The Internet Engineering Task Force (IETF) meeting was held on July 14 – 20, 2018 in Montreal, where over 1,000 representatives of the professional community discussed the evolution of the Internet architecture, Internet standards and protocols.
Alexander Azimov, a network architect at Qrator Labs, introduced two new draft standards that would enable telecom operators to verify the BGP AS_PATH attribute. This should significantly increase protection against BGP anomalies, which can result both from mistakes and from malicious traffic redirection (man-in-the-middle attacks).
BGP (Border Gateway Protocol) is the basic Internet protocol enabling communication between ISPs. Because BGP was designed with no mechanism for verifying received routes, two kinds of anomaly follow: route leaks and BGP hijacks. The protocol is increasingly being used to carry out attacks. Traffic hijacking makes it easy to redirect users to phishing sites and thereby gain access to their logins, passwords and other user data.
BGPsec, an extension of the BGP protocol, was designed to solve this problem by adding hop-by-hop cryptographic signatures for the most important BGP attributes. However, BGPsec turned out to be so computationally expensive that no ISP could support it. Moreover, equipment vendors have made no persistent effort to implement it, so telecom operators are not interested in deploying the technology. BGPsec also retains backward compatibility with "old" BGP, which becomes a vulnerability of the whole system: BGPsec guarantees protection against BGP anomalies only if an attacker agrees to support it.
Qrator Labs proposes replacing strict cryptographic BGPsec validation with verification of the AS_PATH attribute that works within the existing protocol, relying on a new RPKI object rather than on changes to BGP itself.
RPKI (Resource Public Key Infrastructure) is a hierarchical public key infrastructure (PKI) designed to authorize, distribute and validate objects related to global Internet routing. RPKI allows telecom operators to register their own objects, collect those of others and validate the origin of routing information. Currently the only such object is the ROA (Route Origin Authorization), which operators use to describe the networks they announce. This object is used to filter some types of BGP anomalies.
The new RPKI object, ASPA (Autonomous System Provider Authorization), will enable ISPs to register their upstream providers, allowing other operators to verify the correctness of the AS_PATH attribute in routes received from customers and peering partners. Thus, even partial deployment will deprive an attacker of the ability to construct a BGP message that is valid with respect to the ASPA records.
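To make the ASPA idea concrete, here is an added example (not code from the page or from the drafts) that models ASPA records as a map from a customer AS to its authorized providers and walks the AS_PATH of a route received from a customer or peer, hop by hop, toward the local AS. The ASNs and records are constructed, and the check is a simplified model of the verification described above, not the draft's exact procedure.

```python
from typing import Dict, List, Set

# Constructed ASPA-style records: customer AS -> set of authorized provider ASes.
# All ASNs here are private-range values chosen for this example.
ASPA: Dict[int, Set[int]] = {
    64500: {64510, 64520},  # origin network, multihomed to two providers
    64510: {65000},         # provider of 64500, a customer of our AS 65000
    64520: {65000},         # provider of 64500, also our customer
}


def hop_state(customer: int, candidate_provider: int, aspa: Dict[int, Set[int]]) -> str:
    """Check one AS_PATH adjacency: is candidate_provider an authorized provider of customer?"""
    providers = aspa.get(customer)
    if providers is None:
        return "unknown"  # the customer AS has published no ASPA record
    return "valid" if candidate_provider in providers else "invalid"


def verify_as_path(local_as: int, as_path: List[int], aspa: Dict[int, Set[int]],
                   from_peer: bool = False) -> str:
    """Verify a route learned from a customer (or, with from_peer=True, a lateral peer).

    as_path is in wire order: leftmost AS is the neighbor, rightmost is the origin.
    Walking from the origin toward local_as, every hop must go from an AS to one of
    its authorized providers; a hop that contradicts a published record is a leak or
    hijack. For a customer the neighbor -> local_as hop is checked as well; for a
    peer it is not, since a peer does not list us as its provider.
    Returns 'valid', 'invalid' or 'unknown'.
    """
    if not as_path:
        return "invalid"
    chain = list(as_path) if from_peer else [local_as] + list(as_path)
    worst = "valid"
    for left, right in zip(chain, chain[1:]):
        if left == right:
            continue  # AS_PATH prepending by the same AS is not a hop
        # 'right' sent the route to 'left', so 'left' must be an authorized provider of 'right'
        state = hop_state(right, left, aspa)
        if state == "invalid":
            return "invalid"
        if state == "unknown":
            worst = "unknown"
    return worst
```

A route whose every hop is customer-to-provider verifies as "valid"; a customer re-announcing a route it learned from its other provider, or an AS announcing a path through an origin that never authorized it, fails at the offending hop.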
"The best is the enemy of the good, and BGP was not an exception. Ideal mathematical models do not always have a place in the real world, where there is a fight not only with attackers but also with CAPEX/OPEX. The technology presented by our team at the IETF meeting turned out to be much more lightweight than its previous alternatives, since it does not require changing the BGP protocol itself. At the same time it solves 99% of the problems with BGP anomalies. Our draft elicited a response from both telecom operators and registries. However, it will take a few years before this technology is implemented by telecom operators," said Alexander Azimov, a network architect at Qrator Labs.
"Qrator Labs has been actively participating in IETF work for several years. Introducing to the professional community a fundamentally new technology that solves one of the main security problems of Internet protocols has become a significant achievement for our team. Our project was supported by notable and experienced specialists in Internet development and support. They will help us continue our work on creating a new standard enabling the effective operation of modern networks," said Alexander Lyamin, founder and CEO of Qrator Labs.
The authors of the new Internet-Drafts are Alexander Azimov, Evgeny Uskov and Evgeny Bogomazov from Qrator Labs, Randy Bush from Internet Initiative Japan, Keyur Patel from Arrcus, Job Snijders from NTT Communications and Russ Housley from Vigil Security.