Securing Interdomain Network Routing with Resource Public Key Infrastructure (2019)

By Mark Goodwin, Cox Communications, Inc.

In 2018, 1,300 IP addresses were hijacked from Amazon Web Services (Route 53). This malicious attack resulted in service disruption for about two hours and theft of approximately $150,000 in cryptocurrency.

Further (through no fault of Amazon), this attack exposed both ISP peers and customers to fraudulent routes, leaving them susceptible to further attacks. The root cause of this incident—and hundreds of others like it—was the lack of security in Border Gateway Protocol (BGP), the protocol used for interdomain network routing.

As BGP announces IP reachability information between domains, there is no way to validate who legitimately holds the announced IP resources. This vulnerability, documented in RFC 4272, creates opportunities for inadvertent advertisements and malicious theft of IP resources, and thus potentially impacts network services and stability. As the Internet of Things (IoT) continues to penetrate customer devices and raises reliability expectations of ISP networks, ISPs have a responsibility to deploy industry best security practices to protect the IP network for customers.

This document introduces Resource Public Key Infrastructure (RPKI) with BGP Route Origin Validation (ROV) to mitigate the security issues of BGP associated with origin attacks. RPKI is an out-of-band security infrastructure that uses public key cryptography to validate ownership of IP resources for a given Autonomous System (AS). This paper first details the existing vulnerabilities of BGP. Second, it shows how RPKI—together with deployment of BGP ROV—mitigates BGP hijacks and route leaks. Third, it outlines a deployment strategy for BGP RPKI. Finally, this paper demonstrates how an attacker's ability to hijack prefixes decreases after top ISPs adopt RPKI.
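To make the ROV decision concrete, the following is an added illustration (not code from the paper) of the RFC 6811 origin validation algorithm a router applies to each received route against its validated ROA cache: a route is Valid if some ROA covering its prefix names the same origin AS and the route is no more specific than the ROA's maxLength, Invalid if it is covered but nothing matches, and NotFound if no ROA covers it. The ROAs, prefixes and ASNs are constructed from documentation ranges and private-use AS numbers.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added example, not code from the paper: the ROAs and routes below are
constructed from documentation prefixes and private-use ASNs."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A validated Route Origin Authorization (prefix, maxLength, origin AS)."""
    prefix: str
    max_length: int
    asn: int  # 0 is the AS0 ROA: nobody may originate this prefix


# Constructed sample of the validated ROA cache a router receives from its RPKI validator.
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),   # allows /22 through /24 from AS64497
    ROA("192.0.2.0/24", 24, 0),          # AS0: prefix must never be announced
    ROA("2001:db8::/32", 48, 64496),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return the RFC 6811 state: 'Valid', 'Invalid' or 'NotFound'."""
    route = ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA only covers routes of the same address family inside its prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS (never AS0) and not more specific than maxLength.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    # Covered but nothing matched: wrong origin, too-specific prefix, or AS0 ROA.
    return "Invalid" if covered else "NotFound"


def accept_route(prefix: str, origin_asn: int, roas=ROAS) -> bool:
    """ROV policy: drop Invalid routes; accept Valid and (unsigned) NotFound routes."""
    return validate_origin(prefix, origin_asn, roas) != "Invalid"


if __name__ == "__main__":
    # A legitimate announcement, an announcement from the wrong AS, and a more-specific one.
    for p, asn in [("203.0.113.0/24", 64496), ("203.0.113.0/24", 64511), ("203.0.113.0/25", 64496)]:
        print(p, asn, validate_origin(p, asn), "accept" if accept_route(p, asn) else "drop")
```

Routes with no covering ROA stay NotFound, which is why the paper's final section matters: only once large holders publish ROAs does "drop Invalid" actually constrain an attacker.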

