Securing Your Network From Being Hijacked

Abstract

The Internet routing infrastructure was designed more than a decade ago. The "by default" routing protocol on the Internet is BGP-4, which was defined within the IETF in the period 1989-1995 (and a refinement of BGP-4 in 2006). At that time, security was not such an issue as it is today, and between the relative few participants/networks there was quite some level of trust. Understandably, the BGP protocol relied on this trust between the partners in the routing system, and no security considerations or requirements were formulated. And although BGP did not have security mechanisms, there are many ways for networks to secure their part of the routing system by mechanisms like prefix filtering or network ingress filtering.

The routing security can be approached as two separate problems: route origin validation and route path validation. With route origin validation the originating network for a prefix is asserted such that prefix hijacks can be prevented, think of incidents like the Pakistan-YouTube hijack and China Telecom accidentally announcing 35000 prefixes from other networks. The harder problem of secure route path protects traffic towards a network for, for example, man-in-the-middle attacks with all its consequences.

For route origin validation the Resource PKI (RPKI) infrastructure was defined. This work is in its final phase in the IETF Secure Inter-domain Routing (SIDR) working group. For the RPKI infrastructure both the Regional Internet Registries as the Local Internet Registries and Internet Service Providers have to deploy RPKI software and provision services towards their customers. In the presentation, the speaker(s) will detail on the design (considerations) of the RPKI infrastructure for the different stakeholders, and its current status like the implementation of the protocols, the testbed for RPKI, and real-world deployment.

Biografie

François Kooman werkt sinds het afronden van de studie informatica (Kerckhoffs Security Master) aan de Radboud Universiteit als trainee bij SURFnet aan diverse projecten gerelateerd aan video, identity management, IPv6, HTML5, social web en metingen van energieverbruik.