Verify Countersignature Validated with airSlate SignNow

Lots authenticate countersign

ok so for the next talk I wanted to call up Russ white from LinkedIn he's going to talk to us about bgp okay clickers right here and so today I am working under a double disadvantage they put behind a puppy behind a podium and I walk when I speak as my step father used to say mommy mommy why am i running around in circles shut up or I'll know your other foot to the floor and they won't let me draw in the slides and I have to talk with my hands so if I wave my hands randomly just ignore it okay so that's ok so today I'm Russ why time with LinkedIn you may remember me from other places and other times but right now I'm at LinkedIn on the architecture team doing cool stuff with datacenter and bgp and bgp security going to linkedin has convinced me of or has impressed upon me the importance of path validation and bgp security we're an open peering company and pass validation and beach p security or a big deal to us so i want to walk along and just talk a little bit about where we are where I think we are and I'm going to give you some ideas about what I'm working on right now or what I have a small group of people working on right now but I want to impress on you one thing from this talk is that whether or not we have a viable solution we need one because this is a big deal and it's coming our way like a freight train I have some inside contacts at DHS and other places and I've been told that there is no government mandate right now from the US government to do something about bgp security but there probably will be in some period of forthcoming time and whatever system happens to be on the block when that mandate comes will be the system that that will be mandated so if you don't like what's on the block or if you think it's not deployable or it's not deployable in your network then the time to speak up and do something about it or to try to help design something that you find deployable or whatever is in the now rather than in the five years when and eight hits or whatever the time frame is I don't want to give a specific time frame I'm just making things up okay so I did that a lot by the way all right so we already have origin authentication and I really don't have to spend a lot of time on these slides right because you already know this we have the RPG I and I'm not here to tell you that we should either use or not use the rpki that's acts a decision that LinkedIn is going through right now is trying to figure out what we do with the RPG I stuff so that's okay but we all know how this works right we have a 65,000 to is authorized to advertise some / 64 DBA 01 / 64 you should be proud of me that I'm using these six addresses right I have converted all of my writing and all of my other stuff to be six addresses anyway 65,000 and those are actually the right ones to you know I didn't use just some public space those are actually the documentation addresses so 65,000 to creates a resource certificate sign with a private key and additional parameters this is placed in our pikia database which is today distributed through our sink and then when you actually look at hello maybe not Tony ah I think I actually want one slide too far didn't I that's okay so now when in a 65,000 receives this route for DB 80 once I 64 it can use the public key from the RPI and it can validate the art of the r-la which is countersigned by the ir or the nick or whatever you want to go into for language there and it can check the origin authentication this is really cool this is useful it gives me or 'then authen origin authentication I'm again not going to discuss what the deployments day this is I think Aaron just came on board which is probably a good thing and we're looking at what we're going to do with this now this is kind of cool but there are lots of attacks that still can happen with origin authentication only for instance I can a 65,000 three who wants to consume the traffic for DBA zero once I 64 can advertise the oh I used in ipv4 address in the slide and it's the wrong address that really stinks anyway I didn't catch them all so can advertise DB 80 once I 64 you set to pretend that's a v6 address with a one behind it can say I am attached to a 6500 too and I have a connection to them so they're farming advertised this route with 6500 to 6500 three in the AAS path and 65,000 will be none the wiser so to get around this type of attack we need some sort of path validation so first thing I will do is I will talk about a little bit requirement I've had a lot of people ask me about pass validation in the last six months or so and again like I said when I on-boarded with LinkedIn the first thing they impressed on me was that path validation is a big deal for us and there are various reasons that I could get into but I won't but anyway so some of the requirements that I've talked to people about and you can agree or disagree and I'm happy if you disagree in fact I'm really happy if you disagree or disagree or agree I don't really care i just want your input right or wrong good or bad i just want your input on this this is what I've heard and brought up come up with Ruiz bgp because it's trusted and understood this does not however mean using the current bgp peering sessions will talk about that in a second using a new address family or a new message right now we're looking at a new address family in the little group of people we have gathered together but that's not a given that could be changed at any moment no reason to reuse current best path for this application we want to reuse existing policy mechanisms if possible this is one of the beauties of running bgp is that you can attach communities to your advertisements and if you have a community that you use to filter out you can use that same community to filter advertisements for pass validation so it's kind of cool don't mess with origin authentication in general again I don't want to argue about origin authentication and whether what we have is good or bad or whatever that's not really you know it seems to be deploying I'm happy if it deploys it's not perfect nothing is perfect everything is a trade-off in the world of complexity and network engineering so it is what it is and so the one thing we would like to think about is our sink seems to be a scaling issue that I've heard a lot I've heard this through the grapevine and from people and I'm not sure it's absolutely true but I've heard this and I think that it might be possible or it might be useful to think about a way to allow whatever we do for path validation to replace our sink in the long run turn my big thing is is I want to solve eighty percent of the problem space in the deplorable way I want it to be so one thing is is that i don't think i have come to the conclusion after looking at this problem for 15 years that there are no perfect solutions and hints if i can solve eighty percent of the problem in a way that cost me very very little and i can deploy it then i can find other ways to solve the other twenty percent of the problem and i'm perfectly happy with that solution I think kada was on stage last I think they might have some ideas since they're talking about internet measurement I think there may be some ways to measure things and look at things that you can catch the twenty percent the straight up path validation can't do so again an example I put on here stateful inspection IDs payers you know there are various things that I do in the networking worldwide take pairs of solutions or multiple solutions and try to figure out what to do there's a thing on here don't make the HD crypto I'm not convinced that's correct yet persistence and face of DDoS I actually am not convinced that's correct either but it would be a nice thing to do all right so rethinking requirements one thing I want to make sure I do is I don't want to I want to hide things that aren't otherwise available this is a big deal for a lot of transit providers it's not so much for me necessarily but it is for a lot of people being able to hide things that are otherwise not available or otherwise that you can't take the route reflector or a chart of the internet connectivity and discover things I want to be able to hide things that you could hide in other ways I want to be able to control where information is advertised I'm I want to be able to tell my peer what my interconnections are without them being able to tell their peers if I can do that there's a way to do that and now remember that this is a trust mechanism and clearly people can play against the rules or play outside the rules and do whatever they want to do I want to be able to optionally attach peering types and other policy to specific relationships this is optional and I'm very insistent on this being optional at this point because I understand again that some people don't want you to know what their policies are now we'll say later on that the more you expose your policies the more secure things become but there are business relationships and you just have to be you know whatever that is it is now another thing that I am thinking about in requirements are that we have come up with in this little group i'm working with is that we want an overlay carrying the information has been very insisted upon me or very impressed on me by various people that i do not want to touch existing ebgp peers so even if i'm using vgp as a transport because it's convenience neat and all your knots already know how to configure it I don't want to touch my existing ebgp peers by the way this is for me as well okay linkedin doesn't want to touch my existing bgp peers it's very important from a scaling perspective and various other reasons incremental value or incremental deployment should add value incrementally this is a very big deal and so this is the concept that we're working with some of you might find this slightly familiar we've grown by the drawing board and we thought some things about what we're doing but conceptually we are working with a s level semantics I say we we have a very small team formed of a couple of different providers and a couple of different vendors that we're working with to come up with this this is not anything that's kind of big public stuff right now we're just batting ideas around on a little mailing list to try to figure out what we're doing only a is level changes should be reflected in the base advertisements this is a scaling issue as much as we can more detail may be included but doesn't have to be so conceptually you build a set of path pairs each path bear can contain a policy if you want to these can be used as a set of paths a as filters at the AAS edge depends so one of the things that we've argued about discussed is frankly I don't care what you're doing you're a s all i care about is getting the information to decide how to do about path validation the best that I can and how are you use that information is completely up to you so if you want to use that as path filters or if you want to use that as some other whatever you might want to do it's not really my business to delve around in your AAS so you do what you'd like to do I'm just trying to find ways to provide you with the information to make this work so for instance different advertisements received with the asp s 65 for 65,000 for 65,000 three at a of 65,000 you can look and say as a 65,000 for connected to 65,000 3 yes is there a policy along the path that says I shouldn't be receiving this route no that's only if the policy is exposed am I connected a a 65,000 yes i have an 80% reliability i think there abouts that this is a good route now again doesn't solve everything but network engineering is a set of trade-offs and it is what it is and I'm hoping that we can find other ways to solve the rest of the problems later without getting too much more intrusive than where we already are Oh uh don't touch the bed button ah hey okay anyway so conceptually this is a tree taste base tag I assume you know what a dag is it's like an SPF or a Dykstra SPF without taking anything off policy can hang off the note so we have another name for this called a pass state vector you may find a research paper out there on that that's very old so I'm really not going to spend time talking about this if you really want to talk about this feel free to send me an email catch me afterwards I don't really care I don't care about this this is some stuff about packet formatting that we were talking about yes Randy shaking his head okay Randy wants me to go back I'll go back and I'll talk about this this is conceptually one way of doing this we actually don't know how to do this okay that's why I was going to skip this slide yeah that's fine this is conceptually we have been talking about within our little with our little quiet little group talking about this that you could use bgp AF and you would reform at the AF and do a special best path because this is the easy thing to do okay so I'll be honest you know I'm not a big fan of overloading bgp with everything in the stinking world and if i'm going to overload bgp with everything in the world i really kind of prefer to do it any new message type rather than in uaf but the world is what the world is and tilting at windmills is not my favorite hobby so I'm not going to argue about what the formatting looks like operationally a 65,000 the way this we're thinking about doing this is that you could advertise three different connectivity sets for instance you could bound a community using communities and a asset or a set of connectivity which would be signed with your private key which could be validated by your public key and we get I'm not going to get too deep in the crypto because the crypto is the crypto you know we have some smarter people about crypto than I am in the world and we're kind of relying on them and other people in the community to help us with this but anyway community bound so again I'm thinking in terms of if I can attach a community to a route I can attach it to this advertisement this is one of the joys of using bgp is if i have the community sets i can actually filter with the same communities on my edges and where I'm filtering routes I can advert actually filter connectivity as well so this is just a general idea again not not not validated or borne out operationally again i kin community i can use transit communities to block routes one hop away from me if I want to people can do bad things with your information if you hand it to them I'm sorry I can't do anything about that but that's the way it is right so i can do i can actually mark non transits and appearing relationship we're talking about adding bits for this that would be encrypted and validated in a way that would allow you to declare a customer as a customer as a valley and block the valley routes in the network attacks resolved of course of 65,000 five at verte eyes is DB a 01 with the path of 65,000 165 thousand five then you can actually look at your graph or you can actually look at your i want call it a graph but however it's actually implemented in a particular instance of this type of thing you can actually look at the growth of the pears and say you know what 65,000 one doesn't have a connection to 65,000 five even a 65,000 five advertises a connection to 65,000 one if you know much about Dykstra and SPF you always wanted to wake an activity check so if 65,000 one is not advertising a backlink back to 65,000 five and exists it isn't matter what 65,000 five claims it just works that way in that type of a thing now if someone decides to expose who is a not supposed to be a valley then you can always mark that information and block valley transit through of aliens for instance 65,000 one in this instance should not be a transit path between 65,000 to and sixty five thousand five so you can actually mark that and make that not happen so thoughts on the solution I think this would meet the objectives are reasonably worded government mandate now I said reasonably worded so it's reasonably rewarded in government in the same sentence might seem like an oxymoron to some people but that is what it is I think it would protect about eighty percent or more of what needs to be protected works with existing origin validation if we want it to to stop hijacking stop truly out of the path man in the middle is not culpable to replay attacks necessarily it's all kind of dependent on what you do with your certificates but that would actually do can protect your private information in a way that you want to all right path forward we have a small group working on this we are slowly but surely increasing the group we need some community support to think about this a little bit need more thinkers thinking about this we've not taken to this this to the ITF yet we are trying to get actually to the point where we have implementations before we take it to the ITF just to be realistic about things if a mandates forthcoming the goal is that you know we really want to have a solution on the table if something happens if somebody says this must take place and I understand because I've talked to a lot of my friends in the provider community that you know lots of people want to do a lot of different things there a lot simpler for instance well let's let every large every tier one set up their own IRR and will just solve the problem that way okay so I live on the edge and I'm not really happy with that solution for various reasons and I don't think tier 1 and tier 2 should actually be happy with that solution either some people are saying let's go back to the IRS there's been a lot of studies on the IRS and I think they're probably reasonably correct in a lot of cases from what I've heard Randy shaking his head notice one I'm going to get called on that one but nonetheless I think that the problem with the IR system is that it's easy enough to convince people to put information in and it's hard to get people to take the stuff out it's invalid so I think we need something that's a little more dynamic and works as the topology goes and can be automated and dev opt really like that I use that term I'll say it three times DevOps DevOps their bombs all right anyway can be coded up and dev upped and I think we need a lot of this stuff going on to make this better sir questions and i'm going to give you my email address even though it's not in here I'm really really really difficult to find it's russ at linkedin com I don't know if you can remember that or not but that's my work address is Russ at linkedin com Randy standing at the mic and so is sandy so I'm going to duck underneath the protective cover its podium so there are bad things about the Amana put and there are good things about baby I'd up are you yes ready Randy bush i oj DevOps is the operator is finally discovering that those computers are programmable um it's really nice to see you're thinking matured over the years I'm really cheering you should be aware that our sink is already being replaced there's internet draft for it and there's implementations and testing the one fundamental thing that bothers me about inter AS map being the essential semantics is that a yes enter a routing is prefix specific not a as specific if I understand that sure and but but otherwise keep hacking man okay good thanks now Sandy's gonna beat me up I'm not um I think you'd win the fight I did you go back to I don't know it was the slide where you said here's how origin about validation works in new owners don't tell me about organ validation does wait way back way way back which one do you want more laughing this one okay a s6500 to creates a ro there's an ro a signed with a private key bar by right right okay this doesn't have any bearing on your subsequent discussion no but I did want you to understand if linkedin is looking at this it is most emphatically not the a s that signs the rowa they're saying who's allowed to announce it right the prefix holder who has a right to use the address space so you know if you're going to use this light again this is a very loose set of slides just to give a general over I'm done asking for precision in two slides do all you know say 2001 creates a row assigns a private key yeah just too well in the IRR world for most things in the IRS it's the a s that's respect that has the authority to say things because it's a routing policy except for route objects and it's it's typical to see people carry that forward to the row a world I just mm-hmm okay Randy already mentioned our sink is there's a new draft in the cyber working group called the rrd p we kind of call it the Delta protocol and ripe is implementing and testing okay good and randy said you know it's prefix specific there are any track yesterday had a talk by someone who did some measurements of the valley free gal rexford model and the AAS paths that are exist in sixty-five percent match that model but that means 35% don't match that model so you know that right you got to keep that in mind and there is work in the grow working group to add a bit to the bgp updates to say kind of weather adds up or down sort of so you should know about that and the BGP sec protocol could then be used to protect those bits and you'd end up with a cryptographically assured discussion of what the policy was on a link right so yeah so I intentionally did not mention bgp set because i didn't want to come here and like beat up on anything i was my intent was just well you've got an in-band mechanism using cryptography so that's another in band mechanism that you guys good to exactly so yeah okay thanks Annie okay oh it's fine oh there's dog now I'm gonna get beat up again I never go ahead hmm from what I could see what you're proposing or at least outlining bears some resemblance to s 0 would be GP which had full specs that we could read can can you characterize like where your thoughts differ from the previous sov GP yeah so in many places first of all we have abandoned origin authentication within pass validation we've separated those two entirely and second of all I think there is a completely different group working on this is much more realistic about what we can do with in BGP itself and how to manage things in BGP itself and I think the third thing is is you know we're trying to avoid dabbling inside the a s we don't we don't we just want to try to provide people with the right information to build it on tools and do what they want to do so I think I think there's a lot of differences in those areas it's much more and beyond all that I think I actually have two implementations perhaps on the verge of being committed so a little bit happy about that many of your slides said you had no idea of how to ah yes it's just yet so these are kind of non non d well there's ago this is experimental right this is kind of will this actually work can we do what we want to do and I'm not going to lay down packet formats right now because I don't actually I think part of it is is that we need to get implementations under our belt to understand if the packet formats anybody is thinking about will actually work so that that's a crucial key little more experience with what we're doing yes I rasulullah go for deutsche telekom well ok I am I would be interested to have a clear description of what information model you want to use you are coming in and in the presentation in particular saying well ok our sink is a bed transport which well ok other people are working on and then well ok bgp is a nice transport and then you come up with stuff that is to a large degree structure following the chosen transport and that's kind of that's kind of not really the way i would like to look at well ok expressing policy in in a more abstract way the next thing is all ok for getting things actually secured which i think we want to and which quite certainly what part we would be part of a mandate if the mandate is reasonable well ok kind of a I'm not I'm not hearing I'm not hearing the security design which should take care of making sure that actually authoritative data is put into the system and it stay the integrity of that data and the oft entity of a data is secured and trusting that well ok after we are force some some fuzzy data model into an exist transport to fix that later on does not look like a very promising and reasonable approach okay so first of all in the data model contact me off after or you know email me or something because we can talk about that that's not here in the slides there is thinking around it but it is not anything definite as far as making sure that the data is correct so I will tell you that we are on shall I say very touchy ground with this part of the problem because i have talked to certain providers who have said i do not want any outside body playing in my in my space and telling and trying to authenticate who i'm connected to or not on the other hand from a security perspective it's very important to make sure that that information is correct so there is a fine line here someplace and at some point we're going to have to figure out how to make this work in a way either it's going to have to come down to we have to do this anyway or we're going to have to come down to the point where we say and we're going to find some way to make all of this work together and I don't know the answer that question so that's why it's not in the slides well I think there cannot be a question about that integrity and authenticity of the data that is exchanged into domain has to be secured right agree I do not see any concern that actually would say well okay we have to bypass vet yeah okay well we can talk about that after i have people who have told me otherwise anything else great thanks you