Securing Interdomain Network Routing with Resource Public Key Infrastructure (2019)

By Mark Goodwin, Cox Communications, Inc.

In 2018, 1,300 IP addresses were hijacked from Amazon Web Services (Route 53). This malicious attack resulted in service disruption for about two hours and theft of approximately $150,000 in cryptocurrency.

Further, through no fault of Amazon, this attack exposed both ISP peers and customers to fraudulent routes, leaving them susceptible to attacks. The root cause of this incident, and of hundreds of others like it, was the lack of security in Border Gateway Protocol (BGP), the protocol used for interdomain network routing.

As BGP announces IP reachability information between domains, there is no way to validate the ownership of the IP information. This vulnerability, which arises from RFC 4272, creates opportunities for inadvertent advertisements and malicious theft of IP resources, and thus potentially impacts network services and stability. As the Internet of Things (IoT) continues to penetrate customer devices and increases reliability expectations on ISP networks, ISPs have a responsibility to deploy industry best security practices to protect the IP network for customers.

This document introduces Resource Public Key Infrastructure (RPKI) with BGP Route Origin Validation (ROV) to mitigate the security issues of BGP associated with origin attacks. RPKI is an out-of-band security infrastructure that uses public key cryptography to validate ownership of IP resources for a given Autonomous System (AS). This paper first details the existing vulnerabilities with BGP. Second, it shows how RPKI, together with deployment of BGP ROV, mitigates BGP hijacks and route leaks. Third, it outlines a deployment strategy for BGP RPKI. Finally, this paper demonstrates how an attacker's power to hijack prefixes decreases after top ISPs adopt RPKI.
