Securing Interdomain Network Routing with Resource Public Key Infrastructure (2019)

By Mark Goodwin, Cox Communications, Inc.

In 2018, 1,300 IP addresses were hijacked from Amazon Web Services (Route 53). This malicious attack resulted in service disruption for about two hours and the theft of approximately $150,000 in cryptocurrency.

Further (at no fault of Amazon), this attack exposed both ISP peers and customers to fraudulent routes, leaving them susceptible to attacks. The root cause of this incident—and hundreds of others like it—was the lack of security in the Border Gateway Protocol (BGP), the protocol used for interdomain network routing.

As BGP announces IP reachability information between domains, there is no way to validate the ownership of the announced IP resources. This vulnerability, documented in RFC 4272, creates opportunities for inadvertent advertisements and malicious theft of IP resources, and thus potentially affects network services and stability. As the Internet of Things (IoT) continues to spread across customer devices and raises reliability expectations on ISP networks, ISPs have a responsibility to deploy industry best security practices to protect the IP network for their customers.

This document introduces Resource Public Key Infrastructure (RPKI) with BGP Route Origin Validation (ROV) to mitigate the BGP security issues associated with origin attacks. RPKI is an out-of-band security infrastructure that uses public key cryptography to validate ownership of IP resources for a given Autonomous System (AS). This paper first details the existing vulnerabilities in BGP. Second, it shows how RPKI—together with deployment of BGP ROV—mitigates BGP hijacks and route leaks. Third, it outlines a deployment strategy for BGP RPKI. Finally, it demonstrates how an attacker's ability to hijack prefixes decreases as top ISPs adopt RPKI.
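As an added illustration that is not part of the paper, the origin-validation decision (RFC 6811) that a ROV-enabled router makes for each received announcement against the ROAs it has learned from an RPKI validator. The ROA set, prefixes and AS numbers below are constructed from documentation ranges, and `validate_update` is a hypothetical helper standing in for a router's per-UPDATE policy hook.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# The three validation states defined in RFC 6811.
VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload as a router would learn it from an RPKI validator."""
    prefix: str      # authorised prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the origin may announce under it
    asn: int         # AS authorised to originate the prefix


def origin_as(as_path: List[int], local_asn: int) -> int:
    """Origin AS is the last AS in AS_PATH; an empty path means a locally originated route."""
    return as_path[-1] if as_path else local_asn


def _covers(roa: ROA, net) -> bool:
    """A ROA covers an announcement when both are the same address family and the
    announced prefix lies inside the ROA prefix (the ROA may be less specific)."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def rov_state(prefix: str, origin: int, roas: Iterable[ROA]) -> str:
    """Classify one announcement against the ROA set (RFC 6811, section 2)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return NOT_FOUND  # nobody has published a ROA for this address space
    for r in covering:
        if r.asn == origin and net.prefixlen <= r.max_length:
            return VALID  # authorised origin, and no more specific than maxLength allows
    return INVALID  # covered, but wrong origin or more specific than the holder allowed


# Constructed ROA set using documentation prefixes and ASNs (RFC 5737, 3849, 5398), not real data.
SAMPLE_ROAS = [ROA("203.0.113.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64497)]


def validate_update(prefix: str, as_path: List[int], local_asn: int = 64500) -> str:
    """Validation result for a received UPDATE; a ROV policy would typically drop INVALID."""
    return rov_state(prefix, origin_as(as_path, local_asn), SAMPLE_ROAS)


if __name__ == "__main__":
    # A more-specific from an unauthorised origin is the classic hijack shape; ROV marks it Invalid.
    for p, path in [("203.0.113.0/24", [64500, 64496]), ("203.0.113.0/25", [64500, 64511])]:
        print(p, path, validate_update(p, path))
```

A NotFound result is the common case until holders publish ROAs, which is why the deployment strategy matters: ROV only protects prefixes that are covered.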
