Securing Critical Internet Infrastructure: an RPKI case study in Ecuador
Securing the Critical Internet Infrastructure is an ongoing challenge for operators, and one that requires collaboration across administrative boundaries. A lot of attention has been given in recent years to securing the Domain Name System through a technology called DNSSEC. However, in the last couple of years, attention has shifted to the security of the Internet routing system and the best practices adopted by network operators around the globe in this area. The main questions these efforts are trying to answer are: is your network authorised to use resources such as IP addresses? Do my packets travel through the advertised path, or are they diverted on their way? These problem statements may sound too technical for the audience, but in reality they quickly translate into real business impact. Unauthorised claiming of network resources has been proven to cause downtime not only for one web server but for complete networks. In particular, imagine a phishing attack where the IP address, the domain name and the TLS certificate are legitimate but you are simply interacting with the wrong network. The hijack of IP addresses is normally due to bad operational practices (basically misconfigurations that leak to the global Internet), but it is also suspected of playing a role in spam and other sensitive areas in security.
The global inter-domain routing infrastructure depends on BGP, a protocol that was initially developed in the early 90s. Operators know that a number of techniques are needed to improve BGP security. Despite these improvements, it is still possible to impersonate the entity that holds the right of use of Internet resources and produce a prefix hijack, as in the famous YouTube incident in 2007. The IETF, vendors and Regional Internet Registries have been working inside the SIDR working group to create technologies that allow cryptographic validation. The first outcome of this effort has been the Resource Public Key Infrastructure (RPKI) and BGP origin AS validation, two complementary technologies that work together to improve inter-domain routing security.
Last September something exceptional happened in Ecuador, a small South American country: the entire local network operation community got together to be pioneers in securing their local Internet infrastructure by registering their networks in the RPKI system and implementing secure origin AS validation. The objective of the project was to demonstrate how the technology could solve real operational problems in a fully deployed environment. We started the project with the aspiration of covering 80% of the country inside the RPKI system. At the end of the workshop, we had surpassed our goal, achieving more than 90%.
After this success story, we are now working on documenting our lessons learned and disseminating them. Two sessions are planned for the next Cisco Live Milan in late January 2014 where this topic will be covered:
Route Security for Inter Domain Routing – MIL1415166
Advance inter-domain BGP routing Laboratory – MIL1415187