24 - STUDENT - RTRlib: A flexible RPKI/Router Client for Securing BGP

Matthias Wählisch (Freie Universität Berlin)

The current Internet backbone is quite vulnerable against threats: misconfigurations as well as intended attacks (e.g., prefix hijacks) lead to disturbances on the BGP layer. A common anomaly is the incorrect announcement of the origin autonomous system (AS). A recent, prominent example in April 2010 shows that 15% of the US Internet traffic was redirected to China due to incorrectly announced IP prefixes [1, 243 ff.]. Traffic to all .gov servers and important companies, such as Google and IBM, flowed on erroneous paths towards an AS operated by China Telecom.
Securing BGP has been discussed for more than a decade in the research community [2]. Current efforts of the Secure Inter-Domain Routing (SIDR) working group within the IETF lie in the standardization of a set of protocols to enhance the security of BGP. They focus on solving two problems:
enable a router (a) to verify that a BGP update did originate at an authorized AS and (b) to verify that the AS path within the BGP update corresponds to the route traversed. Even though the latter is far from global deployment, first steps have been performed to tackle the first issue. An integral part for securing BGP is the Resource Public Key Infrastructure (RPKI) [3]. The RPKI is a robust security framework. It consists of a distributed repository that stores certificates and Route Origin Authorizations (ROAs). ROAs provide a secure binding between an IP prefix and an AS that is allowed to originate that prefix. Since January 2011, almost all Regional Internet Registries have officially started to deploy the RPKI infrastructure. RIPE, for example, enables its members to issue ROAs. RPKI-enabled routers do not store ROAs themselves but only the validated content of these authorizations. The validation of ROAs will be performed by trusted cache servers, which will be deployed at the network operator site (e.g., NRENs). The RPKI/RTR protocol [4] defines a standard mechanism to maintain the exchange of the prefix/origin AS mapping between the cache server and routers. In combination with a BGP prefix origin validation scheme, a router is able to verify received BGP updates without suffering from cryptographic complexity. In this poster, we present our RTRlib. This is a lightweight C library that implements the RPKI/RTR protocol for the router end [4] and the proposed prefix origin validation scheme [5].
The RTRlib provides functions to establish a connection to a single or multiple trusted caches and to determine the validation state of a prefix/origin AS mapping. The RTRlib is useful for developers of routing software but also for network operators. Developers can integrate the RTRlib into a BGP daemon to extend their implementation towards RPKI. Network operators may use the RTRlib to develop monitoring tools (e.g., to check the proper operation of caches or to evaluate their performance). We present first performance results and insights into the currently deployed RPKI infrastructure.
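The validation state that the abstract mentions (the outcome of checking a prefix/origin AS pair against the validated ROA payloads a router receives over RPKI/RTR) is worth seeing worked through. The following C program is an added example and is not code from RTRlib or from the authors: it implements the prefix origin validation scheme cited as [5] (standardized as RFC 6811) over a small in-memory table of ROA payloads. All function and type names (`roa_entry`, `validate_origin`, `check`, `load_sample_table`) are hypothetical, and the table itself is constructed from documentation prefixes and private AS numbers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Validation states of RFC 6811 prefix origin validation. */
typedef enum { PFX_VALID = 0, PFX_INVALID = 1, PFX_NOT_FOUND = 2 } pfx_state;

/* One validated ROA payload as a router receives it over RPKI/RTR:
 * prefix, prefix length, maximum length and the authorized origin AS.
 * (Hypothetical struct for this example; IPv4 only to keep it short.) */
typedef struct {
    uint32_t prefix;   /* IPv4 prefix, host byte order */
    uint8_t  len;      /* prefix length */
    uint8_t  max_len;  /* longest announcement length the ROA permits */
    uint32_t asn;      /* authorized origin AS (0 = nobody is authorized) */
} roa_entry;

/* Parse a dotted quad into a host-order uint32_t; returns 0 on failure. */
int ipv4_from_str(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Network mask for a prefix length; avoids the undefined 32-bit shift at len 0. */
static uint32_t mask_for(uint8_t len) {
    return len == 0 ? 0u : (0xFFFFFFFFu << (32 - len));
}

/* RFC 6811 origin validation: a ROA "covers" the announcement when its prefix
 * contains the announced prefix; it "matches" when, in addition, the announced
 * length is <= maxLength and the origin AS equals the ROA's AS.
 * Valid   : at least one matching ROA
 * Invalid : covering ROAs exist but none matches
 * NotFound: no covering ROA at all (the common state during partial deployment) */
pfx_state validate_origin(const roa_entry *table, size_t n,
                          uint32_t prefix, uint8_t len, uint32_t origin_as) {
    int covered = 0;
    for (size_t i = 0; i < n; i++) {
        const roa_entry *r = &table[i];
        if (r->len > len) continue;                     /* ROA is more specific */
        uint32_t m = mask_for(r->len);
        if ((r->prefix & m) != (prefix & m)) continue;  /* different address block */
        covered = 1;
        /* An AS 0 ROA authorizes nobody, so it can only make the prefix "covered". */
        if (r->asn != 0 && r->asn == origin_as && len <= r->max_len)
            return PFX_VALID;                           /* one matching ROA suffices */
    }
    return covered ? PFX_INVALID : PFX_NOT_FOUND;
}

/* Constructed sample cache content (documentation prefixes, private ASNs). */
static roa_entry sample_table[3];
static size_t sample_table_len = 0;

/* Fill the sample table; safe to call more than once. */
size_t load_sample_table(void) {
    const struct { const char *p; uint8_t len, max; uint32_t as; } rows[] = {
        { "192.0.2.0",   24, 24, 64496 },
        { "192.0.2.0",   24, 24, 64499 },   /* second authorized origin, same prefix */
        { "203.0.113.0", 24, 26, 64498 },   /* maxLength permits /25 and /26 */
    };
    sample_table_len = 0;
    for (size_t i = 0; i < 3; i++) {
        ipv4_from_str(rows[i].p, &sample_table[i].prefix);
        sample_table[i].len = rows[i].len;
        sample_table[i].max_len = rows[i].max;
        sample_table[i].asn = rows[i].as;
        sample_table_len++;
    }
    return sample_table_len;
}

/* Convenience wrapper: dotted-quad prefix, length and origin AS of an update. */
pfx_state check(const char *pfx, uint8_t len, uint32_t origin_as) {
    uint32_t p;
    if (sample_table_len == 0) load_sample_table();
    if (!ipv4_from_str(pfx, &p)) return PFX_NOT_FOUND;
    return validate_origin(sample_table, sample_table_len, p, len, origin_as);
}

int main(void) {
    static const char *names[] = { "VALID", "INVALID", "NOT_FOUND" };
    printf("192.0.2.0/24   AS64496: %s\n", names[check("192.0.2.0", 24, 64496)]);
    printf("192.0.2.0/24   AS64500: %s\n", names[check("192.0.2.0", 24, 64500)]);
    printf("192.0.2.128/25 AS64496: %s\n", names[check("192.0.2.128", 25, 64496)]);
    printf("203.0.113.64/26 AS64498: %s\n", names[check("203.0.113.64", 26, 64498)]);
    printf("10.0.0.0/8     AS64496: %s\n", names[check("10.0.0.0", 8, 64496)]);
    return 0;
}
```

Two details matter operationally: a more specific announcement than the ROA's maxLength is Invalid even from the authorized AS (which is how a sub-prefix hijack is caught), and a router that receives a validation state of NotFound has no evidence either way, so a BGP daemon should treat it differently from Invalid when deciding route preference.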

The URL to download the open-source software is http://rpki.realmv6.org/
