BGP route validation
SURFnet and security are like Cain and Abel. That’s obvious to anybody who has been the subject of DDoS attacks or has been in contact with SURFcert. From the beginning, SURFnet has always paid a lot of attention to security in connection with the Internet, the SURFnet network, and the networks of its connected institutions.
A “new kid on the block” has now entered the world of security. As a connected institution you probably won’t notice it very much, but have you ever browsed the Internet and ended up on a website you didn’t expect?
Routing on the Internet works with Autonomous System (AS) numbers (an administrative number for a particular network) and IP prefixes.
IP prefixes are normally announced to other networks using BGP (https://en.wikipedia.org/wiki/Border_Gateway_Protocol). A prefix should only be originated by the AS (you can think of an AS as one network that is part of the Internet) in which the legitimate holder of that prefix actually runs the hosts using those IP addresses. But the Internet wouldn’t be the Internet if people didn’t try to get your traffic to their servers, for whatever reason. BGP itself has no built-in check on who is allowed to originate a prefix. If somebody on the Internet announces a prefix that is not theirs, and the immediately neighbouring networks don’t have their BGP filters in place, a prefix that belongs to AS A can be announced as originating from AS B and will be accepted by the rest of the Internet. That attracts your traffic to AS B instead of AS A, and as an end user you have no way of checking at the routing level that your traffic really ends up at the server you were aiming for.
This is a major security problem! People can now pretend to be your bank, or your health insurance company, or… well, I think you get the point.
Work has been going on for some time now to develop a solution, and SURFnet is actively involved in this. The solution under development is to prove cryptographically that the holder of a certain IP prefix has authorised a certain AS number to originate it. When a BGP router can check that a prefix it receives really belongs to the AS from which it is announced as originating, it can install the route in its routing table. If the prefix does not belong to the origin AS in the announcement, the router can refuse to install it. In practice the router does not do the cryptographic verification itself: a separate validator checks the signed statements and feeds the router a list of validated prefix-to-AS pairs, so the router only has to do the comparison.
The system of coupling prefixes to AS numbers and proving this cryptographically is called RPKI (Resource Public Key Infrastructure); the check a router performs on incoming announcements is called Route Origin Validation. Each received prefix is labelled valid, invalid, or unknown (in the standard’s terms “not found”: no RPKI statement covers that prefix at all), and the router can decide per label what to do. If AS B announces an IP prefix that the holder has registered for AS A, this infrastructure marks the announcement from AS B as invalid, while the same prefix announced from AS A is marked valid. Note that this validates only the origin of a prefix, not the rest of the AS path, so an attacker who announces the prefix with the correct origin AS at the end of the path is not caught by origin validation alone.
SURFnet is now on the way to implementing this technology in its routing system, although applying strict policies (rejecting unknown-labelled or even invalid-labelled prefixes outright) is not yet possible: too many legitimate prefixes still have no RPKI statement at all, and some legitimate announcements are still marked invalid because of incorrect registrations. Measurements such as these (http://www.jackloots.nl/surfnet/rpki) show the actual number of prefixes in the routing table and how many carry each validation state.
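To make the valid/invalid/unknown labelling and the per-state counting described above concrete, here is the Route Origin Validation comparison (as specified in RFC 6811) worked through in plain Python. This is an added example and not SURFnet’s code or the logic of any particular router; the validated prefix/maxLength/origin-AS entries (VRPs) and the BGP announcements are constructed from documentation address ranges and private AS numbers purely for illustration. The example also covers two cases the text does not spell out: a more-specific prefix that is longer than the maxLength a holder allowed, and an “AS 0” entry that a holder publishes to say nobody may originate a prefix.

```python
"""Route Origin Validation (RFC 6811) worked through in plain Python.

Added illustration, not SURFnet's implementation: a real router does not do the
ROA cryptography itself but receives already-validated (prefix, maxLength,
origin AS) triples from a validator and only performs the comparison shown here.
All prefixes and AS numbers below are constructed and are not real routing data.
"""
import ipaddress
from collections import Counter

# Constructed VRPs: (prefix, maxLength, origin AS). A VRP states that the AS may
# originate the prefix and any more-specific of it up to maxLength bits.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
    ("203.0.113.128/25", 25, 0),   # AS0 entry: nobody may originate this prefix
]

# Constructed announcements: (prefix, origin AS) as carried in a BGP UPDATE.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # exact match                 -> valid
    ("192.0.2.0/24", 64511),       # wrong origin (hijack)       -> invalid
    ("198.51.100.0/24", 64497),    # more specific, <= maxLength -> valid
    ("198.51.100.0/25", 64497),    # more specific than maxLength -> invalid
    ("203.0.113.0/24", 64498),     # no covering VRP             -> unknown
    ("203.0.113.128/25", 0),       # AS0 VRP never matches       -> invalid
    ("2001:db8:1::/48", 64496),    # IPv6, within maxLength      -> valid
    ("2001:db8:1::/64", 64496),    # IPv6, too specific          -> invalid
]


def parse_vrps(vrps):
    """Turn the textual VRP list into (ip_network, maxLength, AS) tuples."""
    return [(ipaddress.ip_network(p, strict=False), maxlen, asn)
            for p, maxlen, asn in vrps]


VRP_TABLE = parse_vrps(VRPS)


def validate(prefix, origin_as, vrp_table=VRP_TABLE):
    """Return 'valid', 'invalid' or 'unknown' for one announcement.

    A VRP *covers* the route if the announced prefix lies inside the VRP
    prefix; it *matches* if in addition the origin AS is equal and the
    announced prefix length does not exceed maxLength. Any match -> valid;
    covered but never matched -> invalid; not covered at all -> unknown.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp_net, max_len, vrp_as in vrp_table:
        if vrp_net.version != net.version:
            continue                  # subnet_of() refuses mixed address families
        if not net.subnet_of(vrp_net):
            continue                  # not a covering VRP
        covered = True
        if vrp_as == 0:
            continue                  # AS0 VRPs only ever make covered routes invalid
        if vrp_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def policy(state, reject_invalid=True, reject_unknown=False):
    """Per-state route policy. Rejecting unknowns is the strict mode that is not
    yet practical while many legitimate prefixes have no RPKI statement."""
    if state == "invalid" and reject_invalid:
        return "reject"
    if state == "unknown" and reject_unknown:
        return "reject"
    return "accept"


def tally(announcements, vrp_table=VRP_TABLE):
    """Count announcements per validation state, like the measurement page."""
    return Counter(validate(p, asn, vrp_table) for p, asn in announcements)


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        state = validate(prefix, asn)
        print(f"{prefix:>20} AS{asn:<6} {state:<8} -> {policy(state)}")
    print(dict(tally(ANNOUNCEMENTS)))
```

Two details worth noticing: the announcement that is covered by a VRP but longer than its maxLength is invalid even though the origin AS is right, which is exactly how a more-specific hijack from the legitimate AS's own address space is caught; and a prefix with no covering VRP at all is only ever "unknown", which is why a policy that rejects unknowns cannot be switched on until the vast majority of prefixes have a registration.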
I sincerely hope the number of valids will increase and that both the invalids and unknowns will drop to zero. This will take more effort from a lot of parties, but the necessary work is being done. We are therefore on the way towards an Internet that will be a little bit safer.