1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
An Introduction to Routing the Internet Geoff Huston APNIC.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira Joint work with Yaping Zhu and Jennifer Rexford (Princeton University)
1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
Announcement  Slides and reference materials available at  Slides and reference materials available.
Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira (Yale University and UC Berkeley) Joint work with Yaping Zhu and Jennifer Rexford.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Tutorial 5 Safe Routing With BGP Based on: Internet.
Internet Networking Spring 2004 Tutorial 5 Safe “Peering Backup” Routing With BGP.
Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)
Interdomain Routing Establish routes between autonomous systems (ASes). Currently done with the Border Gateway Protocol (BGP). AT&T Qwest Comcast Verizon.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Economic Incentives in Internet Routing Jennifer Rexford Princeton University
Stable Internet Routing Without Global Coordination Jennifer Rexford AT&T Labs--Research Joint work with Lixin Gao.
Egress Route Selection for Interdomain Traffic Engineering Design considerations beyond BGP.
9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
Finding Vulnerable Network Gadgets in the Internet Topology Author: Nir Amar Supervisor: Dr. Gabi Nakibly Author: Nir Amar Supervisor: Dr. Gabi Nakibly.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
T. S. Eugene Ngeugeneng at cs.rice.edu Rice University1 COMP/ELEC 429/556 Introduction to Computer Networks Inter-domain routing Some slides used with.
Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.
A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time Lusheng Ji†, Joint work with Changxi Zheng‡, Dan Pei†, Jia Wang†, Paul Francis‡
Detecting Selective Dropping Attacks in BGP Mooi Chuah Kun Huang November 2006.
R-BGP: Staying Connected in a Connected World Nate Kushman Srikanth Kandula, Dina Katabi, and Bruce Maggs.
Efficient Secure BGP AS Path using FS-BGP Xia Yin, Yang Xiang, Zhiliang Wang, Jianping Wu Tsinghua University, Beijing 81th Quebec.
CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Pretty Good BGP: Improving BGP by Cautiously Adopting Routes Josh Karlin, Stephanie Forrest, Jennifer Rexford IEEE International Conference on Network.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.
Measuring and Mitigating AS-level Adversaries Against Tor
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
Michael Schapira, Princeton University Fall 2010 (TTh 1:30-2:50 in COS 302) COS 561: Advanced Computer Networks
BGP security some slides borrowed from Jen Rexford (Princeton U)
BGP Validation Russ White Rule11.us.
1 Internet Routing 4/12/2012. Admin. r Exam 2 date: m Wednesday, May 2 at 2:00 p.m. m If you want to take the exam in another day (e.g. due to travel),
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
1 Internet Routing 11/11/2009. Admin. r Assignment 3 2.
Are We There Yet? On RPKI Deployment and Security
Are We There Yet? On RPKI Deployment and Security
Are We There Yet? On RPKI Deployment and Security
Border Gateway Protocol
COS 561: Advanced Computer Networks
Are We There Yet? On RPKI Deployment and Security
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Fixing the Internet: Think Locally, Impact Globally
Presentation transcript:

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University

2 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix In deployment Crypto done offline In standardization Crypto done online What does (partially-deployed) BGPSEC offer over RPKI? (Or, is the juice worth the squeeze?) Security Benefits or Juice BGP and BGPSEC coexistence  road to BGPSEC full-deployment is very tricky because introducing security only partially introduces new vulnerabilities  not fully deployed BGPSEC provides only meagre benefits over RPKI if network operators do not prioritize security in their routing policies

3 1. Background: 1. BGP, RPKI, BGPSEC 2. routing policies in BGPSEC partial deployment 2. BGPSEC in partial deployment is tricky 3. Is the juice worth the squeeze? 4. Summary

44 Sprint D /24 D /24 D / , D / , D / , 2828, D / , 2828, D /24 A Sprint, 4323, 2828, D /24 Sprint, 4323, 2828, D /24

55 Sprint D /24 Which route to choose? Use routing policies. e.g. “Prefer short paths” 4323, 2828, D / , 2828, D /24 ? A A, D /24 A, D /24

66 Sprint D /24 Which route to choose? Use routing policies. e.g. “Prefer short paths” 4323, 2828, D / , 2828, D /24 ? A A /24 A /24 A, D /24 A, D /24

A A /24 A /24 77 Sprint D /24 RPKI Binds prefixes to ASes authorized to originate them. X RPKI invalid! Sprint checks that A is not authorized for / /24

8 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijacks assume RPKI is fully deployed, and focus on 1-hop hijack. prevent route manipulations

A S S SP, A, D, prefix A, D, prefix X BGPSEC invalid! 99 Sprint D /24 P/S S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix S S 2828, D, prefix S S 4323, 2828, D, prefix 2828, D, prefix S S P/S ? Sprint can verify that D never sent A, D prefix S S RPKI

What happens when BGP and BGPSEC coexist? 10 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijacks assume RPKI is fully deployed, and focus on 1-hop hijack. prevent route manipulations

A 11 Sprint D Siemens /24 P/S Should Sprint choose the long secure path OR the short insecure one? P/S ? Secure ASes must accept legacy insecure routes Depends on the interaction between BGPSEC and routing policies! RPKI S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix A, D /24 A, D /24

12 1. local preference (often based on business relationships with neighbors) 2.prefer short routes … 3.break ties in a consistent manner

Security 1 st 1. local preference (cost) (often based on business relationships with neighbors) Security 2 nd 2.prefer short routes (performance) Security 3 rd 3.break ties in a consistent manner 13  Survey of 100 network operators shows that 10%, 20% and 41% would place security 1 st, 2 nd, and 3 rd, [Gill, Schapira, Goldberg’12] Security Cost,Performance SecurityCost,Performance

14 Security 1 st 1. local preference (cost) (prefer customer routes over peer over provider routes) Security 2 nd 2.prefer short routes (performance) Security 3 rd 3.break ties in a consistent manner  To simulate routing outcomes, we use a concrete model of local preference. [Gao-Rexford’00, Huston’99, etc.]  Our ongoing work tests the robustness of this local pref model.

15 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 1. Protocol downgrade attacks 2. Collateral damages 3. Routing instabilities 3. Is the Juice worth the squeeze? 4. Summary

A 16 Sprint D /24 P/S S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix P/S Security 3 rd : Path length trumps path security! ? Protocol downgrade attack: Before the attack, Sprint has a legitimate secure route. During the attack, Sprint downgrades to an insecure bogus route. A, D /24 A, D /24

17 A D Siemens /24 P/S A, D /2 4 A, D /2 4 P/S ? Protocol downgrade attack: A secure AS with a secure route before the attack, downgrades to an insecure bogus route during the attack. Sprint P/S

M prefix P/S

W XZ Y M Before X deploys BGPSEC ? X offers the shorter path ? Shorter path! prefix D V P/S Secure ASes: 5 Happy ASes: 8

W XVZ Y M ? W offers the shorter path! ? Security 2 nd : Security trumps path length! Y experiences collateral damage because X is secure! P/S Secure ASes: 6 Happy ASes: 7 After X deploys BGPSEC prefix D P/S

A ? ? 5617 Collateral damage (during the attack): More secure ASes leads to more insecure ASes choosing bogus routes prefix P/S

22 Theorem: Routing converges to a unique stable state if all ASes use the same secure routing policy model.  But, if they don’t, there can be BGP Wedgies and oscillations.

23 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 3. Is the Juice worth the Squeeze? 1. Can we efficiently select the optimal set of secure ASes? 2. Can we bound security benefits invariant to who is secure? 3. Is the BGPSEC juice worth the squeeze given RPKI? 4. Summary

Let S be the set of ASes deploying BGPSEC, A be the attacker and d be the destination The set of ASes choosing a legitimate route is Happy S,, prefix ? d A d prefix A | Happy(S, A, d) | = 7

∑ all A all d Let S be the set of ASes deploying BGPSEC, A be the attacker and d be the destination Our metric is the average of the set of Happy ASes Happy S,, 25 | Happy(S, A, d) | = 7 |V| 3 1 Metric(S) = prefix ? d A A d prefix

Problem: find set S of secure ASes that maximizes s. t. |S| = k, for a fixed attacker A and destination d Theorem: This problem is NP-hard for all three routing models. Happy S,, 26 A d prefix

∑ all A all d Problem: Compute upper and lower bounds on for any BGPSEC deployment set S 27 Happy S,, |V| 3 1 Metric(S) = A d prefix

A 28 Sprint D Siemens /24 A, D /24 A, D /24 The bogus path is shorter!

A 29 Sprint D Siemens P/S Sprint is doomed The bogus path is shorter! P/S Regardless of who is secure, Sprint will select the shorter bogus route! /24 A, D /24 A, D /24

A 30 Sprint D Siemens P/S /24 A, D /24 A, D /24 The legitimate path is shorter! Sprint is doomed The bogus path is shorter!

A 31 Sprint D Siemens / and 4323 are immune The legitimate path is shorter! A, D /24 A, D /24 Regardless of who is secure, 4323 and 2828 will select legitimate routes! Sprint is doomed The bogus path is shorter!

∑ all A all d Problem: Find upper and lower bound on 32  Key observation. Regardless of who is secure: 1.Doomed ASes will always choose bogus routes 2.Immune ASes will always choose legitimate routes  Lower bound on Metric(S) = fraction of immune ASes  Upper bound on Metric(S) = 1 – fraction of doomed ASes Happy S,, |V| 3 1 Metric(S) = A d prefix

33 lower bound with RPKI 17% upper bound with BGPSEC In the most realistic security 3 rd model, the best we could do is make extra 17% happy with security! 53% 36% 47% Average Fraction of Happy ASes results based on simulations on empirical AS-level graphs

34 lower bound with RPKI 17% 53% 36% 47% Securing 50% of ASes on the Internet Improvements in the security 3 rd and 2 nd models are only 4% and 8% respectively. 24% Average Fraction of Happy ASes results based on simulations on empirical AS-level graphs

35  Graph: A UCLA AS-level topology from  39K ASes, 73.5K and 62K customer-provider and peer links  For each attacker-destination pair, simulated routing and determined the sets of doomed and immune ASes  Quantified security-benefit improvements for many different BGPSEC deployment scenarios  Robustness Tests  added 550K extra peering links inferred from IXP data on  accounted for traffic patterns by focusing on only certain destinations (e.g. content providers) and attackers  currently repeating all analysis with respect to different local pref models

36 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijack  Unless Security is 1 st or BGPSEC deployment is very large, security benefits from partially deployed BGPSEC are meagre  Typically little observable difference between Sec 2 nd and 3 rd prevent route manipulations BGP and BGPSEC coexistence: very tricky *protocol downgrades collateral damages routing instabilities

37 check out the full version at 1Proofs 2More empirical analysis and plots 3Robustness tests 4BGPSEC deployment guidelines

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.