Solutions to Homework Problems

1. d. All of the above.

2. When an AS originates an IP prefix in BGP, it is announcing that prefix onto the Internet. When an AS is allocated an IP prefix, it has been delegated a set of IP addresses to use on the Internet by an RIR or ISP.

3. BGP route attributes allow ASes to communicate reachability (e.g., the AS path attribute) and policy information for a set of IP prefixes.

4. Mutual trust.

5. In route hijacking, an AS originates a prefix without authority. BGP provides no method to authenticate which ASN may originate an IP prefix. In a routed wide-area MITM attack, the route attributes of a BGP announcement are manipulated to redirect traffic through an AS as well as to hijack the associated prefix. BGP provides no method to authenticate either circumstance.

6. The primary vulnerability of the Internet routing system is the lack of a means to authenticate the ASNs, network prefixes, and route attributes provided by others.

7. RPKI

8. AS network operators

9. The Internet routing system grows on a daily basis. The number of ASes in the Internet has also increased linearly over time. No single entity can administer punishment for abuse of the Internet. The financial cost is high.

10. Filtering has both a business cost and a computational cost associated with it.

11. Everyone must do it, and do it with an equally strict level of scrutiny.

12. An intensive amount of manual labor is required to create and maintain these filters.

13. The key difference is that it uses the X.509 certificate system to provide cryptographic assurance only of the association between 1) an ASN and the IP prefixes it has been allocated and 2) an ASN and the IP prefixes it is authorized to originate.

14. RPKI was proposed as one technical solution to secure Internet routing. It uses cryptography to provide assurance of the association between: 1) an ASN and the IP prefixes it has been allocated, and 2) an ASN and the IP prefixes it is authorized to originate.

15. Route Origin Authorizations (ROAs)

16. BGP does not provide a mechanism to authenticate the route attributes associated with the announcements of an AS.

17. Communication is an inherently insecure process.

18. Network: 30.31.48.0/20 (or more specific), AS Path: 50

19. Consider the network diagram and BGP route announcement from Router 50 of AS50 below. AS10 is a multihomed AS. Assuming no local preferences are set, for every AS, draw the path that AS would select to reach 30.31.51.10, beginning with the AS router and ending with the Midtrest webserver.

[Network diagram (image not reproduced): AS 10 (R10, multihomed), AS 20 (R20, 1.2.3.0/24), AS 30 (R30), AS 40 (R40, 30.31.32.0/19, www.midtrest.com at 30.31.51.10), AS 50 (R50), AS 70 (R70); inter-router links 1.1.1.0/30, 2.2.2.0/30, 3.3.3.0/30, 4.4.4.0/30, 5.5.5.0/30, 7.7.7.0/30, 8.8.8.0/30, 9.9.9.0/30, 10.10.10.0/30. Announcements shown: Network 30.31.48.0/20, AS-Path 50-70-40; Network 30.31.32.0/19, AS-Path 40.]
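The ROA-based check behind answers 13 to 15, applied to the more-specific announcement in answer 18, as an added worked example (not part of the solution set). It implements the RFC 6811 route origin validation outcome (Valid, Invalid, NotFound) over a constructed ROA table in which AS40 is authorized for 30.31.32.0/19 with maxLength 19; the ROA table and the announcements are assumptions built from the diagram's values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the holder is authorized to originate
    max_length: int   # longest prefix length that may be announced under it
    origin_as: int    # ASN authorized to originate it

# Constructed ROA table: AS40 holds 30.31.32.0/19 and allows no more specifics.
ROAS = (ROA("30.31.32.0/19", 19, 40),)

def route_origin_validate(announced_prefix, origin_as, roas):
    """Classify one announcement per RFC 6811: Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route when the announced prefix lies inside it.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append((roa, roa_net))
    if not covering:
        return "NotFound"  # no ROA speaks to this prefix at all
    for roa, _ in covering:
        # Origin must match AND the announcement must not exceed maxLength.
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered by a ROA, but wrong origin or too specific

def accept_announcements(announcements, roas):
    """Drop-Invalid policy: keep Valid and NotFound routes, reject Invalid."""
    return [(p, a) for p, a in announcements
            if route_origin_validate(p, a, roas) != "Invalid"]

if __name__ == "__main__":
    # Constructed announcements taken from the diagram and answer 18.
    seen = [("30.31.32.0/19", 40),   # legitimate origin, exact ROA prefix
            ("30.31.48.0/20", 50),   # answer 18: AS50 originating a more specific
            ("30.31.48.0/20", 40),   # right origin, but exceeds maxLength 19
            ("1.2.3.0/24", 20)]      # no ROA exists for this prefix
    for prefix, asn in seen:
        print(prefix, asn, route_origin_validate(prefix, asn, ROAS))
    print("accepted:", accept_announcements(seen, ROAS))
```

The third case shows why a ROA's maxLength matters: even the rightful holder's more-specific is Invalid unless the ROA permits that length, which is also what makes an attacker's "or more specific" hijack detectable.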