Incrementally deployable secure Internet routing: operator survey
Dear Nanog, Knowing how challenging it is to apply new technologies to current networks, in a collaboration between ETH, Princeton University, and University of Virginia, we constructed a system that provides security benefits for current Internet users while requiring minimal changes to networks. Our design can be built on top of the existing Internet to prevent routing attacks that can compromise availability and cause detrimental impacts on critical infrastructure – even given a low adoption rate. This provides benefits over other proposed approaches such as RPKI that only protects a route’s origin first AS, or BGPsec that requires widespread adoption and significant infrastructure upgrades. Our architecture, called Secure Backbone AS (SBAS), allows clients to benefit from emerging secure routing deployments like SCION by tunneling into a secure infrastructure. SBAS provides substantial routing security improvements when retrofitted to the current Internet. It also provides benefits even to non-participating networks and endpoints when communicating with an SBAS-protected entity. Our ultimate aim is to develop and deploy SBAS beyond an experimental scope. We have designed a survey to capture the impressions of the network operator community on the feasibility and viability of our design. The survey is anonymous and takes about 10 minutes to complete, including watching a brief 3-minute introductory video. https://docs.google.com/forms/d/e/1FAIpQLSc4VCkqd7i88y0CbJ31B7tVXyxBlhEy_zsYZByx6tsKAE7ROg/viewform?usp=pp_url&entry.549791324=NANOG+mailing+list We thank you for helping inform our further work on this project. We will be happy to share the results with the community. With kind regards Prateek Mittal, Adrian Perrig, Yixin Sun
Matt Harris|Infrastructure Lead 816-256-5446|Direct Looking for help? Helpdesk|Email Support We build customized end-to-end technology solutions powered by NetFire Cloud. On Fri, Dec 17, 2021 at 12:51 PM Adrian Perrig <perrig@gmail.com> wrote:
Dear Nanog,
Knowing how challenging it is to apply new technologies to current networks, in a collaboration between ETH, Princeton University, and University of Virginia, we constructed a system that provides security benefits for current Internet users while requiring minimal changes to networks. Our design can be built on top of the existing Internet to prevent routing attacks that can compromise availability and cause detrimental impacts on critical infrastructure – even given a low adoption rate. This provides benefits over other proposed approaches such as RPKI that only protects a route’s origin first AS, or BGPsec that requires widespread adoption and significant infrastructure upgrades.
Our architecture, called Secure Backbone AS (SBAS), allows clients to benefit from emerging secure routing deployments like SCION by tunneling into a secure infrastructure. SBAS provides substantial routing security improvements when retrofitted to the current Internet. It also provides benefits even to non-participating networks and endpoints when communicating with an SBAS-protected entity.
Our ultimate aim is to develop and deploy SBAS beyond an experimental scope. We have designed a survey to capture the impressions of the network operator community on the feasibility and viability of our design. The survey is anonymous and takes about 10 minutes to complete, including watching a brief 3-minute introductory video.
We thank you for helping inform our further work on this project. We will be happy to share the results with the community.
With kind regards Prateek Mittal, Adrian Perrig, Yixin Sun
Adrian, After viewing the video you included, I'm still not sure what SCION is or how it works (as best I can tell, a bunch of folks get together, share an AS border, and just do private AS peering with one another inside, then the shared AS border does the internet advertising of whatever public networks they wish?), but it sounds like your proposed monolithic new exercise wouldn't offer much beyond what could be done by allowing folks to get a default route VPN to a provider that does strict AS border RPKI ROV already. Can you describe how this would be better or stronger protection from any given attack than that, in a meaningful enough way as to make it worth potentially creating massive bureaucracies and new technical systems which seems to rely on massive networks of VPNs overlaid over the existing public internet? - mdh
Adrian, //Speaking as RTGWG co-chair As commutated to SCION proponents before, a detailed presentation at IETF RTGWG would be a good starting point. Please consider doing so at the upcoming IETF113. The best way is to subscribe to rtgwg mailing list and respond to chairs email request for presentations, perhaps you’d also want to respond to comments/questions after tthe presentation, being subscribed would facilitate that. Usually we’d prefer a draft to allow for a presentation, however, for the intro (unless you would actually go ahead and write an architecture draft), we’d be ok with just a presentation. Please let me know if you have got any questions. Cheers, Jeff
On Dec 17, 2021, at 12:27, Matt Harris <matt@netfire.net> wrote:
Matt Harris | Infrastructure Lead 816‑256‑5446 | Direct Looking for help? Helpdesk | Email Support
We build customized end‑to‑end technology solutions powered by NetFire Cloud.
On Fri, Dec 17, 2021 at 12:51 PM Adrian Perrig <perrig@gmail.com> wrote:
Dear Nanog,
Knowing how challenging it is to apply new technologies to current networks, in a collaboration between ETH, Princeton University, and University of Virginia, we constructed a system that provides security benefits for current Internet users while requiring minimal changes to networks. Our design can be built on top of the existing Internet to prevent routing attacks that can compromise availability and cause detrimental impacts on critical infrastructure – even given a low adoption rate. This provides benefits over other proposed approaches such as RPKI that only protects a route’s origin first AS, or BGPsec that requires widespread adoption and significant infrastructure upgrades.
Our architecture, called Secure Backbone AS (SBAS), allows clients to benefit from emerging secure routing deployments like SCION by tunneling into a secure infrastructure. SBAS provides substantial routing security improvements when retrofitted to the current Internet. It also provides benefits even to non-participating networks and endpoints when communicating with an SBAS-protected entity.
Our ultimate aim is to develop and deploy SBAS beyond an experimental scope. We have designed a survey to capture the impressions of the network operator community on the feasibility and viability of our design. The survey is anonymous and takes about 10 minutes to complete, including watching a brief 3-minute introductory video.
We thank you for helping inform our further work on this project. We will be happy to share the results with the community.
With kind regards Prateek Mittal, Adrian Perrig, Yixin Sun
Adrian, After viewing the video you included, I'm still not sure what SCION is or how it works (as best I can tell, a bunch of folks get together, share an AS border, and just do private AS peering with one another inside, then the shared AS border does the internet advertising of whatever public networks they wish?), but it sounds like your proposed monolithic new exercise wouldn't offer much beyond what could be done by allowing folks to get a default route VPN to a provider that does strict AS border RPKI ROV already. Can you describe how this would be better or stronger protection from any given attack than that, in a meaningful enough way as to make it worth potentially creating massive bureaucracies and new technical systems which seems to rely on massive networks of VPNs overlaid over the existing public internet?
- mdh
Hi all, On Fri, 17 Dec 2021 at 19:50, Adrian Perrig <perrig@gmail.com> wrote:
other proposed approaches such as RPKI that only protects a route’s origin first AS, or BGPsec that requires widespread adoption and significant infrastructure upgrades.
For both RPKI-based BGP Route Origin Validation and RPKI-based BGPsec - that meme “widespread adoption is a prerequisite to benefit” is somewhat annoying in getting widespread adoption going. Plz Stop It! :-) In my opinion, global scale BGP routing security does *not* depend on concepts like “herd immunity”. Rather, I would frame “BGP routing security” as a problem requiring selfish acts, not collective action. The benefits become immediately available to you and your EBGP peer (who agreed to participate in the effort). Commercial incentives align with upgrading (both transport capacity and security) one peer at a time. All of RPKI ROV, BGPsec, ASPA/peerlock, and even older plain-text stuff like “IRR” are incrementally deployable technologies; because how else would one ever get anything deployed in fast-and-wide growing multiple-operator networks such as the Internet? Nothing happens at the same time. But when it happens, it progresses at the pace of decades, at times so slow one might think the paint isn’t drying on the wall. BGP sessions “worth protecting” usually are the revenue generating/cost reduction sessions, and as such usually are assigned highest LOCAL_PREF. I think this property has interesting implications on how routing security features become available and are demanded from others throughout the ecosystem. For most networks at the edge, the private peering sessions also are the BGP sessions with the least BGP state on either side, compared to say upstream. The “significant upgrades” aspect is just part of the job and happen no matter what. Every network replaces all their kit at some point in time; but sometimes it takes as long as ten to fifteen years! The good news is that every replacement also comes with improved cryptographic op accelerators in the CPU and more memory; and it all seems to be converging towards commonly available general purpose computing systems on which people can run any BGP stack they want. I’m bullish on BGP routing security tech already specified and published through the IETF process :-) Kind regards, Job
the way i think of it is that rpki-based rov is a thousand points of light, each independently having a specified security property. rpki-based bgpsec forms islands of varied sizes, each island having a specified security property (quite different from that of rov). islands may merge to form larger islands. randy
participants (5)
-
Adrian Perrig
-
Jeff Tantsura
-
Job Snijders
-
Matt Harris
-
Randy Bush