How Secure are Secure Interdomain Routing Protocols? B96209044 大氣四 鍾岳霖 B97703099 財金三 婁瀚升 1.

Slides:



Advertisements
Similar presentations
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Advertisements

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
PortLand: A Scalable Fault- Tolerant Layer 2 Data Center Network Fabric B 財金三 婁瀚升 1.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira (Yale University and UC Berkeley) Joint work with Yaping Zhu and Jennifer Rexford.
1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.
Don’t Secure Routing, Secure Data Delivery Dan Wendlandt (CMU) With: Ioannis Avramopoulos (Princeton), David G. Andersen (CMU), and Jennifer Rexford (Princeton)
CS Summer 2003 Quiz 1 A1) IGP (IS-IS, OSPF) BGP A2) Stub Transit. because it is adverting AS2’s routes to AS1 and vice versa. A3) Traffic discarded.
BGP EE122 Discussion 11/7/11.
Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.
Delayed Internet Routing Convergence Craig Labovitz, Abha Ahuja, Abhijit Bose, Farham Jahanian Presented By Harpal Singh Bassali.
Wresting Control from BGP: Scalable Fine-grained Route Control UCSD / AT&T Research Usenix —June 22, 2007 Dan Pei, Tom Scholl, Aman Shaikh, Alex C. Snoeren,
Interdomain Routing Establish routes between autonomous systems (ASes). Currently done with the Border Gateway Protocol (BGP). AT&T Qwest Comcast Verizon.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University
Backbone Networks Jennifer Rexford COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101
A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University
BGP Border Gateway Protocol EE122 Section 3. Border Gateway Protocol Protocol for inter-domain routing Designed for policy and privacy Why not distance-vector?
Inter-domain Routing Outline Border Gateway Protocol.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.
Information-Centric Networks04a-1 Week 4 / Paper 1 Open issues in Interdomain Routing: a survey –Marcelo Yannuzzi, Xavier Masip-Bruin, Olivier Bonaventure.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
1 Interdomain Routing (BGP) By Behzad Akbari Fall 2008 These slides are based on the slides of Ion Stoica (UCB) and Shivkumar (RPI)
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Hierarchical Routing (§5.2.6)
Finding Vulnerable Network Gadgets in the Internet Topology Author: Nir Amar Supervisor: Dr. Gabi Nakibly Author: Nir Amar Supervisor: Dr. Gabi Nakibly.
Sign What You Really Care About -- Secure BGP AS Paths Efficiently Yang Xiang, Z. Wang, J. Wu, X. Shi, X. Yin Tsinghua University, Beijing AsiaFI 2011.
BGP Man in the Middle Attack Jason Froehlich December 10, 2008.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
T. S. Eugene Ngeugeneng at cs.rice.edu Rice University1 COMP/ELEC 429/556 Introduction to Computer Networks Inter-domain routing Some slides used with.
A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time Lusheng Ji†, Joint work with Changxi Zheng‡, Dan Pei†, Jia Wang†, Paul Francis‡
Detecting Selective Dropping Attacks in BGP Mooi Chuah Kun Huang November 2006.
Efficient Secure BGP AS Path using FS-BGP Xia Yin, Yang Xiang, Zhiliang Wang, Jianping Wu Tsinghua University, Beijing 81th Quebec.
CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Michael Schapira, Princeton University Fall 2010 (TTh 1:30-2:50 in COS 302) COS 561: Advanced Computer Networks
Border Gateway Protocol BGP-4 BGP environment How BGP works BGP information BGP administration.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
Denial of Service Resilience in Ad Hoc Networks (MobiCom 2004) Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly November 21 th, 2006 Jinkyu Lee.
Are We There Yet? On RPKI Deployment and Security
No Direction Home: The True cost of Routing Around Decoys
Are We There Yet? On RPKI Deployment and Security
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COMP/ELEC 429/556 Introduction to Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
BGP Instability Jennifer Rexford
Presentation transcript:

How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1

Outline Introduction Model and Methodology Fooling BGP Security Protocols Smart Attraction Attack Smart Interception Attack Smart Attack Are Not Optimal Finding Optimal Attack is Hard Implementation Issues Conclusion 2

Introduction BGP Quantifying – Worst Case Comparison – Traffic Flow: Routing, Business, AS-path Thinking like a Manipulator Finding and Recommendations 3

Model and Methodology Modeling Interdomain Routing – AS Graph – Establishing Path – Business Relationship: C > P2P > P Modeling Routing Policies – Ranking: LP, SP, TB – Local Preference: GR3, C > P2P > P – Export Policy: GR2,at least 1 Customer 4

5

Model and Methodology Threat Model – 1 Manipulator – Normal ASes, Normal Path – Attration and Interception – Fraction Attracted Attack Strategy: – Unavailable or Non-existent Path – Available but not Normal – Export Policies 6

Experiment on Empirical AS Graph – Average Case Analysis – Random Chosen Pairs – Multiple Dataset 7 Model and Methodology

Fooling BGP Security Protocols BGP: No validation → False Path Origin Authentication: Prefix Owner → Clain to be the closest soBGP: OrAuth, Path Existence → Exist, Unavail. 8

Fooling BGP Security Protocols S-BGP: Path Verification: abc if bc sent to a → Shorter Path Data Plane Verification → Also Forward Defensive Filter : No Stub 9

Smart Attraction Attack Shortest-Path Export All Underestimation Defensive Filtering : Crucial Different Strategy to Different Protocols 10

11

Smart Attraction Attack SBGP: Hard to find Shorter, Not Opt. Export Policy Matters More Different Sized Manipulator : Tier 2 Different Sized Victim : Tier 1 vs Tier2 12

A stub that creates a blackhole 13 Smart Interception Attack

Stub Make Blackhole : Failure Blackhole or Not 14

Smart Interception Attack 2 Strategies: – Shortest Available Path Export All – Hybrid Interception Attack Strategy Evaluation 15

Smart Attack are Not Optimal Longer Path might be better Exporting less might be better Gaming Loop Detection 16

17

Exporting less might be better 18

Gaming Loop Detection 19

But.... Finding Optimal Attack : NP-Hard Realistic ? Implementation Issues – OrAuth with RPKI/ROA – Defendive Filtering in Practice – Trust Model 20

Conclusion secure routing protocols (e.g., soBGP and S-BGP) should be deployed in combination with mechanisms that police export policies (e.g., defensive filtering) defensive filtering to eliminate attacks by stub ASes, and secure routing protocols to blunt attacks launched by larger ASes 21

Q&A 22

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.