BGP, the interdomain routing protocol of the Internet, was designed long ago without considering security. In the last decade, the Internet started to experience a growing number of «routing incidents». These incidents can be the result of malicious attacks, but more often they are due to operational mistakes, or «mis-configurations» made by some network operator. Because of the forwarding mechanisms of BGP, it is easy for a single operational mistake to propagate and cause problems to a lot of networks, resulting in intercepting or «blackholing» other networks traffic. In order to address this, prefix origin validation, based on the Resource Public Key Infrastructure (RPKI), was proposed and developed. Many discussions are going on about RPKI: doubts on its usefulness, as well as doubts on quality of data present in its repositories. In this thesis we would like to achieve two goals. The first goal: give a clear overview on types and reasons of routing incidents, as well as discussing existing solutions to address them. The second goal: analyze the deployment of RPKI and the quality of the data contained in it, via measurements from several points of view. This second goal will provide to the reader and to network operators an exhaustive analysis on the quality of RPKI. In our results, we show problems detected in the history (such as RIR's RPKI repositories not operationally reliable), as well as current errors in the registration of RPKI resources. However, we also show how RPKI deployment is positively increasing, the number of problems is decreasing, what are the causes of this problems and why they are not so serious. Moreover, we present the work we've done in parallel with this thesis in order to help fixing these problems by publicizing measurements.
BGP, il protocollo di interdomain routing di Internet, fu progettato in passato senza considerarne la sicurezza. Nell'ultimo decennio, Internet è stato colpito da un numero crescente di «incidenti di routing» (o «routing incidents»). Questi incidenti possono essere il risultato di attacchi malevoli, ma più spesso sono causati da errori umani o errori di configurazione generati da operatori di reti. A causa dei meccanismi di inoltro di BGP, è facile che un singolo errore di configurazione possa propagarsi e causare problemi a tante altre reti, arrivando ad intercettare o interrompere il traffico destinato ad altre reti. Per risolvere ciò, la «prefix origin validation», basata sulla Resource Public Key Infrastructure (RPKI), è stata proposta e sviluppata. Molte discussioni sono state spese riguardo ad RPKI: dubbi sulla sua utilità, così come dubbi sulla qualità dei dati presenti nei suoi repositories. In questa tesi vogliamo raggiungere due scopi. Il primo scopo: fornire una panoramica completa sui motivi e sui tipi degli incidenti di routing, oltre a discutere le attuali soluzioni per fronteggiarli. Il secondo scopo: analizzare lo sviluppo di RPKI e la qualità dei dati in esso contenuti, tramite misurazioni da diversi punti di vista. Con questo secondo scopo forniremo al lettore ed agli operatori di reti una analisi esaustiva sulla qualità di RPKI. Nei nostri risultati, mostriamo problemi rilevati nell'analisi storica dei dati (come ad esempio il fatto che i repository RPKI dei RIR non sono operativamente affidabili), così come mostriamo errori attualmente presenti nella registrazioni di risorse RPKI. Tuttavia mostriamo anche come lo sviluppo di RPKI sta crescendo positivamente, il numero di problemi sta decrescendo nel tempo, analizziamo le cause di questi problemi e spieghiamo perché non sono così gravi. Inoltre, presentiamo il lavoro di pubblicazione delle misure, fatto in parallelo alla tesi con lo scopo di aiutare la comunità a risolvere questi problemi.
Study and measurements of the RPKI deployment
IAMARTINO, DANIELE
2014/2015
Abstract
BGP, the interdomain routing protocol of the Internet, was designed long ago without considering security. In the last decade, the Internet started to experience a growing number of «routing incidents». These incidents can be the result of malicious attacks, but more often they are due to operational mistakes, or «mis-configurations» made by some network operator. Because of the forwarding mechanisms of BGP, it is easy for a single operational mistake to propagate and cause problems to a lot of networks, resulting in intercepting or «blackholing» other networks traffic. In order to address this, prefix origin validation, based on the Resource Public Key Infrastructure (RPKI), was proposed and developed. Many discussions are going on about RPKI: doubts on its usefulness, as well as doubts on quality of data present in its repositories. In this thesis we would like to achieve two goals. The first goal: give a clear overview on types and reasons of routing incidents, as well as discussing existing solutions to address them. The second goal: analyze the deployment of RPKI and the quality of the data contained in it, via measurements from several points of view. This second goal will provide to the reader and to network operators an exhaustive analysis on the quality of RPKI. In our results, we show problems detected in the history (such as RIR's RPKI repositories not operationally reliable), as well as current errors in the registration of RPKI resources. However, we also show how RPKI deployment is positively increasing, the number of problems is decreasing, what are the causes of this problems and why they are not so serious. Moreover, we present the work we've done in parallel with this thesis in order to help fixing these problems by publicizing measurements.| File | Dimensione | Formato | |
|---|---|---|---|
|
2015_12_Iamartino.pdf
accessibile in internet per tutti
Descrizione: Testo della tesi
Dimensione
4.25 MB
Formato
Adobe PDF
|
4.25 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/114342