RIPE 76 Sees Strong Focus on Routing Security Thumbnail
Deploy360 17 May 2018

RIPE 76 Sees Strong Focus on Routing Security

By Kevin MeynellFormer Senior Manager, Technical and Operational Engagement

The RIPE 76 meeting is happening this week in Marseille, France, held at the fantastic location of the Palais du Pharo overlooking Marseille’s Old Port. And it’s also another record attendance with over 850 people registered.

The first couple of days have primarily been devoted to plenary sessions, and there’s been a big focus on routing security. Erik Bais (A2B Internet) kicked off the discussion with a presentation on ‘Why are we still seeing DDoS traffic?‘, which highlighted that DDoS attacks are still originating from the same networks. Looking at the list of the worst offenders, there’s even one amongst the regular RIPE attendees, and he called for networks to clean up their acts. This was also a good opportunity to highlight the MANRS initiative, which of course includes measures to mitigate amplification attacks, and encourages networks to make good routing practices the norm.

Alexander Azimov (Qrator Labs) reinforced this message by outlining the current problems with BGP, including the ongoing route leaks and hijacks affecting the Internet. There are currently only moral obligations to not use other providers’ address space or to support anti-spoofing policies, yet major providers (including Tier 1 providers) continue to both originate and accept incorrect routes. There are things that can be done to mitigate this such as implementing IRR filters and ROA validation, but even then only around 10% of prefixes are using ROA and percentage of these are incorrect and therefore invalid. Network operators need to be doing better.

Job Snijders (NTT) also encouraged the case for filtering, and highlighted the use of Internet Routing Registries (IRRs) as a source for generating customer prefix filters. IRR sources are offered by the Regional Internet Registries, but also third parties such as RADB, NTT and ALTDB. However, IRRs differ in terms of purpose, policy and validation and still rely on network operators entering correct and legitimate information. This issue, particularly with certain IRRs needs to be addressed, as well as RPKI deployment being increased to allow incorrect IRR data to be identified and ignored.

That left Martin Winter (Hurricane Electric) to present the Real-Time Monitoring BGP Toolkit that is able to monitor for BGP errors and hijacks. This offers a looking glass service compiled from multiple sources around the world, and therefore enabling comparison of active BGP routes against known registered routes. The initial tests have revealed some interesting results such as the ongoing use of deprecated BGP Attributes, malformed 4-byte AS implementations, and repeated re-advertisement of the same routes. The tool can be found at https://rt-bgp.he.net.

Other highlights from the first couple of days including a lightning talk from Jordi Palet (Consulintel) who introduced HTTP/2, QUIC and DOH. Internet traffic is increasingly moving to HTTP/HTTPS due to the fact that networks are limiting access to these protocols, but the DNS is not yet using this. However, the IETF DNS over HTTPS (DOH) Working Group has been standardising the encoding of DNS queries and responses over HTTPS. which aims to enable DNS Privacy over paths where DNS-over-(D)TLS has issues.

HTTP/2 can reduce the number of round-trips, and avoid blocking by using  parallel streams and discarding the unwanted ones, so provides offers a faster web experience. QUIC can decrease latency, avoid packet loss blocking all steams (as with HTTP/2) and makes connections possible over different interfaces.

Our colleague Jan Žorž, along with Benno Overreinder (NLnet Labs), also chaired the BCOP Task Force on Monday. There were a couple of proposals for developing BCOPs – the first on recommendations for DNS Privacy Privacy operators from Sara Dickinson, and the second on running E-mail servers on IPv6 from Sander Steffann.

For those of you who cannot attend the RIPE meeting in person, just a reminder that remote participation is available with audio and video streaming and also a jabber chat room.

The full programme can be found at https://ripe76.ripe.net/programme/meeting-plan/

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related Posts

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...