Randy's Work Blog

        BCP 211        
        RFC 8207

        Title:      BGPsec Operational Considerations 
        Author:     R. Bush
        Status:     Best Current Practice
        Stream:     IETF
        Date:       September 2017
        Mailbox:    randy@psg.com
        Pages:      10
        Characters: 21086
        See Also:   BCP 211

        I-D Tag:    draft-ietf-sidr-bgpsec-ops-16.txt

        URL:        https://www.rfc-editor.org/info/rfc8207

        DOI:        10.17487/RFC8207

Deployment of the BGPsec architecture and protocols has many
operational considerations.  This document attempts to collect and
present the most critical and universal.  Operational practices are
expected to evolve as BGPsec is formalized and initially deployed.

        RFC 8097

        Title:      BGP Prefix Origin Validation State 
                    Extended Community 
        Author:     P. Mohapatra, 
                    K. Patel,
                    J. Scudder, 
                    D. Ward,
                    R. Bush
        Status:     Standards Track
        Stream:     IETF
        Date:       March 2017
        Mailbox:    mpradosh@yahoo.com, 
                    keyur@arrcus.com, 
                    jgs@juniper.net,  
                    dward@cisco.com, 
                    randy@psg.com
        Pages:      6
        Characters: 12287
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-sidr-origin-validation-signaling-11.txt

        URL:        https://www.rfc-editor.org/info/rfc8097

        DOI:        10.17487/RFC8097

This document defines a new BGP opaque extended community to carry
the origination Autonomous System (AS) validation state inside an
autonomous system.  Internal BGP (IBGP) speakers that receive this
validation state can configure local policies that allow it to
influence their decision process.

Daniele Iamartino, Cristel Pelsser, Randy Bush. Measuring BGP Route Origin Registration and Validation, PAM 2015.

BGP, the de-facto inter-domain routing protocol, was designed without considering security. Recently, network operators have experienced hijacks of their network prefixes, often due to BGP misconfiguration by other operators, sometimes maliciously. In order to address this, prefix origin validation, based on a RPKI infrastructure, was proposed and developed. Today, many organizations are registering their data in the RPKI to protect their prefixes from accidental mis-origination. However, some organizations submit incorrect information to the RPKI repositories or announce prefixes that do not exactly match what they registered. Also, the RPKI repositories of Internet registries are not operationally reliable. The aim of this work is to reveal these problems via measurement. We show how important they are, try to understand the main causes of errors, and explore possible solutions. In this longitudinal study, we see the impact of a policy which discards route announcements with invalid origins would have on the routing table, and to a lesser extent on the traffic at the edge of a large research network.

RFC 7128

Title: Resource Public Key Infrastructure (RPKI) Router Implementation Report
Author: R. Bush, R. Austein,
K. Patel, H. Gredler,
M. Waehlisch
Status: Informational
Stream: IETF
Date: February 2014
Mailbox: randy@psg.com,
sra@hactrn.net,
keyupate@cisco.com,
hannes@juniper.net,
waehlisch@ieee.org
Pages: 11
Characters: 19348
Updates/Obsoletes/SeeAlso: None

I-D Tag: draft-ietf-sidr-rpki-rtr-impl-05.txt

URL: http://www.rfc-editor.org/rfc/rfc7128.txt

This document is an implementation report for the Resource Public Key Infrastructure (RPKI) Router protocol as defined in RFC 6810. The authors did not verify the accuracy of the information provided by respondents. The respondents are experts with the implementations they reported on, and their responses are considered authoritative for the implementations for which their responses represent. The respondents were asked to only use the “YES” answer if the feature had at least been tested in the lab.

Title: Origin Validation Operation Based on
the Resource Public Key Infrastructure (RPKI)
Author: R. Bush
Status: Best Current Practice
Stream: IETF
Date: January 2014
Mailbox: randy@psg.com
Pages: 11
Characters: 26033
See Also: BCP 185

I-D Tag: draft-ietf-sidr-origin-ops-23.txt

URL: http://www.rfc-editor.org/rfc/rfc7115.txt

Deployment of BGP origin validation that is based on the Resource
Public Key Infrastructure (RPKI) has many operational considerations.
This document attempts to collect and present those that are most
critical. It is expected to evolve as RPKI-based origin validation
continues to be deployed and the dynamics are better understood.

RFC 6811

Title: BGP Prefix Origin Validation
Author: P. Mohapatra, J. Scudder,
D. Ward, R. Bush,
R. Austein
Status: Standards Track
Stream: IETF
Date: January 2013
Mailbox: pmohapat@cisco.com,
jgs@juniper.net,
dward@cisco.com,
randy@psg.com,
sra@hactrn.net
Pages: 10
Characters: 20082
Updates/Obsoletes/SeeAlso: None

I-D Tag: draft-ietf-sidr-pfx-validate-10.txt

URL: http://www.rfc-editor.org/rfc/rfc6811.txt

To help reduce well-known threats against BGP including prefix mis-
announcing and monkey-in-the-middle attacks, one of the security
requirements is the ability to validate the origination Autonomous
System (AS) of BGP routes. More specifically, one needs to validate
that the AS number claiming to originate an address prefix (as
derived from the AS_PATH attribute of the BGP route) is in fact
authorized by the prefix holder to do so. This document describes a
simple validation mechanism to partially satisfy this requirement.
[STANDARDS-TRACK]

RFC 6810

Title: The Resource Public Key Infrastructure
(RPKI) to Router Protocol
Author: R. Bush, R. Austein
Status: Standards Track
Stream: IETF
Date: January 2013
Mailbox: randy@psg.com,
sra@hactrn.net
Pages: 27
Characters: 59714
Updates/Obsoletes/SeeAlso: None

I-D Tag: draft-ietf-sidr-rpki-rtr-26.txt

URL: http://www.rfc-editor.org/rfc/rfc6810.txt

In order to verifiably validate the origin Autonomous Systems of BGP
announcements, routers need a simple but reliable mechanism to
receive Resource Public Key Infrastructure (RFC 6480) prefix origin
data from a trusted cache. This document describes a protocol to
deliver validated prefix origin data to routers. [STANDARDS-TRACK]

Debbie Perouli presented our first AutoNetKit / RPKI Emulation paper at CSET’12

Olaf Maennel, Iain Phillips, Debbie Perouli, Randy Bush, Rob Austein, and Askar Jaboldinov, Towards a Framework for Evaluating BGP Security, CSET’12, 5th Workshop on Cyber Security Experimentation and Test.

From the abstract:

In this paper, our abstractions are specifically designed to evaluate the BGP security framework currently being documented by the IETF SIDR working group. We capture the relevant aspects of the SIDR security proposals, and allow experimenters to evaluate the technology in topologies of real router and server code. We believe such methods are also useful for teaching newcomers and operators, as it allows them to gain experience in a sand-box before deployment. It allows security experts to set up controlled experiments at various levels of complexity, and concentrate on discovering weaknesses, instead of having to spend time on tedious configuration tasks. Finally, it allows router vendors and implementers to test their code and to perform scalability evaluation.

        Title:      The Resource Public Key Infrastructure 
                    (RPKI) Ghostbusters Record 
        Author:     R. Bush
        Status:     Standards Track
        Stream:     IETF
        Date:       February 2012
        Mailbox:    randy@psg.com
        Pages:      8
        Characters: 15491
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-sidr-ghostbusters-15.txt

        URL:        http://www.rfc-editor.org/rfc/rfc6493.txt

In the Resource Public Key Infrastructure (RPKI), resource certificates completely obscure names or any other information that might be useful for contacting responsible parties to deal with issues of certificate expiration, maintenance, roll-overs, compromises, etc.  This document describes the RPKI Ghostbusters Record containing human contact information that may be verified (indirectly) by a Certification Authority (CA) certificate.  The data in the record are those of a severely profiled vCard.

My presentation, with Kotikalapudi Sriram, given at Cisco NAG of the first results from modeling the signing and validation processor costs of BGPsec.

My take-away: