To communicate among internet devices (e.g. PC, smartphone), each device has its own numerical addresses, called IPv4 and IPv6


1

2

3

4

5 To communicate among internet devices (e.g. PC, smartphone), each device has its own numerical addresses, called IPv4 and IPv6.

| | IPv4 Address | IPv6 Address |
|---|---|---|
| Form (example) | 211.192.38.1 | 2001:dc2:0:40:135:72df:9e74:d8a3 |
| Total # of addresses | Approx. 43 billions | 43 bil. X 43 bil. X 43 bil. X 43 bil. |
| # of addresses possessed | 112,328,192 | 5,246 (/32 = 43 bil. X 43 bil. X 43 bil.) |
| Rank (Possession) | #6 | #9 |
| Development Time | 1980 | 1996 |
| 1st Assignment in Korea | July, 1986 | October, 1999 |

6 In Korea, under the “Internet Address Resource” act, an internet service provider that needs IP addresses must submit a request to KISA. Once the request is confirmed, KISA procures the IP addresses from APNIC and assigns them to the ISP.

7 Depletion of IPv4 has been announced globally. Without transitioning to IPv6, it will be difficult to sustain market expansion in areas such as cloud, IoT, etc.

8 Establishment of “IPv6 All Ready” environment by 2019 based on components of Content-Platform-Network-Device

9

10

11

12 Targeted Traffic Misdirection: Misconfiguration, Malicious

13 ↑ AS36561 (YouTube) announces 208.65.152.0/22. ↓ 208.65.153.0/24 had never been announced before the failure. ※ Source: http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study

14 ↑ AS17557 (Pakistan Telecom) announces 208.65.153.0/24. Within 2 minutes, RIS peers around the world updated their routing information, and YouTube traffic began to be redirected to Pakistan (Sunday, 24 February 2008, 18:49 (UTC)). ↓ From 20:07 (UTC), AS36561 (YouTube) announces 208.65.153.0/24. The false information from AS17557 (Pakistan Telecom) is withdrawn, and RIS peers secure a single path to YouTube's AS36561. ※ Source: http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study

15 ↑ Before the hijacking, miners connect to the legitimate mining pool server. ↑ How the malicious (incorrect) routing information propagates: because AS3 is "peered" with AS4, the malicious information is broadcast. Because AS3's route information is more specific than AS2's, BGP route selection gives AS3 priority over AS2. ※ Source: http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/

16 ↑ After the hijacking, when the victim mines bitcoin, they are connected to the attacker's mining pool server, so the mined bitcoins accumulate with the attacker. ※ Source: http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/

17 RPKI (Resource Public Key Infrastructure): digital certificates for IP addresses & AS numbers. A technology that uses Public Key Infrastructure to issue certificates to organizations which own their IP addresses & AS numbers and to guarantee the integrity of BGP routing information.

18

19 [Diagram: AS1988, AS1994; AS2016 announces 1.18.118.0/23; AS2015 announces 1.18.118.0/24; "Send a packet to 1.18.118.1"]

20 [Diagram: ROA for AS2016, 1.18.118.0/23; BGP table entries 1.18.118.0/24 AS2015 and 1.18.118.0/23 AS2016; RPKI router; AS1988, AS1994; Block: AS2015 1.18.118.0/24; "Send a packet to 1.18.118.1"]

21 Block: ROA (Route Origin Authorization) vs BGP table

BGP table: 1.18.118.0/24 AS2015 invalid; 1.18.118.0/23 AS2016 valid

ROA: IP Prefix/Length 1.18.118.0/23; ASN Code 2016; Organization kr-Bank

RPKI router, RPKI Cache: The organizations holding IP addresses / ASNs get certified by RPKI and send the certification to the RPKI Cache server.

※ Block: To block invalid routing information, the RPKI or BGP option must be set in advance on the router.

[Diagram: AS1988, AS1994; AS2015 1.18.118.0/24; AS2016; "Send a packet to 1.18.118.1"]
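The ROA-versus-BGP-table comparison on this slide, as an added Python example (not part of the original presentation): it classifies the two announcements following RFC 6811 route origin validation and shows which origin AS a packet to 1.18.118.1 reaches with and without dropping invalid routes. The function names and the max-length value (taken as the ROA prefix length) are assumptions.

```python
import ipaddress

# ROA from the slide: prefix 1.18.118.0/23, origin AS2016 (kr-Bank).
# Assumption: max length is not shown on the slide, so it equals the prefix length.
ROAS = [(ipaddress.ip_network("1.18.118.0/23"), 23, 2016)]

# BGP table from the slide: (announced prefix, origin AS).
BGP_TABLE = [("1.18.118.0/24", 2015), ("1.18.118.0/23", 2016)]


def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, roa_as in roas:
        # A ROA covers a route when the announced prefix lies inside the ROA prefix.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            # Valid needs a matching origin AND a prefix no longer than max length.
            if roa_as == origin_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def next_origin(dest, table=BGP_TABLE, drop_invalid=False):
    """Longest-prefix match for dest; optionally drop RPKI-invalid routes first."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, origin_as in table:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if drop_invalid and validate_origin(prefix, origin_as) == "invalid":
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, origin_as)
    return best[1] if best else None


if __name__ == "__main__":
    for prefix, asn in BGP_TABLE:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn))
    print("no filtering ->", next_origin("1.18.118.1"))
    print("drop invalid ->", next_origin("1.18.118.1", drop_invalid=True))
```

Under these assumptions a /24 announced by AS2016 itself is also classified invalid, because it is longer than the ROA's max length; an operator who really announces more-specifics has to reflect that in the ROA.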

22 RIRs: AFRINIC, RIPE NCC, ARIN, LACNIC, APNIC. NIRs: KRNIC. LIRs: ISP-inet. IP assigned: User net.

Resource Certified:
Issuer : APNIC, Subject : KRNIC, IPaddr : 1.0.0.0/8
Issuer : KRNIC, Subject : Inet-ISP, IPaddr : 1.18.0.0/16
Issuer : ISP-inet, Subject : User net, IPaddr : 1.18.112.0/20
Issuer : User net, Subject : kr-Bank, IPaddr : 1.18.118.0/23

ROA certified: ROA (Route Origination Authorization, digital signature by User net): AS2016’s 1.18.118.0/23 BGP announcing information registered/certified ……

23

24

25 Cisco: XR 4.2.1 (CRS-x, ASR9000, c12K); XR 5.1.1 (NCS6000, XRv); XE 3.5 (c7200, c7600, ASR1K, CSR1Kv, ASR9k, ME3600, ME3800). Juniper: JunOS has support since version 12.2. Alcatel Lucent: SR-OS has support since version 12.0 R4. Quagga: Quagga has support through BGP-SRX. (2016. 4)

26

27 National RPKI test will be held. (2/2 2016)

28

29 Inquiry: shkang@kisa.or.kr, 02-405-5492. Thank you

