedd Fí Соңы Finis Liðugt Ende Finvezh Kiнець Konec Kraj Ënn Fund Lõpp Beigas Vége Son Kpaj An Críoch ‫הסוף‬ Endir Fine Sfârşit Fin Τέλος Einde Конeц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim

Recomendados

Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Secure Routing
Secure RoutingSecure Routing
Secure RoutingRIPE NCC
 
Facilitating IPv6 Deployment
Facilitating IPv6 DeploymentFacilitating IPv6 Deployment
Facilitating IPv6 DeploymentRIPE NCC
 
IPv6 by APNIC
IPv6 by APNICIPv6 by APNIC
IPv6 by APNICFebrian ‎
 
Tutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICTutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICFebrian ‎
 
Sorabh_Sharma_RHCSS
Sorabh_Sharma_RHCSSSorabh_Sharma_RHCSS
Sorabh_Sharma_RHCSSsorabhsharmadsc
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 

Recomendados

Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Secure Routing
Secure RoutingSecure Routing
Secure RoutingRIPE NCC
 
Facilitating IPv6 Deployment
Facilitating IPv6 DeploymentFacilitating IPv6 Deployment
Facilitating IPv6 DeploymentRIPE NCC
 
IPv6 by APNIC
IPv6 by APNICIPv6 by APNIC
IPv6 by APNICFebrian ‎
 
Tutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICTutorial: Internet Resource Management by Champika Wijayatunga, APNIC
Tutorial: Internet Resource Management by Champika Wijayatunga, APNICFebrian ‎
 
Sorabh_Sharma_RHCSS
Sorabh_Sharma_RHCSSSorabh_Sharma_RHCSS
Sorabh_Sharma_RHCSSsorabhsharmadsc
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
Routing Security
Routing SecurityRouting Security
Routing SecurityRIPE NCC
 
Asterisk Deployments
Asterisk DeploymentsAsterisk Deployments
Asterisk DeploymentsAsterisk Community
 
RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE NCC
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE AtlasRIPE NCC
 
Cloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyCloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyTim Willoughby
 
BuildingIXPs
BuildingIXPsBuildingIXPs
BuildingIXPsShahab Vahabzadeh
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24APNIC
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity buildingAPNIC
 
06 selecting an-ixp
06 selecting an-ixp06 selecting an-ixp
06 selecting an-ixpWilliam Norton
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure APNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
Smart Roadside Initiative
Smart Roadside InitiativeSmart Roadside Initiative
Smart Roadside InitiativeUGPTI
 
UN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsUN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsAPNIC
 
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioNavigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioGary Arora
 
4G World CFN Presentation Mobile Backhaul
4G World CFN Presentation Mobile Backhaul4G World CFN Presentation Mobile Backhaul
4G World CFN Presentation Mobile BackhaulCFN Services
 
Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 

Mais conteúdo relacionado

Semelhante a Routing Security

RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE NCC
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security RoadmapAPNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsAPNIC
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE AtlasRIPE NCC
 
Cloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyCloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyTim Willoughby
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24APNIC
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity buildingAPNIC
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure APNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
Smart Roadside Initiative
Smart Roadside InitiativeSmart Roadside Initiative
Smart Roadside InitiativeUGPTI
 
UN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsUN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsAPNIC
 
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioNavigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioGary Arora
 
4G World CFN Presentation Mobile Backhaul
4G World CFN Presentation Mobile Backhaul4G World CFN Presentation Mobile Backhaul
4G World CFN Presentation Mobile BackhaulCFN Services
 

Semelhante a Routing Security (20)

Asterisk Deployments
Asterisk DeploymentsAsterisk Deployments
Asterisk Deployments
 
RIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement NetworkRIPE Atlas - A Real Big Measurement Network
RIPE Atlas - A Real Big Measurement Network
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
 
A Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific IslandsA Peering Strategy for the Pacific Islands
A Peering Strategy for the Pacific Islands
 
RIPE Atlas
RIPE AtlasRIPE Atlas
RIPE Atlas
 
Cloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim WilloughbyCloud Security - Cloud Arena - Tim Willoughby
Cloud Security - Cloud Arena - Tim Willoughby
 
BuildingIXPs
BuildingIXPsBuildingIXPs
BuildingIXPs
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24
 
Law Enforcement engagement capacity building
Law Enforcement engagement capacity buildingLaw Enforcement engagement capacity building
Law Enforcement engagement capacity building
 
06 selecting an-ixp
06 selecting an-ixp06 selecting an-ixp
06 selecting an-ixp
 
SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure SEA IGF 2021: Some thoughts on Internet infrastructure
SEA IGF 2021: Some thoughts on Internet infrastructure
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Smart Roadside Initiative
Smart Roadside InitiativeSmart Roadside Initiative
Smart Roadside Initiative
 
UN INCB: RIRs and LEAs
UN INCB: RIRs and LEAsUN INCB: RIRs and LEAs
UN INCB: RIRs and LEAs
 
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with IstioNavigating a Mesh of Microservices in the new Cloud-Native World with Istio
Navigating a Mesh of Microservices in the new Cloud-Native World with Istio
 
4G World CFN Presentation Mobile Backhaul
4G World CFN Presentation Mobile Backhaul4G World CFN Presentation Mobile Backhaul
4G World CFN Presentation Mobile Backhaul
 

Mais de RIPE NCC

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in TechRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfRIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsRIPE NCC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing SecurityRIPE NCC
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfRIPE NCC
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasRIPE NCC
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasRIPE NCC
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet InfrastructureRIPE NCC
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenRIPE NCC
 

Mais de RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Routing Security

  • 1. Routing Security Daniel Karrenberg RIPE NCC <daniel.karrenberg@ripe.net>
  • 2. Who is talking: Daniel Karrenberg • 1980s: helped build Internet in Europe - EUnet, Ebone, IXes, ... - RIPE • 1990s: helped build RIPE NCC - 1st CEO: 1992-2000 • 2000s: Chief Scientist & Public Service - Trustee of the Internet Society: IETF, ... - Interests: Internet measurements, stability, trust & identity in the Internet, ... 2
  • 3. Who is talking: Daniel Karrenberg • RIPE NCC - started in 1992 - first Regional Internet Registry (RIR) - Association of 7000+ ISPs - 70+ countries in “Europe & surrounding areas” - operational coordination - number resource distribution - trusted source of data - Motto: Neutrality & Expertise - not a lobby group! 3
  • 4. My Messages Today • Routing security needs to be improved • The sky is not falling • Industry is moving 4
  • 5. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 5
  • 7. Part(s) of the Internet 7
  • 11. Both Directions are Needed 11
  • 14. What makes it work 14
  • 18. Routing Engineering Methods • Inbound Traffic - Selectively announce routes. - Very little control over preferences by other ASes. • Outbound Traffic - Decide which of the known routes to use. • Inputs - Cost - Transmission Capacity - Load - Routing State 18
  • 19. Routing Engineering Principles • Autonomous Decisions by each AS • Local tools • Local strategies • Local knowlege • Business advantages • Autonomous Decisions by each AS • (One of the reasons for rapid growth of the Internet) 19
  • 21. What can go wrong • Misconfiguration - Announcing too many routes (unitentional transit) - Originating wrong routes • Malicious Actions - Originating wrong routes (hijacking) 21
  • 22. Hijacking 22
  • 23. Hijacking 23
  • 24. Hijacking 24
  • 26. Examples • YouTube & Pakistan Telecom (2008) • A number of full table exports • Various route leaks from China (2010) YouTube Movie 26
  • 27. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 27
  • 28. Routing Hygiene • Do not accept customer routes from peers or upstreams • Limit number of prefixes accepted per adjacent AS • Use a routing registry - no global authoritative registry exists • Use own knowledge about topology - topology is constantly changing - distruptions can cause drastic changes 28
  • 29. Routing Hygiene • Is applied locally / autonomously • Has a cost • Subservient to routing engineering - No obstruction - Maintain Autonomy • Cooperation - Trust - Community - Personal Relations 29
  • 30. Resource Certification - Motivation • Good practice: - to register routes in an IRR - to filter routes based on IRR data • Problem: - only useful if the registries are complete - many IRRs exist, lacking standardisation • Result: - Less than half of all prefixes is registered in an IRR - Real world filtering is difficult and limited - Accidental leaks happen, route hijacking is possible 30
  • 31. Resource Certification – Definition “Resource certification is a reliable method for proving the association between resource holders and Internet resources.” 31
  • 32. Digital Resource Certificates • Based on open IETF standards (sidr) • Issued by the RIPE NCC • The certificate states that an Internet number resource has been registered by the RIPE NCC • The certificate does not give any indication of the identity of the holder • All further information on the resource can be found in the registry 32
  • 33. What Certification offers • Proof of holdership • Secure Inter-Domain Routing - Route Origin Authorisation - Preferred certified routing • Resource transfers • Validation is the added value! 33
  • 34. Proof of holdership • Public Key • Resources • Signature 34
  • 35. Route Origin Authorisation (ROA) • IP Prefixes • AS Numbers • Signature 35
  • 36. Automated Provisioning using ROAs Please route this part of my network: 192.0.2.0/24 Please sign a ROA for that resource using my AS number OK, I signed and published a ROA OK, that ROA is valid. I can trust this request 36
  • 37. Who Controls Routing? • Certificates do not create additional powers for the Regional Internet Registries • Certificates reflect the resource registration status - no registration → no certificate - the reverse is not true! • Routing decisions are made by network operators! 37
  • 38. All five Regional Internet Registries will launch production system on 1 January 2011 38
  • 39. Obstacles • Fear of loosing autonomy • Cost • Low threat perception • Fear of loosing business advantage • Fear of loosing autonomy 39
  • 41. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 41
  • 42. My Messages Today • Routing security needs to be improved - Accidents do happen ... sometimes - Hijackings do happen ... sometimes • The sky is not falling - It does not happen all the time - It does not affect large areas of the Internet 42
  • 43. My Messages Today • Industryis addressing the problems - Local measures taken autonomously - RPKI being deployed by RIRs - RPKI based routing tools being developed - RPKI based routing protocols being studied in IETF 43
  • 44. My Messages Today • No need for public policies at this point - Not a strucutral problem endangering Internet - Mitigation works - Mitigation being improved - Global coordination is working 44
  • 45. Outline • Internet Routing - How it works - What makes it work in practice - What can go wrong today • Risk Mitigation - Routing Hygiene - Resource certification & checks - Obstacles • Public Policy Considerations • Discussion 45
  • 46. The End! Kрай Y Diwedd Fí Соңы Finis Liðugt Ende Finvezh Kiнець Konec Kraj Ënn Fund Lõpp Beigas Vége Son Kpaj An Críoch ‫הסוף‬ Endir Fine Sfârşit Fin Τέλος Einde Конeц Slut Slutt Pabaiga Amaia Loppu Tmiem Koniec Fim