Enhancing Internet security with IRR: protection against incorrect route advertisements

Posted date 04/07/2024
Author
INCIBE (INCIBE)

In the early stages of the Internet, during the 1980s, the network was a simple and experimental environment. In those early years, routing management did not need to address the extensive and heterogeneous mesh of autonomous systems and policies that characterizes today's Internet. The scenario began to change dramatically in the mid-1990s, when the Internet experienced an unprecedented expansion, both in users and in participating networks, and began to require robust and efficient mechanisms for managing routing across the global network.

It was at this inflection point that the Internet Routing Registry (IRR) was conceived, complementing other protocols, such as BGP. While BGP facilitates the exchange of route information between autonomous systems, IRR provides a framework that allows network operators to document, share, and validate this information. This not only strengthens the security and reliability of global Internet routing, but also promotes more coherent and collaborative management and coordination among network operators in the global Internet community.

The IRR is a distributed, globally accessible repository in which network operators document route information, ensuring the consistency and reliability of routing across the Internet. Collaboration in this initiative is diverse and broad, involving actors from different sectors and regions, such as the Regional Internet Registries (RIRs) and some large ISPs, who work together to improve the coordination and security of routes on the Internet.

This collaboration improves the filtering of route advertisements across the network by allowing operators to identify and discard announcements that do not match the registered routes and policies. This filtering mechanism is crucial to preventing problems such as prefix hijacking and route leaks, as it helps ensure that only valid and authorized route announcements are accepted and propagated across the network. In addition, IRR data is replicated and made available in various locations around the world, allowing robust and redundant access to routing information.

Basic operation

Routing policies

Routing policies are crucial for communicating and establishing how networks interact and how traffic is routed over the Internet. Policies can be written in the Routing Policy Specification Language (RPSL), defined in RFC 2622 and RFC 2650. The first step is to define the routing objects: essentially autonomous system (aut-num) objects and route objects.

The main object used to describe the policies of an AS in RPSL is the aut-num object. This object includes attributes that describe the import and export policies of the AS, among other details, as shown in the following example for AS64500:

[Figure: example RPSL aut-num object for AS64500.]

Where:

  • aut-num: Identifies the ASN, in this case AS64500.
  • as-name: A symbolic name for the AS.
  • descr: A brief description of the AS.
  • import: Defines route import policies. In this case, AS64500 accepts all route announcements (accept ANY) from AS64501.
  • export: Defines route export policies. AS64500 announces the routes of its own AS-set (announce AS-EXAMPLENET) to AS64501.
  • admin-c and tech-c: Administrative and technical contact, respectively.
  • created: Date on which the object was created.
  • last-modified: Date on which the object was last modified.
  • source: Identifies which IRR this object belongs to.

In turn, route objects formalize the advertisement of an IP prefix on the Internet. Let us look at an example.

[Figure: example RPSL route object for 203.0.113.0/24 originated by AS64500.]

Where:

  • route: This is the IP prefix that is being advertised on the network. In this case, it is 203.0.113.0/24. This field indicates the network that is being advertised in BGP.
  • descr: Provides a description of the route object. It is useful for giving contextual information about the use of the prefix, for example, whether it is used by a specific customer or for a specific network within your infrastructure.
  • origin: This is the ASN from which the route announcement originates. In this case, AS64500 is advertising the prefix 203.0.113.0/24. This means that any BGP advertisement for this prefix would need to come from AS64500 to be considered legitimate.
  • source: This field identifies the IRR in which the object is registered.

Additional authentication and authorization elements

To prevent unauthorized or uncontrolled use of objects within the IRR, authentication attributes establish a strict control framework over who can modify and represent routing policies and related objects. Their use is essential to establishing trust between the peers who exchange information.

  • Maintained By (mnt-by): Identifies the authority to create, modify, or delete an object in the database and ensures that any changes to a specific object are made only by authorized entities.
  • Maintained Lower (mnt-lower): Specifies who has the authority to create more specific objects (subnets or subsets) under an existing object in the database, preventing unauthorized creations and helping to maintain a consistent and secure routing hierarchy.
  • Maintained Routes (mnt-routes): Defines who has the authority to specify routes within an IP address range object, ensuring that route announcements associated with specific IP address blocks are managed only by authorized network operators.

The assignment of these authorities relies on a fundamental object, the maintainer (mntner), which is used to protect other objects, ensuring that only authorized entities can change the objects under its maintenance. It uses authentication methods, such as passwords or PGP, to verify the entities making changes.

Routing object publishing cycle

Publishing a routing object usually involves creating an object in the corresponding IRR database. Each registry may have its own interfaces and specific requirements for creating objects; however, the general process below applies in most cases:

  1. Create an account on the IRR: Before you can publish routing information, you must create an account or identity on the registry (e.g., RADB, ARIN, RIPE).
  2. Secure authentication and authorization: This involves creating a maintainer object (mntner) that contains your authentication and authorization information. Make sure you have the necessary authorization to publish objects and routes for the relevant IP blocks and autonomous system numbers.
  3. Create the route objects: Define the object (for an IP prefix or an AS) or route that specifies the network prefix you want to advertise. Generally, the web interface or command-line tools provided by each IRR are used to publish the route objects and associated policies.
[Figure: AFRINIC IRR web interface for registering objects.]

  4. Validate the registration: Verify that the objects have been published correctly and that the routing information is accessible. In practice, network operators can manually query an IP address or an Autonomous System (AS) in the IRR repositories of their choice, using the whois command or one of several web tools with this functionality.
  5. Configure the routers: Configuring routers after the routing information has been registered is a crucial step in ensuring that policies are effectively enforced on the network. IRRToolSet is a suite of tools that helps network operators configure routers according to the information stored in the IRR.

    The suite includes several tools, including peval, rtconfig, and rpslcheck, that allow users to query IRRs and generate router configurations based on the policies expressed in RPSL.

  6. Maintenance: If the advertised policies or prefixes change, the route objects must be updated. In addition, it is advisable to regularly check the accuracy of the information in the IRR and make any necessary adjustments.
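The following Python is an added, constructed example (not code from INCIBE, from IRRToolSet or from any registry) that ties the route object described earlier to the validation and router-configuration steps above: it parses a small RPSL dump containing the aut-num and route objects the article describes, derives the prefix filter a peer would apply to AS64500 (the kind of output rtconfig generates), and classifies sample BGP announcements against the registered route objects. The registry name EXAMPLE-IRR, the as-name and the descr values are assumptions.

```python
import ipaddress

# Constructed sample IRR dump in RPSL syntax (not from a live registry): the
# aut-num and route objects the article describes, with assumed names.
IRR_DUMP = """\
aut-num:        AS64500
as-name:        EXAMPLENET
descr:          Example network (constructed)
import:         from AS64501 accept ANY
export:         to AS64501 announce AS-EXAMPLENET
source:         EXAMPLE-IRR

route:          203.0.113.0/24
descr:          Example customer prefix (constructed)
origin:         AS64500
source:         EXAMPLE-IRR
"""

def parse_rpsl(text):
    """Split an RPSL dump on blank lines; each object becomes an attribute dict."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        elif current:              # a blank line ends the current object
            objects.append(current)
            current = {}
    if current:
        objects.append(current)
    return objects

def route_objects(objects):
    """Map every registered prefix to the ASN authorised to originate it."""
    return {ipaddress.ip_network(o["route"]): o["origin"]
            for o in objects if "route" in o}

def prefix_list(routes, asn):
    """Prefix filter a peer would apply to asn (what rtconfig derives from the IRR)."""
    return sorted(str(p) for p, o in routes.items() if o == asn)

def check_announcement(routes, prefix, origin):
    """Classify one BGP announcement (prefix, origin ASN) against the route objects."""
    net = ipaddress.ip_network(prefix)
    if net in routes:
        return "valid" if routes[net] == origin else "origin mismatch"
    if any(r.version == net.version and net.subnet_of(r) for r in routes):
        return "more-specific not registered"
    return "prefix not registered"
```

An "origin mismatch" corresponds to the prefix hijacking case and an unregistered more-specific to the kind of announcement a filter built from the IRR would drop before it propagates.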

The following diagram provides a visual representation of the process of publishing and validating routes in the IRR, highlighting the critical steps:

[Figure: Operating scheme of publication and route verification between AS.]

Conclusion

The operability of the Internet depends on its ability to manage policies and route announcements efficiently and securely, a critical aspect to which the IRR contributes by providing a framework of security and reliability for the transfer of data packets over the Internet that helps prevent spoofing attacks. In addition, IRRs are conceived as a platform where operators can collaborate, fostering a more transparent and trustworthy Internet ecosystem.

The IRR is a security and reliability system that is compatible with others, such as RPKI (Resource Public Key Infrastructure). While the IRR provides a mechanism for detailed documentation of routing policies and prefixes in a structured manner, the RPKI provides an additional level of security by using cryptography to validate the authenticity of BGP route announcements. In this way, the combination and coexistence of IRR and RPKI makes it possible to create a more secure and verifiable Internet routing environment, taking a significant step towards mitigating incidents on the Internet.