French Internet Resilience Observatory
Transcript of French Internet Resilience Observatory
French Internet Resilience ObservatoryFrançois Contat, Guillaume Valadon
Agence nationale de la sécurité des systèmes d'informationhttp://www.ssi.gouv.fr/en
RIPE 67 - October 15th, 2013
ANSSI - http://www.ssi.gouv.fr/observatoire 1/31
The observatory in a nutshell
Prior issues• the Internet is misunderstood;• network incidents analysis are rarely France-oriented;• the usage of best current practices is unknown.
Some of our objectives• study the French Internet in details;• develop technical interactions with the networking community;• publish anonymized results;• publish recommendations and best practices.
ANSSI - http://www.ssi.gouv.fr/observatoire 2/31
Internet resilience?
«Resilience is the ability to respond to a major crisisand to quickly restore a normal service.»
The French White Paper on defence and national security, 2008
The Internet is often considered as a regular industry. Its resilienceis mainly studied through:
• the dependency on electricity;• the location of physical infrastructures.
The observatory aims to study the Internet resilience from atechnical point of view.
ANSSI - http://www.ssi.gouv.fr/observatoire 3/31
Who?The observatory is under the supervision of the ANSSI...
Created on July 7th 2009, the ANSSI is the national authorityfor the defence and the security of information systems:
• in French, ANSSI, Agence nationale de la sécurité des systèmesd’information;
• in English, French Network and Information Security Agency.
Main missions are:• prevention;• defence of information systems.
One of its priorities is the Internet resilience.
http://www.ssi.gouv.fr/en/
ANSSI - http://www.ssi.gouv.fr/observatoire 4/31
Who else?
..AfnicThe French Registry for the .fr zone as well as overseas territories.
http://www.afnic.fr/en/
Afnic has been co-leading the project since the beginning.
French network actorsISPs, IXP, transit providers…
ANSSI - http://www.ssi.gouv.fr/observatoire 5/31
What can be observed?
Two main possible directions:• services (HTTPS usage, mail…);• Internet structure (routing, name services).
Today, the observatory is focusing solely on the Internet structurethrough BGP and DNS.
ANSSI - http://www.ssi.gouv.fr/observatoire 6/31
How to observe?
Several technical indicators were defined:• 7 indicators for BGP (route objects, hijacks, RPKI…);• 5 indicators for DNS (topological distribution, DNSSEC…).
In the report, each indicator contains:1. a description;2. a methodology and its limitations;3. an analysis.
ANSSI - http://www.ssi.gouv.fr/observatoire 7/31
Data and indicators
RIS project - BGP updatesData: AS origin, prefix, AS_PATH…Indicators: hijacks classification, connectivity, IPv6, BCP…
RIPE-NCC Whois databaseData: route, route6, aut-num…Indicators: hijacks classification, connectivity, IPv6, BCP…
ANSSI - http://www.ssi.gouv.fr/observatoire 9/31
Identifying the French InternetExisiting databases are not adequate: some ASes are missing.
Finding French AS• more than 40,000 ASes in the Internet;• automatically identify French ASes using an unsupervised learn-
ing algorithm.
Results• 1270 French ASes;• compared to existing public databases (Cymru, RIPE):
• 9 ASes missing in our database;• 40 and 70 more ASes.
ANSSI - http://www.ssi.gouv.fr/observatoire 10/31
Connectivity
Motivations• are French ASes well connected to each other?• are there Single Point Of Failure (SPOF)?
Methodology• build a representative graph of the French Internet:
• use AS_PATH seen by the RIS collectors;• extract the subgraph of French ASes.
• identify the critical ASes (SPOF) for the French Internet:• highlight ASes whose loss can lead to a loss of connectivity.
ANSSI - http://www.ssi.gouv.fr/observatoire 11/31
ConnectivityIPv4
..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Blue: French ASes.Red: ASes whose loss leads to a loss of connectivity.
.
..
There are few ASes whose loss can significantlyimpact the French Internet.
ANSSI - http://www.ssi.gouv.fr/observatoire 12/31
ConnectivityIPv4
..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Blue: French ASes.Red: ASes whose loss leads to a loss of connectivity.
...
There are few ASes whose loss can significantlyimpact the French Internet.
ANSSI - http://www.ssi.gouv.fr/observatoire 12/31
Prefix conflicts
....AS1 ... AS2.... AS3....
AS4
..192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24 AS2 AS1192.0.2.0/24 AS4
.
BGP
• prefix announcements between ASes: routes are exchanged;
• both ASes announce the same prefix: hijack?• could be anycast, DDoS protection, customer…
This conflict must be named differently: event.
ANSSI - http://www.ssi.gouv.fr/observatoire 13/31
Prefix conflicts
....AS1 ... AS2.... AS3....
AS4
..192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24 AS2 AS1192.0.2.0/24 AS4
.
BGP
• prefix announcements between ASes: routes are exchanged;• both ASes announce the same prefix: hijack?
• could be anycast, DDoS protection, customer…
This conflict must be named differently: event.
ANSSI - http://www.ssi.gouv.fr/observatoire 13/31
Prefix conflicts
....AS1 ... AS2.... AS3....
AS4
..192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24 AS2 AS1192.0.2.0/24 AS4
.
BGP
• prefix announcements between ASes: routes are exchanged;• both ASes announce the same prefix: hijack?• could be anycast, DDoS protection, customer…
This conflict must be named differently: event.
ANSSI - http://www.ssi.gouv.fr/observatoire 13/31
Prefix conflicts
....AS1 ... AS2.... AS3....
AS4
..192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24 AS2 AS1192.0.2.0/24 AS4
.
BGP
• prefix announcements between ASes: routes are exchanged;• both ASes announce the same prefix: hijack?• could be anycast, DDoS protection, customer…
This conflict must be named differently: event.
ANSSI - http://www.ssi.gouv.fr/observatoire 13/31
How can we classify an announcement as valid?
....AS1 ... AS2.... AS3....
AS4
..192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24 AS2 AS1192.0.2.0/24 AS4
.
BGP
In this example, we look for the prefix 192.0.2.0/24 in whoisdatabase:
$ whois -T route 192.0.2.0/24
descr: Route object exampleroute: 192.0.2.0/24origin: AS4mnt-by: AS1-MNT
ANSSI - http://www.ssi.gouv.fr/observatoire 14/31
How can we classify an announcement as valid?
....AS1 ... AS2.... AS3....
AS4
..192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24
.
192.0.2.0/24 AS2 AS1192.0.2.0/24 AS4
.
BGP
In this example, we look for the prefix 192.0.2.0/24 in whoisdatabase:
$ whois -T route 192.0.2.0/24descr: Route object exampleroute: 192.0.2.0/24origin: AS4mnt-by: AS1-MNT
ANSSI - http://www.ssi.gouv.fr/observatoire 14/31
Classifying events
... ..valid
.connected
.abnormal
.0 .400
.800
.
1200
.
1600
.
2000
.
2400
.
2800
.
3200
.
3600
....
Num
bero
feve
nts
.
100 %
.events
.events
.events
.events
Valid: a route object exists for the AS including the prefix.Connected: one of the ASes provides transit to the other.Abnormal: it might be a prefix hijack.
.
..
After analysis, 7 abnormal events seem to be realhijacks.
ANSSI - http://www.ssi.gouv.fr/observatoire 15/31
Classifying events
... ..valid
.connected
.abnormal
.0 .400
.800
.
1200
.
1600
.
2000
.
2400
.
2800
.
3200
.
3600
....
Num
bero
feve
nts
.
29 %
.
71 %
.events
.events
.events
Valid: a route object exists for the AS including the prefix.
Connected: one of the ASes provides transit to the other.Abnormal: it might be a prefix hijack.
.
..
After analysis, 7 abnormal events seem to be realhijacks.
ANSSI - http://www.ssi.gouv.fr/observatoire 15/31
Classifying events
... ..valid
.connected
.abnormal
.0 .400
.800
.
1200
.
1600
.
2000
.
2400
.
2800
.
3200
.
3600
....
Num
bero
feve
nts
.
29 %
.
48 %
.
23 %
.events
Valid: a route object exists for the AS including the prefix.Connected: one of the ASes provides transit to the other.Abnormal: it might be a prefix hijack..
..
After analysis, 7 abnormal events seem to be realhijacks.
ANSSI - http://www.ssi.gouv.fr/observatoire 15/31
Classifying events
... ..valid
.connected
.abnormal
.0 .400
.800
.
1200
.
1600
.
2000
.
2400
.
2800
.
3200
.
3600
....
Num
bero
feve
nts
.
29 %
.
48 %
.
23 %
.events
Valid: a route object exists for the AS including the prefix.Connected: one of the ASes provides transit to the other.Abnormal: it might be a prefix hijack....
After analysis, 7 abnormal events seem to be realhijacks.
ANSSI - http://www.ssi.gouv.fr/observatoire 15/31
Cross-check routing table and whois database
.
.......
.4289 French prefixes
. 3771 Frenchroute objects
.
RIS LINX
.
Whois database
...
RIS LINX
.
Whois database
.
Prefix filtering
.
Whois consistency
.
uncovered prefixes
.
prefixes covered
.
unused route objects
.
matched route objects
.
unused route objects: 1183
.
matched route objects: 2588
.
31% of route objects are unused in 2012
.
uncovered prefixes: 660
.
prefixes covered: 3629
.
15% of French prefixes could be blackholed
.
..
• prefixes announced with BGP should be cov-ered by route objects;
• preliminary step to RPKI.
ANSSI - http://www.ssi.gouv.fr/observatoire 16/31
Cross-check routing table and whois database
.
........4289 French prefixes
. 3771 Frenchroute objects
.
RIS LINX
.
Whois database
...
RIS LINX
.
Whois database
.
Prefix filtering
.
Whois consistency
.
uncovered prefixes
.
prefixes covered
.
unused route objects
.
matched route objects
.
unused route objects: 1183
.
matched route objects: 2588
.
31% of route objects are unused in 2012
.
uncovered prefixes: 660
.
prefixes covered: 3629
.
15% of French prefixes could be blackholed
.
..
• prefixes announced with BGP should be cov-ered by route objects;
• preliminary step to RPKI.
ANSSI - http://www.ssi.gouv.fr/observatoire 17/31
Cross-check routing table and whois database
..
.
.
.
.
...4289 French prefixes
. 3771 Frenchroute objects
.
RIS LINX
.
Whois database
..
.
RIS LINX
.
Whois database
.
Prefix filtering
.
Whois consistency
.
uncovered prefixes
.
prefixes covered
.
unused route objects
.
matched route objects
.
unused route objects: 1183
.
matched route objects: 2588
.
31% of route objects are unused in 2012
.
uncovered prefixes: 660
.
prefixes covered: 3629
.
15% of French prefixes could be blackholed
.
..
• prefixes announced with BGP should be cov-ered by route objects;
• preliminary step to RPKI.
ANSSI - http://www.ssi.gouv.fr/observatoire 18/31
Whois database consistency
.
.
..
.
..
..4289 French prefixes
. 3771 Frenchroute objects
.
RIS LINX
.
Whois database
..
.
RIS LINX
.
Whois database
.
Prefix filtering
.
Whois consistency
.
uncovered prefixes
.
prefixes covered
.
unused route objects
.
matched route objects
.
unused route objects: 1183
.
matched route objects: 2588
.
31% of route objects are unused in 2012
.
uncovered prefixes: 660
.
prefixes covered: 3629
.
15% of French prefixes could be blackholed
.
..
• prefixes announced with BGP should be cov-ered by route objects;
• preliminary step to RPKI.
ANSSI - http://www.ssi.gouv.fr/observatoire 19/31
Prefix filtering
..
..
..
.
.
.4289 French prefixes
. 3771 Frenchroute objects
.
RIS LINX
.
Whois database
..
.
RIS LINX
.
Whois database
.
Prefix filtering
.
Whois consistency
.
uncovered prefixes
.
prefixes covered
.
unused route objects
.
matched route objects
.
unused route objects: 1183
.
matched route objects: 2588
.
31% of route objects are unused in 2012
.
uncovered prefixes: 660
.
prefixes covered: 3629
.
15% of French prefixes could be blackholed
.
..
• prefixes announced with BGP should be cov-ered by route objects;
• preliminary step to RPKI.
ANSSI - http://www.ssi.gouv.fr/observatoire 20/31
Prefix filtering
..
.
.
.
.
.
.
.4289 French prefixes
. 3771 Frenchroute objects
.
RIS LINX
.
Whois database
..
.
RIS LINX
.
Whois database
.
Prefix filtering
.
Whois consistency
.
uncovered prefixes
.
prefixes covered
.
unused route objects
.
matched route objects
.
unused route objects: 1183
.
matched route objects: 2588
.
31% of route objects are unused in 2012
.
uncovered prefixes: 660
.
prefixes covered: 3629
.
15% of French prefixes could be blackholed
...
• prefixes announced with BGP should be cov-ered by route objects;
• preliminary step to RPKI.
ANSSI - http://www.ssi.gouv.fr/observatoire 21/31
Data & tools
The DNSWitness platform is used to collect data.
Active measurementsData: .fr domains retrieved from the whole .fr zone.Tool: DNSdelve.Indicators: number of DNS servers, IPv6 services, DNSSEC…
Passive measurementsData: requests received by Afnic authoritative servers.Tool: DNSmezzo.Indicators: Kaminsky attack, IPv6 queries…
ANSSI - http://www.ssi.gouv.fr/observatoire 23/31
Distribution of authoritative DNS servers
... ..1.
2.
3.
4.
5.
6+.0 % .
10 %.
20 %
.
30 %
.
40 %
.
50 %
.
60 %
.......
Number of servers per .fr domain
. 0.3.
30
.7
.
49.3
.2
.
11.4
A high number of servers per zone increases the resilience.
.
..
There are enough servers per .fr domains.
ANSSI - http://www.ssi.gouv.fr/observatoire 24/31
Distribution of authoritative DNS servers
... ..1.
2.
3.
4.
5.
6+.0 % .
10 %.
20 %
.
30 %
.
40 %
.
50 %
.
60 %
.......
Number of servers per .fr domain
. 0.3.
30
.7
.
49.3
.2
.
11.4
A high number of servers per zone increases the resilience.
...
There are enough servers per .fr domains.
ANSSI - http://www.ssi.gouv.fr/observatoire 24/31
Distribution of ASes per DNS zone
... ..1.
2.
3.
4.
5.0 % .
20 %
.
40 %
.
60 %
.
80 %
.
100 %
......
Number of ASes per .fr domain
.
81.9
.12.6
.3.9
. 0.9. 0.6
A high number of AS per zone increases resilience.
.
..
Most domains are located in one AS.
ANSSI - http://www.ssi.gouv.fr/observatoire 25/31
Distribution of ASes per DNS zone
... ..1.
2.
3.
4.
5.0 % .
20 %
.
40 %
.
60 %
.
80 %
.
100 %
......
Number of ASes per .fr domain
.
81.9
.12.6
.3.9
. 0.9. 0.6
A high number of AS per zone increases resilience.
...
Most domains are located in one AS.
ANSSI - http://www.ssi.gouv.fr/observatoire 25/31
DNSSEC deployment in .fr domains
DNSSEC prevents DNS cache poisoning.
Deployment history• .fr zone signed and published: September 14th, 2010;• .fr zone accepts signed delegation since April, 2011.
All .fr domains could be signed.
Deployment in practice• only 1.5% of the whole .fr zone is signed;• thanks to a single French DNS registrar.
.
..
DNSSEC is not widely deployed.
ANSSI - http://www.ssi.gouv.fr/observatoire 26/31
DNSSEC deployment in .fr domains
DNSSEC prevents DNS cache poisoning.
Deployment history• .fr zone signed and published: September 14th, 2010;• .fr zone accepts signed delegation since April, 2011.
All .fr domains could be signed.
Deployment in practice• only 1.5% of the whole .fr zone is signed;• thanks to a single French DNS registrar.
...
DNSSEC is not widely deployed.
ANSSI - http://www.ssi.gouv.fr/observatoire 26/31
IPv6 deployment of servers within .fr domains
... ..DNS
.Web
.0 % .
20 %
.
40 %
.
60 %
..........
. ..2010 . ..2011 . ..2012
.6.4
. 0.9. 0.3.
41.0
. 1.6. 2.2.
59.7
.10.6
. 4.2
DNS: NS record points to a name with a AAAA record;mail: MX record points to a name with a AAAA record;web: www.zone.fr has a AAAA record.
.
..
Insufficient IPv6 deployment besides DNS servers.
ANSSI - http://www.ssi.gouv.fr/observatoire 27/31
IPv6 deployment of servers within .fr domains
... ..DNS
.Web
.0 % .
20 %
.
40 %
.
60 %
..........
. ..2010 . ..2011 . ..2012
.6.4
. 0.9. 0.3.
41.0
. 1.6. 2.2.
59.7
.10.6
. 4.2
DNS: NS record points to a name with a AAAA record;mail: MX record points to a name with a AAAA record;web: www.zone.fr has a AAAA record.
...
Insufficient IPv6 deployment besides DNS servers.
ANSSI - http://www.ssi.gouv.fr/observatoire 27/31
IPv6 deployment of DNS cache and clients
... ..IPv6 transport
.0 % .20 %
.
40 %
.
60 %
.
80 %
...
Transport
.. ..AAAA/IPv6
.A/IPv4
.other
.0 % .20 %
.
40 %
.
60 %
.
80 %
.......
Requests
.
..
. ..2011 . ..2012
.7
.11
.11
.
72
.17
.13
.
64
.
23
Data received by Afnic servers is now analyzed based on:• transport: IP version preferred by DNS caches;
• requests: IP version preferred by clients.
.
..
Most traffic and queries are still related to IPv4.
ANSSI - http://www.ssi.gouv.fr/observatoire 28/31
IPv6 deployment of DNS cache and clients
... ..IPv6 transport
.0 % .20 %
.
40 %
.
60 %
.
80 %
...
Transport
.. ..AAAA/IPv6
.A/IPv4
.other
.0 % .20 %
.
40 %
.
60 %
.
80 %
.......
Requests
.
..
. ..2011 . ..2012
.7
.11
.11
.
72
.17
.13
.
64
.
23
Data received by Afnic servers is now analyzed based on:• transport: IP version preferred by DNS caches;• requests: IP version preferred by clients.
.
..
Most traffic and queries are still related to IPv4.
ANSSI - http://www.ssi.gouv.fr/observatoire 28/31
IPv6 deployment of DNS cache and clients
... ..IPv6 transport
.0 % .20 %
.
40 %
.
60 %
.
80 %
...
Transport
.. ..AAAA/IPv6
.A/IPv4
.other
.0 % .20 %
.
40 %
.
60 %
.
80 %
.......
Requests
.
..
. ..2011 . ..2012
.7
.11
.11
.
72
.17
.13
.
64
.
23
Data received by Afnic servers is now analyzed based on:• transport: IP version preferred by DNS caches;• requests: IP version preferred by clients.
...
Most traffic and queries are still related to IPv4.
ANSSI - http://www.ssi.gouv.fr/observatoire 28/31
Conclusion & recommendations
« For BGP & DNS, the French Internet status is acceptable.However, there is no evidence that it will be true in the future. »
2012 report
Recommendations1. declare route objects, and keep declarations up-to-date, in order
to ease filtering and hijack detection;2. deploy IPv6 to anticipate problems;3. apply BGP best current practices;4. distribute authoritative DNS servers across several ASes.
ANSSI - http://www.ssi.gouv.fr/observatoire 29/31
Future work
Tools• scale to handle 40k ASes;• reduce indicator limitations;• use more than one BGP collector from RIS.
The next report• will be published mid-2014;• indicators will be enhanced;• items will be written in English.
ANSSI - http://www.ssi.gouv.fr/observatoire 30/31