Internet Exchange Points

advertisement
Sofía Silva Berenguer
sofia @ lacnic.net
Internet Exchange Points
Workshop
Paramaribo - Surinam
AGENDA
•
•
•
•
•
•
How the Internet Works
Intro to BGP
IPv4 Exhaustion and IPv6 Deployment
Internet Exchange Points
How to request Internet Resources
Advanced topics
–
–
–
–
–
Route Hijacking
Leaks
Attacks against the path
Well known incidents
Securing the Routing System
HOW THE INTERNET WORKS
Interconnection of Networks
http://prezi.com/agzxt0exlfpk/network-interconnection/
Internet Routing
ASN 6057
announces
200.40.0.0/16
ASN 8158
receives
200.40.0.0/16
The prefix 200.40.0.0/16 is
propagated with BGP to the
Internet
Atributos:
200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057
Transit and Peering
• Transit
– Traffic and prefixes originating from one AS are
carried across an intermediate AS to reach their
destination AS
– Usually for a fee
• Peering
– Private interconnect between two ASNs
– Usually for no fee
Transit and Peering
ASN 65538
ASN 64511
Transit
ASN 65536
Peering
ASN 65537
Peering in an Internet Exchange Point
(IXP)
• Internet Exchange Point
– Common interconnect location where several
ASNs exchange routing information and traffic
ASN 65536
ASN 65537
ASN 65538
ASN 65539
IP address, where they come from?
Standards
Central Registry
Distribution
Regional Internet Registries
(RIRs) distribute IPv4, IPv6
and Autonomous System
Numbers
*
*
Distribution
Sometimes the distribution is done through
National Internet Registries (NIRs)
Allocations and
Assignments
End
user
Regional Internet Registries
INTRO TO BGP
Border Gateway Protocol
• A Routing Protocol used to exchange routing
information between different networks
• Exterior gateway protocol
• Described in RFC4271
– RFC4276 gives an implementation report on BGP
– RFC4277 describes operational experiences using
BGP
• Works on TCP port 179
More about BGP
• Learns multiple paths via internal and external
BGP speakers – Initial exchange of entire table
• Incremental Updates
– Picks THE bestpath and installs it in the IP forwarding
table – Policies applied by influencing the bestpath
selection
•
•
•
•
Keepalive messages exchanged
Many options for policy enforcement
Classless Inter Domain Routing (CIDR)
Widely used for Internet backbone
Neighbors
• BGP speakers
– Internal (iBGP) if they are in the same ASN
– External (eBGP) if they are in different ASN
eBGP
iBGP
ASN 65538
ASN 65536
Where to use BGP: Stub Network
ASN 65536,
Transit Provider
• Only one exit for
customer
• Not really need
to add BGP
ASN 65538, Customer
Multihomed Network
Transit Providers
ASN 65538
ASN 65539
• Different situations possible
•
•
•
ASN 65536
•
ASN 65537
•
Peering in IXP
Multiple links to same ISP
Secondary for only backup
Load share between
primary and secondary
Selectively use different
ISPs
Peering at IXP
INTERNET EXCHANGE POINTS
Why peer?
• Consider a region with one ISP
– It provides internet connectivity to it’s customers
– It has one or two international connections
• Internet grows, another ISP sets up in competition
– They provide internet connectivity to their
customers
– They have one or two international connections
• How does traffic from customer of one ISP get to
customer of the other ISP?
– Via the international connections
Why peer? (Cont.)
Internet
ASN 65536
ASN 65538
Why peer? (Cont.)
• Yes, international connections…
– If satellite, RTT is around 550ms per hop
– So local traffic takes over 1s round trip
• International bandwidth…
– Is much more expensive than domestic bandwidth
– Becomes congested with local traffic
• Wastes money, harms performance
Why peer? (Cont.)
• Solution:
– Two competing ISPs peer with each other
• Result:
– Both save money
– Local traffic stays local
– Better network performance
– More international bandwidth for international
traffic
Why peer? (Cont.)
Internet
ASN 65536
ASN 65538
Why peer? (Cont.)
• A third ISP enters the equation
– Becomes a significant player in the region
– Local and international traffic goes over their
international connections
• They agree to peer with the two other ISPs
– To save money
– To keep local traffic local
– To improve network performance
Why peer? (Cont.)
• Peering means that the three ISPs have to buy
circuits between each other
– Works for three ISPs, but adding a fourth or a fifth
means this does not scale
• Solution:
– Internet Exchange Point
Why peer? – Non-financial Motivations
•
•
•
•
Low latency
Control over routing
Redundancy
Aggregation benefits w/peering and Transit at
IXP
• ISP relationships – be one of the cool kids
• Marketing benefits
• Network reliability
Internet Exchange Point
• Every participant has to buy just one whole
circuit
– From their premises to the IXP
• Rather than N-1 half circuits to connect to the
N-1 other ISPs
– 5 ISPs have to buy 4 half circuits = 2 whole circuits
-> already twice the cost of the IXP connection
Simple Topology
• Layer 2 fabric
• N^N BGP relations
IXP Design
• Each ISP participating in the IXP brings a
router to the IXP location
• Router needs:
– One Ethernet port to connect to IXP switch
– One WAN port to connect to the WAN media
leading back to the ISP backbone
– To be able to run BGP
IXP Design (Cont.)
• IXP switch located in one equipment rack
dedicated to IXP
– Also includes other IXP operational equipment
(Management network, TLD DNS, Routing
Registry, Looking Glass, etc.)
– Optional: Second switch for redundancy
• Routers from participant ISPs located in
neighbouring/adjacent rack(s)
• Copper (UTP) connections made for 10Mbps,
100Mbps or 1Gbps connections
• Fibre used for 10Gbs and higher speeds
Peering at an IXP
• Each participant need to run BGP
– They need their own AS number
– Public ASN, NOT private ASN
• Each participant configures external BGP with
the other participants in the IXP
– Peering with all participants
Or
– Peering with a subset of participants
IXP - Routing
• ISP border routers at the IXP generally should
NOT be configured with a default route or
carry the full Internet routing table
– Carrying default or full table means that this
router and the ISP network is open to abuse by
non-peering IXP members
• ISP border routers at the IXP should not be
configured to carry the IXP LAN network
within the IGP or iBGP
– Set BGP next-hop to local router (Cisco IOS nexthop-self)
IP Address Space
• Some IXPs use private addresses for the IXP
LAN
– Public address space means the IXP network can
be leaked to the Internet, which could be
undesirable
– Filtering RFC1918 address space by ISPs is Best
Practice; this avoids leakage
• Some IXPs use public addresses for the IXP
LAN
– Address space is available from LACNIC
– IXP terms of participation usually forbid carrying the
IXP LAN addressing in the ISP backbone
Hardware
• The IXP Core is an Ethernet Switch
(Mandatory)
– Therefore invest in the best and most expandable
equipment that its financial circumstances allow
– Having 2 switches is good for redundancy if the
funds can allow
• Route Server (Optional)
– Provides ease of configuration for new members
– Direct peering between the IXP members can be
implemented in the absence of the Route Server
Hardware (Cont.)
• Other optional equipment
– Web Server (website, monitoring, etc.)
– Mail Server (email, mailing list, etc.)
– Transit Router (to provide Internet access to the
IXP website, email and staff Internet access)
– Route Collector (Looking glass which assists IXP
members with troubleshooting. It can also be
used to collect routes for statistics measurements)
Hardware - Suggestions
• Try not to mix port speeds
– If 10Mbps and 100Mbps connections available,
terminate on different switches
• Insist that IXP participants bring their own
router
– Moves buffering problem off the IXP
– Ensures integrity of the IXP
– Security is responsibility of the ISP, not the IXP
Location
• The location of the IXP is very important.
• The IXP location should be neutral and low cost.
• In considering the IXP location the following
factors should be considered:
–
–
–
–
–
–
–
Space
Environment Control
Security
Power
Access to terrestrial Infrastructure
Cabling
Support
Recommendations and Best Practices
• Only announce your aggregates and your
customer aggregates at IXPs
• Only accept the aggregates which your peer is
entitled to originate
• Never carry a default route on an IXP (or
private) peering router
• Failing to do so leads to route-hijacks and
leaks
General Info about IXPs
.
.
.
Source:https://prefix.pch.net/applications/ixpdir/summary/
.
.
.
General Info about IXPs
.
.
.
Source: https://prefix.pch.net/applications/ixpdir/?show_active_only=0&sort=traffic&order=desc
General Info about IXPs
Source: https://prefix.pch.net/applications/ixpdir/summary/ipv6/
HOW TO REQUEST INTERNET RESOURCES
• Go to https://solicitudes.lacnic.net/
• Or fill out a form and send it in the body of a
message to hostmaster@lacnic.net
– You can find templates at:
http://lacnic.net/templates/
• Once the online request or the form has been
processed by the system, the requestor will receive a
confirmation email with a ticket number.
• After that the hostmasters will analyze the request.
• If the request is approved, it may be necessary to pay
a fee and to sign the Registration Service Agreement.
Who can request resources?
• The person allowed to request resources for an
organization is the Administrative POC.
• To request resources through the new Requests
System you will have to log in using the
Administrative POC handle.
Requesting an ASN
• In order to qualify for an ASN allocation the organization
should have:
– A unique routing policy, meaning a policy that differs from that
applied by the upstream provider.
– Or, a network with more than one independent connection to the
Internet. (Multi-homed site)
• From January 1, 2007 to December 31, 2010 Lacnic assigned
ASN of 16 and 32bits upon request. However, since January 1,
2011 Lacnic stopped making distinctions between the
assignment of 16- and 32-bit Autonomous Systems Numbers
(ASNs) and will only assign ASNs from a general 32-bit pool.
This change will be introduced to comply with the Global
Policy "Internet Assigned Numbers Authority (IANA) Policy for
Allocation of ASN Blocks to Regional Internet Registries"
adopted in September 2010.
Micro-assignments to Critical Infrastructure
• Micro-assignment -> prefixes between /24 and /20.
• For projects and network infrastructure that are key or critical for the region,
such as IXPs (Internet Exchange Points), NAPs (Network Access Points), RIRs,
ccTLDs, among others.
• IXPs or NAPs must meet the following requirements:
– Duly document the following aspects:
• Prove by means of their bylaws their IXP or NAP capacity. The organization shall have at least
three members and an open policy for the association of new members.
• Submit a diagram of the organization's network structure.
• Document the numbering plan to be implemented.
– Provide a utilization plan for the following three and six months.
– If the applicant does not already have an IPv6 block assigned by LACNIC,
simultaneously request an IPv6 block in accordance with the corresponding
applicable policy.
• The rest of the applications shall be studied based on the analysis of the
documentation justifying the critical and/or key aspects of the project.
• Organizations receiving micro-assignments shall not sub-assign these IPv4
addresses.
Requesting an IPv4 block for ISPs
• To qualify for the allocation of a /22 block the org
must:
– Prove usage or immediate necessity of a /24
– Submit a detailed one-year usage plan for a /23
– Agree to renumber from previously allocated space and
return those IP addresses to their ISPs within 12 months
– If the applicant does not already have an IPv6 block
assigned by LACNIC, simultaneously request an IPv6
block in accordance with the corresponding applicable
policy.
• For a larger block additional requirements apply
Requesting an IPv6 block for ISPs
• To qualify for an initial allocation of a /32 block the
organization should:
– Be a LIR (Local Internet Registry), which means being an
organization that assigns address spaces for its network
services customers
– Not be an end site (end user)
– Document a detailed plan for the services and IPv6
connectivity to be offered to other organizations (clients)
– Announce the allocated block in the Internet inter-domain
routing system, with the minimum possible level of
disaggregation to the one that is publishing the IP blocks,
within a period no longer than 12 months.
– Offer IPv6 services to clients physically located within the
region covered by LACNIC within a period not longer than 24
months
More info
• Policy Manual
– http://www.lacnic.net/web/lacnic/manual
• Registration Services
– http://www.lacnic.net/web/lacnic/servicios-registro
ADVANCED TOPICS
Route Hijacking
• This occurs when a participant in the Internet
Routing announces a prefix for which it has no
authority
• Malicious or by operational errors
• More know cases:
– Pakistan Telecom vs. You Tube (2008)
– China Telecom (2010)
– Google in Eastern Europe (various AS, 2010)
– Latin American cases (beginning 2011)
Route Hijacking
AS 6057
announces
200.40/16
ASN 8158
ASN 8158
receives
receives y
200.40.0.0/16
200.40.0.0/16
200.40.235.0/24
AS 15358
announces
200.40.235.0/24
200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057
200.40.235.0/24 AS_PATH ASN1 ASN15358
Leaks
• There is not a standard definition of leaks
• But it happens when an ASN “leaks” noncustomer or self-originated routes to other
peers.
• The effects is to give transit to those networks
for the peers of the ASN
Route Leaks
2001:db8::/40
65536
2001:db8:100::/40 65537
How this
should work
without leaks
2001:db8::/40
ASN 64511
Traffic to whole
2001:db8::/40
goes this way
2001:db8:100:/40
Transit
2001:db8::/40
2001:db8:1/48
ASN 65536
2001:db8::/40
Peering
ASN 65537
2001:db8:100:/40
Route Leaks
2001:db8::/40
65536
2001:db8:100::/40 65537
2001:db8:1::/48
65536 65537
Now a Route
Leak
ASN 64511
2001:db8::/40
Traffic to
2001:db8:1::/48
goes this way
ASN 65536
2001:db8::/40
2001:db8:1/48
2001:db8::/40
Peering
2001:db8:100:/40
2001:db8::/40
2001:db8:1::/48
ASN 65537
2001:db8:100:/40
Transit
Attacks against the path
• AS Insertion:
– A router might insert one or more ASNs, other
than its own ASN, into an update message
• False (Route) Origination with valid ASN:
– A router might originate a route for a prefix using
an ASN not authorized to originate routes for that
prefix.
Attacks against the path
AS 6057
announces
200.40/16
ASN 6057
ASN 8158
ASN 8158
receives
receives y
200.40.0.0/16
200.40.0.0/16
200.40.235.0/24
Fake AS 6057
announces
200.40.235.0/24
200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057
200.40.235.0/24 AS_PATH ASN1 ASN15358
WELL KNOW INCIDENTS
Pakistan Telecom vs. Youtube
• On Sunday, 24 February 2008, Pakistan Telecom
(AS17557) started an unauthorized
announcement of the prefix 208.65.153.0/24
(Youtube)
• One of Pakistan Telecom's upstream providers,
PCCW Global (AS3491) forwarded this
announcement to the rest of the Internet, which
resulted in the hijacking of YouTube traffic on a
global scale.
• Reason: “Fat fingers”
• Video de RIPE NCC
– http://www.youtube.com/watch?v=IzLPKuAOe50
Moratel vs Google
• Reported by Cloudflare on November 06, 2012
• Google's services experienced a limited
outage for about 27 minutes over some
portions of the Internet.
• Moratel (23947) was “leaking” Google one
route and packets were going through
Indonesia
• Reason: “Fat fingers”
ASN and Prefix Hijack
• On 2011 one large European ISP complain that
one of their prefixes was being announced by
a Mexican ISP
• The Mexican ISP review their network but
could not found the problem
• Later it appears that a Brazilian ISP was using
the Mexican ISP’s ASN to announce the
European prefix
• Reason: Poor BGP knowledge
SECURING THE ROUTING SYSTEM
Recall how Internet Resources are managed
Recall how Internet Resources are managed
IANA
ARIN
ISP
LACNIC
NIC.br
NIC.mx
APNIC
ISP #1
LIRs/ISPs
RIPE NCC
LIRs/ISPs
End users
ISP mx
•Each RIR is an authoritative source of information about the
relation “user” <-> “resource”
•Each RIR operates its registration data base
•Members and RIRs sign Service Agreements between them
AfriNIC
Who has the "right" to use resources?
• When an ISP obtains resources from its RIR
(IPv6/IPv4/ASN):
– The ISP has to notify its upstream ASs which prefixes are going
to be announced via BGP
– This is usually done via e-mail, web forms or by updating an IRR
(Internet Routing Registry)
• Upstreams verify (or at least they should) the right of use
for the announced resources
– RIR WHOIS Text-based and not really suitable for automatic
usage
– IRR WHOIS Non-signed information, little additional tools
provided for verification of usage rights except for names,
phone numbers and email POCs
• This verification process is sometimes not as thorough as it
should be
What is RPKI?
• RPKI (Resource Public Key Infrastructure) allows
the validation of an organization right to use of a
certain resource (IPv4, IPv6, ASN)
• RPKI combines the hierarchy of the Internet
resource assignment model through RIRs with the
use of digital certificates based on standard X.509
• RPKI is standardized in the IETF through the SIDR
WG. It has produced RFCs 6480 – 6492
RPKI
• All RPKI signed objects are listed in public repositories
• After verification, these objects can be used to
configure filtering in routers
• Validation Process
– Signed objects have references to the certificate used to
sign them
– Each certificate has a pointer to an upper level certificate
– The resources listed in a certificate MUST be valid subsets
of the resources listed in its parent's certificate
– In this way a trust chain can be traced to a "trust anchor"
both cryptographically as well as in CIDR terms
X.509 v3 certificates with RFC 3779
extensions
Version
• X.509 Digital Certificates
– Subject, validity period, public
key and other fields
• With extensions:
– RFC 3779 defines extensions that
allow the representation of
Internet resources as certificate
fields
• List of IPv4, IPv6 and ASNs
assigned to an organization
• Implemented in OpenSSL 1.0c
onwards
Serial Number
Signature Algorithm
Issuer
Subject
Subject Public Key
Extensions
Subject Information
Authority (SIA)
Authority Information
Access (AIA)
Addr: 10.10.10.0
Asid: 65535
ROAs
• Using Certificates we can create objects
describing the origin of a prefix
• ROAs: Routing Origin Authorization
– ROAs contain data on the allowed origin-as for a
set of prefixes
– ROAs are signed using the certificates generated
by the RPKI
– Signed ROAs are copied to the repository
ROAs (ii)
• A simplified ROA contains the following information:
Prefix
MaxLen
Origin AS
Valid Since
Valid Until
200.40.0.0/17 20
6057
2013-01-02
2013-12-31
200.3.12.0/22 24
28000
2013-01-02
2014-12-31
• These ROAs states that:
– "The prefix 200.40.0.0/17 will be originated by ASN 6057
and could be de-aggregated up to /20" "This statement is
valid starting on Jan 2, 2013 until Dec 31, 2013"
• Other ROA content
– ROAs contain cryptographic material that allows validation
of the ROAs content
ROAs (iii) - Validation
• ROAs validation process includes:
– Criptographic validation of End Entity certificates
(EE) that are included in each ROA
– CIDR validation of resources listed in the EE
against the resources listed in the issuing
certificate
– Verification that prefixes listed in the route origin
attestations are included in the prefixes listed in
the EE certificates of each ROA
Creation of ROAs
Creation of ROAs
Origin Validation
• Routers build a database with the information
they receive from the caches
• This table contains
– Prefix, Min length, Max length, Origin-AS
• By applying a set of rules a validity status is
assigned to each UPDATE prefix
• Network operators can use “validity” attribute
to construct routing policies
Origin Validation
VALID
UPDATE 200.0.0.0/9
ORIGIN-AS 20
IP prefix/[min_len – max_len]
Origin AS
172.16.0.0 / [16-20]
10
200.0.0.0/[8-21]
20
• If the "UPDATE pfx" is not covered by any entry in
the DB -> "not found"
• If the "UPDATE pfx" is covered by at least one entry
in the DB, and the origin-AS matches the ASNs in
the DB -> "valid"
• If the origin-AS does NOT match -> "invalid"
Origin Validation
INVALID
UPDATE 200.0.0.0/22
ORIGIN-AS 20
IP prefix/[min_len – max_len]
Origin AS
172.16.0.0 / [16-20]
10
200.0.0.0/[8-21]
20
• If the "UPDATE pfx" is not covered by any entry in
the DB -> "not found"
• If the "UPDATE pfx" is covered by at least one entry
in the DB, and the origin-AS matches the ASNs in
the DB -> "valid"
• If the origin-AS does NOT match -> "invalid"
Origin Validation
INVALID
UPDATE 200.0.0.0/9
ORIGIN-AS 66
IP prefix/[min_len – max_len]
Origin AS
172.16.0.0 / [16-20]
10
200.0.0.0/[8-21]
20
• If the "UPDATE pfx" is not covered by any entry in
the DB -> "not found"
• If the "UPDATE pfx" is covered by at least one entry
in the DB, and the origin-AS matches the ASNs in
the DB -> "valid"
• If the origin-AS does NOT match -> "invalid"
Origin Validation
NOT FOUND
UPDATE 189.0.0.0/9
ORIGIN-AS 66
IP prefix/[min_len – max_len]
Origin AS
172.16.0.0 / [16-20]
10
200.0.0.0/[8-21]
20
• If the "UPDATE pfx" is not covered by any entry in
the DB -> "not found"
• If the "UPDATE pfx" is covered by at least one entry
in the DB, and the origin-AS matches the ASNs in
the DB -> "valid"
• If the origin-AS does NOT match -> "invalid"
Routing Policies with Origin-validation
• Using the BGP validation attribute network
operators can construct routing policies
• For example:
– Assign higher preference to routes with status
“valid” than routes with status “unknown”
– Drop routes with status of “invalid”
• Very important, RPKI is a source of data,
operators are free to use it as it suits them
better
RPKI in action
Routers validate updates
from other BGP peers
RPKI Management
System
Caches feeds routers
using RTR protocol with
ROA information
Cache
Repository
Caches retrieve and cryptographically validates
certificates and ROAs from repositories
RPKI Operation Modes
• “Hosted” mode
– LACNIC issues certificates and keeps public and private
keys in its systems
• Certificates are issued at the request of member
organizations
– LACNIC provides a web interface for management
• “Delegated” mode
– Each organization has it’s own certificate, signed by
LACNIC’s CA
– The organization sends signing requests to LACNIC,
who returns them signed
• “Up-down” protocol
RPKI today
• 5 CAs and repositories working (RIRs) in
hosted and delegated mode (just APNIC)
• Validation, CA and origin validation working
software and devices
• Some other tools built around (bgpmon,
LACNIC Labs, RIPE Labs)
• ~ 11,700 routes signed (~ 8.9% 1,226 invalid or
hijacks)
• Origin Validation available in Cisco, Juniper,
Quagga, BIRD
LACNIC’s RPKI Structure
Self-signed RTA
LACNIC RTA
LACNIC’s Resources
Signing chain
LACNIC
Production
<<INHERITED>>
ISP #2
ISP #1
Resouces of ISP #2
ROA
End Entity cert.
Resources of ISP #1
ROA
End Entity cert.
End User CA
#1
(Resources of EU#1)
ROA
End Entity cert.
ROA
End Entity cert.
LACNIC’s RPKI Structure (ii)
• CAs
– Entity that issues certificates (bit CA=1)
• ISPs can use the certificate to sign it’s clients’
certificates
• Certificates Repository
– Repository of certificates, CRLs and manifests
– Accesible through “rsync”
• Management Interface
– User web interface for those who prefer “hosted”
mode
RPKI CA Services
• Children certificates issuance when the
registration database is updated or on user
demand
• Children certificates revocation in a
centralized manner or on user demand
• Periodic issuance of CRL for CA certificate
• CA Certificate and children certificates
publication in a public repository (rsync)
Conclusions
• The routing system is one of the core
operations of the Internet
• Still is vulnerable to attacks and bad configs
• Some work has been done (RPKI, Origin
Validation)
• We need to continue our work
– Protocol specification
– Deployment (Filtering, RPKI, Origin validation)
Links / References
• LACNIC’s RPKI System
– http://rpki.lacnic.net
• LACNIC’s RPKI Repository
– rsync://repository.lacnic.net/rpki/
• To see the repository
– rsync --list-only
rsync://repository.lacnic.net/rpki/lacnic/
• RPKI Statistics
– http://www.labs.lacnic.net/~rpki
Questions?
Comments?
CASA DE INTERNET DE LATINOAMÉRICA Y EL CARIBE
twitter.com/LACNIC
facebook.com/ LACNIC
youtube.com/user/lacnicstaff
gplusme.at/LACNIC
Sofía Silva Berenguer
sofia @ lacnic.net
Thank you!
Download